WO2023082222A1 - Methods and systems for authentication in wireless networks - Google Patents


Info

Publication number
WO2023082222A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
network
ausf
user device
udm
Application number
PCT/CN2021/130512
Other languages
English (en)
Inventor
Jin Peng
Shilin You
Yuze LIU
Zhen XING
Zhaoji Lin
Original Assignee
Zte Corporation

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these, involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these, involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV (Menezes-Qu-Vanstone) protocol or Diffie-Hellman protocols using implicitly-certified keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless

Definitions

  • This patent document is directed generally to wireless communications.
  • Wireless communication technologies are moving the world toward an increasingly connected and networked society.
  • The rapid growth of wireless communications and advances in technology have led to greater demand for capacity and connectivity.
  • Other aspects, such as energy consumption, device cost, spectral efficiency, and latency are also important to meeting the needs of various communication scenarios.
  • Next generation systems and wireless communication techniques need to provide support for an increased number of users and devices, as well as support an increasingly mobile society.
  • This patent document describes, among other things, techniques and apparatuses for authentication in wireless networks.
  • The disclosed technology can be implemented in some embodiments to provide security methods for authentication and for refreshing the shared keys between the UE and the home network.
  • A method of wireless communication includes initiating, by a first network, an authentication procedure for a user device to establish or refresh shared keys between the user device and the first network, and verifying, by the first network, an identity of the user device based on a message generated by the user device.
  • Another method for wireless communications includes receiving, by a user device, an authentication request that includes authentication information generated by a first network that initiates an authentication procedure for the user device to establish or refresh shared keys between the user device and the first network; performing, by the user device, a computation on the authentication information; and transmitting, by the user device, an authentication response to the first network based on the computation.
  • A wireless communication apparatus comprising a processor configured to implement a method described herein is disclosed.
  • A computer readable medium including executable instructions to implement a method described herein is disclosed.
  • FIG. 1 shows an example of a base station (BS) and user equipment (UE) in wireless communication.
  • FIG. 2 is a block diagram representation of a portion of an apparatus that can be used to implement methods and/or techniques of the presently disclosed technology.
  • FIG. 3 shows an example of the initiation of an authentication procedure and selection of authentication method.
  • FIG. 4 shows an example of an authentication procedure for the transformed Extensible Authentication Protocol Authentication and Key Agreement (EAP-AKA').
  • FIG. 5 shows an example of an authentication procedure for 5G Authentication and Key Agreement (5G AKA).
  • FIG. 6 shows an example of an authentication procedure implemented based on some embodiments of the disclosed technology.
  • FIG. 7 shows another example of an authentication procedure implemented based on some embodiments of the disclosed technology.
  • FIG. 8 shows another example of an authentication procedure implemented based on some embodiments of the disclosed technology.
  • FIG. 9 shows an example of a wireless communication method based on some embodiments of the disclosed technology.
  • FIG. 10 shows another example of a wireless communication method based on some embodiments of the disclosed technology.
  • FIG. 1 shows an example of a wireless communication system (e.g., a long term evolution (LTE), 5G or NR cellular network) that includes a BS 120 and one or more user equipment (UE) 111, 112 and 113.
  • The uplink transmissions (131, 132, 133) can include uplink control information (UCI), higher layer signaling (e.g., UE assistance information or UE capability), or uplink information.
  • The downlink transmissions (141, 142, 143) can include DCI, higher layer signaling or downlink information.
  • The UE may be, for example, a smartphone, a tablet, a mobile computer, a machine to machine (M2M) device, a terminal, a mobile device, an Internet of Things (IoT) device, and so on.
  • An apparatus 205 such as a network device, a base station or a wireless device (or UE) can include processor electronics 210 such as a microprocessor that implements one or more of the techniques presented in this document.
  • The apparatus 205 can include transceiver electronics 215 to send and/or receive wireless signals over one or more communication interfaces such as antenna(s) 220.
  • The apparatus 205 can include other communication interfaces for transmitting and receiving data.
  • The apparatus 205 can include one or more memories (not explicitly shown) configured to store information such as data and/or instructions.
  • The processor electronics 210 can include at least a portion of the transceiver electronics 215. In some embodiments, at least some of the disclosed techniques, modules or functions are implemented using the apparatus 205.
  • The disclosed technology can be implemented in some embodiments to provide a security method for authentication and for refreshing the shared keys between the UE and the home network.
  • The security method implemented based on some embodiments of the disclosed technology can refresh K_AUSF in the UE and the AUSF without involving network functions in the serving network.
  • The primary authentication produces a key K_AUSF which is shared between the UE and the home network.
  • The UE and the home network may further derive more shared keys from K_AUSF, such as K_AKMA and K_AF in the AKMA service. These shared keys are used to secure communications of home network services between the UE and the home network.
  • The disclosed technology can be implemented in some embodiments to refresh the shared keys in the UE and the home network, thereby ensuring sustainable security.
  • The home network is not able to initiate the primary authentication; only the SEAF in the serving network is able to initiate the primary authentication.
  • A 3GPP discussion paper proposes a network-driven method, in which the AUSF requests the AMF to initiate primary authentication for the UE to generate a new K_AUSF.
  • This discussion paper also proposes a UE-driven method, in which the UE sends a NAS message with ngKSI set to 111 to initiate the primary authentication and generate a new K_AUSF.
  • Both methods initiate the primary authentication, which involves the serving network. In cases where the operator policy of the serving network does not allow a home-network-triggered or UE-triggered primary authentication, these methods do not work.
  • FIG. 3 shows an example of the initiation of an authentication procedure and selection of authentication method.
  • The Security Anchor Functionality (SEAF) 320 may initiate an authentication with the UE 310 during a procedure establishing a signaling connection with the UE 310, according to the policy of the SEAF 320.
  • The UE 310 may use a Subscription Concealed Identifier (SUCI) or a 5G Globally Unique Temporary UE Identity (5G-GUTI) in the Registration Request.
  • The SEAF 320 may invoke the Nausf_UEAuthentication service by sending a Nausf_UEAuthentication_Authenticate Request message to an Authentication Server Function (AUSF) 330 when the SEAF 320 wishes to initiate an authentication.
  • The Nausf_UEAuthentication_Authenticate Request message may include the SUCI or the Subscription Permanent Identifier (SUPI) and information associated with the serving network name.
  • The AUSF 330 may check that the requesting SEAF in the serving network is entitled to use the serving network name in the Nausf_UEAuthentication_Authenticate Request by comparing the serving network name with the expected serving network name.
  • The Unified Data Management (UDM) 340 may invoke the Subscription Identifier De-concealing Function (SIDF) if a SUCI is received.
  • The SIDF de-conceals the SUCI to obtain the SUPI before the UDM can process the request.
  • The UDM/Authentication credential Repository and Processing Function (ARPF) 340 may choose the authentication method.
  • FIG. 4 shows an example of an authentication procedure for the transformed Extensible Authentication Protocol Authentication and Key Agreement (EAP-AKA').
  • K_SEAF needs to be derived by the AUSF 430 and the UE, and the SEAF 420 in the serving network may store K_SEAF. These operations are not needed if K_AUSF is refreshed.
  • The UDM/ARPF 440 may generate an authentication vector (AV) and transmit a Nudm_UEAuthentication_Get Response message to the AUSF 430.
  • The AUSF 430 transmits the EAP-Request/AKA'-Challenge message to the SEAF 420 in a Nausf_UEAuthentication_Authenticate Response message, and the SEAF 420 transmits the EAP-Request/AKA'-Challenge message, ngKSI and ABBA to the UE 410.
  • Upon receipt of the EAP-Request/AKA'-Challenge message, ngKSI and ABBA, the UE 410 calculates an authentication response.
  • The UE 410 sends the EAP-Response/AKA'-Challenge message to the SEAF in an Auth-Resp message.
  • The SEAF 420 transmits the EAP-Response/AKA'-Challenge message to the AUSF 430 in a Nausf_UEAuthentication_Authenticate Request message.
  • The AUSF 430 may verify the message.
  • FIG. 5 shows an example of an authentication procedure for 5G Authentication and Key Agreement (5G AKA).
  • The AUSF 530 generates the 5G Authentication Vector (5G AV) from the 5G Home Environment Authentication Vector (5G HE AV).
  • The SEAF 520 in the serving network may challenge the UE 510 and store K_SEAF, and the UE 510 needs to derive K_SEAF. These operations are not needed if K_AUSF is refreshed.
  • The UDM/ARPF 540 generates an authentication vector (AV) and transmits, to the AUSF 530, the 5G HE AV together with an indication that the 5G HE AV is to be used for 5G AKA, in a Nudm_UEAuthentication_Get Response.
  • The AUSF 530 stores XRES* and calculates HXRES*, and transmits, to the SEAF 520, the 5G SE AV (e.g., RAND, AUTN, HXRES*).
  • The SEAF 520 transmits an Authentication Request to the UE 510. Upon receipt of the Authentication Request, the UE 510 calculates the Authentication Response (e.g., RES*), compares it to HXRES*, and then transmits the Authentication Response to the SEAF 520.
  • The SEAF 520 sends RES* in a Nausf_UEAuthentication_Authenticate Request message to the AUSF 530.
  • When the AUSF 530 receives, as authentication confirmation, the Nausf_UEAuthentication_Authenticate Request message including RES*, it may verify whether the AV has expired.
  • The disclosed technology can be implemented in some embodiments to perform an authentication and refresh the shared keys in the UE and the home network without involving the serving network.
  • FIG. 6 shows an example of an authentication procedure implemented based on some embodiments of the disclosed technology.
  • The AUSF in the home network initiates the procedure of authentication and refreshing K_AUSF in the UE and the AUSF based on EAP-AKA'.
  • The AUSF 630 sends, to the UDM 640, a Nudm_UEAuthentication_Get Request including the UE identity (e.g., SUPI).
  • Upon receipt of the Nudm_UEAuthentication_Get Request, the UDM 640 generates an authentication vector (AV).
  • The UDM/ARPF 640 computes a transformed cipher key (CK') and a transformed integrity key (IK') and replaces the cipher key (CK) and integrity key (IK) with CK' and IK'.
  • The UDM 640 subsequently sends this transformed authentication vector AV' (RAND, AUTN, XRES, CK', IK') to the AUSF 630 from which it received the Nudm_UEAuthentication_Get Request, together with an indication that the AV' is to be used for EAP-AKA', using a Nudm_UEAuthentication_Get Response message.
  • The AUSF 630 sends the EAP-Request/HN-AKA'-Challenge message to the SEAF 620 in a Namf_UEAuthentication_Authenticate Request message.
  • The SEAF 620 transparently forwards the EAP-Request/HN-AKA'-Challenge message to the UE 610 in a NAS Authentication Request message.
  • The Mobile Equipment (ME) forwards the Random Challenge (RAND) and Authentication Token (AUTN) received in the EAP-Request/HN-AKA'-Challenge message to the USIM.
  • The USIM verifies the freshness of the AV' by checking whether AUTN can be accepted. If so, the USIM computes a response RES. The USIM may return RES, CK and IK to the ME. If the USIM computes a Kc (e.g., GPRS Kc) from CK and IK using conversion function c3 and sends it to the ME, the ME ignores such a GPRS Kc and does not store it on the USIM or in the ME. The ME derives CK' and IK'.
  • The UE 610 sends the EAP-Response/HN-AKA'-Challenge message to the SEAF 620 in a NAS Auth-Resp message.
  • The SEAF 620 transparently forwards the EAP-Response/HN-AKA'-Challenge message to the AUSF 630 in a Namf_UEAuthentication_Authenticate Response message.
  • The AUSF 630 verifies the message by comparing XRES and RES. If the AUSF 630 has successfully verified this message, it continues as follows; otherwise it returns an error message to the SEAF 620.
  • The AUSF 630 informs the UDM 640 of the authentication result.
  • The AUSF 630 and the UE 610 may exchange EAP-Request/HN-AKA'-Notification and EAP-Response/HN-AKA'-Notification messages via the SEAF 620.
  • The SEAF 620 may transparently forward these messages.
  • The AUSF 630 derives the Extended Master Session Key (EMSK) from CK' and IK'.
  • The AUSF uses the most significant 256 bits of the EMSK as K_AUSF.
  • The AUSF sends an Extensible Authentication Protocol (EAP) Success message in a Namf_UEAuthentication_Authenticate Request to the SEAF 620, which transparently forwards it to the UE 610.
  • The SEAF 620 sends the EAP Success message to the UE 610 in the N1 message.
  • Upon receiving the EAP-Success message, the UE 610 derives the EMSK from CK' and IK'.
  • The ME uses the most significant 256 bits of the EMSK as K_AUSF.
  • FIG. 7 shows another example of an authentication procedure implemented based on some embodiments of the disclosed technology.
  • The AUSF in the home network initiates the procedure of authentication and refreshing K_AUSF in the UE and the AUSF based on 5G Authentication and Key Agreement (5G AKA).
  • The AUSF sends a Nudm_UEAuthentication_Get Request to the UDM, including the UE identity (e.g., SUPI).
  • The UDM/ARPF 740 creates a 5G HE AV.
  • The UDM/ARPF 740 derives K_AUSF and calculates XRES*.
  • The UDM/ARPF also creates a 5G HE AV from RAND, AUTN, XRES* and K_AUSF.
  • The UDM 740 returns, to the AUSF 730, the 5G HE AV together with an indication that the 5G HE AV is to be used for 5G AKA, in a Nudm_UEAuthentication_Get Response.
  • The AUSF 730 temporarily stores XRES* together with the SUPI.
  • The AUSF 730 returns, to the SEAF 720, RAND and AUTN in a Namf_UEAuthentication_Authenticate Request.
  • The SEAF 720 sends RAND and AUTN to the UE 710 in a NAS HN Authentication Request message.
  • The ME forwards the RAND and AUTN received in the NAS HN Authentication Request message to the USIM.
  • The USIM verifies the freshness of the received values by checking whether the Authentication Token (AUTN) can be accepted, as described in TS 33.102. If so, the USIM computes a response RES. The USIM returns RES, CK and IK to the ME. The ME calculates K_AUSF from CK
  • The UE 710 returns RES* to the SEAF 720 in a NAS HN Authentication Response message.
  • The SEAF 720 sends RES*, as received from the UE, in a Namf_UEAuthentication_Authenticate Response message to the AUSF 730.
  • The AUSF may verify whether the 5G AV has expired. If the 5G AV has expired, the AUSF may consider the authentication unsuccessful from the home network point of view. Upon successful authentication, the AUSF stores K_AUSF. The AUSF 730 compares the received RES* with the stored XRES*. If RES* matches XRES*, the AUSF considers the authentication successful from the home network point of view. The AUSF 730 informs the UDM 740 of the authentication result.
  • FIG. 8 shows another example of an authentication procedure implemented based on some embodiments of the disclosed technology.
  • The UDM in the home network initiates the procedure of authentication and establishing or refreshing K_AUSF in the UE and the AUSF.
  • When the UDM 840 decides to establish or refresh K_AUSF, it generates an authentication vector (AV).
  • The UDM/ARPF 840 computes CK' and IK' and replaces CK and IK with CK' and IK'.
  • The UDM 840 selects an AUSF if there is no AUSF related to this registration.
  • The UDM 840 sends, to the AUSF 830, the AMF ID along with the AV'.
  • The UDM 840 subsequently sends, to the AUSF 830, this transformed authentication vector AV' (RAND, AUTN, XRES, CK', IK') together with an indication that the AV' is to be used for EAP-AKA', using a Nausf_UEAuthentication Request message.
  • The AUSF 830 sends the EAP-Request/HN-AKA'-Challenge message, in a Namf_UEAuthentication_Authenticate Request message, to the SEAF 820 identified by the received AMF ID.
  • The SEAF 820 transparently forwards the EAP-Request/HN-AKA'-Challenge message to the UE 810 in a NAS Authentication Request message.
  • The ME forwards the RAND and AUTN received in the EAP-Request/HN-AKA'-Challenge message to the USIM.
  • The USIM verifies the freshness of the AV' by checking whether AUTN can be accepted. If so, the USIM computes a response RES. The USIM returns RES, CK and IK to the ME. If the USIM computes a Kc (e.g., GPRS Kc) from CK and IK using conversion function c3 as described in TS 33.102 and sends it to the ME, the ME ignores such a GPRS Kc and does not store it on the USIM or in the ME. The ME derives CK' and IK'.
  • The UE 810 sends the EAP-Response/HN-AKA'-Challenge message to the SEAF 820 in a NAS Auth-Resp message.
  • The SEAF 820 transparently forwards the EAP-Response/HN-AKA'-Challenge message to the AUSF 830 in a Namf_UEAuthentication_Authenticate Response message.
  • The AUSF 830 verifies the message by comparing XRES and RES. If the AUSF 830 has successfully verified this message, it continues as follows; otherwise it returns an error message to the SEAF 820.
  • The AUSF 830 informs the UDM 840 of the authentication result.
  • The AUSF 830 and the UE 810 may exchange EAP-Request/HN-AKA'-Notification and EAP-Response/HN-AKA'-Notification messages via the SEAF 820.
  • The SEAF 820 transparently forwards these messages.
  • The AUSF 830 derives the EMSK from CK' and IK'.
  • The AUSF 830 uses the most significant 256 bits of the EMSK as K_AUSF.
  • The AUSF 830 sends an EAP Success message in a Namf_UEAuthentication_Authenticate Request to the SEAF 820, which transparently forwards it to the UE 810.
  • The SEAF 820 sends the EAP Success message to the UE 810 in the N1 message.
  • Upon receiving the EAP-Success message, the UE 810 derives the EMSK from CK' and IK'.
  • The ME uses the most significant 256 bits of the EMSK as K_AUSF.
  • The AUSF 830 sends, to the UDM 840, a success indication in a Nausf_UEAuthentication Response message.
  • The disclosed technology can be implemented in some embodiments to provide security methods for authentication and for refreshing the shared keys between the UE and the home network.
  • The AUSF initiates the primary authentication by sending a Nudm_UEAuthentication_Get Request to the UDM and by sending, to the SEAF, the EAP-Request/HN-AKA'-Challenge message in a Namf_UEAuthentication_Authenticate Request message.
  • The SEAF transparently forwards messages between the AUSF and the UE.
  • K_SEAF is derived neither in the AUSF nor in the UE.
  • 5G AKA based authentication is re-used, with the processing on the SEAF tailored off.
  • The UDM initiates the authentication procedure.
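The FIG. 6/8 (EAP-AKA') and FIG. 7 (5G AKA) flows above only say that CK', IK', the EMSK, K_AUSF and RES*/XRES* are computed and compared. The following added example (not part of the patent) models both flows end to end: the UDM/ARPF side builds the transformed vector, the ME and the AUSF derive K_AUSF independently, and the AUSF does the XRES/RES and XRES*/RES* check plus the AV-expiry check. It assumes the derivations of 3GPP TS 33.501 Annex A and RFC 5448, which the page does not spell out, and replaces the USIM/UDM Milenage output (RES, CK, IK, SQN xor AK) with constructed constants.

```python
"""Model of the home-network-initiated K_AUSF refresh (EAP-AKA' and 5G AKA variants)."""
import hashlib
import hmac
from typing import Optional

# Constructed sample values standing in for what the USIM and the UDM/ARPF both compute from
# the long-term key K with Milenage (f2..f5). Milenage itself is not modelled here.
RAND = bytes.fromhex("0123456789abcdef0123456789abcdef")
RES = bytes.fromhex("a5a5a5a5a5a5a5a5")
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SQN_XOR_AK = bytes.fromhex("000000000001")
SERVING_NETWORK_NAME = b"5G:mnc001.mcc001.3gppnetwork.org"  # constructed
IDENTITY = b"0001010123456789@nai.5gc.mnc001.mcc001.3gppnetwork.org"  # constructed


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ck_ik_prime(ck: bytes, ik: bytes, snn: bytes, sqn_xor_ak: bytes):
    """CK' || IK' = KDF(CK || IK, FC=0x20, snn, SQN xor AK) (TS 33.501 A.3).
    The UDM/ARPF applies this when it replaces CK, IK by CK', IK' in AV'; the ME repeats it."""
    out = kdf(ck + ik, 0x20, snn, sqn_xor_ak)
    return out[:16], out[16:]


def prf_prime(key: bytes, seed: bytes, length: int) -> bytes:
    """PRF' of RFC 5448 section 3.4.1: T_n = HMAC-SHA-256(key, T_(n-1) || seed || n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([n]), hashlib.sha256).digest()
        out += t
        n += 1
    return out[:length]


def eap_aka_prime_emsk(ck_p: bytes, ik_p: bytes, identity: bytes) -> bytes:
    """RFC 5448 section 3.3: MK = PRF'(IK' || CK', "EAP-AKA'" || Identity) is 208 bytes;
    the EMSK is the final 64 bytes, after K_encr, K_aut, K_re and MSK."""
    mk = prf_prime(ik_p + ck_p, b"EAP-AKA'" + identity, 208)
    return mk[144:208]


def k_ausf_from_emsk(emsk: bytes) -> bytes:
    """K_AUSF is the most significant 256 bits of the EMSK (FIG. 6 and FIG. 8 flows)."""
    return emsk[:32]


def k_ausf_5g_aka(ck: bytes, ik: bytes, snn: bytes, sqn_xor_ak: bytes) -> bytes:
    """5G AKA K_AUSF = KDF(CK || IK, FC=0x6A, snn, SQN xor AK) (TS 33.501 A.2)."""
    return kdf(ck + ik, 0x6A, snn, sqn_xor_ak)


def res_star(ck: bytes, ik: bytes, snn: bytes, rand: bytes, res: bytes) -> bytes:
    """RES*/XRES* = least significant 128 bits of KDF(CK || IK, FC=0x6B, snn, RAND, RES) (A.4)."""
    return kdf(ck + ik, 0x6B, snn, rand, res)[16:]


def eap_aka_prime_refresh(received_res: bytes = RES) -> dict:
    """FIG. 6/8: UDM builds AV', AUSF and ME derive K_AUSF independently, AUSF checks RES."""
    # UDM/ARPF: transform the AV and hand AV' = (RAND, AUTN, XRES, CK', IK') to the AUSF.
    ck_p, ik_p = derive_ck_ik_prime(CK, IK, SERVING_NETWORK_NAME, SQN_XOR_AK)
    av_prime = {"rand": RAND, "xres": RES, "ck_p": ck_p, "ik_p": ik_p}
    # ME: the USIM returns RES, CK, IK; the ME derives CK', IK' and then EMSK -> K_AUSF itself.
    me_ck_p, me_ik_p = derive_ck_ik_prime(CK, IK, SERVING_NETWORK_NAME, SQN_XOR_AK)
    me_k_ausf = k_ausf_from_emsk(eap_aka_prime_emsk(me_ck_p, me_ik_p, IDENTITY))
    # AUSF: compare RES with XRES in constant time; only on success derive EMSK and K_AUSF.
    ok = hmac.compare_digest(received_res, av_prime["xres"])
    ausf_k_ausf = None
    if ok:
        ausf_k_ausf = k_ausf_from_emsk(eap_aka_prime_emsk(av_prime["ck_p"], av_prime["ik_p"], IDENTITY))
    return {"verified": ok, "ausf_k_ausf": ausf_k_ausf, "me_k_ausf": me_k_ausf}


def fiveg_aka_refresh(received_res_star: Optional[bytes] = None, av_expired: bool = False) -> dict:
    """FIG. 7: UDM derives K_AUSF and XRES*, AUSF stores XRES* and compares it with RES*."""
    # UDM/ARPF: 5G HE AV = (RAND, AUTN, XRES*, K_AUSF); the AUSF stores XRES* with the SUPI.
    xres_star = res_star(CK, IK, SERVING_NETWORK_NAME, RAND, RES)
    udm_k_ausf = k_ausf_5g_aka(CK, IK, SERVING_NETWORK_NAME, SQN_XOR_AK)
    # ME: RES* from the USIM output and K_AUSF from CK, IK; the SEAF only forwards RES*.
    me_res_star = res_star(CK, IK, SERVING_NETWORK_NAME, RAND, RES)
    if received_res_star is not None:
        me_res_star = received_res_star
    me_k_ausf = k_ausf_5g_aka(CK, IK, SERVING_NETWORK_NAME, SQN_XOR_AK)
    # AUSF: an expired AV fails regardless of RES*; otherwise RES* must match the stored XRES*.
    ok = (not av_expired) and hmac.compare_digest(me_res_star, xres_star)
    return {"verified": ok, "ausf_k_ausf": udm_k_ausf if ok else None, "me_k_ausf": me_k_ausf}
```

Both flows end with the AUSF and the ME holding the same K_AUSF without any K_SEAF being derived, which is the property the summary above relies on.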
  • FIG. 9 shows an example of a wireless communication method based on some embodiments of the disclosed technology.
  • A wireless communication method 900 includes, at 910, initiating, by a first network, an authentication procedure for a user device to establish or refresh shared keys between the user device and the first network, and at 920, verifying, by the first network, an identity of the user device based on a message generated by the user device.
  • The authentication procedure is initiated for the user device to access a second network, to establish or refresh shared keys between the user device and the first network, or to access the second network and establish or refresh the shared keys between the user device and the first network.
  • The verifying of the identity of the user device is performed based on the message generated by the user device and forwarded by the second network during the authentication procedure.
  • The first network is a home network.
  • The second network is a serving network.
  • FIG. 10 shows another example of a wireless communication method based on some embodiments of the disclosed technology.
  • A wireless communication method 1000 includes, at 1010, receiving, by a user device, an authentication request that includes authentication information generated by a first network that initiates an authentication procedure for the user device to establish or refresh shared keys between the user device and the first network, at 1020, performing, by the user device, a computation on the authentication information, and at 1030, transmitting, by the user device, an authentication response to the first network based on the computation.
  • The first network is a home network.
  • The second network is a serving network.
  • A wireless device or wireless communication device may be a user equipment (UE), a mobile station, or any other wireless terminal, including fixed nodes such as base stations.
  • A network device includes a base station, such as a next generation Node B (gNB), an enhanced Node B (eNB) or any other device that performs as a base station, or a core network device that can perform the network functions discussed in this patent document.
  • The base station and/or core network perform the various functions including UDM, PCF, Network Exposure Function (NEF), DDNMF (e.g., 5GDDNMF), Unified Data Repository (UDR), Access and Mobility Management Function (AMF), Session Management Function (SMF) and User Plane Function (UPF).
  • Clause 1 A method of wireless communication comprising: initiating, by a first network, an authentication procedure for a user device to establish or refresh shared keys between the user device and the first network; and verifying, by the first network, an identity of the user device based on a message generated by the user device.
  • The first network is a home network.
  • Clause 2 The method of clause 1, wherein the initiating of the authentication procedure includes transmitting a first authentication request message from an authentication server function (AUSF) of the first network to a unified data management (UDM) of the first network.
  • Clause 3 The method of clause 2, wherein the first authentication request message includes an identity of the user device.
  • Clause 5 The method of clause 1, wherein the initiating of the authentication procedure includes generating authentication information by a UDM of the first network in response to a request from the AUSF.
  • Clause 6 The method of clause 1, wherein the initiating of the authentication procedure includes generating authentication information by a UDM of the first network regardless of a request from the AUSF.
  • Clause 7 The method of clause 1, wherein the initiating of the authentication procedure includes receiving, at the AUSF, authentication information from the UDM.
  • Clause 8 The method of clause 7, wherein the authentication information includes a transformed authentication vector that is generated by transforming keys in an authentication vector (AV).
  • The authentication information includes a home environment authentication vector (HE AV) that is generated by deriving an intermediate key stored in the AUSF of the first network and transforming an expected response (XRES).
  • Clause 13 The method of clause 1, wherein the initiating of the authentication procedure includes transmitting a second authentication request message from an authentication server function (AUSF) in the first network to a security anchor functionality (SEAF) of a second network.
  • Clause 14 The method of clause 13, wherein the second authentication request message includes a first authentication information, and wherein the first authentication information is forwarded to the user device by the SEAF of the second network.
  • Clause 15 The method of clause 13, wherein the second authentication request message includes a first authentication information, and wherein the SEAF of the second network transmits, to the user device, a second authentication information generated by adjusting the first authentication information.
  • Clause 16 The method of any of clauses 13-15, wherein the first network and the user device exchange messages associated with the authentication procedure through the SEAF of the second network.
  • Clause 17 The method of clause 16, wherein the AUSF of the first network verifies the messages from the user device to perform the authentication procedure.
  • Clause 18 The method of clause 17, further comprising notifying, by the first network, the second network of a result of the authentication procedure with respect to the user device.
  • Clause 19 The method of any of clauses 1-17, further comprising transmitting, by the AUSF of the first network, to the UDM of the first network, an indication of a successful authentication with respect to the user device.
  • Clause 20 The method of any of clauses 1-17, further comprising generating an intermediate key of the AUSF on the user device and the first network upon a successful authentication with respect to the user device.
  • a method of wireless communication comprising: receiving, by a user device, an authentication request that includes authentication information generated by a first network that initiates an authentication procedure for the user device to establish or refresh shared keys between the user device and the first network; performing, by the user device, a computation on the authentication information; and transmitting, by the user device, an authentication response to the first network based on the computation.
  • the first network is a home network.
  • Clause 22 The method of clause 21, wherein the authentication information is forwarded by a second network to the user device.
  • Clause 24 The method of clause 21, wherein the first network initiates the authentication procedure by transmitting an authentication request message from an AUSF of the first network to a UDM of the first network.
  • Clause 25 The method of clause 21, wherein the first network initiates the authentication procedure by generating authentication information by a UDM of the first network in response to a request from the AUSF.
  • Clause 26 The method of clause 21, wherein the first network initiates the authentication procedure by generating authentication information by a UDM of the first network regardless of a request from the AUSF.
  • Clause 27 The method of any of clauses 25-26, wherein the authentication information includes a transformed authentication vector that is generated by transforming keys in an authentication vector (AV) .
  • Clause 28 The method of clause 27, wherein the authentication procedure is performed based on an extensible authentication protocol (EAP) authentication and key agreement (AKA).
  • Clause 29 The method of any of clauses 25-26, wherein the authentication information includes a home environment authentication vector (HE AV) that is generated by deriving an intermediate key stored in the AUSF of the first network and transforming an expected response (XRES).
  • Clause 30 The method of clause 29, wherein the AUSF of the first network stores the transformed XRES.
  • Clause 31 The method of clause 29, wherein the authentication procedure is performed based on 5G authentication and key agreement (AKA).
  • Clause 32 The method of any of clauses 2-31, wherein the first network is a home network and the second network is a serving network.
  • Clause 33 An apparatus for wireless communication, comprising a processor, wherein the processor is configured to implement a method recited in any of clauses 1 to 32.
  • Clause 34 A computer readable program storage medium having code stored thereon, the code, when executed by a processor, causing the processor to implement a method recited in any of clauses 1 to 32.
  • the disclosed and other embodiments, modules and the functional operations described in this document can be implemented in digital electronic circuitry, or in computer software, firmware, or hardware, including the structures disclosed in this document and their structural equivalents, or in combinations of one or more of them.
  • the disclosed and other embodiments can be implemented as one or more computer program products, i.e., one or more modules of computer program instructions encoded on a computer readable medium for execution by, or to control the operation of, data processing apparatus.
  • the computer readable medium can be a machine-readable storage device, a machine-readable storage substrate, a memory device, a composition of matter effecting a machine-readable propagated signal, or a combination of one or more of them.
  • data processing apparatus encompasses all apparatus, devices, and machines for processing data, including by way of example a programmable processor, a computer, or multiple processors or computers.
  • the apparatus can include, in addition to hardware, code that creates an execution environment for the computer program in question, e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, or a combination of one or more of them.
  • a propagated signal is an artificially generated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal, that is generated to encode information for transmission to suitable receiver apparatus.
  • a computer program (also known as a program, software, software application, script, or code) can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
  • a computer program does not necessarily correspond to a file in a file system.
  • a program can be stored in a portion of a file that holds other programs or data (e.g., one or more scripts stored in a markup language document) , in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub programs, or portions of code) .
  • a computer program can be deployed to be executed on one computer or on multiple computers that are located at one site or distributed across multiple sites and interconnected by a communication network.
  • the processes and logic flows described in this document can be performed by one or more programmable processors executing one or more computer programs to perform functions by operating on input data and generating output.
  • the processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit) .
  • processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer.
  • a processor will receive instructions and data from a read only memory or a random-access memory or both.
  • the essential elements of a computer are a processor for performing instructions and one or more memory devices for storing instructions and data.
  • a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto optical disks, or optical disks.
  • a computer need not have such devices.
  • Computer readable media suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto optical disks; and CD ROM and DVD-ROM disks.
  • the processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
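The 5G AKA branch of the procedure in clauses 21 to 31 (the UDM generates an AV, transforms it into the HE AV by deriving the AUSF intermediate key K_AUSF and the transformed expected response XRES*, the AUSF stores XRES* and hands the serving network only a hash of it, and the user device computes RES* over the same inputs so that the home network can verify it) can be traced end to end in code. The block below is a worked example added for this page; it is not ZTE's implementation and not code from the patent. The key derivations follow 3GPP TS 33.501 Annex A (FC values 0x6A, 0x6B, 0x6C and the HXRES* hash) on top of the generic HMAC-SHA-256 KDF of TS 33.220 Annex B; the Milenage f1..f5 functions that a real USIM and UDM/ARPF run are replaced by an HMAC-based stand-in, which is an assumption of the example, and the subscriber key, SQN, AMF, RAND and PLMN values are constructed sample inputs. All function and variable names are the example's own.

```python
import hashlib
import hmac


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    # TS 33.220 Annex B.2: HMAC-SHA-256(Key, FC || P0 || L0 || P1 || L1 ...),
    # each Li being the 2-byte big-endian length of Pi.
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


# Stand-in for the Milenage f1..f5 functions shared by USIM and UDM/ARPF (assumption).
def f1(k: bytes, rand: bytes, sqn: bytes, amf: bytes) -> bytes:
    # network authentication code MAC-A (64 bits), binds SQN and AMF to RAND
    return hmac.new(k, b"f1" + rand + sqn + amf, hashlib.sha256).digest()[:8]


def f2345(k: bytes, rand: bytes):
    # RES/XRES (64 bits), CK (128), IK (128), AK (48)
    d = lambda tag: hmac.new(k, tag + rand, hashlib.sha256).digest()
    return d(b"f2")[:8], d(b"f3")[:16], d(b"f4")[:16], d(b"f5")[:6]


def serving_network_name(mcc: str, mnc: str) -> bytes:
    # TS 33.501 6.1.1.4 format; the SN name is bound into XRES* and K_AUSF
    return f"5G:mnc{mnc}.mcc{mcc}.3gppnetwork.org".encode()


def udm_generate_he_av(k, sqn, amf, sn_name, rand):
    """UDM/ARPF: build the AV (RAND, AUTN, XRES, CK, IK), then transform it into the
    5G HE AV (RAND, AUTN, XRES*, K_AUSF): the 'transformed XRES' and 'intermediate
    key stored in the AUSF' of clauses 29-30 (TS 33.501 6.1.3.2, A.2, A.4)."""
    xres, ck, ik, ak = f2345(k, rand)
    mac_a = f1(k, rand, sqn, amf)
    sqn_xor_ak = xor(sqn, ak)
    autn = sqn_xor_ak + amf + mac_a
    k_ausf = kdf(ck + ik, 0x6A, sn_name, sqn_xor_ak)
    xres_star = kdf(ck + ik, 0x6B, sn_name, rand, xres)[16:]  # least significant 128 bits
    return {"rand": rand, "autn": autn, "xres_star": xres_star, "k_ausf": k_ausf}


def ausf_make_se_av(he_av):
    """AUSF keeps XRES* and K_AUSF; the serving network only receives HXRES* (A.5)."""
    hxres_star = hashlib.sha256(he_av["rand"] + he_av["xres_star"]).digest()[16:]
    return {"rand": he_av["rand"], "autn": he_av["autn"], "hxres_star": hxres_star}


def ue_respond(k, sn_name, rand, autn, last_sqn):
    """USIM/ME: authenticate the network from AUTN, then derive RES* and K_AUSF."""
    res, ck, ik, ak = f2345(k, rand)
    sqn_xor_ak, amf, mac_a = autn[:6], autn[6:8], autn[8:]
    sqn = xor(sqn_xor_ak, ak)
    if not hmac.compare_digest(mac_a, f1(k, rand, sqn, amf)):
        raise ValueError("MAC failure: AUTN was not produced with the shared K")
    if int.from_bytes(sqn, "big") <= int.from_bytes(last_sqn, "big"):
        raise ValueError("synchronisation failure: SQN not fresh (replayed challenge)")
    res_star = kdf(ck + ik, 0x6B, sn_name, rand, res)[16:]
    k_ausf = kdf(ck + ik, 0x6A, sn_name, sqn_xor_ak)
    return res_star, k_ausf, sqn


def seaf_check(se_av, res_star) -> bool:
    # serving network: HRES* = least significant 128 bits of SHA-256(RAND || RES*)
    hres_star = hashlib.sha256(se_av["rand"] + res_star).digest()[16:]
    return hmac.compare_digest(hres_star, se_av["hxres_star"])


def ausf_check(he_av, res_star) -> bool:
    # home network: only the AUSF holds XRES*, so only it can complete verification
    return hmac.compare_digest(res_star, he_av["xres_star"])


def run_5g_aka(k, sqn, amf, home_sn, ue_sn, last_sqn, rand):
    he_av = udm_generate_he_av(k, sqn, amf, home_sn, rand)
    se_av = ausf_make_se_av(he_av)
    res_star, ue_k_ausf, _ = ue_respond(k, ue_sn, rand, se_av["autn"], last_sqn)
    seaf_ok = seaf_check(se_av, res_star)
    ausf_ok = ausf_check(he_av, res_star)
    # K_SEAF (A.6, FC 0x6C) is only derived once the AUSF has confirmed success
    k_seaf = kdf(he_av["k_ausf"], 0x6C, home_sn) if ausf_ok else None
    return {"seaf_ok": seaf_ok, "ausf_ok": ausf_ok,
            "keys_match": ue_k_ausf == he_av["k_ausf"], "k_seaf": k_seaf}


# Constructed sample inputs (not real subscriber data).
K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")
AMF = bytes.fromhex("8000")
SQN = (42).to_bytes(6, "big")
LAST_SQN = (41).to_bytes(6, "big")
RAND = bytes.fromhex("23553cbe9637a89d218ae64dae47bf35")
SN = serving_network_name("001", "01")


def demo():
    good = run_5g_aka(K, SQN, AMF, SN, SN, LAST_SQN, RAND)
    # A serving network that presents a different name to the UE than the one the
    # UDM bound into XRES* yields a RES* that both SEAF and AUSF reject.
    rogue = run_5g_aka(K, SQN, AMF, SN, serving_network_name("999", "99"), LAST_SQN, RAND)
    return good, rogue


def replay_is_rejected() -> bool:
    """Re-sending a RAND/AUTN whose SQN the UE already accepted must fail."""
    try:
        run_5g_aka(K, SQN, AMF, SN, SN, SQN, RAND)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good, rogue = demo()
    print("genuine serving network:", good["seaf_ok"], good["ausf_ok"], good["keys_match"])
    print("rogue serving network name:", rogue["seaf_ok"], rogue["ausf_ok"])
    print("replay rejected:", replay_is_rejected())
```

Two properties worth checking in any implementation of the clauses above fall out of the run: the serving network name is an input to both XRES* and K_AUSF, so a serving network that misrepresents its identity cannot obtain a response the home network accepts, and the SQN check on the user device is what turns a re-used RAND/AUTN (which a home-network-initiated refresh could otherwise be tricked into replaying) into a synchronisation failure rather than a fresh key. Because the serving network only ever holds HXRES*, the result the first network reports to the second network (clause 18) is the only authoritative outcome.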

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

This patent document describes, among other things, techniques and apparatus for authentication in wireless networks. In one aspect, a method of wireless communication is disclosed. The method includes initiating, by a first network, an authentication procedure for a user device to establish or refresh shared keys between the user device and the first network; and verifying, by the first network, an identity of the user device based on a message generated by the user device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2021/130512 WO2023082222A1 (fr) 2021-11-15 2021-11-15 Methods and systems for authentication in wireless networks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2021/130512 WO2023082222A1 (fr) 2021-11-15 2021-11-15 Methods and systems for authentication in wireless networks

Publications (1)

Publication Number Publication Date
WO2023082222A1 (fr) 2023-05-19

Family

ID=86334888

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/130512 WO2023082222A1 (fr) 2021-11-15 2021-11-15 Methods and systems for authentication in wireless networks

Country Status (1)

Country Link
WO (1) WO2023082222A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110800331A (zh) * 2017-07-20 2020-02-14 华为国际有限公司 Network authentication method, related device and system
US20210320788A1 (en) * 2018-12-29 2021-10-14 Huawei Technologies Co., Ltd. Communication method and related product

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on authentication and key management for applications; based on 3GPP credential in 5G (Release 16)", 3GPP TR 33.835, no. V0.4.0, 1 April 2019 (2019-04-01), pages 1 - 64, XP051723261 *

Similar Documents

Publication Publication Date Title
US10849191B2 (en) Unified authentication for heterogeneous networks
US9992671B2 (en) On-line signup server for provisioning of certificate credentials to wireless devices
EP3338473B1 (fr) Method and apparatus for authenticating wireless devices
US8887251B2 (en) Handover method of mobile terminal between heterogeneous networks
RU2367098C1 (ru) System and method for authentication in a communication system
KR20230124621A (ko) UE authentication method and system for non-3GPP service access
EP3718330A1 (fr) Session key creation
WO2020249068A1 (fr) Authentication method, device and system
WO2020146998A1 (fr) Method and device for preventing user tracking, storage medium, and electronic device
US20220124092A1 (en) Authentication Processing Method and Device, Storage Medium, and Electronic Device
WO2023082222A1 (fr) Methods and systems for authentication in wireless networks
WO2020208294A1 (fr) Establishing secure communication paths to a multipath connection (MPC) server with initial connection over a public network
CN115280803B (zh) Multimedia broadcast multicast service authentication method, apparatus, device and medium
KR20230079179A (ko) Method, terminal, and network entity for handling security key synchronization in a wireless network
US20230413047A1 (en) Network relay security
US20230336992A1 (en) Method and apparatus for authenticating user equipment in wireless communication system
US20230413055A1 (en) Security methods for protecting discovery procedures in wireless networks
US20240073212A1 (en) Communication method and apparatus
WO2023178689A1 (fr) Security implementation method and apparatus, device and network element
WO2023142102A1 (fr) Security configuration update in communication networks
WO2024103509A1 (fr) Enabling authentication and key management for an application service for roaming users
CN115174653B (zh) Node pairing method
WO2023245351A1 (fr) Refreshing authentication keys for proximity-based services
US20240179525A1 (en) Secure communication method and apparatus
US20240022908A1 (en) Authentication using a digital identifier for ue access

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application
Ref document number: 21963670
Country of ref document: EP
Kind code of ref document: A1