WO2023143411A1 - Device authentication methods, apparatus and communication device - Google Patents

Device authentication methods, apparatus and communication device Download PDF

Info

Publication number
WO2023143411A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
message
network element
authentication
identification information
Prior art date
Application number
PCT/CN2023/073272
Other languages
French (fr)
Chinese (zh)
Inventor
李欢
谢振华
Original Assignee
维沃移动通信有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 维沃移动通信有限公司
Publication of WO2023143411A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/08 Access security
    • H04W76/00 Connection management
    • H04W76/10 Connection setup
    • H04W76/14 Direct-mode setup

Definitions

  • the present application belongs to the technical field of communication, and in particular relates to a device authentication method, device and communication device.
  • the mobile phone can set up a WiFi hotspot for other devices, such as enabling a notebook to access the Internet through the mobile phone.
  • the notebook is a non-3GPP (3rd Generation Partnership Project) device, and the communication network cannot know that the notebook is surfing the Internet, so the legitimacy of the notebook cannot be verified. If a rogue device accesses the network through a mobile phone, the secure communication between the mobile phone and the network is at risk.
  • the related art does not describe how non-3GPP equipment accesses the core network through 3GPP equipment. In the scenarios of personal IoT and fixed-mobile convergence, how to securely connect non-3GPP devices to the core network is an urgent problem to be solved.
  • the embodiment of the present application provides a device authentication method, device and communication device, which can solve the problem of how to securely allow non-3GPP devices to access the core network.
  • a device authentication method including:
  • the first terminal acquires the identification information of the second terminal
  • the first terminal sends a first message to the first network element, where the first message includes identification information of the second terminal, and the first message is used to trigger an authentication procedure for the second terminal.
  • a device authentication method including:
  • the first network element receives a first message sent by a first terminal, where the first message includes identification information of a second terminal;
  • the first network element triggers an authentication procedure for the second terminal according to the first message.
  • a device authentication device including:
  • a first obtaining module configured to obtain identification information of the second terminal
  • a first sending module configured to send a first message to a first network element, where the first message includes identification information of the second terminal, and the first message is used to trigger an authentication procedure for the second terminal.
  • a device authentication device including:
  • a first receiving module configured to receive a first message sent by a first terminal, where the first message includes identification information of the second terminal;
  • a processing module configured to trigger an authentication procedure for the second terminal according to the first message.
  • In a fifth aspect, a terminal is provided, including a processor and a memory, where the memory stores programs or instructions that can run on the processor, and when the programs or instructions are executed by the processor, the steps of the method in the first aspect are implemented.
  • In a sixth aspect, a terminal is provided, including a processor and a communication interface, where the processor is configured to obtain identification information of a second terminal, and the communication interface is configured to send a first message to a first network element, the first message including the identification information of the second terminal and being used to trigger an authentication procedure for the second terminal.
  • In a seventh aspect, a network-side device is provided, including a processor and a memory, where the memory stores programs or instructions that can run on the processor, and when the programs or instructions are executed by the processor, the steps of the method in the second aspect are implemented.
  • In an eighth aspect, a network-side device is provided, including a processor and a communication interface, where the communication interface is configured to receive a first message sent by a first terminal, the first message including identification information of the second terminal, and the processor is configured to trigger an authentication procedure for the second terminal according to the first message.
  • In a ninth aspect, a device authentication system is provided, including a terminal and a network-side device, where the terminal can be used to perform the steps of the device authentication method in the first aspect, and the network-side device can be used to perform the steps of the device authentication method in the second aspect.
  • In a tenth aspect, a readable storage medium is provided, on which a program or instruction is stored; when the program or instruction is executed by a processor, the steps of the method in the first aspect or the steps of the method in the second aspect are implemented.
  • In an eleventh aspect, a chip is provided, including a processor and a communication interface coupled to the processor, where the processor is used to run a program or instruction to implement the method in the first aspect or the method in the second aspect.
  • In a twelfth aspect, a computer program product is provided, stored in a storage medium and executed by at least one processor to implement the steps of the method in the first aspect or the method in the second aspect.
  • the first terminal obtains the identification information of the second terminal, sends a first message containing that identification information to the first network element, and triggers authentication of the second terminal through the first message; in this way the first terminal (a 3GPP terminal) assists the second terminal (a non-3GPP terminal) in accessing the core network and being authenticated, and the security of communication can be effectively guaranteed when the non-3GPP device accesses the communication network through a personal Internet of Things network or a home network.
  • FIG. 1 shows a structural diagram of a communication system applicable to an embodiment of the present application.
  • FIG. 2 shows the first schematic flow diagram of the device authentication method in the embodiment of the present application.
  • FIG. 3 shows the second schematic flow diagram of the device authentication method in the embodiment of the present application.
  • FIG. 4 shows the first interactive schematic diagram of the device authentication method in the embodiment of the present application.
  • FIG. 5 shows the second interactive schematic diagram of the device authentication method according to the embodiment of the present application.
  • FIG. 6 shows the third interactive schematic diagram of the device authentication method according to the embodiment of the present application.
  • FIG. 7 shows the fourth interactive schematic diagram of the device authentication method according to the embodiment of the present application.
  • FIG. 8 shows the first module schematic diagram of the device authentication device according to the embodiment of the present application.
  • FIG. 9 shows a structural block diagram of a communication device according to an embodiment of the present application.
  • FIG. 10 shows a structural block diagram of a terminal in an embodiment of the present application.
  • FIG. 11 shows the second module schematic diagram of the device authentication device according to the embodiment of the present application.
  • FIG. 12 shows the second structural block diagram of the network side device according to the embodiment of the present application.
  • the terms "first", "second" and the like in the specification and claims of the present application are used to distinguish similar objects, not to describe a specific order or sequence. It is to be understood that the terms so used are interchangeable under appropriate circumstances, so that the embodiments of the application are capable of operation in sequences other than those illustrated or described herein. Objects distinguished by "first" and "second" are usually of one category, and their number is not limited; for example, there may be one or more first objects.
  • "and/or" in the description and claims means at least one of the connected objects, and the character "/" generally means that the related objects are in an "or" relationship.
  • LTE Long Term Evolution
  • LTE-A Long Term Evolution-Advanced (LTE-Advanced)
  • CDMA Code Division Multiple Access
  • TDMA Time Division Multiple Access
  • FDMA Frequency Division Multiple Access
  • OFDMA Orthogonal Frequency Division Multiple Access
  • SC-FDMA Single-carrier Frequency Division Multiple Access
  • the terms "system" and "network" in the embodiments of the present application are often used interchangeably; the described technology can be used for the above-mentioned systems and radio technologies, and also for other systems and radio technologies.
  • the following description uses the New Radio (NR) system as an example and NR terminology in most places, but these techniques can also be applied to systems other than NR, such as the 6th generation (6G) communication system.
  • 6G 6th generation
  • Fig. 1 shows a block diagram of a wireless communication system to which the embodiment of the present application is applicable.
  • the wireless communication system includes a terminal 11 and a network side device 12 .
  • the terminal 11 can be a mobile phone, a tablet computer, a laptop computer or notebook computer, a personal digital assistant (PDA), a palmtop computer, a netbook, an ultra-mobile personal computer (UMPC), a mobile Internet device (MID), augmented reality (AR) / virtual reality (VR) equipment, a robot, a wearable device, vehicle user equipment (VUE), pedestrian user equipment (PUE), smart home equipment (household equipment with wireless communication functions, such as refrigerators, TVs, washing machines or furniture), a game console, a personal computer (PC), a teller machine or self-service machine and other terminal-side devices; wearable devices include: smart watches
  • the network side device 12 may include an access network device or a core network device, where the access network device 12 may also be called a radio access network device, a radio access network (Radio Access Network, RAN), a radio access network function, or Wireless access network unit.
  • RAN Radio Access Network
  • the access network device 12 may include a base station, a wireless local area network (Wireless Local Area Networks, WLAN) access point or a WiFi node, etc., and the base station may be called a node B, an evolved node B (eNB), an access point, or a base transceiver station (Base Transceiver Station, BTS), radio base station, radio transceiver, Basic Service Set (BSS), Extended Service Set (Extended Service Set, ESS), Home Node B, Home Evolved Node B, sending and receiving point (Transmitting Receiving Point, TRP) or some other appropriate term in the field, as long as the same technical effect is achieved, the base station is not limited to specific technical terms.
  • the core network equipment may include but not limited to at least one of the following: core network node, core network function, mobility management entity (Mobility Management Entity, MME), access mobility management function (Access and Mobility Management Function, AMF), session management function (Session Management Function, SMF), user plane function (User Plane Function, UPF), policy control function (Policy Control Function, PCF), policy and charging rules function unit (Policy and Charging Rules Function, PCRF), edge application service Discovery function (Edge Application Server Discovery Function, EASDF), unified data management (Unified Data Management, UDM), unified data warehouse (Unified Data Repository, UDR), home subscriber server (Home Subscriber Server, HSS), centralized network configuration ( Centralized network configuration, CNC), network storage function (Network Repository Function, NRF), network exposure function (Network Exposure Function, NEF), local NEF (L
  • the core network equipment of the NR system is introduced here as an example; the specific type of core network equipment is not limited.
  • the functions of the above-mentioned core network device may be realized by multiple devices, or the functions of multiple core network devices may be realized by one device, which is not limited in this embodiment of the present application.
  • when the functions of multiple core network devices are implemented by one device, the interaction among those core network devices in the embodiment of the present application is an internal operation of that device.
  • PIN Personal IoT Network
  • PIN is a group consisting of at least one PIN element (PIN Element, PINE), wherein at least one PIN element is a terminal (User Equipment, UE). PIN elements communicate with each other. Two PIN elements can communicate through a direct connection between them, or indirectly through a communication network.
  • PIN Element PINE
  • UE User Equipment
  • a PIN element is a UE or a non-3GPP device.
  • a PIN element can also be a non-5G-Capable over WLAN (N5CW) device on a wireless local area network.
  • N5CW non-5G-Capable over WLAN
  • non-3GPP devices refer to devices that do not use credentials defined by 3GPP, devices that do not support the NAS protocol defined by 3GPP, or devices that do not support 3GPP access technologies (such as the 3G/4G/5G air interface) but only non-3GPP access technologies (such as WiFi, fixed network or Bluetooth).
  • when a PIN element accesses the communication network through a PEGC, it may also follow the procedure of a non-3GPP device or an N5CW device, for example it does not use the NAS of a UE to interact with the communication network; in that case the solutions described in the embodiments of this application can also be used.
  • a PIN can have one or more PIN elements with gateway capability (PIN Element With Gateway Capability, PEGC).
  • the PIN elements in the PIN can communicate with each other directly or through PEGC.
  • the PIN element in the PIN can communicate with other devices or application servers outside the PIN through the PEGC.
  • PEGC can be a gateway in a smart home scenario, or a mobile phone in a wearable device scenario.
  • the current 3GPP 5G core network supports fixed network access, including residential gateways (RG) accessing the 5G core network through fixed networks and 3GPP networks, and 3GPP terminal devices accessing the 5G core network through residential gateways.
  • RG Residential Gateways
  • the embodiment of this application provides a device authentication method, including:
  • Step 201 the first terminal acquires the identification information of the second terminal.
  • the first terminal is a personal Internet of Things gateway
  • the second terminal is a device that cannot use the NAS protocol.
  • the second terminal is a non-3GPP device or a personal Internet of Things device.
  • the second terminal is a 3GPP device, but the connection between the second terminal and the first terminal does not support transfer of the NAS protocol.
  • the above-mentioned first terminal may also be a home gateway.
  • a connection may be established between the first terminal and the second terminal through WiFi, Bluetooth or passive Internet of Things (Passive IoT) technology.
  • Passive IoT passive Internet of Things
  • the second terminal can be a 3GPP device or a non-3GPP device, and the passive Internet of Things technology can be a 3GPP access technology or a non-3GPP access technology.
  • Step 202 The first terminal sends a first message to the first network element, where the first message includes identification information of the second terminal and is used to trigger an authentication procedure for the second terminal.
  • the first network element is a mobility management network element or a session management network element; for example, the mobility management network element is the Access and Mobility Management Function (AMF) and the session management network element is the Session Management Function (SMF).
  • AMF Access and Mobility Management Function
  • SMF Session Management Function
  • the first terminal obtains the identification information of the second terminal, sends a first message containing that identification information to the first network element, and triggers an authentication procedure for the second terminal through the first message, so that the first terminal (a 3GPP terminal) assists the second terminal (a non-3GPP terminal) in accessing the core network and being authenticated, which can effectively guarantee the security of communication.
  • the first message indicates that the second terminal requests to access the first network element, or the first message requests to establish a session for the second terminal.
  • the first terminal sends the first message to the first network element, including:
  • the first terminal sends the first message through a non-access stratum (Non Access Stratum, NAS) connection between the first terminal and the first network element.
  • NAS Non Access Stratum
  • the first message further includes at least one of the following:
  • non-3GPP device indication information, where the non-3GPP device indication information is non-3GPP device registration type information;
  • personal Internet of Things indication information, where the personal Internet of Things indication information is registration type information of a personal Internet of Things element (PINE).
  • the identification information of the second terminal includes at least one of the following:
  • the device identification of the second terminal;
  • the International Mobile Subscriber Identity (IMSI) of the second terminal;
  • the Generic Public Subscription Identifier (GPSI) of the second terminal.
  • the acquisition of the identification information of the second terminal by the first terminal includes:
  • the first terminal acquires the identification information of the second terminal through an authentication procedure for the second terminal.
  • the second terminal is associated with or connected to a wireless local area network (Wireless Local Area Network, WLAN) of the first terminal.
  • WLAN Wireless Local Area Network
  • the first terminal and the second terminal use an EAP authentication process.
  • the above authentication process may specifically include:
  • the first terminal sends an EAP-Req/Identity message to the second terminal
  • the second terminal sends an EAP-Res/Identity message to the first terminal, where the EAP-Res/Identity message includes identification information of the second terminal.
  • the identity information of the second terminal may be sent in the form of a Network Access Identifier (NAI).
  • NAI Network Access Identifier
  • the second terminal may indicate that it does not support accessing the core network using NAS, or that it wishes to access the core network without NAS.
  • for example, the NAI can contain the field 5gc-nn to indicate that the second terminal does not support NAS access to 5GC, or that it wishes to access 5GC without NAS.
  • the identification information of the second terminal may be used to identify the second terminal in the PIN or in the 5G system.
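  • The NAI handling described in the items above, and again in the Fig. 4 description (step 402), comes down to two things a gateway must do before forwarding anything: recognise the 5gc-nn realm label and pull the identity fields out of the username. Below is an added parser for that, written for this page; it is not code from the patent or from vivo. The username label layout (type, rid, schid, hnkey, userid) and the rule that an MCC has three digits and an MNC two or three are taken from 3GPP TS 23.003 and are assumptions about how such NAIs are formed; the second sample input is constructed. Run on the patent's own example NAI from step 402, the checks flag the two-digit mcc45 label and the null protection scheme (schid0), under which the user identity travels in the clear.

```python
"""Parse the NAI a PINE returns in EAP-Response/Identity.

Added example for this page, not code from the patent or from vivo.
Assumptions (labelled): the username label layout (type/rid/schid/hnkey/userid)
and the "MCC is 3 digits, MNC is 2 or 3 digits" rule follow 3GPP TS 23.003;
the meaning of the "5gc-nn" realm label is taken from the patent text.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# NAI example quoted from the patent's Fig. 4 description (step 402).
PATENT_NAI = "type1.rid678.schid0.useriduser17@nai.5gc-nn.mnc123.mcc45.3gppnetwork.org"

# Label prefixes of the SUCI-in-NAI username (assumed from TS 23.003).
USERNAME_PREFIXES = ("type", "rid", "schid", "hnkey", "userid")


@dataclass
class ParsedNai:
    supi_type: Optional[int] = None          # 1 = NAI-based SUPI
    routing_indicator: Optional[str] = None
    protection_scheme: Optional[int] = None  # 0 = null scheme, identity in clear
    home_network_key_id: Optional[str] = None
    user_id: Optional[str] = None
    realm: str = ""
    mnc: Optional[str] = None
    mcc: Optional[str] = None
    no_nas_access: bool = False              # realm carries "5gc-nn": no NAS towards 5GC
    warnings: List[str] = field(default_factory=list)


def parse_nai(nai: str) -> ParsedNai:
    """Split an NAI into its SUCI username fields and its home-network realm."""
    if nai.count("@") != 1:
        raise ValueError("an NAI has exactly one '@'")
    username, realm = nai.split("@")
    p = ParsedNai(realm=realm)

    # username: dot-separated labels, each starting with a known prefix
    for label in username.split("."):
        prefix = next((x for x in USERNAME_PREFIXES if label.startswith(x)), None)
        if prefix is None:
            p.warnings.append(f"unknown username label {label!r}")
            continue
        value = label[len(prefix):]
        if prefix == "type":
            p.supi_type = int(value) if value.isdigit() else None
        elif prefix == "rid":
            p.routing_indicator = value
        elif prefix == "schid":
            p.protection_scheme = int(value) if value.isdigit() else None
        elif prefix == "hnkey":
            p.home_network_key_id = value
        else:                                # "userid": everything after the prefix
            p.user_id = value

    # realm: the 5gc / 5gc-nn label plus the mnc/mcc labels
    labels = realm.split(".")
    if labels[-2:] != ["3gppnetwork", "org"]:
        p.warnings.append("realm does not end in 3gppnetwork.org")
    if "5gc-nn" in labels:
        p.no_nas_access = True
    elif "5gc" not in labels:
        p.warnings.append("realm carries neither 5gc nor 5gc-nn")
    for label in labels:
        if label.startswith("mnc"):
            p.mnc = label[3:]
        elif label.startswith("mcc"):
            p.mcc = label[3:]

    # sanity checks a gateway should log before forwarding the identity
    if p.mcc is None or not (p.mcc.isdigit() and len(p.mcc) == 3):
        p.warnings.append(f"MCC {p.mcc!r} is not three digits")
    if p.mnc is None or not (p.mnc.isdigit() and len(p.mnc) in (2, 3)):
        p.warnings.append(f"MNC {p.mnc!r} is not two or three digits")
    if p.protection_scheme == 0 and p.user_id:
        p.warnings.append("null protection scheme: user identity is sent in clear")
    return p
```

  • The parser deliberately records problems in a warnings list instead of raising, so the gateway can decide per deployment whether a malformed realm is fatal or only logged; the EAP identity is, after all, an unauthenticated string supplied by the device.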
  • the acquisition of the identification information of the second terminal by the first terminal includes:
  • the first terminal obtains a first target request message sent by the second terminal, where the first target request message is used to establish a secure connection with the first terminal.
  • the first target request message may be an Internet Key Exchange (IKE) IKE_AUTH request message, and the first target request message includes the identification information of the second terminal.
  • IKE Internet Key Exchange
  • IPsec SA IP Security Association
  • the second terminal associates with or connects to the WLAN of the first terminal and obtains an IP address from that WLAN; the second terminal may request the IP address with a Dynamic Host Configuration Protocol (DHCP) request or another request message.
  • DHCP Dynamic Host Configuration Protocol
  • the first terminal may authenticate the second terminal first, and then assign an IP address to the second terminal after authentication.
  • the second terminal sends a second target request message to the first terminal; the second target request message may specifically be an IKE_AUTH request message.
  • the second target request message does not carry the AUTH parameter, which indicates that EAP authentication is required.
  • the first terminal sends a response message, such as an IKE_AUTH response message, to the second terminal, and the response message includes the EAP request message.
  • the second terminal sends an IKE_AUTH request message to the first terminal, which includes an EAP response message, including identification information of the second terminal.
  • the embodiment of the present application also provides a device authentication method, including:
  • Step 301 The first network element receives a first message sent by a first terminal, where the first message includes identification information of the second terminal.
  • the first network element is a mobility management network element or a session management network element; for example, the mobility management network element is the Access and Mobility Management Function (AMF) and the session management network element is the Session Management Function (SMF).
  • AMF Access and Mobility Management Function
  • SMF Session Management Function
  • Step 302 The first network element triggers an authentication procedure for the second terminal according to the first message.
  • the first terminal is a personal Internet of Things gateway
  • the second terminal is a device that cannot use the NAS protocol.
  • the second terminal is a non-3GPP device or a personal Internet of Things device.
  • the second terminal is a 3GPP device, and the connection between the second terminal and the first terminal does not support NAS protocol transmission.
  • the above-mentioned first terminal may also be a home gateway.
  • a connection can be established between the first terminal and the second terminal through WiFi, Bluetooth or passive Internet of Things (Passive IoT) technology.
  • Passive IoT passive Internet of Things
  • the second terminal can be a 3GPP device or a non-3GPP device, and the passive Internet of Things technology can be a 3GPP access technology or a non-3GPP access technology.
  • the first network element receives the first message containing the identification information of the second terminal sent by the first terminal, and triggers an authentication procedure for the second terminal based on the first message, so that the first terminal (a 3GPP terminal) assists the second terminal (a non-3GPP terminal) in accessing the core network and being authenticated, which effectively guarantees the security of communication in the scenario where a non-3GPP device accesses the communication network through a personal IoT network or a home network.
  • the first message indicates that the second terminal requests to access the first network element, or the first message requests to establish a session for the second terminal.
  • the first network element receiving the first message sent by the first terminal includes:
  • the first network element receives the first message through the NAS connection between the first terminal and the first network element.
  • the first message further includes at least one of the following:
  • non-3GPP device indication information, where the non-3GPP device indication information is non-3GPP device registration type information;
  • personal Internet of Things indication information, where the personal Internet of Things indication information is registration type information of a personal Internet of Things element (PINE).
  • the identification information of the second terminal includes at least one of the following:
  • the device identification of the second terminal;
  • the Subscription Permanent Identifier (SUPI) of the second terminal;
  • the Subscription Concealed Identifier (SUCI) of the second terminal;
  • the Generic Public Subscription Identifier (GPSI) of the second terminal.
  • the first network element triggers an authentication procedure for the second terminal according to the first message, including:
  • the first network element sends a second message to a second network element according to the first message, where the second message is used to request authentication of the second terminal.
  • if the first network element is a mobility management network element, the second network element is an authentication server network element;
  • if the first network element is a session management network element, the second network element is a mobility management network element.
  • the above-mentioned first terminal is PEGC
  • the above-mentioned second terminal is PINE
  • the above-mentioned device authentication method includes:
  • Step 401 An L2 connection is established between PINE and PEGC.
  • the PINE is associated with or connected to the WLAN of the PEGC.
  • Step 402 The PEGC initiates an authentication process to obtain the identification information of the PINE.
  • PINE sends its own identification information to PEGC.
  • PEGC and PINE use the EAP authentication process.
  • PEGC sends an EAP-Req/Identity message to PINE.
  • PINE sends an EAP-Res/Identity message to PEGC, which includes its own identity.
  • the identifier of the PINE may be sent in the form of a Network Access Identifier (NAI).
  • NAI Network Access Identifier
  • PINE can indicate that it does not support NAS access to 5GC, or that it wishes to access 5GC without NAS.
  • the field 5gc-nn may be included in the NAI to indicate that it does not support NAS access to 5GC, or it wishes to access 5GC without NAS.
  • the NAI sent by PINE may be type1.rid678.schid0.useriduser17@nai.5gc-nn.mnc123.mcc45.3gppnetwork.org.
  • the identification information of the PINE is used to identify the PINE in the PIN or in the 5G system, for example, it may be the MAC address of the PINE, the device identifier of the PINE, IMSI, SUPI, SUCI, or GPSI.
  • Step 403 The PEGC sends a NAS message to the AMF, indicating to connect the PINE to the core network.
  • the PEGC sends a registration request message to the AMF, including at least one of the registration type, the ID of the PEGC, and the ID of the PINE.
  • the registration type may indicate PINE registration, or indicate non-3GPP device registration.
  • the registration request message may also be a PINE registration request message or a non-3GPP device registration request message, indicating to access the PINE to the core network.
  • the identity of the PINE itself may also indicate that the PINE needs to be connected to the core network.
  • the N5CW indication or the passive IoT indication may also be carried in the NAS message, indicating that the N5CW device or the passive IoT device requests access.
  • the NAS message may also include an indication of requesting access for a terminal that does not support NAS, indicating that a device that does not support NAS requests access when accessing the 5GC through the PEGC.
  • the PEGC can send the above NAS message through the NAS connection between itself and the AMF.
  • the AMF is an AMF serving PEGC.
  • Step 404 After receiving the NAS message of step 403, the AMF triggers the core network's authentication procedure for the PINE.
  • the AMF sends an authentication request to the AUSF, which includes a PIN indication or a non-3GPP indication.
  • the EAP authentication process is executed between the PINE and the Authentication Server Function (AUSF); after successful authentication, the AUSF sends an EAP-Success message to the AMF.
  • Step 405 The AMF sends a NAS message to the PEGC to instruct the PINE to successfully access the core network.
  • the above registration request message may also be other NAS messages, which are not specifically limited here.
  • the PEGC can be replaced by a residential gateway (Residential Gateway, RG), and the PINE can also be replaced by other non-3GPP devices.
  • the core network is sometimes called the 5G Core network (5GC) or the 5G System (5GS).
  • the access core network may also be referred to as an access communication network.
  • step 404 is optional.
  • step 404 may be replaced by, after receiving the NAS message, the AMF determines not to perform authentication on the PINE according to the instruction to access the PINE to the core network.
  • the PEGC may only obtain the identification information of the PINE, instead of initiating an authentication process for the PINE.
  • the above-mentioned first terminal is PEGC
  • the above-mentioned second terminal is PINE
  • the above-mentioned device authentication method includes:
  • Step 501 A connection is established between PINE and PEGC, and an IP address is obtained.
  • the PINE associates or connects to the WLAN of the PEGC, and obtains an IP address from the WLAN of the PEGC.
  • the PINE may use a DHCP request or other messages to request to obtain an IP address, which is not specifically limited in this embodiment of the present application.
  • the PEGC may first authenticate the PINE and then assign an IP address to the PINE. What information is used by the PEGC to authenticate the PINE is not specifically limited in this embodiment of the application.
  • Step 502 PINE establishes IP security association with PEGC.
  • IKE initial messages are exchanged between PINE and PEGC to establish an IP security association.
  • Step 503 PINE sends an IKE_AUTH request message to PEGC.
  • the IKE_AUTH request message includes the identification information of the PINE.
  • for the identification information of the PINE, refer to the description in step 402.
  • the PINE sends an IKE_AUTH request message to the PEGC, which does not carry the AUTH parameter, indicating that EAP authentication is required.
  • PEGC sends IKE_AUTH response message to PINE, which includes EAP request message.
  • the PINE sends an IKE_AUTH request message to the PEGC, which includes an EAP response message, including the identification information of the PINE.
  • Step 504 The PEGC sends a NAS message to the AMF to connect the PINE to the core network.
  • for details of this step, refer to the description of step 403 in the foregoing embodiment.
  • Step 505 After receiving the NAS message, the AMF triggers the core network's authentication procedure for the PINE.
  • this step can refer to the description of step 404 above, the difference being that the PINE and the PEGC use IKE messages to carry the interaction information of the authentication procedure.
  • Step 506 The AMF sends a NAS message to the PEGC to indicate that the PINE has successfully accessed the core network.
  • the registration request message in this embodiment may also be replaced with other NAS messages, which is not specifically limited in this embodiment.
  • step 505 is optional.
  • step 505 may be replaced by: after receiving the NAS message, the AMF determines not to perform authentication on the PINE according to the instruction to access the PINE to the core network.
  • the above-mentioned first terminal is PEGC
  • the above-mentioned second terminal is PINE
  • the above-mentioned device authentication method includes:
  • Step 601 An L2 connection is established between PINE and PEGC.
  • Step 602 The PEGC initiates an authentication process to obtain the identification information of the PINE.
  • for steps 601 and 602, refer to the description of steps 401 and 402, which is not repeated here.
  • Step 603 The PEGC sends a NAS message to the AMF to connect the PINE to the core network.
  • the NAS message includes at least one of the registration type, the identifier of the PEGC, and the identifier of the PINE.
  • the registration type may indicate PINE registration, or indicate non-3GPP device registration.
  • the NAS message may also be a PINE registration request message or a non-3GPP device registration request message.
  • the identity of the PINE itself may also indicate that the PINE needs to be connected to the core network.
  • the N5CW indication or the passive IoT indication may also be carried in the NAS message, indicating that the N5CW device or the passive IoT device requests access.
  • the NAS message may also include an indication of requesting access for a terminal that does not support NAS, indicating that a device that does not support NAS requests access when accessing the 5GC through the PEGC.
  • the NAS message includes an N1 session management (Session Management, SM) message, which is used to instruct the SMF to connect the PINE to the core network.
  • the N1 SM message can be a PDU session establishment request message or other N1 SM messages.
  • At least one of the PEGC identifier and the PINE identifier may be included in the N1 SM message.
  • the PEGC can send the above NAS message through the NAS connection between itself and the AMF. The AMF is the AMF serving the PEGC.
  • Step 604 The AMF sends an N11 message to the SMF to connect the PINE to the core network.
  • the N11 message includes at least one of the registration type, the ID of the PEGC, and the ID of the PINE.
  • the AMF sends the N1 SM message to the SMF.
  • the N11 message may be a PINE session establishment request message.
  • the N11 message in this step may also indicate establishing a session channel or allocating network resources for PINE.
  • Step 605 The SMF sends a response message of the N11 message to the AMF, so as to trigger the authentication procedure for the PINE.
  • the PINE identifier may be included in the response message of the N11 message.
  • the identifier of the PEGC may also be included.
  • the SMF may be a session management network element serving the PEGC. It can determine that the PINE needs to be authenticated according to the PEGC's subscription and the operator's policy.
  • the response message of the N11 message may be a PINE authentication request message.
  • Step 606 The AMF triggers the core network to authenticate the PINE.
  • for step 606, refer to the description of step 404.
  • Step 607 AMF sends N11 message to SMF, indicating PINE authentication is successful.
  • the N11 message may be a PINE authentication response message.
  • steps 605 to 607 are optional steps.
  • the SMF sends an N11 message to the AMF, indicating that the PINE session is established successfully.
  • the N11 message may be a PINE session establishment response message.
  • the AMF sends a NAS message to the PEGC, indicating that the PINE access is successful.
  • the NAS message may be a PINE registration or a non-3GPP device registration request message.
  • the SMF allocates user plane resources or session resources to the PINE.
  • a NAS message in step 603 can simultaneously trigger authentication and session establishment, saving network resources.
  • PINE successfully connected to 5GC. It can also be considered that the session channel of the PINE is established or the network has successfully allocated resources for the PINE.
  • step 605 may be replaced by, after receiving the N11 message, the SMF determines not to perform authentication on the PINE according to the instruction to access the PINE to the core network.
  • step 606 may be replaced by, after receiving the response message of the N11 message, the AMF determines not to perform authentication on the PINE according to the identifier of the PINE and/or the identifier of the PEGC.
  • the PEGC in step 602 may also just obtain the identification information of the PINE, rather than initiating an authentication process for the PINE.
  • the above-mentioned first terminal is PEGC
  • the above-mentioned second terminal is PINE
  • the above-mentioned device authentication method includes:
  • Step 701 A connection is established between PINE and PEGC, and an IP address is obtained.
  • for details of this step, refer to the description of step 501.
  • Step 702 PINE establishes IP security association with PEGC.
  • IKE initial messages are exchanged between PINE and PEGC to establish an IP security association.
  • Step 703 PINE sends an IKE_AUTH request message to PEGC.
  • for details of this step, refer to the description of step 503.
  • Step 704 The PEGC sends a NAS message to the AMF to connect the PINE to the core network.
  • Step 705 The AMF sends an N11 message to the SMF to connect the PINE to the core network.
  • Step 706 The SMF sends a response message of the N11 message to the AMF to trigger the authentication procedure for the PINE.
  • Step 707 The AMF triggers the core network to authenticate the PINE.
  • Step 708 The AMF sends an N11 message to the SMF, indicating that the PINE authentication is successful.
  • steps 706 to 708 are optional steps.
  • for steps 704 to 708, refer to the description of steps 603 to 607 above.
  • the SMF sends an N11 message to the AMF, indicating that the PINE session is established successfully.
  • the N11 message may be a PINE session establishment response message.
  • the AMF sends a NAS message to the PEGC, indicating that the PINE access is successful.
  • the NAS message may be a PINE registration or a non-3GPP device registration request message.
  • the SMF allocates user plane resources or session resources to the PINE.
  • a single NAS message in step 704 can simultaneously trigger authentication and session establishment, saving network resources.
  • PINE successfully connected to 5GC. It can also be considered that the session channel of the PINE is established or the network has successfully allocated resources for the PINE.
  • the 3GPP terminal device assists the non-3GPP device in accessing the 5G core network for authentication, so that communication security is guaranteed in the scenario where a non-3GPP device accesses the communication network through a personal IoT network or a home network.
  • step 706 may be replaced by, after receiving the N11 message, the SMF determines not to perform authentication on the PINE according to the instruction to access the PINE to the core network.
  • step 707 may be replaced by, after receiving the response message of the N11 message, the AMF determines not to perform authentication on the PINE according to the identifier of the PINE and/or the identifier of the PEGC.
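The two procedures described above, the AMF-triggered registration path (steps 403 to 405 and 504 to 506) and the SMF-triggered session path (steps 603 to 607 and 704 to 708), as an added worked example in Python. This is illustrative code written for this page; it is not code from the patent or from any 3GPP implementation. The message field names, the HMAC-SHA256 challenge-response that stands in for the EAP method (which the text leaves unspecified), the per-PEGC subscription table, and the indication that makes the AMF skip authentication are all assumptions made here. It also exercises the failure cases the text does not spell out: an unknown PINE identity and a PINE that presents a valid identity with the wrong credential are both rejected, while a PEGC whose subscription waives PINE authentication gets a session with no EAP exchange.

```python
"""Simulation of PINE access via a PEGC (constructed example).

Path A (registration request, no N1 SM): the AMF itself triggers the
authentication of the PINE with the AUSF, then answers the PEGC.
Path B (N1 SM carried): the AMF sends an N11 message to the SMF; the SMF
decides from the PEGC subscription and operator policy whether the PINE
must be authenticated; the AMF runs the authentication; the SMF allocates
the session.  Field names, the HMAC-based stand-in for EAP and the policy
tables are all assumptions of this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class NasMessage:
    """First message from the PEGC (first terminal) to the AMF (first network element)."""
    registration_type: str                 # "PINE" or "NON_3GPP"
    pegc_id: str
    pine_id: str                           # device id, SUPI, SUCI or GPSI
    n1_sm: Optional[dict] = None           # present => session establishment requested
    indications: Set[str] = field(default_factory=set)  # e.g. {"N5CW"}, {"PASSIVE_IOT"}


class PINE:
    """Non-3GPP device holding a credential shared with the AUSF (assumed)."""
    def __init__(self, pine_id: str, key: bytes):
        self.pine_id, self._key = pine_id, key

    def eap_respond(self, challenge: bytes) -> bytes:
        # EAP response relayed PINE -> PEGC (L2 or IKE_AUTH) -> AMF -> AUSF.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class AUSF:
    """Authentication server with per-PINE credentials (constructed table)."""
    def __init__(self, credentials: Dict[str, bytes]):
        self._creds = credentials

    def eap_authenticate(self, pine_id: str, pine: PINE) -> str:
        key = self._creds.get(pine_id)
        if key is None:                    # unknown identity: fail before any exchange
            return "EAP-Failure"
        challenge = secrets.token_bytes(16)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        ok = hmac.compare_digest(pine.eap_respond(challenge), expected)
        return "EAP-Success" if ok else "EAP-Failure"


class SMF:
    """Session management; the PEGC subscription says whether PINE auth is required."""
    def __init__(self, pine_auth_required: Dict[str, bool]):
        self._policy = pine_auth_required  # pegc_id -> bool (operator policy)
        self.sessions: Dict[str, str] = {}

    def handle_n11(self, msg: NasMessage) -> dict:
        if self._policy.get(msg.pegc_id, True):   # default: authenticate
            return {"type": "PINE_AUTH_REQUEST", "pine_id": msg.pine_id}
        return self.establish(msg)

    def establish(self, msg: NasMessage) -> dict:
        self.sessions[msg.pine_id] = f"pdu-{len(self.sessions) + 1}"
        return {"type": "PINE_SESSION_ESTABLISHMENT_RESPONSE",
                "session": self.sessions[msg.pine_id]}


class AMF:
    def __init__(self, ausf: AUSF, smf: SMF, skip_auth_for: Set[str] = frozenset()):
        self.ausf, self.smf, self.skip_auth_for = ausf, smf, set(skip_auth_for)

    def handle_nas(self, msg: NasMessage, pine: PINE) -> dict:
        if msg.n1_sm is None:
            # Path A: the AMF triggers authentication itself, unless an
            # indication tells it not to (the step 404 alternative).
            if msg.indications & self.skip_auth_for:
                return {"type": "PINE_REGISTRATION_ACCEPT", "authenticated": False}
            if self.ausf.eap_authenticate(msg.pine_id, pine) != "EAP-Success":
                return {"type": "PINE_REGISTRATION_REJECT", "cause": "EAP-Failure"}
            return {"type": "PINE_REGISTRATION_ACCEPT", "authenticated": True}
        # Path B: N11 to the SMF, which may answer with a PINE authentication request.
        reply = self.smf.handle_n11(msg)
        if reply["type"] == "PINE_AUTH_REQUEST":
            if self.ausf.eap_authenticate(reply["pine_id"], pine) != "EAP-Success":
                return {"type": "PINE_REGISTRATION_REJECT", "cause": "EAP-Failure"}
            reply = self.smf.establish(msg)    # auth success reported; session set up
        return {"type": "PINE_ACCESS_ACCEPT", "session": reply["session"]}


def build_network() -> AMF:
    """Constructed core: one enrolled PINE, two PEGCs with different policies."""
    ausf = AUSF({"pine-001": b"shared-key-001"})
    smf = SMF({"pegc-A": True, "pegc-B": False})
    return AMF(ausf, smf, skip_auth_for={"PASSIVE_IOT"})


def run_registration(amf: AMF, pine: PINE, pegc_id: str, indications=()) -> dict:
    msg = NasMessage("PINE", pegc_id, pine.pine_id, None, set(indications))
    return amf.handle_nas(msg, pine)


def run_session(amf: AMF, pine: PINE, pegc_id: str) -> dict:
    n1_sm = {"type": "PDU_SESSION_ESTABLISHMENT_REQUEST", "pine_id": pine.pine_id}
    return amf.handle_nas(NasMessage("PINE", pegc_id, pine.pine_id, n1_sm), pine)


if __name__ == "__main__":
    amf = build_network()
    good, impostor = PINE("pine-001", b"shared-key-001"), PINE("pine-001", b"guess")
    print(run_registration(amf, good, "pegc-A"))       # accepted, authenticated
    print(run_registration(amf, impostor, "pegc-A"))   # rejected: wrong credential
    print(run_session(amf, good, "pegc-A"))            # SMF requests auth, then pdu-1
```

The two acceptances with no EAP exchange (the skip indication on path A, and a PEGC subscription with PINE authentication waived on path B) are the points where the core network is trusting the PEGC's own check from step 402 or 501; an operator enabling either alternative should be deliberate about what that PEGC-side authentication actually verified.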
  • the device authentication method provided in the embodiment of the present application may be executed by a device authentication device.
  • the device authentication method performed by the device authentication device is taken as an example to illustrate the device authentication device provided in the embodiment of the present application.
  • the embodiment of the present application provides a device authentication device 800, which is applied to the first terminal, and the device includes:
  • the first acquiring module 801 is configured to acquire the identification information of the second terminal;
  • the first sending module 802 is configured to send a first message to a first network element, where the first message includes the identification information of the second terminal and is used to trigger an authentication process for the second terminal.
  • the first message indicates that the second terminal requests to access the first network element, or the first message requests to establish a session for the second terminal.
  • the first sending module is configured to send the first message through a non-access stratum NAS connection between the first terminal and the first network element.
  • the first message further includes at least one of the following:
  • non-3GPP device indication information;
  • personal Internet of Things indication information.
  • the non-3GPP device indication information is non-3GPP device registration type information.
  • the personal Internet of Things indication information is registration type information of a personal Internet of Things element (PINE).
  • the identification information of the second terminal includes at least one of the following:
  • the device identifier of the second terminal;
  • the subscription permanent identifier (SUPI) of the second terminal;
  • the subscription concealed identifier (SUCI) of the second terminal;
  • the generic public subscription identifier (GPSI) of the second terminal.
  • the first network element is a mobility management network element or a session management network element.
  • the first terminal is a personal Internet of Things gateway.
  • the second terminal is a non-3GPP device or a personal Internet of Things device.
  • the first terminal obtains the identification information of the second terminal and sends a first message containing that identification information to the first network element, and the first message triggers an authentication process for the second terminal. The second terminal (a non-3GPP terminal) is thus authenticated by the core network with the assistance of the first terminal (a 3GPP terminal), which effectively guarantees the security of communication.
  • the device authentication apparatus in the embodiment of the present application may be an electronic device, such as an electronic device with an operating system, or a component in the electronic device, such as an integrated circuit or a chip.
  • the electronic device may be a terminal, or other devices other than the terminal.
  • the terminal may include, but not limited to, the types of terminal 11 listed above, and other devices may be servers, Network Attached Storage (NAS), etc., which are not specifically limited in this embodiment of the present application.
  • the device authentication device provided by the embodiment of the present application can realize each process realized by the method embodiment in FIG. 2 and achieve the same technical effect. To avoid repetition, details are not repeated here.
  • this embodiment of the present application also provides a communication device 900, including a processor 901 and a memory 902, where the memory 902 stores programs or instructions that can run on the processor 901. When the communication device 900 is a terminal and the program or instruction is executed by the processor 901, each step of the above embodiment of the device authentication method applied to the first terminal is implemented, and the same technical effect can be achieved.
  • when the communication device 900 is a network-side device (such as the first network element) and the program or instruction is executed by the processor 901, each step of the above embodiment of the device authentication method applied to the first network element is implemented, and the same technical effect can be achieved; to avoid repetition, details are not repeated here.
  • the embodiment of the present application also provides a terminal, including a processor and a communication interface; the processor is used to obtain the identification information of the second terminal, and the communication interface is used to send a first message to the first network element, where the first message includes the identification information of the second terminal and is used to trigger an authentication process for the second terminal.
  • This terminal embodiment corresponds to the above-mentioned terminal-side method embodiment, and each implementation process and implementation mode of the above-mentioned method embodiment can be applied to this terminal embodiment, and can achieve the same technical effect.
  • FIG. 10 is a schematic diagram of a hardware structure of a terminal implementing an embodiment of the present application.
  • the terminal 1000 includes, but is not limited to, at least some of the following components: a radio frequency unit 1001, a network module 1002, an audio output unit 1003, an input unit 1004, a sensor 1005, a display unit 1006, a user input unit 1007, an interface unit 1008, a memory 1009, and a processor 1010.
  • the terminal 1000 can also include a power supply (such as a battery) for supplying power to the various components; the power supply can be logically connected to the processor 1010 through a power management system, so that charging, discharging, power-consumption management and other functions are handled by the power management system.
  • the terminal structure shown in FIG. 10 does not constitute a limitation on the terminal, and the terminal may include more or fewer components than shown in the figure, or combine certain components, or arrange different components, which will not be repeated here.
  • the input unit 1004 may include a graphics processing unit (Graphics Processing Unit, GPU) 10041 and a microphone 10042; the graphics processor 10041 processes image data of still pictures or video obtained by an image capture device (such as a camera).
  • the display unit 1006 may include a display panel 10061, and the display panel 10061 may be configured in the form of a liquid crystal display, an organic light emitting diode, or the like.
  • the user input unit 1007 includes at least one of a touch panel 10071 and other input devices 10072 .
  • the touch panel 10071 is also called a touch screen.
  • the touch panel 10071 may include two parts, a touch detection device and a touch controller.
  • Other input devices 10072 may include, but are not limited to, physical keyboards, function keys (such as volume control buttons, switch buttons, etc.), trackballs, mice, and joysticks, which will not be repeated here.
  • after the radio frequency unit 1001 receives downlink data from the network-side equipment, it can transmit the data to the processor 1010 for processing; in addition, the radio frequency unit 1001 may send uplink data to the network-side device.
  • the radio frequency unit 1001 includes, but is not limited to, an antenna, an amplifier, a transceiver, a coupler, a low noise amplifier, a duplexer, and the like.
  • the memory 1009 can be used to store software programs or instructions as well as various data.
  • the memory 1009 may mainly include a first storage area for storing programs or instructions and a second storage area for storing data, wherein the first storage area may store an operating system, an application program or instructions required by at least one function (such as a sound playing function, image playback function, etc.), etc.
  • memory 1009 may include volatile memory or nonvolatile memory, or, memory 1009 may include both volatile and nonvolatile memory.
  • the non-volatile memory can be read-only memory (Read-Only Memory, ROM), programmable read-only memory (Programmable ROM, PROM), erasable programmable read-only memory (Erasable PROM, EPROM), electrically erasable programmable read-only memory (Electrically EPROM, EEPROM), or flash memory.
  • volatile memory can be random access memory (Random Access Memory, RAM), static RAM (Static RAM, SRAM), dynamic RAM (Dynamic RAM, DRAM), synchronous DRAM (Synchronous DRAM, SDRAM), double data rate SDRAM (Double Data Rate SDRAM, DDR SDRAM), enhanced SDRAM (Enhanced SDRAM, ESDRAM), synchlink DRAM (Synchlink DRAM, SLDRAM), or direct Rambus RAM (Direct Rambus RAM, DRRAM).
  • the processor 1010 may include one or more processing units; optionally, the processor 1010 integrates an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, and application programs, and the modem processor (such as a baseband processor) mainly handles wireless communication signals. It can be understood that the modem processor may also not be integrated into the processor 1010.
  • the processor 1010 is configured to acquire identification information of the second terminal
  • the radio frequency unit 1001 is configured to send a first message to a first network element, where the first message includes the identification information of the second terminal and is used to trigger an authentication process for the second terminal.
  • the first message indicates that the second terminal requests to access the first network element, or the first message requests to establish a session for the second terminal.
  • the radio frequency unit 1001 is configured to send the first message through a non-access stratum NAS connection between the first terminal and the first network element.
  • the first message further includes at least one of the following:
  • non-3GPP device indication information;
  • personal Internet of Things indication information.
  • the non-3GPP device indication information is non-3GPP device registration type information.
  • the personal Internet of Things indication information is registration type information of a personal Internet of Things element (PINE).
  • the identification information of the second terminal includes at least one of the following:
  • the device identifier of the second terminal;
  • the subscription permanent identifier (SUPI) of the second terminal;
  • the subscription concealed identifier (SUCI) of the second terminal;
  • the generic public subscription identifier (GPSI) of the second terminal.
  • the first network element is a mobility management network element or a session management network element.
  • the first terminal is a personal Internet of Things gateway.
  • the second terminal is a non-3GPP device or a personal Internet of Things device.
  • the first terminal obtains the identification information of the second terminal and sends a first message containing that identification information to the first network element, and the first message triggers an authentication process for the second terminal. The second terminal (a non-3GPP terminal) is thus authenticated by the core network with the assistance of the first terminal (a 3GPP terminal), which effectively guarantees the security of communication.
  • the embodiment of the present application also provides a device authentication apparatus 1100, including:
  • the first receiving module 1101 is configured to receive a first message sent by a first terminal, the first message including identification information of the second terminal;
  • the processing module 1102 is configured to trigger an authentication procedure for the second terminal according to the first message.
  • the first message indicates that the second terminal requests to access the first network element, or the first message requests to establish a session for the second terminal.
  • the first receiving module is configured to receive the first message through a NAS connection between the first terminal and the first network element.
  • the first message further includes at least one of the following:
  • non-3GPP device indication information;
  • personal Internet of Things indication information.
  • the non-3GPP device indication information is non-3GPP device registration type information.
  • the personal Internet of Things indication information is registration type information of a personal Internet of Things element (PINE).
  • the identification information of the second terminal includes at least one of the following:
  • the device identifier of the second terminal;
  • the subscription permanent identifier (SUPI) of the second terminal;
  • the subscription concealed identifier (SUCI) of the second terminal;
  • the generic public subscription identifier (GPSI) of the second terminal.
  • the processing module is configured to send a second message to a second network element according to the first message, where the second message is used to request authentication of the second terminal.
  • when the first network element is a mobility management network element, the second network element is an authentication server network element;
  • when the first network element is a session management network element, the second network element is a mobility management network element.
  • the first terminal is a personal Internet of Things gateway.
  • the second terminal is a non-3GPP device or a personal Internet of Things device.
  • the first terminal obtains the identification information of the second terminal and sends a first message containing that identification information to the first network element, and the first message triggers an authentication process for the second terminal. The second terminal (a non-3GPP terminal) is thus authenticated by the core network with the assistance of the first terminal (a 3GPP terminal), which effectively guarantees the security of communication.
  • the embodiment of the present application also provides a network-side device (that is, the above-mentioned first network element), including a processor and a communication interface, where the communication interface is used to receive a first message sent by the first terminal, the first message includes the identification information of the second terminal, and the processor is configured to trigger an authentication procedure for the second terminal according to the first message.
  • the network-side device embodiment corresponds to the above-mentioned network-side device method embodiment, and each implementation process and implementation mode of the above-mentioned method embodiment can be applied to this network-side device embodiment, and can achieve the same technical effect.
  • the embodiment of the present application further provides a network side device (the above-mentioned first network element).
  • the network side device 1300 includes: a processor 1301 , a network interface 1302 and a memory 1303 .
  • the network interface 1302 is, for example, a common public radio interface (common public radio interface, CPRI).
  • the network-side device 1300 in this embodiment further includes instructions or programs stored in the memory 1303 and executable on the processor 1301; the processor 1301 invokes the instructions or programs in the memory 1303 to execute the method performed by each of the modules shown in the corresponding figure, and achieves the same technical effect, so to avoid repetition it is not repeated here.
  • the embodiment of the present application also provides a readable storage medium that stores a program or instruction; when the program or instruction is executed by a processor, each process of the above embodiment of the device authentication method is implemented, and the same technical effect can be achieved; to avoid repetition, details are not repeated here.
  • the processor is the processor in the terminal described in the foregoing embodiments.
  • the readable storage medium includes a computer-readable storage medium, such as a computer read-only memory ROM, a random access memory RAM, a magnetic disk or an optical disk, and the like.
  • the embodiment of the present application further provides a chip, which includes a processor and a communication interface coupled to the processor; the processor is used to run programs or instructions to implement the processes of the above device authentication method embodiments, and can achieve the same technical effect. To avoid repetition, details are not repeated here.
  • the chip mentioned in the embodiment of the present application may also be called a system-level chip, a system chip, a chip system, or a system-on-chip.
  • An embodiment of the present application further provides a computer program product, the computer program product is stored in a storage medium, and the computer program product is executed by at least one processor to implement the various processes in the above embodiments of the device authentication method, and The same technical effect can be achieved, so in order to avoid repetition, details will not be repeated here.
  • the embodiment of the present application also provides a device authentication system, including: a terminal and a network-side device, the terminal can be used to perform the steps of the above-mentioned device authentication method applied to the first terminal, and the network-side device It can be used to execute the steps of the device authentication method applied to the first network element as described above.
  • the terms “comprising”, “including”, or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus comprising a set of elements includes not only those elements but also other elements not expressly listed, or elements inherent in the process, method, article, or apparatus. Without further limitation, an element defined by the phrase “comprising a ...” does not preclude the presence of additional identical elements in the process, method, article, or apparatus comprising that element.
  • the scope of the methods and devices in the embodiments of the present application is not limited to performing functions in the order shown or discussed; functions may also be performed in a substantially simultaneous manner or in reverse order according to the functions involved. For example, the described methods may be performed in an order different from that described, and various steps may also be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.
  • the methods of the above embodiments can be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation.
  • the technical solution of the present application can be embodied in the form of a computer software product stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disk), including several instructions to make a terminal (which can be a mobile phone, a computer, a server, an air conditioner, or network equipment, etc.) execute the methods described in the various embodiments of the present application.

Abstract

The present application belongs to the technical field of communications. Disclosed are device authentication methods, an apparatus and a communication device. A device authentication method in an embodiment of the present application comprises: a first terminal acquires identification information of a second terminal; and the first terminal sends a first message to a first network element, the first message comprising the identification information of the second terminal, and the first message being used for triggering an authentication process for the second terminal.

Description

Device authentication method, apparatus and communication device
Cross-reference to related applications
This application claims priority to Chinese Patent Application No. 202210102685.5, filed in China on January 27, 2022, the entire contents of which are incorporated herein by reference.
Technical field
The present application belongs to the technical field of communications, and in particular relates to a device authentication method, apparatus and communication device.
Background
In the related art, a mobile phone can open a WiFi hotspot for other devices, for example so that a notebook computer can access the Internet through the phone. But the notebook is a non-3GPP (3rd Generation Partnership Project) device: the communication network does not know that the notebook is online, and therefore cannot verify whether the notebook is legitimate. If a rogue device accesses the network through the phone, the security of the communication between the phone and the network is at risk. The related art does not describe how a non-3GPP device accesses the core network through a 3GPP device. In personal IoT and fixed-mobile convergence scenarios, how to let non-3GPP devices access the core network securely is a problem that urgently needs to be solved.
Summary of the invention
Embodiments of the present application provide a device authentication method, apparatus and communication device that can solve the problem of how to allow non-3GPP devices to access the core network securely.
In a first aspect, a device authentication method is provided, including:
a first terminal acquiring identification information of a second terminal;
the first terminal sending a first message to a first network element, where the first message includes the identification information of the second terminal and is used to trigger an authentication procedure for the second terminal.
In a second aspect, a device authentication method is provided, including:
a first network element receiving a first message sent by a first terminal, where the first message includes identification information of a second terminal;
the first network element triggering an authentication procedure for the second terminal according to the first message.
In a third aspect, a device authentication apparatus is provided, including:
a first acquiring module, configured to acquire identification information of a second terminal;
a first sending module, configured to send a first message to a first network element, where the first message includes the identification information of the second terminal and is used to trigger an authentication procedure for the second terminal.
In a fourth aspect, a device authentication apparatus is provided, including:
a first receiving module, configured to receive a first message sent by a first terminal, where the first message includes identification information of a second terminal;
a processing module, configured to trigger an authentication procedure for the second terminal according to the first message.
In a fifth aspect, a terminal is provided, including a processor and a memory, the memory storing a program or instructions executable on the processor which, when executed by the processor, implement the steps of the method of the first aspect.
In a sixth aspect, a terminal is provided, including a processor and a communication interface, where the processor is configured to acquire identification information of a second terminal and the communication interface is configured to send a first message to a first network element, the first message including the identification information of the second terminal and being used to trigger an authentication procedure for the second terminal.
In a seventh aspect, a network-side device is provided, including a processor and a memory, the memory storing a program or instructions executable on the processor which, when executed by the processor, implement the steps of the method of the second aspect.
In an eighth aspect, a network-side device is provided, including a processor and a communication interface, where the communication interface is configured to receive a first message sent by a first terminal, the first message including identification information of a second terminal, and the processor is configured to trigger an authentication procedure for the second terminal according to the first message.
In a ninth aspect, a device authentication system is provided, including a terminal and a network-side device, where the terminal can be used to perform the steps of the device authentication method of the first aspect and the network-side device can be used to perform the steps of the device authentication method of the second aspect.
In a tenth aspect, a readable storage medium is provided, storing a program or instructions which, when executed by a processor, implement the steps of the method of the first aspect or the steps of the method of the second aspect.
In an eleventh aspect, a chip is provided, including a processor and a communication interface coupled to the processor, the processor being configured to run a program or instructions to implement the method of the first aspect or the method of the second aspect.
In a twelfth aspect, a computer program product is provided, stored in a storage medium and executed by at least one processor to implement the steps of the method of the first aspect or the method of the second aspect.
In the embodiments of the present application, the first terminal acquires the identification information of the second terminal and sends a first message containing that identification information to the first network element; the first message triggers an authentication procedure for the second terminal. The first terminal (a 3GPP terminal) thereby assists the second terminal (a non-3GPP terminal) in accessing the core network and being authenticated, which effectively safeguards communication security in scenarios where a non-3GPP device accesses the communication network through a personal IoT network or a home network.
Brief description of the drawings
FIG. 1 is a structural diagram of a communication system to which embodiments of the present application can be applied;
FIG. 2 is a first schematic flowchart of a device authentication method according to an embodiment of the present application;
FIG. 3 is a second schematic flowchart of a device authentication method according to an embodiment of the present application;
FIG. 4 is a first interaction diagram of a device authentication method according to an embodiment of the present application;
FIG. 5 is a second interaction diagram of a device authentication method according to an embodiment of the present application;
FIG. 6 is a third interaction diagram of a device authentication method according to an embodiment of the present application;
FIG. 7 is a fourth interaction diagram of a device authentication method according to an embodiment of the present application;
FIG. 8 is a first schematic module diagram of a device authentication apparatus according to an embodiment of the present application;
FIG. 9 is a structural block diagram of a communication device according to an embodiment of the present application;
FIG. 10 is a structural block diagram of a terminal according to an embodiment of the present application;
FIG. 11 is a second schematic module diagram of a device authentication apparatus according to an embodiment of the present application;
FIG. 12 is a structural block diagram of a network-side device according to an embodiment of the present application.
Detailed description of embodiments
The technical solutions in the embodiments of the present application will be described clearly below with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present application. All other embodiments obtained by persons of ordinary skill in the art based on the embodiments of the present application fall within the protection scope of the present application.
The terms "first", "second" and so on in the description and claims of the present application are used to distinguish similar objects, not to describe a particular order or sequence. It should be understood that terms so used are interchangeable where appropriate, so that the embodiments of the present application can be practised in orders other than those illustrated or described here. Objects distinguished as "first" and "second" are usually of one category, and their number is not limited; for example, there may be one or several first objects. In addition, "and/or" in the description and claims means at least one of the connected objects, and the character "/" generally means that the objects before and after it are in an "or" relationship.
It should be noted that the technology described in the embodiments of the present application is not limited to Long Term Evolution (LTE)/LTE-Advanced (LTE-A) systems, and can also be used in other wireless communication systems such as Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Orthogonal Frequency Division Multiple Access (OFDMA), Single-carrier Frequency Division Multiple Access (SC-FDMA) and other systems. The terms "system" and "network" are often used interchangeably in the embodiments of the present application; the described technology can be used for the systems and radio technologies mentioned above as well as for other systems and radio technologies. The following description uses a New Radio (NR) system as an example and mostly uses NR terminology, but these techniques can also be applied outside NR, for example to 6th Generation (6G) communication systems.
FIG. 1 shows a block diagram of a wireless communication system to which embodiments of the present application can be applied. The wireless communication system includes a terminal 11 and a network-side device 12. The terminal 11 may be a mobile phone, a tablet personal computer, a laptop computer (also called a notebook computer), a personal digital assistant (PDA), a palmtop computer, a netbook, an ultra-mobile personal computer (UMPC), a mobile Internet device (MID), an augmented reality (AR)/virtual reality (VR) device, a robot, a wearable device, vehicle user equipment (VUE), pedestrian user equipment (PUE), a smart home device (a home device with wireless communication capability, such as a refrigerator, television, washing machine or piece of furniture), a game console, a personal computer (PC), a teller machine, a self-service machine or another terminal-side device; wearable devices include smart watches, smart bracelets, smart earphones, smart glasses, smart jewellery (smart bangles, smart bracelets, smart rings, smart necklaces, smart anklets, smart ankle chains and so on), smart wristbands, smart clothing and so on. Note that the embodiments of the present application do not limit the specific type of the terminal 11. The network-side device 12 may include an access network device or a core network device. The access network device 12 may also be called a radio access network device, a radio access network (RAN), a radio access network function or a radio access network unit. The access network device 12 may include a base station, a wireless local area network (WLAN) access point, a WiFi node and so on; the base station may be called a Node B, an evolved Node B (eNB), an access point, a base transceiver station (BTS), a radio base station, a radio transceiver, a basic service set (BSS), an extended service set (ESS), a home Node B, a home evolved Node B, a transmitting receiving point (TRP) or some other suitable term in the field; as long as the same technical effect is achieved, the base station is not limited to specific technical terms. Note that the embodiments of the present application describe a base station in an NR system only as an example and do not limit the specific type of base station. The core network device may include, but is not limited to, at least one of the following: a core network node, a core network function, a Mobility Management Entity (MME), an Access and Mobility Management Function (AMF), a Session Management Function (SMF), a User Plane Function (UPF), a Policy Control Function (PCF), a Policy and Charging Rules Function (PCRF), an Edge Application Server Discovery Function (EASDF), Unified Data Management (UDM), a Unified Data Repository (UDR), a Home Subscriber Server (HSS), Centralized Network Configuration (CNC), a Network Repository Function (NRF), a Network Exposure Function (NEF), a local NEF (L-NEF), a Binding Support Function (BSF), an Application Function (AF) and so on. Note that the embodiments of the present application describe core network devices in an NR system only as an example and do not limit the specific type of core network device. The functions of the above core network devices may be implemented jointly by several devices, or the functions of several core network devices may be implemented by one device; the embodiments of the present application do not limit this. If the functions of several core network devices are implemented by one device, the interactions among those core network devices described in the embodiments of the present application are internal operations of that device.
To help those skilled in the art better understand the embodiments of the present application, the following explanations are given first.
1. Personal IoT Network (PIN).
A PIN is a group consisting of at least one PIN Element (PINE), at least one of which is a User Equipment (UE). PIN elements communicate with one another, either over a direct connection between them or indirectly through a communication network.
A PIN element is a UE or a non-3GPP device. A PIN element may also be a Non-5G-Capable over WLAN (N5CW) device. A non-3GPP device is a device that does not use 3GPP-defined credentials, does not support the 3GPP-defined NAS protocol, or does not support 3GPP access technologies (such as the 3G/4G/5G air interface) and only supports non-3GPP access technologies (such as WiFi, fixed network, Bluetooth and so on). Note that even when a PIN element is a UE, it may run the procedure of a non-3GPP device or an N5CW device when it accesses the communication network through a PEGC, for example by not using the UE's NAS to interact with the communication network; the solutions described in the embodiments of the present application can be used in that case as well.
A PIN may contain one or more PIN Elements with Gateway Capability (PEGC). PIN elements within the PIN can communicate with each other directly or through the PEGC, and PIN elements can communicate with devices or application servers outside the PIN through the PEGC. The PEGC may be a gateway in a smart home scenario or a mobile phone in a wearable device scenario.
2. Wireline Wireless Convergence (WWC).
The current 3GPP 5G core network supports fixed network access, including a Residential Gateway (RG) accessing the 5G core network through a fixed network or a 3GPP network, and 3GPP terminal devices accessing the 5G core network through a residential gateway.
The device authentication method provided by the embodiments of the present application is described in detail below through several embodiments and application scenarios, with reference to the accompanying drawings.
As shown in FIG. 2, an embodiment of the present application provides a device authentication method, including:
Step 201: a first terminal acquires identification information of a second terminal.
In the embodiments of the present application, the first terminal is a personal IoT gateway, and the second terminal is a device that cannot use the NAS protocol. In one optional implementation, the second terminal is a non-3GPP device or a personal IoT device; in another optional implementation, the second terminal is a 3GPP device, but the connection between the second terminal and the first terminal does not support transport of the NAS protocol.
Optionally, the first terminal may also be a home gateway. The connection between the first terminal and the second terminal may be established over WiFi, Bluetooth or passive IoT (Passive IoT) technology. Note that when the first terminal and the second terminal connect over passive IoT, the second terminal may be a 3GPP device or a non-3GPP device, and the passive IoT technology may be a 3GPP access technology or a non-3GPP access technology.
Step 202: the first terminal sends a first message to a first network element, where the first message includes the identification information of the second terminal and is used to trigger an authentication procedure for the second terminal.
The first network element is a mobility management network element or a session management network element; for example, the mobility management network element is an Access and Mobility Management Function (AMF) and the session management network element is a Session Management Function (SMF).
In the embodiments of the present application, the first terminal acquires the identification information of the second terminal and sends a first message containing that identification information to the first network element; the first message triggers an authentication procedure for the second terminal. The first terminal (a 3GPP terminal) thereby assists the second terminal (a non-3GPP terminal) in accessing the core network and being authenticated, which effectively safeguards communication security in scenarios where a non-3GPP device accesses the communication network through a personal IoT network or a home network.
Optionally, the first message indicates that the second terminal requests access to the first network element, or the first message requests that a session be established for the second terminal.
Optionally, the first terminal sending the first message to the first network element includes:
the first terminal sending the first message over the Non-Access Stratum (NAS) connection between the first terminal and the first network element.
Optionally, the first message further includes at least one of the following:
identification information of the first terminal;
a non-3GPP device indication;
an N5CW indication;
an indication that access is requested for a terminal that does not support NAS;
a personal IoT network indication;
a passive IoT indication.
Optionally, the non-3GPP device indication is non-3GPP device registration type information.
Optionally, the personal IoT network indication is PIN element (PINE) registration type information.
Optionally, the identification information of the second terminal includes at least one of the following:
the Medium Access Control (MAC) address of the second terminal;
the device identifier of the second terminal;
the International Mobile Subscriber Identity (IMSI) of the second terminal;
the Subscription Permanent Identifier (SUPI) of the second terminal;
the Subscription Concealed Identifier (SUCI) of the second terminal;
the Generic Public Subscription Identifier (GPSI) of the second terminal.
In a first optional implementation, the first terminal acquiring the identification information of the second terminal includes:
the first terminal acquiring the identification information of the second terminal while establishing a connection (for example an L2 connection) with the second terminal.
Alternatively, the first terminal acquires the identification information of the second terminal through an authentication procedure it runs with the second terminal. Optionally, the second terminal is associated with or connected to the Wireless Local Area Network (WLAN) of the first terminal. For example, the first terminal and the second terminal use an EAP authentication procedure.
For example, the authentication procedure may specifically include:
the first terminal sends an EAP-Request/Identity message to the second terminal, and the second terminal replies with an EAP-Response/Identity message that contains the identification information of the second terminal. The identification information may be carried in a Network Access Identifier (NAI). Optionally, the second terminal may indicate that it does not support accessing the core network via NAS, or that it wishes to access the core network without NAS; for example, the NAI may contain the field 5gc-nn, meaning that the device does not support NAS access to 5GC or wishes to access 5GC without NAS.
The identification information of the second terminal may be used to identify the second terminal within the PIN or within the 5G system.
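The two ways of learning the second terminal's identity described above (from the L2 association, or from the EAP-Response/Identity carrying a NAI) and the first message of step 202 with its indications, modelled in Python as an added example; this is not code from the patent application or its applicant. It assumes the RFC 3748 EAP packet layout and the RFC 7542 NAI form (username@realm). The field names of the first message, the identity pegc-01, the NAI pine-7f3a@5gc-nn.example.org and the MAC address are constructed for illustration, and the 5gc-nn check simply looks for that label in the NAI realm, which is one reading of the text above.

```python
"""Added example (not code from the patent application or its applicant).

Models the PEGC ('first terminal') side of steps 201-202: it learns the identity
of an attached device ('second terminal') either from the L2 association (its
MAC address) or from the EAP-Response/Identity the device returns, then builds
the 'first message' it sends to the AMF over its own NAS connection. The field
names of the first message, the '5gc-nn' realm label and all identities are
assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import asdict, dataclass

EAP_CODE_RESPONSE = 2      # RFC 3748 Code: Response
EAP_TYPE_IDENTITY = 1      # RFC 3748 Type: Identity
NO_NAS_LABEL = "5gc-nn"    # realm label meaning "no NAS towards 5GC" (assumed form)
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def build_eap_identity_response(identifier: int, identity: str) -> bytes:
    """Encode an EAP-Response/Identity; used only to construct sample input."""
    data = identity.encode("utf-8")
    header = bytes([EAP_CODE_RESPONSE, identifier]) + (5 + len(data)).to_bytes(2, "big")
    return header + bytes([EAP_TYPE_IDENTITY]) + data


def parse_eap_identity_response(pkt: bytes) -> str:
    """Validate an EAP-Response/Identity and return the identity it carries.

    Layout (RFC 3748): Code(1) Identifier(1) Length(2) Type(1) Type-Data(*).
    The Length field is checked against the real size so that a truncated or
    padded packet from the device is rejected rather than partially trusted.
    """
    if len(pkt) < 5:
        raise ValueError("EAP packet too short")
    code, length, eap_type = pkt[0], int.from_bytes(pkt[2:4], "big"), pkt[4]
    if length != len(pkt):
        raise ValueError("EAP Length does not match packet size")
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    identity = pkt[5:].decode("utf-8")
    if not identity or any(ch.isspace() for ch in identity):
        raise ValueError("malformed identity")
    return identity


def split_nai(nai: str) -> tuple[str, str]:
    """RFC 7542 NAI 'username@realm'; an identity without a realm is rejected."""
    user, sep, realm = nai.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError("identity is not a NAI")
    return user, realm.lower()


@dataclass(frozen=True)
class FirstMessage:
    """The 'first message' PEGC -> AMF. Field names are assumed, not from 3GPP."""
    pegc_id: str            # identification information of the first terminal
    pine_id: str            # identification information of the second terminal
    pine_id_type: str       # "mac" or "nai"
    non_3gpp_device: bool   # non-3GPP device indication
    nas_unsupported: bool   # access requested for a terminal that has no NAS
    pin: bool               # personal IoT network indication
    purpose: str            # "access" (request access) or "session" (create session)

    def nas_payload(self) -> dict:
        """What the PEGC carries in its own NAS message towards the AMF."""
        return asdict(self)


def first_message_from_mac(pegc_id: str, mac: str, purpose: str = "access") -> FirstMessage:
    """Case 1: the identity was learned while the L2 (WiFi/Bluetooth) link came up."""
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address")
    # A MAC address says nothing about NAS support; the scheme targets devices
    # that cannot use NAS, so the indication is set unconditionally here.
    return FirstMessage(pegc_id, mac.lower(), "mac", True, True, True, purpose)


def first_message_from_eap(pegc_id: str, eap_pkt: bytes, purpose: str = "access") -> FirstMessage:
    """Case 2: the identity came from the EAP exchange the PEGC ran with the device."""
    nai = parse_eap_identity_response(eap_pkt)
    _user, realm = split_nai(nai)
    # A '5gc-nn' label in the realm is the device's statement that it cannot or
    # will not use NAS towards 5GC; the PEGC relays that as an indication.
    no_nas = NO_NAS_LABEL in realm.split(".")
    return FirstMessage(pegc_id, nai, "nai", True, no_nas, True, purpose)


if __name__ == "__main__":
    # Constructed sample input: a PIN device whose NAI carries the 5gc-nn label.
    pkt = build_eap_identity_response(7, "pine-7f3a@5gc-nn.example.org")
    print(first_message_from_eap("pegc-01", pkt).nas_payload())
    print(first_message_from_mac("pegc-01", "AA:BB:CC:DD:EE:FF").nas_payload())
```

The Length check in parse_eap_identity_response is the part worth copying: the PEGC is relaying an identity it cannot verify itself, so the least it must do is refuse to forward anything that is not a well-formed EAP-Response/Identity.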
In a second optional implementation, the first terminal acquiring the identification information of the second terminal includes:
the first terminal obtaining a first target request message sent by the second terminal, the first target request message being used to establish a secure connection with the first terminal. For example, the first target request message may be an Internet Key Exchange (IKE) IKE_AUTH request message, and it includes the identification information of the second terminal.
In this implementation, before the first terminal obtains the first target request message from the second terminal, an L2 connection is established between the first terminal and the second terminal, the second terminal obtains an IP address, and the first terminal and the second terminal establish an IPsec Security Association (IPsec SA).
For example, the second terminal associates with or connects to the WLAN of the first terminal and obtains an IP address from that WLAN; the second terminal may request the IP address with a Dynamic Host Configuration Protocol (DHCP) request or another request message.
Optionally, the first terminal may authenticate the second terminal first and only assign it an IP address after authentication.
In this implementation, as one possible embodiment, the second terminal sends a second target request message to the first terminal, which may specifically be an IKE_AUTH request message that does not carry the AUTH parameter, indicating that EAP authentication is required. The first terminal sends a response message, such as an IKE_AUTH response message, that contains an EAP request message. The second terminal then sends an IKE_AUTH request message to the first terminal that contains an EAP response message including the identification information of the second terminal.
本申请实施例中,第一终端获取第二终端的标识信息,并向第一网元发送包含第二终端的标识信息的第一消息,通过该第一消息触发对第二终端的鉴权流程,从而实现通过该第一终端(3GPP终端)辅助第二终端(非3GPP终端)接入核心网进行鉴权的目的,在非3GPP设备通过个人物联网络或家庭网络接入通信网络的场景中,能够有效保障通信的安全性。In the embodiment of the present application, the first terminal obtains the identification information of the second terminal, and sends a first message containing the identification information of the second terminal to the first network element, and triggers an authentication process for the second terminal through the first message , so as to achieve the purpose of assisting the second terminal (non-3GPP terminal) to access the core network through the first terminal (3GPP terminal) to perform authentication. , which can effectively guarantee the security of communication.
As shown in Figure 3, an embodiment of the present application further provides a device authentication method, which includes:
Step 301: A first network element receives a first message sent by a first terminal, where the first message includes identification information of a second terminal.
The first network element is a mobility management network element or a session management network element; for example, the mobility management network element is an Access and Mobility Management Function (AMF), and the session management network element is a Session Management Function (SMF).
Step 302: The first network element triggers an authentication procedure for the second terminal according to the first message.
For example, the first terminal is a personal IoT gateway, and the second terminal is a device that cannot use the NAS protocol. In one optional implementation, the second terminal is a non-3GPP device or a personal IoT device. In another optional implementation, the second terminal is a 3GPP device, but the connection between the second terminal and the first terminal does not support transport of the NAS protocol. The first terminal may also be a home gateway. The connection between the first terminal and the second terminal may be established over WiFi, Bluetooth, passive IoT (Passive IoT) technology, or similar. It is worth noting that when the first terminal and the second terminal are connected through passive IoT, the second terminal may be a 3GPP device or a non-3GPP device, and the passive IoT technology may be a 3GPP access technology or a non-3GPP access technology.
In the embodiment of the present application, the first network element receives the first message sent by the first terminal that contains the identification information of the second terminal, and triggers an authentication procedure for the second terminal based on that message. The first terminal (a 3GPP terminal) thereby assists the second terminal (a non-3GPP terminal) in accessing the core network for authentication, which effectively safeguards the security of communication in scenarios where a non-3GPP device accesses the communication network through a personal IoT network or a home network.
Optionally, the first message indicates that the second terminal requests access to the first network element, or the first message requests that a session be established for the second terminal.
Optionally, the first network element receiving the first message sent by the first terminal includes:
the first network element receiving the first message over the NAS connection between the first terminal and the first network element.
Optionally, the first message further includes at least one of the following:
identification information of the first terminal;
non-3GPP device indication information;
personal IoT indication information;
an N5CW indication;
an indication that access is requested for a terminal that does not support NAS;
passive IoT indication information.
Optionally, the non-3GPP device indication information is non-3GPP device registration type information.
Optionally, the personal IoT indication information is Personal IoT Network Element (PINE) registration type information.
Optionally, the identification information of the second terminal includes at least one of the following:
the Media Access Control (MAC) address of the second terminal;
the device identifier of the second terminal;
the International Mobile Subscriber Identity (IMSI) of the second terminal;
the Subscription Permanent Identifier (SUPI) of the second terminal;
the Subscription Concealed Identifier (SUCI) of the second terminal;
the Generic Public Subscription Identifier (GPSI) of the second terminal.
Optionally, the first network element triggering the authentication procedure for the second terminal according to the first message includes:
the first network element sending a second message to a second network element according to the first message, where the second message is used to request authentication of the second terminal.
Optionally, the first network element is a mobility management network element and the second network element is an authentication server network element;
or, the first network element is a session management network element and the second network element is a mobility management network element.
In an embodiment of the present application, assume that the first terminal is a PEGC and the second terminal is a PINE. As shown in Figure 4, the device authentication method includes:
Step 401: An L2 connection is established between the PINE and the PEGC.
For example, the PINE associates with or connects to the WLAN of the PEGC.
Step 402: The PEGC initiates an authentication procedure to obtain the identification information of the PINE.
The PINE sends its own identification information to the PEGC.
For example, the PEGC and the PINE use an EAP authentication procedure: the PEGC sends an EAP-Req/Identity message to the PINE, and the PINE replies with an EAP-Res/Identity message that includes its own identifier. The identifier of the PINE may be sent in the form of a Network Access Identity (NAI). Optionally, the PINE may indicate that it does not support NAS access to the 5GC, or that it wishes to access the 5GC without NAS; for example, the NAI may include the field 5gc-nn to indicate that the PINE does not support NAS access to the 5GC, or that it wishes to access the 5GC without NAS.
For example, the NAI sent by the PINE may be type1.rid678.schid0.useriduser17@nai.5gc-nn.mnc123.mcc45.3gppnetwork.org.
The identification information of the PINE is used to identify the PINE within the PIN or within the 5G system; it may be, for example, the MAC address of the PINE, the device identifier of the PINE, an IMSI, a SUPI, a SUCI, or a GPSI.
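The NAI the PINE sends in step 402 (and in the first implementation described earlier), parsed into its fields, as an added example that is not code from the application: it splits the username labels type, rid, schid and userid, reads the realm, and treats the realm label 5gc-nn as the "no NAS" indication. The field names, the plain 5gc realm label for a NAS-capable PINE, and the strict label order are assumptions taken from the page's sample NAI.

```python
"""Added example (not the application's own code): parse the NAI a PINE sends in its
EAP-Res/Identity message and read the 5gc-nn realm label as the "no NAS" indication.
Assumptions: username labels are type/rid/schid/userid in the order of the page's
sample NAI, and a NAS-capable PINE would use the plain 5gc realm label instead."""
import re
from dataclasses import dataclass

# Username labels, in the order the page's sample NAI shows them (assumption).
USERNAME_LABELS = ("type", "rid", "schid", "userid")

# Realm: nai.<5gc or 5gc-nn>.mnc<digits>.mcc<digits>.3gppnetwork.org
REALM_RE = re.compile(
    r"^nai\.(?P<core>5gc(?:-nn)?)\.mnc(?P<mnc>\d+)\.mcc(?P<mcc>\d+)\.3gppnetwork\.org$"
)

NO_NAS_LABEL = "5gc-nn"  # realm label the embodiment uses for "cannot / will not use NAS"


@dataclass(frozen=True)
class PineIdentity:
    supi_type: str          # value after "type"
    routing_indicator: str  # value after "rid"
    scheme_id: str          # value after "schid"
    user_id: str            # value after "userid"
    mnc: str
    mcc: str
    nas_supported: bool     # False when the realm carries 5gc-nn


def parse_pine_nai(nai: str) -> PineIdentity:
    """Split an NAI into its fields; raise ValueError on any malformed part."""
    if nai.count("@") != 1:
        raise ValueError("NAI must contain exactly one '@'")
    username, realm = nai.split("@")

    labels = username.split(".")
    if len(labels) != len(USERNAME_LABELS):
        raise ValueError(f"expected {len(USERNAME_LABELS)} username labels, got {len(labels)}")
    values = {}
    for prefix, label in zip(USERNAME_LABELS, labels):
        # Each label is <prefix><value>; the value must not be empty.
        if not label.startswith(prefix) or len(label) == len(prefix):
            raise ValueError(f"expected label '{prefix}<value>', got {label!r}")
        values[prefix] = label[len(prefix):]

    match = REALM_RE.match(realm)
    if match is None:
        raise ValueError(f"unrecognised realm {realm!r}")

    return PineIdentity(
        supi_type=values["type"],
        routing_indicator=values["rid"],
        scheme_id=values["schid"],
        user_id=values["userid"],
        mnc=match["mnc"],
        mcc=match["mcc"],
        nas_supported=match["core"] != NO_NAS_LABEL,
    )


def is_valid_pine_nai(nai: str) -> bool:
    """Accept/reject predicate for callers that do not need the fields."""
    try:
        parse_pine_nai(nai)
    except ValueError:
        return False
    return True


def needs_pegc_assisted_access(nai: str) -> bool:
    """True when the PINE signalled (via 5gc-nn) that it cannot or will not use NAS,
    so the PEGC must carry its identity to the core network on its behalf."""
    return not parse_pine_nai(nai).nas_supported


if __name__ == "__main__":
    sample = "type1.rid678.schid0.useriduser17@nai.5gc-nn.mnc123.mcc45.3gppnetwork.org"
    print(parse_pine_nai(sample))
    print("PEGC-assisted access needed:", needs_pegc_assisted_access(sample))
```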
Step 403: The PEGC sends a NAS message to the AMF indicating that the PINE is to be connected to the core network.
For example, the PEGC sends a registration request message to the AMF that includes at least one of a registration type, the identifier of the PEGC, and the identifier of the PINE. The registration type may indicate PINE registration or non-3GPP device registration. The registration request message may also be a PINE registration request message or a non-3GPP device registration request message, indicating that the PINE is to be connected to the core network. The identifier of the PINE may itself indicate that the PINE needs to be connected to the core network. Alternatively, the NAS message may carry an N5CW indication or a passive IoT indication, indicating that access is requested for an N5CW device or a passive IoT device. Alternatively, the NAS message may include an indication that access is requested for a terminal that does not support NAS, indicating that access is requested for a device that does not support NAS when accessing the 5GC through the PEGC.
The PEGC may send the NAS message over the NAS connection between itself and the AMF. The AMF is the AMF serving the PEGC.
Step 404: After receiving the NAS message of step 403, the AMF triggers the core network's authentication procedure for the PINE.
For example, the AMF sends an authentication request to the AUSF that includes a PIN indication or a non-3GPP indication. An EAP authentication procedure is then executed between the PINE and the Authentication Server Function (AUSF). After successful authentication, the AUSF sends an EAP-Success message to the AMF.
Step 405: The AMF sends a NAS message to the PEGC indicating that the PINE has successfully accessed the core network.
In the embodiment of the present application, the registration request message may also be another NAS message, which is not specifically limited here.
In this embodiment, the PEGC may be replaced by a Residential Gateway (RG), and the PINE may be replaced by another non-3GPP device. In addition, in the embodiments of the present application the core network is sometimes called the 5G Core network (5GC) or the 5G System (5GS), and accessing the core network may also be called accessing the communication network.
It is worth noting that authentication of the PINE by the communication system may also be optional. For example, when the communication system trusts the PEGC, it may choose not to authenticate a PINE that accesses through the PEGC; step 404 is therefore optional. Optionally, step 404 may be replaced by the following: after receiving the NAS message, the AMF determines, according to the indication therein that the PINE is to be connected to the core network, not to authenticate the PINE. In the embodiment of the present application, in step 402 the PEGC may also merely obtain the identification information of the PINE rather than initiating an authentication procedure for the PINE.
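A model of the AMF's handling of the step 403 NAS message through step 405, including the optional variant of step 404 in which a PINE behind a trusted PEGC is admitted without authentication, as an added example that is not code from the application. The message field names, the trusted-PEGC list, the mapping from registration type to the PIN or non-3GPP indication, treating a 5gc-nn label inside the PINE identifier as the "connect the PINE" indication, and the callback that stands in for the PINE-AUSF EAP exchange are all assumptions.

```python
"""Added example (not the application's own code): the AMF side of steps 403-405, with the
optional variant of step 404 that admits a PINE behind a trusted PEGC without authentication.
Assumptions: NAS message field names, the trusted-PEGC list, the registration type -> PIN /
non-3GPP indication mapping, reading a 5gc-nn label in the PINE identifier as the access
indication, and a callback in place of the real PINE <-> AUSF EAP exchange."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

REGISTRATION_TYPES = {"PINE", "non-3GPP"}               # registration types the page names
ACCESS_INDICATIONS = {"N5CW", "passive-IoT", "no-NAS"}  # indications the page names (constructed labels)


@dataclass(frozen=True)
class NasRegistrationRequest:
    """Constructed model of the step 403 NAS message (PEGC -> AMF)."""
    pegc_id: str
    pine_id: str
    registration_type: Optional[str] = None
    indications: frozenset = frozenset()


@dataclass(frozen=True)
class AuthenticationRequest:
    """Step 404 request (AMF -> AUSF): PINE identifier plus a PIN or non-3GPP indication."""
    pine_id: str
    indication: str


@dataclass(frozen=True)
class NasResponse:
    """Step 405 reply (AMF -> PEGC)."""
    pine_id: str
    access_granted: bool
    authenticated: bool   # False when access was granted on PEGC trust alone


def indicates_pine_access(req: NasRegistrationRequest) -> bool:
    """Does the message ask the core network to admit the PINE? The page lets the registration
    type, any of the listed indications, or the PINE identifier itself carry that meaning."""
    if req.registration_type in REGISTRATION_TYPES:
        return True
    if req.indications & ACCESS_INDICATIONS:
        return True
    return "5gc-nn" in req.pine_id   # assumption: the NAI realm label signals the request


class Amf:
    def __init__(self, trusted_pegcs: Iterable[str],
                 ausf: Callable[[AuthenticationRequest], bool]):
        self.trusted_pegcs = set(trusted_pegcs)
        self.ausf = ausf                       # returns True when the AUSF reports EAP-Success
        self.sent: List[AuthenticationRequest] = []

    def handle_registration(self, req: NasRegistrationRequest) -> NasResponse:
        if not indicates_pine_access(req):
            # Nothing in the message asks for PINE access: reject rather than guess.
            return NasResponse(req.pine_id, access_granted=False, authenticated=False)
        if req.pegc_id in self.trusted_pegcs:
            # Optional variant of step 404: trust the PEGC and skip PINE authentication.
            return NasResponse(req.pine_id, access_granted=True, authenticated=False)
        # Step 404: ask the AUSF to authenticate the PINE, with the matching indication.
        indication = "PIN" if req.registration_type == "PINE" else "non-3GPP"
        auth_req = AuthenticationRequest(req.pine_id, indication)
        self.sent.append(auth_req)
        success = self.ausf(auth_req)          # EAP run PINE <-> AUSF, then EAP-Success or failure
        # Step 405: report the outcome to the PEGC.
        return NasResponse(req.pine_id, access_granted=success, authenticated=success)


if __name__ == "__main__":
    amf = Amf(trusted_pegcs={"pegc-trusted"}, ausf=lambda r: r.pine_id != "pine-bad")
    print(amf.handle_registration(NasRegistrationRequest("pegc-1", "pine-1", registration_type="PINE")))
    print(amf.handle_registration(NasRegistrationRequest("pegc-trusted", "pine-2", registration_type="PINE")))
```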
In another embodiment of the present application, assume that the first terminal is a PEGC and the second terminal is a PINE. As shown in Figure 5, the device authentication method includes:
Step 501: A connection is established between the PINE and the PEGC, and the PINE obtains an IP address.
For example, the PINE associates with or connects to the WLAN of the PEGC and obtains an IP address from that WLAN. The PINE may request the IP address with a DHCP request or another message, which is not specifically limited in this embodiment of the present application.
Optionally, the PEGC may authenticate the PINE first and only then assign an IP address to the PINE. The information the PEGC uses to authenticate the PINE is not specifically limited in this embodiment of the present application.
Step 502: The PINE establishes an IP security association with the PEGC.
For example, IKE initial messages are exchanged between the PINE and the PEGC to establish the IP security association.
Step 503: The PINE sends an IKE_AUTH request message to the PEGC.
As a possible embodiment, the IKE_AUTH request message includes the identification information of the PINE; for the identification information of the PINE, refer to the description of step 402.
As another possible embodiment, the PINE sends an IKE_AUTH request message to the PEGC that does not carry the AUTH parameter, indicating that EAP authentication is required. The PEGC sends an IKE_AUTH response message to the PINE that includes an EAP request message. The PINE then sends an IKE_AUTH request message to the PEGC that includes an EAP response message, which in turn includes the identification information of the PINE.
Step 504: The PEGC sends a NAS message to the AMF to connect the PINE to the core network.
For details, refer to the description of step 403 in the foregoing embodiment.
Step 505: After receiving the NAS message, the AMF triggers the core network's authentication procedure for the PINE.
This step may refer to the description of step 404 above; the difference is that the PINE and the PEGC exchange the messages of the authentication procedure over IKE messages.
Step 506: The AMF sends a NAS message to the PEGC indicating that the PINE has successfully accessed the core network.
The registration request message in this embodiment may also be replaced by another NAS message, which is not specifically limited in this embodiment.
It is worth noting that authentication of the PINE by the communication system may also be optional. For example, when the communication system trusts the PEGC, it may choose not to authenticate a PINE that accesses through the PEGC; step 505 is therefore optional. Optionally, step 404 may be replaced by the following: after receiving the NAS message, the AMF determines, according to the indication therein that the PINE is to be connected to the core network, not to authenticate the PINE.
In yet another embodiment of the present application, assume that the first terminal is a PEGC and the second terminal is a PINE. As shown in Figure 6, the device authentication method includes:
Step 601: An L2 connection is established between the PINE and the PEGC.
Step 602: The PEGC initiates an authentication procedure to obtain the identification information of the PINE.
For steps 601 and 602, refer to the description of steps 401 and 402, which is not repeated here.
Step 603: The PEGC sends a NAS message to the AMF to connect the PINE to the core network.
The NAS message includes at least one of a registration type, the identifier of the PEGC, and the identifier of the PINE. The registration type may indicate PINE registration or non-3GPP device registration. The NAS message may also be a PINE registration request message or a non-3GPP device registration request message. The identifier of the PINE may itself indicate that the PINE needs to be connected to the core network. Alternatively, the NAS message may carry an N5CW indication or a passive IoT indication, indicating that access is requested for an N5CW device or a passive IoT device. Alternatively, the NAS message may include an indication that access is requested for a terminal that does not support NAS, indicating that access is requested for a device that does not support NAS when accessing the 5GC through the PEGC.
Optionally, the NAS message includes an N1 Session Management (SM) message, which is used to indicate to the SMF that the PINE is to be connected to the core network.
The N1 SM message may be a PDU session establishment request message or another N1 SM message.
At least one of the registration type, the identifier of the PEGC, and the identifier of the PINE may be included in the N1 SM message.
The PEGC may send the NAS message over the NAS connection between itself and the AMF. The AMF is the AMF serving the PEGC.
Step 604: The AMF sends an N11 message to the SMF to connect the PINE to the core network.
The N11 message includes at least one of the registration type, the identifier of the PEGC, and the identifier of the PINE.
If step 603 includes an N1 SM message, the AMF sends the N1 SM message to the SMF.
For example, the N11 message may be a PINE session establishment request message.
The N11 message of this step may also be expressed as establishing a session channel or allocating network resources for the PINE.
Step 605: The SMF sends a response to the N11 message to the AMF, which triggers the authentication procedure for the PINE.
The response to the N11 message may include the identifier of the PINE and, optionally, the identifier of the PEGC.
The SMF may be the session management network element serving the PEGC. It may determine that the PINE needs to be authenticated according to the subscription of the PEGC, operator policy, and so on.
For example, the response to the N11 message may be a PINE authentication request message.
Step 606: The AMF triggers the core network's authentication procedure for the PINE.
For step 606, refer to the description of step 404.
Step 607: The AMF sends an N11 message to the SMF indicating that the PINE has been authenticated successfully.
For example, the N11 message may be a PINE authentication response message.
In this embodiment of the present application, steps 605 to 607 are optional.
Optionally, the SMF sends an N11 message to the AMF indicating that the PINE session has been established successfully.
For example, the N11 message may be a PINE session establishment response message.
Optionally, the AMF sends a NAS message to the PEGC indicating that the PINE access has succeeded.
For example, the NAS message may be a PINE registration or non-3GPP device registration request message.
Optionally, the SMF allocates user plane resources or session resources to the PINE. In this solution, a single NAS message in step 603 triggers both authentication and session establishment, which saves network resources.
Through the above steps, the PINE successfully accesses the 5GC; equivalently, the PINE's session channel has been established, or the network has successfully allocated resources to the PINE.
It is worth noting that authentication of the PINE by the communication system may also be optional. For example, when the communication system trusts the PEGC, it may choose not to authenticate a PINE that accesses through the PEGC. Therefore, steps 605 to 607 may be skipped, or step 606 alone may be skipped. Optionally, step 605 may be replaced by the following: after receiving the N11 message, the SMF determines, according to the indication therein that the PINE is to be connected to the core network, not to authenticate the PINE. Alternatively, step 606 may be replaced by the following: after receiving the response to the N11 message, the AMF determines, according to the identifier of the PINE and/or the identifier of the PEGC therein, not to authenticate the PINE. In the embodiment of the present application, in step 602 the PEGC may also merely obtain the identification information of the PINE rather than initiating an authentication procedure for the PINE.
In a further embodiment of the present application, assume that the first terminal is a PEGC and the second terminal is a PINE. As shown in Figure 7, the device authentication method includes:
Step 701: A connection is established between the PINE and the PEGC, and the PINE obtains an IP address.
For details, refer to the description of step 501.
Step 702: The PINE establishes an IP security association with the PEGC.
For example, IKE initial messages are exchanged between the PINE and the PEGC to establish the IP security association.
Step 703: The PINE sends an IKE_AUTH request message to the PEGC.
For details, refer to the description of step 503.
Step 704: The PEGC sends a NAS message to the AMF to connect the PINE to the core network.
Step 705: The AMF sends an N11 message to the SMF to connect the PINE to the core network.
Step 706: The SMF sends a response to the N11 message to the AMF, which triggers the authentication procedure for the PINE.
Step 707: The AMF triggers the core network's authentication procedure for the PINE.
Step 708: The AMF sends an N11 message to the SMF indicating that the PINE has been authenticated successfully.
In this embodiment of the present application, steps 706 to 708 are optional.
For steps 704 to 708, refer to the description of steps 603 to 607 above.
Optionally, the SMF sends an N11 message to the AMF indicating that the PINE session has been established successfully.
For example, the N11 message may be a PINE session establishment response message.
Optionally, the AMF sends a NAS message to the PEGC indicating that the PINE access has succeeded.
For example, the NAS message may be a PINE registration or non-3GPP device registration request message.
Optionally, the SMF allocates user plane resources or session resources to the PINE. In this solution, a single NAS message in step 703 triggers both authentication and session establishment, which saves network resources.
Through the above steps, the PINE successfully accesses the 5GC; equivalently, the PINE's session channel has been established, or the network has successfully allocated resources to the PINE.
In the embodiments of the present application, a 3GPP terminal device assists a non-3GPP device in accessing the 5G core network for authentication, which safeguards communication security in scenarios where a non-3GPP device accesses the communication network through a personal IoT network or a home network.
It is worth noting that authentication of the PINE by the communication system may also be optional. For example, when the communication system trusts the PEGC, it may choose not to authenticate a PINE that accesses through the PEGC. Therefore, steps 706 to 708 may be skipped, or step 707 alone may be skipped. Optionally, step 706 may be replaced by the following: after receiving the N11 message, the SMF determines, according to the indication therein that the PINE is to be connected to the core network, not to authenticate the PINE. Alternatively, step 707 may be replaced by the following: after receiving the response to the N11 message, the AMF determines, according to the identifier of the PINE and/or the identifier of the PEGC therein, not to authenticate the PINE.
本申请实施例提供的设备鉴权方法,执行主体可以为设备鉴权装置。本申请实施例中以设备鉴权装置执行设备鉴权方法为例,说明本申请实施例提供的设备鉴权装置。The device authentication method provided in the embodiment of the present application may be executed by a device authentication device. In the embodiment of the present application, the device authentication method performed by the device authentication device is taken as an example to illustrate the device authentication device provided in the embodiment of the present application.
如图8所示,本申请实施例提供了一种设备鉴权装置800,应用于第一终端,该装置包括:As shown in Figure 8, the embodiment of the present application provides a device authentication device 800, which is applied to the first terminal, and the device includes:
第一获取模块801,用于获取第二终端的标识信息;The first acquiring module 801 is configured to acquire the identification information of the second terminal;
第一发送模块802,用于向第一网元发送第一消息,所述第一消息包括所述第二终端的标识信息,且所述第一消息用于触发对所述第二终端的鉴权流程。The first sending module 802 is configured to send a first message to a first network element, where the first message includes identification information of the second terminal, and the first message is used to trigger authentication of the second terminal rights process.
可选地,所述第一消息指示所述第二终端请求接入所述第一网元,或者,所述第一消息请求为所述第二终端建立会话。Optionally, the first message indicates that the second terminal requests to access the first network element, or the first message requests to establish a session for the second terminal.
可选地,所述第一发送模块用于通过所述第一终端和所述第一网元之间的非接入层NAS连接发送所述第一消息。Optionally, the first sending module is configured to send the first message through a non-access stratum NAS connection between the first terminal and the first network element.
可选地,所述第一消息还包括以下至少一项:Optionally, the first message further includes at least one of the following:
所述第一终端的标识信息;Identification information of the first terminal;
非3GPP设备指示信息;Non-3GPP equipment indication information;
个人物联网指示信息;Personal IoT indication information;
N5CW指示;N5CW instruction;
为不支持NAS的终端请求接入的指示; An indication to request access for a terminal that does not support NAS;
无源物联网指示信息。Passive IoT Instructions.
可选地,所述非3GPP设备指示信息为非3GPP设备注册类型信息。Optionally, the non-3GPP device indication information is non-3GPP device registration type information.
可选地,所述个人物联网指示信息为个人物联网元素PINE注册类型信息。Optionally, the personal Internet of Things indication information is registration type information of a personal Internet of Things element PINE.
可选地,所述第二终端的标识信息包括以下至少一项:Optionally, the identification information of the second terminal includes at least one of the following:
第二终端的媒体接入控制MAC地址;The media access control MAC address of the second terminal;
第二终端的设备标识;The device identification of the second terminal;
第二终端的国际移动用户识别码IMSI;the International Mobile Subscriber Identity IMSI of the second terminal;
第二终端的签约永久标识SUPI;The subscription permanent identification SUPI of the second terminal;
第二终端的签约加密标识SUCI;The subscription encryption identity SUCI of the second terminal;
第二终端的一般公共签约标识GPSI。The general public subscription identity GPSI of the second terminal.
可选地,所述第一网元为移动性管理网元或会话管理网元。Optionally, the first network element is a mobility management network element or a session management network element.
可选地,所述第一终端为个人物联网网关。Optionally, the first terminal is a personal Internet of Things gateway.
可选地,所述第二终端为非3GPP设备或者为个人物联网设备。Optionally, the second terminal is a non-3GPP device or a personal Internet of Things device.
本申请实施例中,第一终端获取第二终端的标识信息,并向第一网元发送包含第二终端的标识信息的第一消息,通过该第一消息触发对第二终端的鉴权流程,从而实现通过该第一终端(3GPP终端)辅助第二终端(非3GPP终端)接入核心网进行鉴权的目的,在非3GPP设备通过个人物联网络或家庭网络接入通信网络的场景中,能够有效保障通信的安全性。In the embodiment of the present application, the first terminal obtains the identification information of the second terminal, and sends a first message containing the identification information of the second terminal to the first network element, and triggers an authentication process for the second terminal through the first message , so as to achieve the purpose of assisting the second terminal (non-3GPP terminal) to access the core network through the first terminal (3GPP terminal) to perform authentication. , which can effectively guarantee the security of communication.
The device authentication apparatus in the embodiments of the present application may be an electronic device, for example an electronic device with an operating system, or a component of an electronic device, for example an integrated circuit or a chip. The electronic device may be a terminal or a device other than a terminal. By way of example, the terminal may include, but is not limited to, the types of terminal 11 listed above, and the other device may be a server, network attached storage (NAS) or the like; this is not specifically limited in the embodiments of the present application.
The device authentication apparatus provided in the embodiments of the present application can implement each process of the method embodiment of FIG. 2 and achieve the same technical effect; to avoid repetition, the details are not described again here.
Optionally, as shown in FIG. 9, an embodiment of the present application further provides a communication device 900 that includes a processor 901 and a memory 902, where the memory 902 stores a program or instructions executable on the processor 901. For example, when the communication device 900 is a terminal, the program or instructions, when executed by the processor 901, implement each step of the above embodiment of the device authentication method applied to the first terminal and achieve the same technical effect. When the communication device 900 is a network-side device (such as the first network element), the program or instructions, when executed by the processor 901, implement each step of the above embodiment of the device authentication method applied to the first network element and achieve the same technical effect; to avoid repetition, the details are not described again here.
An embodiment of the present application further provides a terminal that includes a processor and a communication interface. The processor is configured to obtain the identification information of the second terminal; the communication interface is configured to send a first message to the first network element, where the first message includes the identification information of the second terminal and is used to trigger the authentication procedure for the second terminal. This terminal embodiment corresponds to the terminal-side method embodiment above; each implementation process and implementation manner of that method embodiment applies to this terminal embodiment and achieves the same technical effect. Specifically, FIG. 10 is a schematic diagram of the hardware structure of a terminal implementing an embodiment of the present application.
The terminal 1000 includes, but is not limited to, at least some of the following components: a radio frequency unit 1001, a network module 1002, an audio output unit 1003, an input unit 1004, a sensor 1005, a display unit 1006, a user input unit 1007, an interface unit 1008, a memory 1009 and a processor 1010.
Those skilled in the art will understand that the terminal 1000 may further include a power supply (such as a battery) that supplies power to the components; the power supply may be logically connected to the processor 1010 through a power management system, so that charging, discharging and power consumption management are handled by the power management system. The terminal structure shown in FIG. 10 does not limit the terminal: the terminal may include more or fewer components than shown, combine certain components, or arrange the components differently, which is not described again here.
It should be understood that, in the embodiments of the present application, the input unit 1004 may include a graphics processing unit (GPU) 10041 and a microphone 10042; the graphics processor 10041 processes the image data of still pictures or video obtained by an image capture device (such as a camera) in video capture mode or image capture mode. The display unit 1006 may include a display panel 10061, which may be configured as a liquid crystal display, an organic light-emitting diode display or the like. The user input unit 1007 includes at least one of a touch panel 10071 and other input devices 10072. The touch panel 10071, also called a touch screen, may include two parts: a touch detection device and a touch controller. The other input devices 10072 may include, but are not limited to, a physical keyboard, function keys (such as volume control keys and on/off keys), a trackball, a mouse and a joystick, which are not described again here.
In the embodiments of the present application, after the radio frequency unit 1001 receives downlink data from the network-side device, it may pass the data to the processor 1010 for processing; in addition, the radio frequency unit 1001 may send uplink data to the network-side device. Generally, the radio frequency unit 1001 includes, but is not limited to, an antenna, an amplifier, a transceiver, a coupler, a low-noise amplifier, a duplexer and the like.
The memory 1009 may be used to store software programs or instructions as well as various data. The memory 1009 may mainly include a first storage area that stores programs or instructions and a second storage area that stores data, where the first storage area may store an operating system and the application programs or instructions required by at least one function (such as a sound playback function or an image playback function). In addition, the memory 1009 may include volatile memory or non-volatile memory, or both. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory. The volatile memory may be random access memory (RAM), static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synch link dynamic random access memory (SLDRAM) or direct Rambus random access memory (DRRAM). The memory 1009 in the embodiments of the present application includes, but is not limited to, these and any other suitable types of memory.
The processor 1010 may include one or more processing units; optionally, the processor 1010 integrates an application processor and a modem processor, where the application processor mainly handles operations involving the operating system, the user interface and application programs, and the modem processor (for example, a baseband processor) mainly handles wireless communication signals. It will be understood that the modem processor may also not be integrated into the processor 1010.
Here, the processor 1010 is configured to obtain the identification information of the second terminal;
the radio frequency unit 1001 is configured to send a first message to the first network element, where the first message includes the identification information of the second terminal and is used to trigger the authentication procedure for the second terminal.
Optionally, the first message indicates that the second terminal requests access to the first network element, or the first message requests that a session be established for the second terminal.
Optionally, the radio frequency unit 1001 is configured to send the first message over the non-access stratum (NAS) connection between the first terminal and the first network element.
Optionally, the first message further includes at least one of the following:
the identification information of the first terminal;
non-3GPP device indication information;
personal IoT indication information;
an N5CW indication;
an indication that access is requested for a terminal that does not support NAS;
passive IoT indication information.
Optionally, the non-3GPP device indication information is non-3GPP device registration type information.
Optionally, the personal IoT indication information is personal IoT element (PINE) registration type information.
Optionally, the identification information of the second terminal includes at least one of the following:
the media access control (MAC) address of the second terminal;
the device identifier of the second terminal;
the international mobile subscriber identity (IMSI) of the second terminal;
the subscription permanent identifier (SUPI) of the second terminal;
the subscription concealed identifier (SUCI) of the second terminal;
the generic public subscription identifier (GPSI) of the second terminal.
Optionally, the first network element is a mobility management network element or a session management network element.
Optionally, the first terminal is a personal IoT gateway.
Optionally, the second terminal is a non-3GPP device or a personal IoT device.
In the embodiments of the present application, the first terminal obtains the identification information of the second terminal and sends to the first network element a first message containing that identification information; the first message triggers the authentication procedure for the second terminal. The first terminal (a 3GPP terminal) thereby assists the second terminal (a non-3GPP terminal) in accessing the core network for authentication, which effectively safeguards communication security in scenarios where a non-3GPP device accesses the communication network through a personal IoT network or a home network.
As shown in FIG. 11, an embodiment of the present application further provides a device authentication apparatus 1100, including:
a first receiving module 1101, configured to receive a first message sent by the first terminal, where the first message includes the identification information of the second terminal;
a processing module 1102, configured to trigger the authentication procedure for the second terminal according to the first message.
Optionally, the first message indicates that the second terminal requests access to the first network element, or the first message requests that a session be established for the second terminal.
Optionally, the first receiving module is configured to receive the first message over the NAS connection between the first terminal and the first network element.
Optionally, the first message further includes at least one of the following:
the identification information of the first terminal;
non-3GPP device indication information;
personal IoT indication information;
an N5CW indication;
an indication that access is requested for a terminal that does not support NAS;
passive IoT indication information.
Optionally, the non-3GPP device indication information is non-3GPP device registration type information.
Optionally, the personal IoT indication information is personal IoT element (PINE) registration type information.
Optionally, the identification information of the second terminal includes at least one of the following:
the media access control (MAC) address of the second terminal;
the device identifier of the second terminal;
the international mobile subscriber identity (IMSI) of the second terminal;
the subscription permanent identifier (SUPI) of the second terminal;
the subscription concealed identifier (SUCI) of the second terminal;
the generic public subscription identifier (GPSI) of the second terminal.
Optionally, the processing module is configured to send, according to the first message, a second message to a second network element, where the second message is used to request authentication of the second terminal.
Optionally, the first network element is a mobility management network element and the second network element is an authentication server network element;
or the first network element is a session management network element and the second network element is a mobility management network element.
Optionally, the first terminal is a personal IoT gateway.
Optionally, the second terminal is a non-3GPP device or a personal IoT device.
In the embodiments of the present application, the first terminal obtains the identification information of the second terminal and sends to the first network element a first message containing that identification information; the first message triggers the authentication procedure for the second terminal. The first terminal (a 3GPP terminal) thereby assists the second terminal (a non-3GPP terminal) in accessing the core network for authentication, which effectively safeguards communication security in scenarios where a non-3GPP device accesses the communication network through a personal IoT network or a home network.
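The terminal-side and network-side flows summarised above, as an added example in Python that is not code from the patent application: a first terminal (the personal IoT gateway) builds the first message carrying the second terminal's identification, the first network element (a mobility management element, AMF, or a session management element, SMF) accepts it only over that terminal's NAS connection and triggers authentication by sending a second message to the second network element (the authentication server, AUSF, when the first element is an AMF; the AMF when it is an SMF), which makes the decision. The message field names, the indication labels, the NAS-connection table and the subscription records are assumptions made for this illustration; the MAC and SUPI values are constructed.

```python
# Added example, not code from the patent application: a constructed simulation of
# the first-message / second-message exchange. Field names, the NAS-connection table
# and the subscription records are assumptions made for this illustration.
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable, Optional, Set, Tuple


class IdType(Enum):
    """The six kinds of second-terminal identification information the text lists."""
    MAC = "mac"
    DEVICE_ID = "device_id"
    IMSI = "imsi"
    SUPI = "supi"
    SUCI = "suci"
    GPSI = "gpsi"


# Indications the first message may additionally carry (labels assumed for the example).
KNOWN_INDICATIONS = frozenset({"non_3gpp", "pine", "n5cw", "no_nas", "passive_iot"})


@dataclass(frozen=True)
class FirstMessage:
    first_terminal_id: str            # the PIN gateway, i.e. the 3GPP terminal
    second_terminal_id: str           # the non-3GPP / PIN device to be authenticated
    id_type: IdType
    purpose: str                      # "access" (request access to the element) or "session"
    indications: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class SecondMessage:
    target: str                       # "AUSF" when sent by an AMF, "AMF" when sent by an SMF
    second_terminal_id: str
    id_type: IdType
    via_first_terminal: str           # which gateway relayed the request


def build_first_message(gateway_id: str, second_id: str, id_type: IdType,
                        purpose: str, indications: Iterable[str] = ()) -> FirstMessage:
    """First-terminal side: assemble the first message, rejecting malformed input locally."""
    if purpose not in ("access", "session"):
        raise ValueError("purpose must be 'access' or 'session'")
    unknown = set(indications) - KNOWN_INDICATIONS
    if unknown:
        raise ValueError(f"unknown indications: {sorted(unknown)}")
    return FirstMessage(gateway_id, second_id, id_type, purpose, frozenset(indications))


def handle_first_message(element_kind: str, nas_peers: Set[str],
                         msg: FirstMessage) -> Tuple[Optional[SecondMessage], str]:
    """First-network-element side. The first message travels over the first terminal's
    own NAS connection, so it is accepted only from a gateway that holds one; the
    element then triggers authentication by building the second message for the
    next hop. Returns (second_message, "ok") or (None, reason)."""
    if element_kind not in ("AMF", "SMF"):
        raise ValueError("first network element must be an AMF or an SMF")
    if msg.first_terminal_id not in nas_peers:
        return None, "no NAS connection for first terminal"
    target = "AUSF" if element_kind == "AMF" else "AMF"
    return SecondMessage(target, msg.second_terminal_id, msg.id_type,
                         msg.first_terminal_id), "ok"


# Constructed subscription records standing in for the second network element's
# knowledge. Carrying an identifier in the first message proves nothing by itself;
# the decision is made here, at the second network element, not at the gateway.
SUBSCRIBED = {
    (IdType.SUPI, "imsi-001010000000001"),     # constructed SUPI value
    (IdType.MAC, "02:00:5e:00:53:01"),         # constructed MAC address
}


def authenticate(second_msg: SecondMessage) -> bool:
    """Second-network-element side (AUSF or AMF): decide on the second terminal."""
    return (second_msg.id_type, second_msg.second_terminal_id) in SUBSCRIBED


def run_flow(element_kind: str, nas_peers: Set[str], msg: FirstMessage) -> str:
    """Run the whole exchange and report the outcome as a short status string."""
    second, reason = handle_first_message(element_kind, nas_peers, msg)
    if second is None:
        return f"rejected: {reason}"
    if not authenticate(second):
        return f"{second.target}: authentication failed"
    return f"{second.target}: authenticated {msg.second_terminal_id} via {msg.first_terminal_id}"


if __name__ == "__main__":
    nas = {"pin-gateway-1"}                      # gateways with an established NAS connection
    m = build_first_message("pin-gateway-1", "02:00:5e:00:53:01", IdType.MAC,
                            "access", ["non_3gpp", "pine"])
    print(run_flow("AMF", nas, m))
```

The gateway-side check only rejects malformed input; the check that matters for security sits in `handle_first_message`, which refuses a first message from a first terminal that holds no NAS connection, and in `authenticate`, which is the only place a second terminal is admitted. That split mirrors the text: the first message triggers authentication, it does not grant it.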
An embodiment of the present application further provides a network-side device (namely the first network element above) that includes a processor and a communication interface. The communication interface is configured to receive a first message sent by the first terminal, where the first message includes the identification information of the second terminal; the processor is configured to trigger the authentication procedure for the second terminal according to the first message.
This network-side device embodiment corresponds to the network-side method embodiment above; each implementation process and implementation manner of that method embodiment applies to this network-side device embodiment and achieves the same technical effect.
Specifically, an embodiment of the present application further provides a network-side device (the first network element above). As shown in FIG. 12, the network-side device 1300 includes a processor 1301, a network interface 1302 and a memory 1303, where the network interface 1302 is, for example, a common public radio interface (CPRI).
Specifically, the network-side device 1300 in this embodiment of the present invention further includes instructions or a program stored in the memory 1303 and executable on the processor 1301; the processor 1301 invokes the instructions or program in the memory 1303 to execute the method performed by the modules shown in FIG. 11 and achieves the same technical effect, which is not described again here to avoid repetition.
An embodiment of the present application further provides a readable storage medium storing a program or instructions which, when executed by a processor, implement each process of the above embodiments of the device authentication method and achieve the same technical effect; to avoid repetition, the details are not described again here.
Here, the processor is the processor in the terminal described in the above embodiments. The readable storage medium includes a computer-readable storage medium such as a computer read-only memory (ROM), random access memory (RAM), magnetic disk or optical disc.
An embodiment of the present application further provides a chip that includes a processor and a communication interface coupled to the processor; the processor is configured to run a program or instructions to implement each process of the above embodiments of the device authentication method and achieves the same technical effect; to avoid repetition, the details are not described again here.
It should be understood that the chip mentioned in the embodiments of the present application may also be referred to as a system-level chip, a system chip, a chip system or a system-on-chip.
An embodiment of the present application further provides a computer program product stored in a storage medium; the computer program product is executed by at least one processor to implement each process of the above embodiments of the device authentication method and achieves the same technical effect; to avoid repetition, the details are not described again here.
An embodiment of the present application further provides a device authentication system that includes a terminal and a network-side device, where the terminal may be used to perform the steps of the device authentication method applied to the first terminal as described above, and the network-side device may be used to perform the steps of the device authentication method applied to the first network element as described above.
It should be noted that, in this document, the terms "comprise", "include" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that includes that element. Furthermore, it should be pointed out that the scope of the methods and apparatus in the embodiments of the present application is not limited to performing functions in the order shown or discussed, but may also include performing functions substantially simultaneously or in reverse order, depending on the functions involved; for example, the described methods may be performed in an order different from that described, and steps may be added, omitted or combined. In addition, features described with reference to certain examples may be combined in other examples.
From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, can be embodied in the form of a computer software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including several instructions that cause a terminal (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to execute the methods described in the embodiments of the present application.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the specific embodiments described above, which are merely illustrative and not restrictive. Inspired by the present application, those of ordinary skill in the art can make many further forms without departing from the spirit of the present application and the scope protected by the claims, all of which fall within the protection of the present application.

Claims (35)

  1. 一种设备鉴权方法,包括:A device authentication method, comprising:
    第一终端获取第二终端的标识信息;The first terminal acquires the identification information of the second terminal;
    所述第一终端向第一网元发送第一消息,所述第一消息包括所述第二终端的标识信息,且所述第一消息用于触发对所述第二终端的鉴权流程。The first terminal sends a first message to the first network element, where the first message includes identification information of the second terminal, and the first message is used to trigger an authentication procedure for the second terminal.
  2. 根据权利要求1所述的方法,其中,所述第一消息指示所述第二终端请求接入所述第一网元,或者,所述第一消息请求为所述第二终端建立会话。The method according to claim 1, wherein the first message indicates that the second terminal requests to access the first network element, or the first message requests to establish a session for the second terminal.
  3. 根据权利要求1所述的方法,其中,所述第一终端向第一网元发送第一请求,包括:The method according to claim 1, wherein the first terminal sending the first request to the first network element comprises:
    所述第一终端通过所述第一终端和所述第一网元之间的非接入层NAS连接发送所述第一消息。The first terminal sends the first message through a non-access stratum NAS connection between the first terminal and the first network element.
  4. 根据权利要求1所述的方法,其中,所述第一消息还包括以下至少一项:The method according to claim 1, wherein the first message further includes at least one of the following:
    所述第一终端的标识信息;Identification information of the first terminal;
    非3GPP设备指示信息;Non-3GPP equipment indication information;
    个人物联网指示信息;Personal IoT indication information;
    在无线局域网无5G能力N5CW指示;There is no 5G capability N5CW indication in the wireless LAN;
    为不支持NAS的终端请求接入的指示;An indication to request access for a terminal that does not support NAS;
    无源物联网指示信息。Passive IoT Instructions.
  5. 根据权利要求4所述的方法,其中,所述非3GPP设备指示信息为非3GPP设备注册类型信息。The method according to claim 4, wherein the non-3GPP device indication information is non-3GPP device registration type information.
  6. 根据权利要求4所述的方法,其中,所述个人物联网指示信息为个人物联网元素PINE注册类型信息。The method according to claim 4, wherein the personal internet of things indication information is PINE registration type information of personal internet of things elements.
  7. 根据权利要求1所述的方法,其中,所述第二终端的标识信息包括以下至少一项:The method according to claim 1, wherein the identification information of the second terminal includes at least one of the following:
    第二终端的媒体接入控制MAC地址;The media access control MAC address of the second terminal;
    第二终端的设备标识;The device identification of the second terminal;
    第二终端的国际移动用户识别码IMSI; the International Mobile Subscriber Identity IMSI of the second terminal;
    第二终端的签约永久标识SUPI;The subscription permanent identification SUPI of the second terminal;
    第二终端的签约加密标识SUCI;The subscription encryption identity SUCI of the second terminal;
    第二终端的一般公共签约标识GPSI。The general public subscription identity GPSI of the second terminal.
  8. 根据权利要求1所述的方法,其中,所述第一网元为移动性管理网元或会话管理网元。The method according to claim 1, wherein the first network element is a mobility management network element or a session management network element.
  9. 根据权利要求1所述的方法,其中,所述第一终端为个人物联网网关。The method according to claim 1, wherein the first terminal is a personal internet of things gateway.
  10. 根据权利要求1所述的方法,其中,所述第二终端为非3GPP设备或者为个人物联网设备。The method according to claim 1, wherein the second terminal is a non-3GPP device or a personal Internet of Things device.
  11. 一种设备鉴权方法,包括:A device authentication method, comprising:
    第一网元接收第一终端发送的第一消息,所述第一消息包括第二终端的标识信息;receiving, by the first network element, a first message sent by the first terminal, where the first message includes identification information of the second terminal;
    所述第一网元根据所述第一消息,触发对所述第二终端的鉴权流程。The first network element triggers an authentication procedure for the second terminal according to the first message.
  12. 根据权利要求11所述的方法,其中,所述第一消息指示所述第二终端请求接入所述第一网元,或者,所述第一消息请求为所述第二终端建立会话。The method according to claim 11, wherein the first message indicates that the second terminal requests to access the first network element, or the first message requests to establish a session for the second terminal.
  13. 根据权利要求11所述的方法,其中,所述第一网元接收第一终端发送的第一消息,包括:The method according to claim 11, wherein the first network element receiving the first message sent by the first terminal comprises:
    所述第一网元通过所述第一终端和所述第一网元之间的NAS连接接收所述第一消息。The first network element receives the first message through the NAS connection between the first terminal and the first network element.
  14. 根据权利要求13所述的方法,其中,所述第一消息还包括以下至少一项:The method according to claim 13, wherein the first message further includes at least one of the following:
    所述第一终端的标识信息;Identification information of the first terminal;
    非3GPP设备指示信息;Non-3GPP equipment indication information;
    个人物联网指示信息;Personal IoT indication information;
    N5CW指示;N5CW instruction;
    为不支持NAS的终端请求接入的指示;An indication to request access for a terminal that does not support NAS;
    无源物联网指示信息。Passive IoT Instructions.
  15. 根据权利要求14所述的方法,其中,所述非3GPP设备指示信息为非3GPP设备注册类型信息。 The method according to claim 14, wherein the non-3GPP device indication information is non-3GPP device registration type information.
  16. 根据权利要求14所述的方法,其中,所述个人物联网指示信息为个人物联网元素PINE注册类型信息。The method according to claim 14, wherein the personal internet of things indicating information is PINE registration type information of personal internet of things elements.
  17. 根据权利要求11所述的方法,其中,所述第二终端的标识信息包括以下至少一项:The method according to claim 11, wherein the identification information of the second terminal includes at least one of the following:
    第二终端的媒体接入控制MAC地址;The media access control MAC address of the second terminal;
    第二终端的设备标识;The device identification of the second terminal;
    第二终端的国际移动用户识别码IMSI;the International Mobile Subscriber Identity IMSI of the second terminal;
    第二终端的签约永久标识SUPI;The subscription permanent identification SUPI of the second terminal;
    第二终端的签约加密标识SUCI;The subscription encryption identity SUCI of the second terminal;
    第二终端的一般公共签约标识GPSI。The general public subscription identity GPSI of the second terminal.
  18. 根据权利要求11所述的方法,其中,所述第一网元根据所述第一消息,触发对所述第二终端的鉴权流程,包括:The method according to claim 11, wherein the first network element triggers an authentication procedure for the second terminal according to the first message, comprising:
    所述第一网元根据所述第一消息,向第二网元发送第二消息,所述第二消息用于请求对所述第二终端进行鉴权。The first network element sends a second message to a second network element according to the first message, where the second message is used to request authentication of the second terminal.
  19. 根据权利要求18所述的方法,其中,所述第一网元为移动性管理网元,所述第二网元为鉴权服务器网元;The method according to claim 18, wherein the first network element is a mobility management network element, and the second network element is an authentication server network element;
    或者,所述第一网元为会话管理网元,所述第二网元为移动性管理网元。Alternatively, the first network element is a session management network element, and the second network element is a mobility management network element.
  20. 根据权利要求11所述的方法,其中,所述第一终端为个人物联网网关。The method according to claim 11, wherein the first terminal is a personal internet of things gateway.
  21. 根据权利要求11所述的方法,其中,所述第二终端为非3GPP设备或者为个人物联网设备。The method according to claim 11, wherein the second terminal is a non-3GPP device or a personal Internet of Things device.
  22. A device authentication apparatus, comprising:
    a first obtaining module, configured to obtain identification information of a second terminal;
    a first sending module, configured to send a first message to a first network element, where the first message includes the identification information of the second terminal and is used to trigger an authentication procedure for the second terminal.
  23. The apparatus according to claim 22, wherein the first message indicates that the second terminal requests access to the first network element, or the first message requests that a session be established for the second terminal.
  24. The apparatus according to claim 22, wherein the first sending module is configured to send the first message over a non-access stratum (NAS) connection between a first terminal and the first network element.
  25. The apparatus according to claim 22, wherein the first message further includes at least one of the following:
    identification information of a first terminal;
    non-3GPP device indication information;
    personal Internet of Things indication information;
    an N5CW indication;
    an indication that access is requested for a terminal that does not support NAS;
    passive Internet of Things indication information.
  26. The apparatus according to claim 22, wherein the identification information of the second terminal includes at least one of the following:
    the media access control (MAC) address of the second terminal;
    the device identifier of the second terminal;
    the international mobile subscriber identity (IMSI) of the second terminal;
    the subscription permanent identifier (SUPI) of the second terminal;
    the subscription concealed identifier (SUCI) of the second terminal;
    the generic public subscription identifier (GPSI) of the second terminal.
  27. A device authentication apparatus, applied to a first network element, comprising:
    a first receiving module, configured to receive a first message sent by a first terminal, where the first message includes identification information of a second terminal;
    a processing module, configured to trigger an authentication procedure for the second terminal according to the first message.
  28. The apparatus according to claim 27, wherein the first message indicates that the second terminal requests access to the first network element, or the first message requests that a session be established for the second terminal.
  29. The apparatus according to claim 27, wherein the first receiving module is configured to receive the first message over a NAS connection between the first terminal and the first network element.
  30. The apparatus according to claim 27, wherein the identification information of the second terminal includes at least one of the following:
    the media access control (MAC) address of the second terminal;
    the device identifier of the second terminal;
    the international mobile subscriber identity (IMSI) of the second terminal;
    the subscription permanent identifier (SUPI) of the second terminal;
    the subscription concealed identifier (SUCI) of the second terminal;
    the generic public subscription identifier (GPSI) of the second terminal.
  31. The apparatus according to claim 27, wherein the processing module is configured to send, according to the first message, a second message to a second network element, where the second message is used to request authentication of the second terminal.
  32. The apparatus according to claim 31, wherein the first network element is a mobility management network element and the second network element is an authentication server network element;
    or, the first network element is a session management network element and the second network element is a mobility management network element.
  33. A terminal, comprising a processor and a memory, where the memory stores a program or instructions that can run on the processor, and the program or instructions, when executed by the processor, implement the steps of the device authentication method according to any one of claims 1 to 10.
  34. A network-side device, comprising a processor and a memory, where the memory stores a program or instructions that can run on the processor, and the program or instructions, when executed by the processor, implement the steps of the device authentication method according to any one of claims 11 to 21.
  35. A readable storage medium, storing a program or instructions, where the program or instructions, when executed by a processor, implement the steps of the device authentication method according to any one of claims 1 to 10, or implement the steps of the device authentication method according to any one of claims 11 to 21.
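As an added illustration that is not part of the patent, the following Python models the claimed message flow: the first terminal (a personal IoT gateway) sends a first message carrying the second terminal's identification over its NAS connection, and the first network element (mobility management role) checks it and triggers authentication by sending a second message to the second network element (authentication server role). Class names, field names, the validation checks and the subscriber records are assumptions; the authentication server here is a stand-in that only looks up the presented identity, not a real 5G authentication run.

```python
from dataclasses import dataclass, field

ID_TYPES = {"mac", "device_id", "imsi", "supi", "suci", "gpsi"}   # claims 17, 26, 30
INDICATIONS = {"first_terminal_id", "non_3gpp", "personal_iot", "n5cw", "no_nas_terminal", "passive_iot"}  # claim 25

@dataclass
class FirstMessage:
    second_terminal_id: dict                  # {id_type: value}, one or more entries
    purpose: str                              # "access" or "session" (claims 23, 28)
    indications: dict = field(default_factory=dict)

class AuthServer:
    # Second network element (AUSF role); stand-in lookup against constructed records, not 5G-AKA
    def __init__(self, subscribers):
        self.subscribers = subscribers        # set of (id_type, value) pairs, constructed

    def handle_second_message(self, second_msg):
        ids = second_msg["second_terminal_id"]
        known = any((t, v) in self.subscribers for t, v in ids.items())
        return {"result": "success" if known else "failure", "ids": ids}

class MobilityManager:
    # First network element (AMF role): validates the NAS first message, then sends the second message
    def __init__(self, auth_server, registered_terminals):
        self.auth_server = auth_server
        self.registered = registered_terminals    # first terminals holding a NAS context
        self.second_messages = []                 # forwarded requests, kept for inspection

    def handle_first_message(self, first_terminal, msg):
        if first_terminal not in self.registered:
            return {"result": "reject", "reason": "no NAS connection for first terminal"}
        if not msg.second_terminal_id or set(msg.second_terminal_id) - ID_TYPES:
            return {"result": "reject", "reason": "missing or unknown identification type"}
        if msg.purpose not in ("access", "session") or set(msg.indications) - INDICATIONS:
            return {"result": "reject", "reason": "unknown purpose or indication"}
        second_msg = {"request": "authenticate", "via": first_terminal,
                      "second_terminal_id": msg.second_terminal_id, "indications": msg.indications}
        self.second_messages.append(second_msg)
        return self.auth_server.handle_second_message(second_msg)

class Gateway:
    # First terminal (personal IoT gateway): obtains the second terminal's id, sends the first message over NAS
    def __init__(self, own_id, amf):
        self.own_id, self.amf = own_id, amf

    def request_auth(self, second_terminal_id, purpose="access", **indications):
        msg = FirstMessage(second_terminal_id, purpose,
                           {"first_terminal_id": self.own_id, **indications})
        return self.amf.handle_first_message(self.own_id, msg)
```

Rejected first messages never reach the authentication server, so only a registered first terminal presenting a recognised identification type can cause a second message to be sent.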
PCT/CN2023/073272 2022-01-27 2023-01-20 Device authentication methods, apparatus and communication device WO2023143411A1 (en)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN202210102685.5 | 2022-01-27 | |
CN202210102685.5A CN116567626A (en) | 2022-01-27 | 2022-01-27 | Equipment authentication method and device and communication equipment

Publications (1)

Publication Number | Publication Date
WO2023143411A1 (en) | 2023-08-03

Family

ID=87470799

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2023/073272 WO2023143411A1 (en) | Device authentication methods, apparatus and communication device | 2022-01-27 | 2023-01-20

Country Status (2)

Country | Link
CN (1) | CN116567626A (en)
WO (1) | WO2023143411A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN108738013A (en) * | 2017-04-18 | 2018-11-02 | 华为技术有限公司 | Method for network access, device and the network equipment
CN109391941A (en) * | 2017-08-03 | 2019-02-26 | 华为技术有限公司 | A kind of method and device of access authentication
CN109819440A (en) * | 2017-11-20 | 2019-05-28 | 华为技术有限公司 | The method and apparatus of authentication
CN113711288A (en) * | 2019-04-18 | 2021-11-26 | 华为技术有限公司 | Authentication method and device for unmanned aerial vehicle

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN108738013A (en) * | 2017-04-18 | 2018-11-02 | 华为技术有限公司 | Method for network access, device and the network equipment
CN113923650A (en) * | 2017-04-18 | 2022-01-11 | 华为技术有限公司 | Network access method, device and communication system
CN109391941A (en) * | 2017-08-03 | 2019-02-26 | 华为技术有限公司 | A kind of method and device of access authentication
CN109819440A (en) * | 2017-11-20 | 2019-05-28 | 华为技术有限公司 | The method and apparatus of authentication
CN113711288A (en) * | 2019-04-18 | 2021-11-26 | 华为技术有限公司 | Authentication method and device for unmanned aerial vehicle

Also Published As

Publication number | Publication date
CN116567626A (en) | 2023-08-08


Legal Events

Date | Code | Title | Description
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 23746290; Country of ref document: EP; Kind code of ref document: A1