WO2023143418A1

WO2023143418A1 - Device authentication method and apparatus, and terminal and network function

Info

Publication number: WO2023143418A1
Application number: PCT/CN2023/073279
Authority: WO
Inventors: 谢振华
Original assignee: 维沃移动通信有限公司
Priority date: 2022-01-27
Filing date: 2023-01-20
Publication date: 2023-08-03
Also published as: CN116567625A

Abstract

The present application belongs to the technical field of communications. Disclosed are a device authentication method and apparatus, and a terminal and a network function. The device authentication method in the embodiments of the present application comprises: a first terminal receiving first authentication-related information, which is sent by a network side, and sending the first authentication-related information to a second terminal; and the first terminal receiving second authentication-related information, which is sent by the second terminal, and sending the second authentication-related information to the network side.

Description

Device authentication method, device, terminal and network function

Cross References to Related Applications

This application claims priority to Chinese Patent Application No. 202210101704.2 filed in China on January 27, 2022, the entire contents of which are hereby incorporated by reference.

technical field

The present application belongs to the technical field of communication, and in particular relates to a device authentication method, device, terminal and network function.

Background technique

In related technologies, the network side cannot know the status of the devices behind the gateway. In some specific scenarios, such as the personal Internet of Things scenario, the personal IoT gateway can be a gateway in a smart home scenario, or a gateway in a wearable device scenario. When the communication device behind the gateway accesses the fifth-generation mobile communication technology (5th-Generation, 5G) network through the gateway, the 5G network may need to identify the device and authenticate it. However, due to the various types of communication devices behind the gateway, when the communication devices do not support the Non-Access Stratum (NAS) protocol process, the 5G network cannot authenticate them.

Contents of the invention

Embodiments of the present application provide a device authentication method, device, terminal, and network function, which can solve the problem of how to authenticate a device that does not support the NAS protocol process.

In the first aspect, a device authentication method is provided, including:

The first terminal receives the first authentication-related information sent by the network side, and sends the first authentication-related information to the second terminal;

The first terminal receives the second authentication related information sent by the second terminal, and sends the second authentication related information to the network side.

In the second aspect, a device authentication method is provided, including:

The first network function receives the indication information sent by the second network function, and the indication information includes At least one of the following: relevant information of the first terminal, relevant information of the second terminal, an indication of stopping authentication, and an indication of authentication;

The first network function performs or stops performing a first operation according to the instruction information, and the first operation includes:

Sending first authentication-related information to the first terminal, where the first authentication-related information is used by the first terminal to send to the second terminal;

The first network function receives second authentication-related information sent by the first terminal, where the second authentication-related information is received by the first terminal from the second terminal;

The first network function sends the second authentication-related information to a third network function.

In a third aspect, a device authentication method is provided, including:

The second network function sends instruction information to the first network function, and the instruction information includes at least one of the following: related information of the first terminal, related information of the second terminal, stop authentication instruction, and authentication instruction;

The indication information is used to send the first authentication-related information to the first terminal when the first network function is executed or stopped, and the first authentication-related information is used for the first terminal to send to the second terminal.

In a fourth aspect, a device authentication method is provided, including:

The third network function executes an authentication process between the second terminal and the third network function, and the second terminal executes the authentication process with the third network function through the first terminal.

In the fifth aspect, a device authentication method is provided, including:

The second terminal completes the authentication process with the first terminal;

After receiving the first authentication-related information from the first terminal, the second terminal sends to the first terminal second authentication-related information carrying a first identifier, wherein the first identifier is used to communicate with the network side to perform Authentication process.

In a sixth aspect, a device authentication device is provided, including:

The first transceiver module is configured to receive the first authentication related information sent by the network side, and send the first authentication related information to the second terminal;

The second transceiver module is configured to receive the second authentication-related information sent by the second terminal, and send the second authentication-related information to the network side.

In the seventh aspect, a device authentication device is provided, including:

The third transceiver module is configured to receive the instruction information sent by the second network function, the instruction information includes at least one of the following: related information of the first terminal, related information of the second terminal, stop authentication instruction, authentication instruction ;

The fourth transceiver module is configured to perform or stop performing a first operation according to the indication information, and the first operation includes:

receiving second authentication-related information sent by the first terminal, where the second authentication-related information is received by the first terminal from the second terminal;

Send the second authentication-related information to a third network function.

In an eighth aspect, a device authentication device is provided, including:

The fifth transceiver module is configured to send instruction information to the first network function, where the instruction information includes at least one of the following: related information of the first terminal, related information of the second terminal, stop authentication instruction, and authentication instruction;

In the ninth aspect, a device authentication device is provided, including:

The first processing module is configured to execute an authentication process between the second terminal and the third network function, and the second terminal executes the authentication process through the first terminal and the third network function.

In a tenth aspect, a device authentication device is provided, including:

The second processing module is used to complete the authentication process with the first terminal;

The sixth transceiver module is configured to receive the first authentication-related information from the first terminal, and send the second authentication-related information carrying the first identification to the first terminal, wherein the first identification is used to communicate with the network side Execute the authentication process.

In an eleventh aspect, a terminal is provided, the terminal includes a processor and a memory, the memory stores programs or instructions that can run on the processor, and when the programs or instructions are executed by the processor, the following is implemented: The steps of the method described in the first aspect or the fifth aspect.

In a twelfth aspect, a terminal is provided, including a processor and a communication interface, wherein the communication interface is used to receive the first authentication-related information sent by the network side, and send the first authentication-related information to the second The terminal: receiving the second authentication-related information sent by the second terminal, and sending the second authentication-related information to the network side.

Alternatively, the processor is configured to complete the authentication process with the first terminal; the communication interface is configured to send a message carrying the first identifier to the first terminal after receiving the first authentication-related information from the first terminal. The second authentication-related information, wherein the first identifier is used to perform an authentication process with the network side.

In a thirteenth aspect, a network function is provided, the network function includes a processor and a memory, the memory stores programs or instructions that can run on the processor, and when the program or instructions are executed by the processor The steps of the method described in the second aspect, the third aspect or the fourth aspect are implemented.

In a fourteenth aspect, a network function is provided, including a processor and a communication interface, wherein the communication interface is used to receive indication information sent by a second network function, and the indication information includes at least one of the following: first Related information of the terminal, related information of the second terminal, stop authentication instruction, authentication instruction; perform or stop performing the first operation according to the instruction information, the first operation includes: sending the first authentication related information to the first terminal information, the first authentication-related information is used by the first terminal to send to the second terminal; the second authentication-related information sent by the first terminal is received, and the second authentication-related information is sent from the first terminal to the second terminal; Received by the second terminal; sending the second authentication-related information to a third network function;

Alternatively, the communication interface is used to send instruction information to the first network function, and the instruction information includes at least one of the following: related information of the first terminal, related information of the second terminal, stop authentication instruction, authentication instruction ; The indication information is used for the execution or stop of the first network function to send first authentication related information to the first terminal, and the first authentication related information is used for the first terminal to send to the second terminal;

Alternatively, the processor is configured to execute an authentication process between the second terminal and the third network function, and the second terminal executes the authentication process through the first terminal and the third network function.

A fifteenth aspect provides a device authentication system, including: a terminal and a network side, the terminal includes a first terminal and a second terminal, and the network side includes a first network function, a second network function, and a third A network function, the terminal can be used to perform the device authentication described in the first aspect or the fifth aspect The steps of the device authentication method described in the second aspect, the third aspect or the fourth aspect can be executed by the network side.

In a sixteenth aspect, a readable storage medium is provided, where programs or instructions are stored on the readable storage medium, and when the programs or instructions are executed by a processor, the first aspect, the second aspect, the third aspect, and The steps of the method described in the fourth aspect or the fifth aspect.

In a seventeenth aspect, a chip is provided, the chip includes a processor and a communication interface, the communication interface is coupled to the processor, and the processor is used to run programs or instructions to implement the first aspect and the second Aspect, the step of the method described in the third aspect, the fourth aspect or the fifth aspect.

In an eighteenth aspect, a computer program/program product is provided, the computer program/program product is stored in a storage medium, and the computer program/program product is executed by at least one processor to implement the first aspect, the first The steps of the method described in the second aspect, the third aspect, the fourth aspect or the fifth aspect.

In this embodiment of the present application, the first terminal receives the first authentication-related information sent by the network side, and sends the first authentication-related information to the second terminal, and the first terminal receives the first authentication-related information sent by the second terminal. Two authentication-related information, and send the second authentication-related information to the network side, so that the second terminal (such as a non-3GPP terminal, that is, does not support the NAS protocol process) is realized through the first terminal (such as a personal Internet of Things gateway) device) for authentication.

Description of drawings

FIG. 1 shows a structural diagram of a communication system applicable to an embodiment of the present application;

FIG. 2 shows one of the schematic flow diagrams of the device authentication method in the embodiment of the present application;

FIG. 3 shows the second schematic flow diagram of the device authentication method in the embodiment of the present application;

FIG. 4 shows the third schematic flow diagram of the device authentication method in the embodiment of the present application;

FIG. 5 shows the fourth schematic flow diagram of the device authentication method according to the embodiment of the present application;

FIG. 6 shows the fifth schematic flow diagram of the device authentication method according to the embodiment of the present application;

FIG. 7 shows one of the module schematic diagrams of the device authentication device according to the embodiment of the present application;

FIG. 8 shows the second schematic diagram of the modules of the device authentication device according to the embodiment of the present application;

FIG. 9 shows a structural block diagram of a communication device according to an embodiment of the present application;

FIG. 10 shows a structural block diagram of a terminal in an embodiment of the present application;

Fig. 11 shows the third schematic diagram of the modules of the device authentication device according to the embodiment of the present application;

FIG. 12 shows the fourth schematic diagram of the modules of the device authentication device according to the embodiment of the present application;

Fig. 13 shows the fifth schematic diagram of the modules of the device authentication device according to the embodiment of the present application;

Fig. 14 represents one of the structural block diagrams of the network function of the embodiment of the present application;

FIG. 15 shows the second structural block diagram of the network function of the embodiment of the present application.

Detailed ways

The technical solutions in the embodiments of the present application will be clearly described below in conjunction with the drawings in the embodiments of the present application. Obviously, the described embodiments are part of the embodiments of the present application, but not all of them. All other embodiments obtained by persons of ordinary skill in the art based on the embodiments in this application belong to the protection scope of this application.

The terms "first", "second" and the like in the specification and claims of the present application are used to distinguish similar objects, and are not used to describe a specific sequence or sequence. It is to be understood that the terms so used are interchangeable under appropriate circumstances such that the embodiments of the application are capable of operation in sequences other than those illustrated or described herein and that "first" and "second" distinguish objects. It is usually one category, and the number of objects is not limited. For example, there may be one or more first objects. In addition, "and/or" in the description and claims means at least one of the connected objects, and the character "/" generally means that the related objects are an "or" relationship.

It is worth pointing out that the technology described in the embodiment of this application is not limited to the Long Term Evolution (Long Term Evolution, LTE)/LTE-Advanced (LTE-Advanced, LTE-A) system, and can also be used in other wireless communication systems, such as code Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Orthogonal Frequency Division Multiple Access, OFDMA), Single-carrier Frequency Division Multiple Access (Single-carrier Frequency Division Multiple Access, SC-FDMA) and other systems. The terms "system" and "network" in the embodiments of the present application are often used interchangeably, and the described technology can be used for the above-mentioned system and radio technology, and can also be used for other systems and radio technologies. The following description describes the New Radio (New Radio, NR) system for illustrative purposes, and uses NR terminology in most of the following descriptions, but these techniques can also be applied to applications other than NR system applications, such as the 6th generation (6th generation Generation, 6G) communication system.

It should be noted that in this application, the network side may also be referred to as a network side device.

Fig. 1 shows a block diagram of a wireless communication system to which the embodiment of the present application is applicable. The wireless communication system includes a terminal 11 and a network side device 12 . Wherein, the terminal 11 can be a mobile phone, a tablet computer (Tablet Personal Computer), a laptop computer (Laptop Computer) or a notebook computer, a personal digital assistant (Personal Digital Assistant, PDA), a palmtop computer, a netbook, a super mobile personal computer (ultra-mobile personal computer, UMPC), mobile Internet device (Mobile Internet Device, MID), augmented reality (augmented reality, AR) / virtual reality (virtual reality, VR) equipment, robot, wearable device (Wearable Device) , Vehicle User Equipment (VUE), Pedestrian User Equipment (PUE), smart home (home equipment with wireless communication functions, such as refrigerators, TVs, washing machines or furniture, etc.), game consoles, personal computers (personal computer, PC), teller machine or self-service machine and other terminal side devices, wearable devices include: smart watches, smart bracelets, smart headphones, smart glasses, smart jewelry (smart bracelets, smart bracelets, smart rings, smart necklaces, smart feet bracelets, smart anklets, etc.), smart wristbands, smart clothing, etc. It should be noted that, the embodiment of the present application does not limit the specific type of the terminal 11 . The network side device 12 may include an access network device or a core network device, where the access network device 12 may also be called a radio access network device, a radio access network (Radio Access Network, RAN), a radio access network function, or Wireless access network unit. The access network device 12 may include a base station, a wireless local area network (Wireless Local Area Network, WLAN) access point or a WiFi node, etc., and the base station may be called a node B, an evolved node B (eNB), an access point, or a base transceiver station (Base Transceiver Station, BTS), radio base station, radio transceiver, Basic Service Set (BSS), Extended Service Set (Extended Service Set, ESS), Home Node B, Home Evolved Node B, sending and receiving point (Transmitting Receiving Point, TRP) or some other appropriate term in the field, as long as the same technical effect is achieved, the base station is not limited to specific technical terms. It should be noted that in the embodiment of this application, only the NR system The base station in the example is introduced as an example, and the specific type of the base station is not limited. The core network equipment may include but not limited to at least one of the following: core network node, core network function, mobility management entity (Mobility Management Entity, MME), access mobility management function (Access and Mobility Management Function, AMF), session management function (Session Management Function, SMF), user plane function (User Plane Function, UPF), Policy Control Function (Policy Control Function, PCF), Policy and Charging Rules Function (PCRF), Edge Application Server Discovery Function (EASDF) , Unified Data Management (UDM), Unified Data Repository (UDR), Home Subscriber Server (HSS), Centralized network configuration (Centralized network configuration, CNC), network storage function ( Network Repository Function, NRF), Network Exposure Function (NEF), Local NEF (Local NEF, or L-NEF), Binding Support Function (Binding Support Function, BSF), Application Function (Application Function, AF) wait. It should be noted that, in the embodiment of the present application, only the core network equipment in the NR system is used as an example for introduction, and the specific type of the core network equipment is not limited.

In order to enable those skilled in the art to better understand the embodiments of the present application, the following descriptions are given first.

Personal IoT Network (PIN):

PIN is a group consisting of at least one PIN element (PIN Element, PINE), wherein at least one PIN element is a terminal (User Equipment, UE). PIN elements communicate with each other. Two PIN elements can communicate through a direct connection between them, or indirectly through a communication network.

A PIN element can be a 3rd Generation Partnership Project (3rd Generation Partnership Project, 3GPP) device (such as UE) or a non-3GPP device. Non-3GPP devices refer to devices that do not use credentials defined by 3GPP, devices that do not support NAS protocols defined by 3GPP, or devices that do not support 3GPP access technologies, such as third-generation mobile communication technology (3th-Generation, 3G)/fourth-generation mobile Communication technology (4th-Generation, 4G)/5G air interface technology, but only supports non-3GPP access technologies (such as WiFi, fixed network, Bluetooth and other access technologies).

One or more PIN elements with gateway capability (PIN Element With Gateway Capability, PEGC) can be included in one PIN. The PIN elements in the PIN can communicate with each other directly or through PEGC. The PIN element in the PIN can communicate with other devices or application servers outside the PIN through the PEGC. PEGC devices can be different types of devices. For example, PEGC can be a gateway in a smart home scenario, or a mobile phone as a gateway for wearable devices in a wearable device scenario.

The device authentication method provided by the embodiment of the present application will be described in detail below through some embodiments and application scenarios with reference to the accompanying drawings.

As shown in Figure 2, the embodiment of this application provides a device authentication method, including:

Step 201: The first terminal receives the first authentication related information sent by the network side, and sends the first authentication related information to the second terminal.

The above-mentioned first terminal is a terminal with gateway capability in the Personal Internet of Things, and the second terminal is a non-3GPP device or a Personal Internet of Things device. Optionally, the above-mentioned first terminal may also be a home gateway.

A direct connection is established between the first terminal and the second terminal, and the direct connection includes the following items:

Non-3GPP connection;

Sidelink PC5/Sidelink connection;

WiFi connection;

Bluetooth connection.

The aforementioned network side may also be described as a first network function, or a device capable of realizing the first network function, and the first network function may specifically be an access and mobility management function (Access and Mobility Management Function, AMF) or session management Function (Session Management Function, SMF). For example, the first authentication-related information is sent by the AMF or the SMF, and the second authentication-related information is sent by the second terminal and arrives at the AMF or the SMF.

Step 202: The first terminal receives the second authentication related information sent by the second terminal, and sends the second authentication related information to the network side.

In this embodiment of the present application, the first terminal receives the first authentication-related information sent by the network side, and sends the first authentication-related information to the second terminal, and the first terminal receives the second authentication-related information sent by the second terminal. Authentication-related information, and sending the second authentication-related information to the network side, so that the second terminal (such as a non-3GPP terminal, that is, that does not support the NAS protocol process) is implemented through the first terminal (such as a personal Internet of Things gateway) device) for the purpose of authentication.

Optionally, before receiving the first authentication-related information sent by the network side, the first terminal further performs at least one of the following:

an authentication process between the first terminal and the second terminal;

The first terminal configures a first IP address for the second terminal.

Optionally, the first authentication-related information is not protected.

Optionally, the method of the embodiment of the present application further includes:

When the first terminal receives the first authentication-related information sent by the network side, the first terminal stops initiating or stopping the authentication process between the first terminal and the second terminal.

Specifically, when the first terminal receives the first authentication-related information sent by the network side, if the first terminal is performing an authentication process between the first terminal and the second terminal , then the current authentication process may be continued, and after the current authentication process is completed, the execution of the authentication process between the first terminal and the second terminal may be stopped or initiated.

Optionally, after the first terminal sends the second authentication-related information to the network side, it further includes:

The first terminal sends a second Internet Protocol (Internet Protocol, IP) address to the second terminal, or the first terminal no longer executes the operation of configuring the IP address for the second terminal.

Optionally, the second IP address is indicated by the network side, or the second IP address is selected by the second terminal.

Here, the second IP address may be the same as the first IP address.

Optionally, the first authentication-related information or the second authentication-related information is information using an extensible authentication protocol (Extensible Authentication Protocol, EAP protocol).

For example, the above-mentioned first authentication-related information may specifically be an Extensible Identity Authentication Protocol Request-Identity EAP-req/Identity message, and the above-mentioned second authentication-related information may specifically be an EAP-res/Identity message.

Optionally, in this embodiment of the present application, the first authentication-related information received by the first terminal and sent by the network side is carried by a first non-access stratum NAS message, and the first terminal sends the network The second authentication-related information sent by the side is carried by a second non-access stratum NAS message;

The first authentication-related information sent by the first terminal to the second terminal is not carried in a non-access stratum NAS message, and the second authentication-related information sent by the second terminal received by the first terminal Information is not carried by non-access stratum NAS messages.

Optionally, the first authentication-related information sent by the first terminal to the second terminal is transmitted through a direct link layer protocol or a network key exchange protocol (Internet Key Exchange, IKE) Transmission, the second authentication-related information sent by the second terminal received by the first terminal is transmitted through a direct transmission link layer protocol or a network key exchange protocol IKE.

For example, the first authentication-related information received by the first terminal is carried in the NAS message, and the second authentication-related information received by the first terminal and the first authentication-related information sent to the second terminal are carried in the direct transmission link layer On the protocol (the protocol layer under the outermost IP protocol stack of the data message, such as the local area network (Local Area Network, LAN) network layer 2 protocol, Bluetooth connection layer 2 protocol, PC5 protocol).

Optionally, the first NAS message carries related information of the second terminal.

Optionally, the relevant information of the second terminal includes at least one of the following:

Control plane identification information, for example, the identification assigned by the network side to the second terminal or the identification assigned by the first terminal to the second terminal, or the identification configured by the second terminal;

User plane identification information.

The user plane identification information includes at least one of the following:

An IP address, where the IP address may be specifically assigned by the network side or assigned by the first terminal;

IP address and port number;

Media Access Control (MAC) address;

Direct connection information between the first terminal and the second terminal, optionally, the direct connection information includes a direct connection identifier between the first terminal and the second terminal, such as information identifying a connection under the MAC layer , Connection ID (Link ID), Transaction ID (Transaction ID), etc.

Optionally, the authentication process between the first terminal and the second terminal is carried by at least one of the following protocol messages:

Directly connected transmission link layer protocol (layer 2 protocol);

The network key exchange protocol IKE, here, the layer 2 authentication can be completed first, and then the layer 3 authentication carried by the IKE protocol can be completed.

As shown in Figure 3, the embodiment of the present application also provides a device authentication method, including:

Step 301: The first network function receives the instruction information sent by the second network function, and the instruction information includes at least one of the following: related information of the first terminal, related information of the second terminal, stop authentication instruction, authentication instruction .

The foregoing first network function may also be described as a first network element, and the first network function may specifically be an Access and Mobility Management Function (Access and Mobility Management Function, AMF) or a Session Management Function (Session Management Function, SMF).

The above-mentioned second network function may also be described as a second network element, for example, the second network function is a Network Exposure Function (Network Exposure Function, NEF) or an Application Function (Application Function, AF).

Non-3GPP connection;

Sidelink PC5/Sidelink connection;

WiFi connection;

Bluetooth connection.

Here, the first network function determines the identification information of the first terminal according to at least one of the related information of the first terminal and the related information of the second terminal.

Step 302: The first network function performs or stops performing the first operation according to the indication information.

For example, if the instruction information includes an authentication stop instruction, then the first network function stops performing the first operation, or if the instruction information includes an authentication instruction, then the first network function executes the first operation.

Wherein, the first operation includes:

Sending first authentication-related information to the first terminal, where the first authentication-related information is used by the first terminal to send to the second terminal.

The first network function receives the second authentication-related information sent by the first terminal, and the first The second authentication-related information is received by the first terminal from the second terminal.

The third network function here can be specifically unified data management entity (Unified Data Management, UDM), authentication service function (Authentication Server Function, AUSF) or verification, authorization and accounting (Authentication, Authorization, Accounting, AAA) equipment .

In this embodiment of the present application, the first network function receives the indication information sent by the second network function, so that the first network function can send the first authentication-related information to the first terminal according to the indication information, and the first The authentication-related information is used by the first terminal to send to the second terminal, and the first network function receives the second authentication-related information sent by the first terminal, and the second authentication-related information is sent by the first terminal from The second terminal receives, and the first network function sends the second authentication-related information to the third network function, so that the second terminal (such as a non-3GPP terminal, that is, a device that does not support the NAS protocol process) ) for the purpose of authentication.

Optionally, when the first network function performs the first operation, the first network function further performs at least one of the following:

instructing said third network function to stop key derivation or to stop sending key information;

Stop sending key information to the first terminal.

Optionally, the method in this embodiment of the present application, when the first network function performs the first operation, further includes:

The first network function forwards subsequent authentication-related information between the second terminal and the third network function, and the subsequent authentication-related information is used to perform a communication between the second terminal and the third network function certification.

Control plane identification information;

User plane identification information.

Optionally, the user plane identification information includes at least one of the following:

IP address;

IP address and port number;

MAC address;

Direct connection information between the first terminal and the second terminal.

It should be noted that the relevant information of the second terminal has been described in detail in the above-mentioned embodiment of the method at the side of the first terminal, and will not be repeated here.

Optionally, the first authentication related information sent by the first network function to the first terminal is carried by a first NAS message, and the second authentication sent by the first terminal received by the first network function Related information is carried by the second NAS message.

Optionally, the first authentication-related information or the second authentication-related information is EAP protocol information.

Optionally, the first authentication-related information is used to request an identifier of the first terminal.

In this embodiment of the present application, the first network function receives the instruction information sent by the second network function, and the first network function executes or stops performing the first operation according to the instruction information, for example, sends the first authentication to the first terminal Related information, the first authentication related information is used by the first terminal to send to the second terminal, the first network function receives the second authentication related information sent by the first terminal, the second authentication The relevant information is received by the first terminal from the second terminal, and the first network function sends the second authentication related information to the third network function, thereby realizing the authentication of the second terminal (such as a non-3GPP terminal, that is, Devices that do not support the NAS protocol process) for the purpose of authentication.

As shown in Figure 4, the embodiment of the present application also provides a device authentication method, including:

Step 401: The second network function sends instruction information to the first network function, and the instruction information includes at least one of the following items: related information of the first terminal, related information of the second terminal, an instruction to stop authentication, and an instruction to authenticate;

For example, if the indication information includes an indication of stopping authentication, the indication information is used for the first network function to stop executing and send the first authentication-related information to the first terminal. For another example, the indication information includes stopping authentication at least, Then the indication information is used for the first network function to send the first authentication related information to the first terminal.

Here, the second network function sends indication information to the first network function, so that the first network function The identification information of the first terminal can be determined according to the indication information, so as to send the first authentication related information to the first terminal, and make the first terminal send the first authentication related information to the second terminal.

In the embodiment of the present application, the above-mentioned second network function is a network exposure function (Network Exposure Function, NEF) or an application function (Application Function, AF).

Non-3GPP connection;

Sidelink PC5/Sidelink connection;

WiFi connection;

Bluetooth connection.

In this embodiment of the present application, the second network function sends indication information to the first network function, so that the first network function determines the identification information of the first terminal according to the indication information, thereby sends the first authentication-related information to the first terminal, and The first terminal is made to send the first authentication-related information to the second terminal, so as to accomplish the purpose of authenticating the second terminal (such as a non-3GPP terminal, that is, a device that does not support the NAS protocol process).

Optionally, the second authentication-related information is EAP information.

The second authentication-related information has been described in detail in the foregoing embodiments, and will not be repeated here.

As shown in Figure 5, the embodiment of the present application also provides a device authentication method, including:

Step 501: The third network function executes an authentication process between the second terminal and the third network function, and the second terminal executes the authentication process with the third network function through the first terminal.

Non-3GPP connection;

Sidelink PC5/Sidelink connection;

WiFi connection;

Bluetooth connection.

In this embodiment of the present application, the third network function executes the authentication process between the second terminal and the third network function, and the second terminal executes the authentication process through the first terminal and the third network function, thereby realizing The purpose of authenticating the second terminal (such as a non-3GPP terminal, that is, a device that does not support the NAS protocol process).

Optionally, the third network function performs at least one of the following during the authentication process or after the authentication process succeeds:

stop key derivation;

Stop sending key information to the first network function.

Optionally, before performing the authentication process, the third network function further includes:

The third network function receives second authentication-related information sent by the first network function, the second authentication-related information is received by the first network function from the first terminal, and the first terminal receives from the second terminal Received.

Specifically, after the first terminal sends the first authentication-related information to the second terminal, the second terminal sends the second authentication-related information to the first terminal, and after the first terminal receives the second authentication-related information sent by the second terminal, The second authentication-related information is sent to the first network function, and the first network function sends the second authentication-related information to the third network function.

Optionally, the third network function performs an authentication process between the second terminal and the third network function, including:

The third network function selects or uses the EAP protocol to perform the authentication based on at least one of the following: Certification process:

the information of the first network function, such as the third network function is based on information from the SMF instead of the AMF;

The second authentication-related information, for example, the second authentication-related information is sent using the EAP protocol.

The third network function receives an instruction from the first network function, and the third network function performs at least one of the following during the authentication process or after the authentication process is successful according to the instruction:

stop key derivation;

stop sending key information to said first network function;

The instructions include at least one of the following:

Information about the first network function, an instruction related to stopping key derivation or sending key information, and the second authentication-related information.

Optionally, the second authentication-related information is information of the EAP protocol.

Optionally, the selecting or using the EAP protocol to perform the authentication process includes:

When the second authentication-related information is information of the EAP protocol, the EAP protocol is selected to execute the authentication process.

As shown in Figure 6, the embodiment of the present application also provides a device authentication method, including:

Step 601: the second terminal completes the authentication process with the first terminal.

Step 602: After receiving the first authentication-related information from the first terminal, the second terminal sends to the first terminal second authentication-related information carrying a first identifier, wherein the first identifier is used to communicate with the first terminal. The network side executes the authentication process.

In the embodiment of the present application, the above-mentioned first terminal is a terminal capable of gateway in the Personal Internet of Things, and the second terminal is a non-3GPP device or a Personal Internet of Things device. Optionally, the above-mentioned first terminal may also be a home gateway.

Non-3GPP connection;

Sidelink PC5/Sidelink connection;

WiFi connection;

Bluetooth connection.

In this embodiment of the application, after the second terminal completes the authentication process with the first terminal, it receives the first authentication-related information from the first terminal, and sends the second authentication-related information carrying the first identifier to the first terminal. Information, so that the subsequent network side can perform the authentication process on the second terminal based on the first identifier, so as to achieve the purpose of authenticating the second terminal (such as a non-3GPP terminal, that is, a device that does not support the NAS protocol process).

The second terminal stops key derivation during the authentication process with the network side or after successfully completing the authentication process with the network side.

The second terminal completes the authentication process with the first terminal by using the second identifier.

The second identifier may be the same as or different from the first identifier.

The second terminal uses the first identifier based on the security protection of the first authentication-related information.

Optionally, the second terminal using the first identifier based on the security protection of the first authentication-related information includes:

When the first authentication-related information is for security protection, the second terminal uses the first identifier.

The device authentication method provided in the embodiment of the present application may be executed by a device authentication device. Book In the embodiment of the application, the device authentication method performed by the device authentication device is taken as an example to illustrate the device authentication device provided in the embodiment of the present application.

As shown in Figure 7, the embodiment of the present application provides a device authentication apparatus 700, which is applied to the first terminal, including:

The first transceiver module 701 is configured to receive the first authentication-related information sent by the network side, and send the first authentication-related information to the second terminal;

The second transceiving module 702 is configured to receive the second authentication related information sent by the second terminal, and send the second authentication related information to the network side.

Optionally, the device of the embodiment of the present application further includes:

The third processing module is configured to perform at least one of the following before the first transceiver module receives the first authentication-related information sent by the network side:

an authentication process between the first terminal and the second terminal;

The first terminal configures a first IP address for the second terminal.

Optionally, the first authentication-related information is not protected.

The fourth processing module is configured to, when the first terminal receives the first authentication-related information sent by the network side, stop the first terminal from initiating or stop executing the communication between the first terminal and the second Authentication process between endpoints.

The fifth processing module is configured to send the second IP address from the first terminal to the second terminal after the second transceiver module sends the second authentication-related information to the network side, or the first terminal sends the second IP address to the second terminal, or the first The terminal no longer performs the operation of configuring the IP address for the second terminal.

Optionally, the first authentication-related information or the second authentication-related information is information using an Extensible Authentication Protocol (EAP) protocol.

Optionally, the first authentication-related information sent by the network side received by the first terminal is carried in a first non-access stratum NAS message, and the first authentication-related information sent by the first terminal to the network side 2. Authentication-related information is carried by a second non-access stratum NAS message;

Optionally, the first authentication-related information sent by the first terminal to the second terminal is transmitted through a direct link layer protocol or a network key exchange protocol IKE, and the first terminal receives the The second authentication-related information sent by the second terminal is transmitted through the direct link layer protocol or the network key exchange protocol IKE.

Control plane identification information;

User plane identification information.

IP address;

IP address and port number;

MAC address;

Directly connected to the transport link layer protocol;

Network key exchange protocol IKE.

Optionally, a direct connection is established between the first terminal and the second terminal, and the direct connection includes the following item:

Non-3GPP connection;

Sidelink PC5 connection;

WiFi connection;

Bluetooth connection.

Optionally, the first terminal is a terminal capable of gateway in the Personal Internet of Things, and the second terminal is a non-3GPP device or a Personal Internet of Things device.

In this embodiment of the application, the first terminal receives the first authentication-related information sent by the network side, and sends The first authentication-related information is sent to the second terminal, the first terminal receives the second authentication-related information sent by the second terminal, and sends the second authentication-related information to the network side, thereby realizing The purpose of authenticating the second terminal (such as a non-3GPP terminal, that is, a device that does not support the NAS protocol process) through the first terminal (such as a personal Internet of Things gateway).

As shown in Figure 8, the embodiment of the present application also provides a device authentication device 800, which is applied to the second terminal, and the device includes:

The second processing module 801 is used for the second terminal to complete the authentication process with the first terminal;

The sixth transceiver module 802 is configured to send the second authentication-related information carrying the first identifier to the first terminal after the second terminal receives the first authentication-related information from the first terminal, wherein the first An identity is used to perform an authentication process with the network side.

The sixth processing module is used for the second terminal to stop key derivation during the authentication process with the network side or after successfully completing the authentication process with the network side.

A seventh processing module, configured to use the second identifier to complete the authentication process with the first terminal.

An eighth processing module, configured to use the first identifier based on the security protection status of the first authentication-related information.

Optionally, the eighth processing module is configured to use the first identifier by the second terminal when the first authentication-related information is for security protection.

The device authentication apparatus in the embodiment of the present application may be an electronic device, such as an electronic device with an operating system, or a component in the electronic device, such as an integrated circuit or a chip. The electronic device may be a terminal, or other devices other than the terminal. Exemplary, the terminal can include but It is not limited to the type of the terminal 11 listed above, and other devices may be a server, a network attached storage (Network Attached Storage, NAS), etc., which are not specifically limited in this embodiment of the present application.

The device authentication device provided in the embodiment of the present application can realize each process realized by the method embodiment in FIG. 2 or FIG. 6 , and achieve the same technical effect. To avoid repetition, details are not repeated here.

Optionally, as shown in FIG. 9 , this embodiment of the present application also provides a communication device 900, including a processor 901 and a memory 902, and the memory 902 stores programs or instructions that can run on the processor 901, such as When the communication device 900 is the first terminal, when the program or instruction is executed by the processor 901, each step of the above embodiment of the device authentication method applied to the first terminal can be implemented, and the same technical effect can be achieved. When the communication device 900 is the second terminal, when the program or instruction is executed by the processor 901, each step of the above embodiment of the device authentication method applied to the second terminal can be implemented, and the same technical effect can be achieved. When the communication device 900 is a network function (such as a first network function, a second network function, or a third network function), when the program or instruction is executed by the processor 901, the above embodiment of the device authentication method applied to the network function is implemented. Each step can achieve the same technical effect, so in order to avoid repetition, it will not be repeated here.

The embodiment of the present application also provides a terminal, including a processor and a communication interface, the communication interface is used to receive the first authentication-related information sent by the network side, and send the first authentication-related information to the second terminal; receive the The second terminal sends the second authentication-related information, and sends the second authentication-related information to the network side.

The embodiment of the present application also provides a terminal, including a processor and a communication interface, the processor is used to complete the authentication process with the first terminal; the communication interface is used to receive the first authentication-related information from the first terminal, Sending the second authentication-related information carrying the first identifier to the first terminal, where the first identifier is used to perform an authentication process with the network side.

This terminal embodiment corresponds to the above-mentioned terminal-side method embodiment, and each implementation process and implementation mode of the above-mentioned method embodiment can be applied to this terminal embodiment, and can achieve the same technical effect. Specifically, FIG. 10 is a schematic diagram of a hardware structure of a terminal implementing an embodiment of the present application.

The terminal 1000 includes, but is not limited to: a radio frequency unit 1001, a network module 1002, an audio output unit 1003, an input unit 1004, a sensor 1005, a display unit 1006, a user input unit 1007, an interface unit 1008, a memory 1009, and a processor 1010. At least some parts.

Those skilled in the art can understand that the terminal 1000 may also include a power supply for supplying power to each component (such as a battery), the power supply can be logically connected to the processor 1010 through the power management system, so that functions such as management of charging, discharging, and power consumption management can be realized through the power management system. The terminal structure shown in FIG. 10 does not constitute a limitation on the terminal, and the terminal may include more or fewer components than shown in the figure, or combine certain components, or arrange different components, which will not be repeated here.

It should be understood that, in the embodiment of the present application, the input unit 1004 may include a graphics processing unit (Graphics Processing Unit, GPU) 10041 and a microphone 10042, and the graphics processor 10041 can be used by the image capture device ( Such as the image data of the still picture or video obtained by the camera) for processing. The display unit 1006 may include a display panel 10061, and the display panel 10061 may be configured in the form of a liquid crystal display, an organic light emitting diode, or the like. The user input unit 1007 includes at least one of a touch panel 10071 and other input devices 10072 . The touch panel 10071 is also called a touch screen. The touch panel 10071 may include two parts, a touch detection device and a touch controller. Other input devices 10072 may include, but are not limited to, physical keyboards, function keys (such as volume control buttons, switch buttons, etc.), trackballs, mice, and joysticks, which will not be repeated here.

In the embodiment of the present application, after the radio frequency unit 1001 receives the downlink data from the network side device, it may transmit it to the processor 1010 for processing; in addition, the radio frequency unit 1001 may send the uplink data to the network side device. Generally, the radio frequency unit 1001 includes, but is not limited to, an antenna, an amplifier, a transceiver, a coupler, a low noise amplifier, a duplexer, and the like.

The memory 1009 can be used to store software programs or instructions as well as various data. The memory 1009 may mainly include a first storage area for storing programs or instructions and a second storage area for storing data, wherein the first storage area may store an operating system, an application program or instructions required by at least one function (such as a sound playing function, image playback function, etc.), etc. Furthermore, memory 1009 may include volatile memory or nonvolatile memory, or, memory 1009 may include both volatile and nonvolatile memory. Wherein, the non-volatile memory may be a read-only memory (Read-Only Memory, ROM), a programmable read-only memory (Programmable ROM, PROM), an erasable programmable read-only memory (Erasable PROM, EPROM), an electronically programmable Erase Programmable Read-Only Memory (Electrically EPROM, EEPROM) or Flash. Volatile memory can be random access memory (Random Access Memory, RAM), static random access memory (Static RAM, SRAM), dynamic random access memory (Dynamic RAM, DRAM), synchronous dynamic random access memory (Synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (Double Data Rate SDRAM, DDRSDRAM), enhanced synchronous dynamic random access memory (Enhanced SDRAM, ESDRAM), synchronous connection dynamic random access memory (Synch link DRAM , SLDRAM) and Direct Memory Bus Random Access Memory (Direct Rambus RAM, DRRAM). The memory 1009 in the embodiment of the present application includes but is not limited to these and any other suitable types of memory.

The processor 1010 may include one or more processing units; optionally, the processor 1010 integrates an application processor and a modem processor, wherein the application processor mainly processes operations related to the operating system, user interface, and application programs, etc., Modem processors mainly process wireless communication signals, such as baseband processors. It can be understood that the foregoing modem processor may not be integrated into the processor 1010 .

In an embodiment of the present application, the radio frequency unit 1001 is configured to receive the first authentication-related information sent by the network side, and send the first authentication-related information to the second terminal; receive the first authentication-related information sent by the second terminal; 2. Authentication related information, and sending the second authentication related information to the network side.

Optionally, the processor 1010 is configured to perform at least one of the following:

an authentication process between the first terminal and the second terminal;

The first terminal configures a first IP address for the second terminal.

Optionally, the first authentication-related information is not protected.

Optionally, the processor 1010 is configured to, when the first terminal receives the first authentication-related information sent by the network side, stop initiating or stopping execution of the communication between the first terminal and the second terminal. authentication process.

Optionally, the processor 1010 is configured to send the second IP address to the second terminal through the radio frequency unit, or the operation of configuring the IP address for the second terminal is no longer performed.

Control plane identification information;

User plane identification information.

IP address;

IP address and port number;

MAC address;

Directly connected to the transport link layer protocol;

Network key exchange protocol IKE.

Non-3GPP connection;

Sidelink PC5 connection;

WiFi connection;

Bluetooth connection.

In yet another embodiment of the present application, the processor 1010 is configured to complete authentication with the first terminal Process; the radio frequency unit 1001 is configured to send the second authentication-related information carrying the first identification to the first terminal after receiving the first authentication-related information from the first terminal, wherein the first identification is used to communicate with the network The authentication process is performed on the side.

Optionally, the processor 1010 is configured to stop the key derivation during the authentication process with the network side or after successfully completing the authentication process with the network side.

Optionally, the processor 1010 is configured to use the second identifier to complete an authentication process with the first terminal.

Optionally, the processor 1010 is configured to use the first identifier based on a security protection situation of the first authentication-related information.

Optionally, the processor 1010 is configured to, when the first authentication-related information is for security protection, use the first identifier by the second terminal.

As shown in Figure 11, the embodiment of the present application also provides a device authentication device 1100, which is applied to the first network function, and the device includes:

The third transceiver module 1101 is configured to receive the indication information sent by the second network function, the indication information includes at least one of the following: related information of the first terminal, related information of the second terminal, indication of stopping authentication, authentication instruct;

The fourth transceiver module 1102 is configured to perform or stop performing a first operation according to the indication information, the first operation includes:

Send the second authentication-related information to a third network function.

The ninth processing module is configured to perform at least one of the following when the fourth transceiver module performs the first operation:

Stop sending key information to the first terminal.

A first forwarding module, configured to forward subsequent authentication-related information between the second terminal and the third network function when the fourth transceiver module performs the first operation, the subsequent authentication-related information is used for performing authentication between the second terminal and the third network function.

Control plane identification information;

User plane identification information.

IP address;

IP address and port number;

MAC address;

In this embodiment of the present application, the first network function receives the indication information sent by the second network function, so that the first network function can send the first authentication-related information to the first terminal according to the indication information, and the first The authentication-related information is used by the first terminal to send to the second terminal, and the first network function receives the second authentication-related information sent by the first terminal, and the second authentication-related information is sent by the first terminal from received by the second terminal, the first network function sends the second authentication The certificate-related information is sent to the third network function, thereby achieving the purpose of authenticating the second terminal (such as a non-3GPP terminal, that is, a device that does not support the NAS protocol process).

As shown in Figure 12, the embodiment of the present application also provides a device authentication device 1200, which is applied to the second network function, and the device includes:

The fifth transceiver module 1201 is configured to send instruction information to the first network function, where the instruction information includes at least one of the following: related information of the first terminal, related information of the second terminal, stop authentication instruction, and authentication instruction ;

Optionally, the device in this embodiment of the present application further includes: a first determining module, configured to determine the indication information.

Optionally, the first authentication-related information is EAP information.

As shown in Figure 13, the embodiment of the present application also provides a device authentication apparatus 1300, which is applied to the third network function, including:

The first processing module 1301 is configured to execute an authentication process between the second terminal and the third network function, and the second terminal executes the authentication process through the first terminal and the third network function.

stop key derivation;

Stop sending key information to the first network function.

A seventh transceiver module, configured to receive second authentication-related information sent by the first network function, the second authentication-related information is received by the first network function from the first terminal, and the first terminal terminal received from the second terminal.

Optionally, the first processing module is configured to select or use the EAP protocol to perform the authentication process based on at least one of the following:

information about the capabilities of the first network;

The second authentication-related information.

An eighth transceiver module, configured to receive an instruction from the first network function;

A tenth processing module, configured to perform at least one of the following during the authentication process or after the authentication process succeeds according to the instruction:

stop key derivation;

stop sending key information to said first network function;

The instructions include at least one of the following:

Optionally, the first processing module is configured to select an EAP protocol to execute the authentication process when the second authentication-related information is information of an EAP protocol.

The embodiment of the present application also provides a network function (which can also be described as a network side device), including a processor and a communication interface, the communication interface is used to receive instruction information sent by the second network function, and the instruction information includes at least one of the following Items: related information of the first terminal, related information of the second terminal, stop authentication instruction, authentication instruction; perform or stop performing the first operation according to the instruction information, and the first operation includes: sending to the first terminal First authentication-related information, the first authentication-related information is used by the first terminal to send to the second terminal; receiving second authentication-related information sent by the first terminal, the second authentication-related information is Received by the first terminal from the second terminal; sending the second authentication-related information to a third network function.

Alternatively, the communication interface is used to send instruction information to the first network function, and the instruction information includes at least one of the following: related information of the first terminal, related information of the second terminal, stop authentication instruction, authentication instruction ; The indication information is used for the execution or stop of the first network function to send first authentication related information to the first terminal, and the first authentication related information is used for the first terminal to send to the second terminal.

This network function embodiment corresponds to the above network function method embodiment, and each implementation process and implementation mode of the above method embodiment can be applied to this network function embodiment, and can achieve the same technical effect.

Specifically, the embodiment of the present application also provides a network function (that is, the above-mentioned first network function, second network function or third network function), as shown in FIG. 14 , the network function 1400 includes: an antenna 141, a radio frequency device 142 , baseband device 143 , processor 144 and memory 145 . The antenna 141 is connected to the radio frequency device 142 . In the uplink direction, the radio frequency device 142 receives information through the antenna 141, and sends the received information to the baseband device 143 for processing. In the downlink direction, the baseband device 143 processes the information to be sent and sends it to the radio frequency device 142 , and the radio frequency device 142 processes the received information and sends it out through the antenna 141 .

The method for executing the network function in the above embodiments may be implemented in the baseband device 143, where the baseband device 143 includes a baseband processor.

The baseband device 143 can include at least one baseband board, for example, a plurality of chips are arranged on the baseband board, as shown in FIG. The program executes the network device operations shown in the above method embodiments.

The network function may also include a network interface 146, such as a common public radio interface (CPRI).

Specifically, the network function 1400 in this embodiment of the present invention also includes: instructions or programs stored in the memory 145 and operable on the processor 144, and the processor 144 calls the instructions or programs in the memory 145 to execute FIG. 11 , 12 or 13 The methods executed by each module shown in the figure achieve the same technical effect, so in order to avoid repetition, they are not repeated here.

Specifically, the embodiment of the present application further provides a network function (the above-mentioned first network function, second network function, or third network function). As shown in FIG. 15 , the network function 1500 includes: a processor 1501 , a network interface 1502 and a memory 1503 . Wherein, the network interface 1502 is, for example, a common public radio interface (common public radio interface, CPRI).

Specifically, the network function 1500 in this embodiment of the present invention also includes: instructions or programs stored in the memory 1503 and operable on the processor 1501, and the processor 1501 invokes the instructions or programs in the memory 1503 to execute FIG. 11 , 12 or 13 The methods executed by each module shown in the figure achieve the same technical effect, so in order to avoid repetition, they are not repeated here.

The embodiment of the present application also provides a readable storage medium, the readable storage medium stores a program or an instruction, and when the program or instruction is executed by a processor, each process of the above embodiment of the device authentication method is implemented, and can achieve The same technical effects are not repeated here to avoid repetition.

Wherein, the processor is the processor in the terminal described in the foregoing embodiments. The readable storage medium includes a computer-readable storage medium, such as a computer read-only memory ROM, a random access memory RAM, a magnetic disk or an optical disk, and the like.

The embodiment of the present application further provides a chip, the chip includes a processor and a communication interface, the communication interface is coupled to the processor, and the processor is used to run programs or instructions to implement the above embodiment of the device authentication method Each process, and can achieve the same technical effect, in order to avoid repetition, will not repeat them here.

It should be understood that the chip mentioned in the embodiment of the present application may also be called a system-on-chip, a system-on-chip, a system-on-a-chip, or a system-on-a-chip.

The embodiment of the present application further provides a computer program/program product, the computer program/program product is stored in a storage medium, and the computer program/program product is executed by at least one processor to implement the above device authentication method Each process of the example, and can achieve the same technical effect, in order to avoid repetition, will not repeat them here.

The embodiment of the present application also provides a device authentication system, including: a terminal and a network side, the terminal includes a first terminal and a second terminal, and the network side includes a first network function, a second network function, and a third A network function, the terminal can be used to perform the above-mentioned steps of the device authentication method applied to the first terminal or the second terminal, and each network function in the network side can be used to perform the above-mentioned steps applied to the first terminal Device authentication method for network function, second network function or third network function A step of.

It should be noted that, in this document, the term "comprising", "comprising" or any other variation thereof is intended to cover a non-exclusive inclusion such that a process, method, article or apparatus comprising a set of elements includes not only those elements, It also includes other elements not expressly listed, or elements inherent in the process, method, article, or device. Without further limitations, an element defined by the phrase "comprising a ..." does not preclude the presence of additional identical elements in the process, method, article, or apparatus comprising that element. In addition, it should be pointed out that the scope of the methods and devices in the embodiments of the present application is not limited to performing functions in the order shown or discussed, and may also include performing functions in a substantially simultaneous manner or in reverse order according to the functions involved. Functions are performed, for example, the described methods may be performed in an order different from that described, and various steps may also be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.

Through the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is better implementation. Based on such an understanding, the technical solution of the present application can be embodied in the form of computer software products, which are stored in a storage medium (such as ROM/RAM, magnetic disk, etc.) , CD-ROM), including several instructions to make a terminal (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) execute the methods described in the various embodiments of the present application.

The embodiments of the present application have been described above in conjunction with the accompanying drawings, but the present application is not limited to the above-mentioned specific implementations. The above-mentioned specific implementations are only illustrative and not restrictive. Those of ordinary skill in the art will Under the inspiration of this application, without departing from the purpose of this application and the scope of protection of the claims, many forms can also be made, all of which belong to the protection of this application.

Claims

A device authentication method, comprising:

The first terminal receives the first authentication-related information sent by the network side, and sends the first authentication-related information to the second terminal;

The first terminal receives the second authentication related information sent by the second terminal, and sends the second authentication related information to the network side.
The method according to claim 1, wherein, before the first terminal receives the first authentication-related information sent by the network side, it further performs at least one of the following:

an authentication process between the first terminal and the second terminal;

The first terminal configures a first IP address for the second terminal.
The method according to claim 1, wherein the first authentication-related information is not protected.
The method according to claim 1, further comprising:

When the first terminal receives the first authentication-related information sent by the network side, the first terminal stops initiating or stopping the authentication process between the first terminal and the second terminal.
The method according to claim 1, wherein after the first terminal sends the second authentication-related information to the network side, further comprising:

The first terminal sends the second IP address to the second terminal, or the first terminal no longer performs the operation of configuring the IP address for the second terminal.
The method according to claim 5, wherein the second IP address is indicated by the network side, or the second IP address is selected by the second terminal.
The method according to claim 1, wherein the first authentication-related information or the second authentication-related information is information using an Extensible Authentication Protocol (EAP) protocol.
The method according to claim 1, wherein,

The first authentication-related information sent by the network side received by the first terminal is carried in a first non-access stratum NAS message, and the second authentication-related information sent by the first terminal to the network side carried by the second non-access stratum NAS message;

The first authentication-related information sent by the first terminal to the second terminal is not carried in a non-access stratum NAS message, and the second authentication-related information sent by the second terminal received by the first terminal Information is not carried by non-access stratum NAS messages.
The method according to claim 1, wherein the first authentication-related information sent by the first terminal to the second terminal is transmitted through a direct link layer protocol or a network key exchange protocol (IKE), and the The second authentication-related information sent by the second terminal received by the first terminal is transmitted through a direct link layer protocol or a network key exchange protocol IKE.
The method according to claim 8, wherein the first NAS message carries related information of the second terminal.
The method according to claim 10, wherein the relevant information of the second terminal includes at least one of the following:

Control plane identification information;

User plane identification information.
The method according to claim 11, wherein the user plane identification information includes at least one of the following:

IP address;

IP address and port number;

MAC address;

Direct connection information between the first terminal and the second terminal.
The method according to claim 2, wherein the authentication process between the first terminal and the second terminal is carried by at least one of the following protocol messages:

Directly connected to the transport link layer protocol;

Network key exchange protocol IKE.
The method according to claim 1, wherein a direct connection is established between the first terminal and the second terminal, and the direct connection includes one of the following items:

Non-3GPP connection;

Sidelink PC5 connection;

WiFi connection;

Bluetooth connection.
The method according to claim 1, wherein the first terminal is a terminal capable of gateway in the Personal Internet of Things, and the second terminal is a non-3GPP device or a Personal Internet of Things device.
A device authentication method, comprising:

The first network function receives the indication information sent by the second network function, and the indication information includes at least one of the following: related information of the first terminal, related information of the second terminal, an indication of stopping authentication, and an indication of authentication;

The first network function performs or stops performing a first operation according to the instruction information, and the first operation includes:

Sending first authentication-related information to the first terminal, where the first authentication-related information is used by the first terminal to send to the second terminal;

The first network function receives second authentication-related information sent by the first terminal, where the second authentication-related information is received by the first terminal from the second terminal;

The first network function sends the second authentication-related information to a third network function.
The method according to claim 16, wherein, where the first network function performs the first operation, the first network function further performs at least one of the following:

instructing said third network function to stop key derivation or to stop sending key information;

Stop sending key information to the first terminal.
The method according to claim 16, wherein, in case the first network function performs the first operation, further comprising:

The first network function forwards subsequent authentication-related information between the second terminal and the third network function, and the subsequent authentication-related information is used to perform a communication between the second terminal and the third network function certification.
The method according to claim 16, wherein the relevant information of the second terminal includes at least one of the following:

Control plane identification information;

User plane identification information.
The method according to claim 19, wherein the user plane identification information includes at least one of the following:

IP address;

IP address and port number;

MAC address;

Direct connection information between the first terminal and the second terminal.
The method according to claim 16, wherein the first authentication-related information sent by the first network function to the first terminal is carried by a first NAS message, and the first authentication-related information received by the first network function The second authentication-related information sent by a terminal is carried in a second NAS message.
The method according to claim 21, wherein the first NAS message carries related information of the second terminal.
The method according to claim 16, wherein the first authentication-related information or the second authentication-related information is information of an EAP protocol.
The method according to claim 16, wherein the first authentication-related information is used to request an identification of the first terminal.
A device authentication method, comprising:

The second network function sends instruction information to the first network function, and the instruction information includes at least one of the following: related information of the first terminal, related information of the second terminal, stop authentication instruction, and authentication instruction;

The indication information is used to send the first authentication-related information to the first terminal when the first network function is executed or stopped, and the first authentication-related information is used for the first terminal to send to the second terminal.
The method according to claim 25, wherein the first authentication-related information is EAP information.
A device authentication method, comprising:

The third network function executes an authentication process between the second terminal and the third network function, and the second terminal executes the authentication process with the third network function through the first terminal.
The method of claim 27, wherein the third network function performs at least one of the following during or after the authentication process is successful:

stop key derivation;

Stop sending key information to the first network function.
The method of claim 27, wherein said third network function performs said Before the certification process, also include:

The third network function receives second authentication-related information sent by the first network function, the second authentication-related information is received by the first network function from the first terminal, and the first terminal receives from the second terminal Received.
The method according to claim 29, wherein the third network function performs an authentication process between the second terminal and the third network function, comprising:

The third network function selects or uses the EAP protocol to perform the authentication process based on at least one of the following:

information about the capabilities of the first network;

The second authentication-related information.
The method according to claim 27 or 29, further comprising:

The third network function receives an instruction from the first network function, and the third network function performs at least one of the following during the authentication process or after the authentication process is successful according to the instruction:

stop key derivation;

stop sending key information to said first network function;

The instructions include at least one of the following:

Information about the first network function, an instruction related to stopping key derivation or sending key information, and the second authentication-related information.
The method according to claim 29 or 31, wherein the second authentication-related information is information of the EAP protocol.
The method according to claim 30, wherein said selecting or using the EAP protocol to perform said authentication process comprises:

When the second authentication-related information is information of the EAP protocol, the EAP protocol is selected to execute the authentication process.
A device authentication method, comprising:

The second terminal completes the authentication process with the first terminal;

After receiving the first authentication-related information from the first terminal, the second terminal sends to the first terminal second authentication-related information carrying a first identifier, wherein the first identifier is used to communicate with the network side to perform Authentication process.
The method of claim 34, further comprising:

The second terminal stops key derivation during the authentication process with the network side or after successfully completing the authentication process with the network side.
The method of claim 34, further comprising:

The second terminal completes the authentication process with the first terminal by using the second identifier.
The method of claim 34, further comprising:

The second terminal uses the first identifier based on the security protection of the first authentication-related information.
The method according to claim 37, wherein the second terminal uses the first identification based on the security protection of the first authentication-related information, comprising:

When the first authentication-related information is for security protection, the second terminal uses the first identifier.
The method according to claim 34, wherein the first authentication related information is used to request the identification of the first terminal.
A device authentication device, comprising:

The first transceiver module is configured to receive the first authentication-related information sent by the first network function, and send the first authentication-related information to the second terminal;

The second transceiver module is configured to receive the second authentication-related information sent by the second terminal, and send the second authentication-related information to the first network function.
A device authentication device, comprising:

The third transceiver module is configured to receive the instruction information sent by the second network function, the instruction information includes at least one of the following: related information of the first terminal, related information of the second terminal, stop authentication instruction, authentication instruction ;

The fourth transceiver module is configured to perform or stop performing a first operation according to the indication information, and the first operation includes:

Sending first authentication-related information to the first terminal, where the first authentication-related information is used by the first terminal to send to the second terminal;

receiving second authentication-related information sent by the first terminal, where the second authentication-related information is received by the first terminal from the second terminal;

Send the second authentication-related information to a third network function.
A device authentication device, comprising:

The fifth transceiver module is configured to send instruction information to the first network function, where the instruction information includes at least one of the following: related information of the first terminal, related information of the second terminal, stop authentication instruction, and authentication instruction;

The indication information is used to send the first authentication-related information to the first terminal when the first network function is executed or stopped, and the first authentication-related information is used for the first terminal to send to the second terminal.
A device authentication device, comprising:

The first processing module is configured to execute an authentication process between the second terminal and the third network function, and the second terminal executes the authentication process through the first terminal and the third network function.
A device authentication device, comprising:

The second processing module is used to complete the authentication process with the first terminal;

The sixth transceiver module is configured to receive the first authentication-related information from the first terminal, and send the second authentication-related information carrying the first identification to the first terminal, wherein the first identification is used to communicate with the network side Execute the authentication process.
A terminal, including a processor and a memory, the memory stores programs or instructions that can run on the processor, and when the programs or instructions are executed by the processor, the process described in any one of claims 1 to 15 is implemented. The steps of the device authentication method described above, or the steps of the device authentication method described in any one of claims 34 to 39.
A network function, including a processor and a memory, the memory stores programs or instructions that can run on the processor, and when the programs or instructions are executed by the processor, any one of claims 16 to 24 is implemented The steps of the device authentication method, or, realizing the steps of the device authentication method according to any one of claims 25 to 26, or, realizing the device authentication according to any one of claims 27 to 33 method steps.
A readable storage medium, on which a program or instruction is stored, and when the program or instruction is executed by a processor, the steps of the device authentication method according to any one of claims 1 to 15 are implemented, or , realizing the steps of the device authentication method according to any one of claims 16 to 24, or, realizing the steps of the device authentication method according to any one of claims 25 to 26, or, Realize the steps of the device authentication method according to any one of claims 27 to 33, or realize the steps of the device authentication method according to any one of claims 34 to 39.