WO2023197273A1 - Authentication method and device - Google Patents
- Publication number: WO2023197273A1 (application PCT/CN2022/086929)
- Authority: WO (WIPO, PCT)
- Prior art keywords: network element, authentication, amf, amf network, ausf
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Definitions
- the present disclosure relates to the field of mobile communication technology, and in particular to an authentication method and device.
- In the mobile network communication system, the user equipment (User Equipment, UE) can initiate a network authentication process to achieve two-way authentication between the UE side and the network side and to provide the information required for subsequent security processes, such as the Authentication Server Function (AUSF) network element key.
- the network side does not have a mechanism to trigger the network authentication process for the UE. Therefore, when the information required for the security process needs to be updated, the UE may fail to initiate the network authentication process in time, which causes interruption of network services.
- the present disclosure proposes an authentication method and device, and provides a mechanism for triggering the network authentication process on the UE from the network side, thereby greatly improving the continuity and security of network services.
- the first aspect embodiment of the present disclosure provides an authentication method, which is executed by an AUSF network element.
- the method includes: sending an Access and Mobility Management Function (AMF) network element information acquisition request to a Unified Data Management (UDM) network element, wherein the AMF network element information acquisition request includes the identification of the UE corresponding to the AUSF network element; receiving the AMF network element information acquisition response fed back by the UDM network element, wherein the AMF network element information acquisition response is used to indicate the AMF network element that provides services for the UE; and sending an authentication notification message to the AMF network element, wherein the authentication notification message includes the identity of the UE, and the authentication notification message is used to notify the AMF network element to perform a network authentication process on the UE.
- AMF: Access and Mobility Management Function
- UDM: Unified Data Management
- the authentication notification message also includes access type information.
- the access type information is used to indicate the access type applicable to the initiated network authentication process.
- the access type includes 3rd Generation Partnership Project (3GPP) access and/or non-3GPP access.
- the authentication notification message also includes an authentication reason for the AUSF network element to send the authentication notification message.
- the authentication reason includes at least one of the following: the roaming manipulation count reaches an upper limit; and the UE parameter update count reaches an upper limit.
- the authentication notification message also includes a confirmation request indication for requesting an authentication notification confirmation message from the AMF network element, and the authentication notification confirmation message is used to indicate that the AMF network element has requested the UE to perform the network authentication process.
- the method further includes: after confirming that the network authentication process is completed, generating a new AUSF network element key, and resetting the roaming manipulation count and the UE parameter update count.
- An embodiment of the second aspect of the present disclosure provides an authentication method, which is executed by a UDM network element.
- the method includes: receiving an AMF network element information acquisition request from an AUSF network element, wherein the AMF network element information acquisition request includes the identification of the UE corresponding to the AUSF network element; and, according to the identification of the UE, feeding back an AMF network element information acquisition response to the AUSF network element, wherein the AMF network element information acquisition response is used to indicate the AMF network element that provides services for the UE and is able to perform a network authentication process on the UE.
- a third aspect embodiment of the present disclosure provides an authentication method, which is executed by an AMF network element. The method includes: receiving an authentication notification message from the Authentication Server Function (AUSF) network element, wherein the authentication notification message includes the identification of the UE, and the authentication notification message is used to notify the AMF network element to perform a network authentication process on the UE; sending an authentication request to the UE through the Non-Access Stratum (NAS) connection between the AMF network element and the UE, where the authentication request is used to request the UE to perform the network authentication process; and receiving an authentication response fed back by the UE, where the authentication response includes the information required to perform the network authentication process.
- NAS: Non-Access Stratum
- the method further includes: sending a paging message to the UE to create the NAS connection.
- the authentication notification message also includes a confirmation request indication for requesting an authentication notification confirmation message from the AMF network element, and the method further includes: sending the authentication notification confirmation message to the AUSF network element, wherein the authentication notification confirmation message is used to indicate that the AMF network element has requested the UE to perform the network authentication process.
- the method further includes: performing security protection on the authentication request according to a locally stored NAS security context.
- the method further includes: after the network authentication process is completed, updating the locally stored NAS security context.
- the authentication request and the authentication notification message also include access type information, the access type information is used to indicate the access type applicable to the initiated network authentication process, and the access type includes 3GPP access and/or non-3GPP access.
- the authentication notification message also includes an authentication reason for the AUSF network element to send the authentication notification message.
- the authentication reason includes at least one of the following: the roaming manipulation count reaches an upper limit; and the UE parameter update count reaches an upper limit.
- a fourth aspect embodiment of the present disclosure provides an authentication method, which is executed by a UE.
- the method includes: receiving an authentication request from an AMF network element, wherein the authentication request is used to request the UE to perform the network authentication process; and feeding back an authentication response to the AMF network element, where the authentication response includes the information required to perform the network authentication process.
- the method further includes: receiving a paging message from the AMF network element to create a NAS connection with the AMF network element.
- the method further includes: security protecting the authentication response according to a locally stored NAS security context.
- the method further includes: after the network authentication process is completed, updating the locally stored NAS security context.
- the authentication request includes access type information.
- the access type information is used to indicate the access type to which the initiated network authentication process is applicable.
- the access type includes 3GPP access and/or non-3GPP access.
- the fifth aspect of the present disclosure provides an authentication method.
- the method includes: the AUSF network element obtains AMF network element related information from the UDM network element, wherein the AMF network element related information is used to indicate the AMF network element that provides services for the UE corresponding to the AUSF network element; the AUSF network element sends an authentication notification message to the AMF network element, where the authentication notification message is used to notify the AMF network element to perform the network authentication process on the UE; the AMF network element sends an authentication request to the UE, where the authentication request is used to request the UE to perform the network authentication process; and the AMF network element receives an authentication response fed back by the UE, wherein the authentication response includes the information required to perform the network authentication process.
- the AUSF network element obtaining AMF network element related information from the UDM network element includes: the AUSF network element sends an AMF network element information acquisition request to the UDM network element, wherein the AMF network element information acquisition request includes the identification of the UE; and receives an AMF network element information acquisition response fed back by the UDM network element, wherein the AMF network element information acquisition response includes the AMF network element related information.
- the authentication notification message includes a confirmation request indication for requesting an authentication notification confirmation message from the AMF network element, and the method further includes: the AMF network element sending the authentication notification confirmation message to the AUSF network element, wherein the authentication notification confirmation message is used to indicate that the AMF network element has requested the UE to perform the network authentication process.
- the method further includes: after the network authentication process is completed, the AUSF network element generates a new AUSF network element key, and resets the roaming manipulation count and the UE parameter update count.
- the authentication notification message also includes access type information.
- the access type information is used to indicate the access type applicable to the initiated network authentication process.
- the access type includes 3rd Generation Partnership Project (3GPP) access and/or non-3GPP access.
- the authentication notification message also includes an authentication reason for the AUSF network element to send the authentication notification message.
- the authentication reason includes at least one of the following: the roaming manipulation count reaches an upper limit; and the UE parameter update count reaches an upper limit.
- a sixth aspect embodiment of the present disclosure provides an authentication device for an AUSF network element, including: a transceiver module for sending an AMF network element information acquisition request to a UDM network element, wherein the AMF network element information acquisition request includes the identification of the UE corresponding to the AUSF network element; receiving an AMF network element information acquisition response fed back by the UDM network element, wherein the AMF network element information acquisition response is used to indicate the AMF network element that provides services for the UE; and sending an authentication notification message to the AMF network element, wherein the authentication notification message includes the identity of the UE, and the authentication notification message is used to notify the AMF network element to perform a network authentication process on the UE.
- a seventh aspect embodiment of the present disclosure provides an authentication device for a UDM network element, including: a transceiver module, configured to receive an AMF network element information acquisition request from an AUSF network element, wherein the AMF network element information acquisition request includes the identity of the UE corresponding to the AUSF network element; and to feed back an AMF network element information acquisition response to the AUSF network element according to the identity of the UE, wherein the AMF network element information acquisition response is used to indicate the AMF network element that provides services for the UE and is capable of performing a network authentication process on the UE.
- an eighth aspect embodiment of the present disclosure provides an authentication device for an AMF network element, including: a transceiver module configured to receive an authentication notification message from an AUSF network element, where the authentication notification message includes the identification of the UE, and the authentication notification message is used to notify the AMF network element to perform a network authentication process on the UE; to send an authentication request to the UE through the NAS connection between the AMF network element and the UE, wherein the authentication request is used to request the UE to perform the network authentication process; and to receive an authentication response fed back by the UE, where the authentication response includes the information required to perform the network authentication process.
- a ninth aspect embodiment of the present disclosure provides an authentication device for a UE, including: a transceiver module configured to receive an authentication request from an AMF network element, where the authentication request is used to request the UE to perform a network authentication process; and to feed back an authentication response to the AMF network element, where the authentication response includes the information required to perform the network authentication process.
- a tenth aspect embodiment of the present disclosure provides an authentication system, including: an AUSF network element, a UDM network element, and an AMF network element. The AUSF network element is used to obtain from the UDM network element AMF network element related information indicating the AMF network element that provides services for the UE corresponding to the AUSF network element, and to send an authentication notification message to the AMF network element, where the authentication notification message is used to notify the AMF network element to perform the network authentication process on the UE. The UDM network element is used to receive the AMF network element information acquisition request sent by the AUSF network element and to feed back an AMF network element information acquisition response to the AUSF network element in response to that request, wherein the AMF network element information acquisition request includes the identification of the UE corresponding to the AUSF network element. The AMF network element sends an authentication request to the UE and receives an authentication response from the UE, where the authentication request is used to request the UE to perform the network authentication process and the authentication response includes the information required to perform the network authentication process.
- an eleventh aspect embodiment of the present disclosure provides a communication device, including: a transceiver; a memory; and a processor, connected to the transceiver and the memory respectively, configured to execute the computer-executable instructions stored in the memory so as to control the wireless signal transmission and reception of the transceiver and to implement the authentication method of the above-mentioned first, second, third or fourth aspect embodiment.
- a twelfth aspect embodiment of the present disclosure provides a computer storage medium, wherein the computer storage medium stores computer-executable instructions; after the computer-executable instructions are executed by a processor, the authentication method of the above-mentioned first, second, third or fourth aspect embodiment can be realized.
- Embodiments of the present disclosure provide an authentication method and device.
- the AUSF network element sends an AMF network element information acquisition request to the UDM network element to obtain from the UDM network element an AMF network element information acquisition response indicating the AMF network element that provides services for the UE, and sends an authentication notification message to that AMF network element to notify it to perform the network authentication process on the UE, thereby realizing a mechanism for the network side to trigger the network authentication process on the UE, which can greatly improve the continuity and security of network services.
- Figure 1 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- Figure 2 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- Figure 3 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- Figure 4 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- Figure 5 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- Figure 6 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- Figure 7 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- Figure 8 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- Figure 9 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- Figure 10 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- Figure 11 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- Figure 12 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- Figure 13 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- Figure 14 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- Figure 15 is a block diagram of an authentication device according to an embodiment of the present disclosure.
- Figure 16 is a block diagram of an authentication device according to an embodiment of the present disclosure.
- Figure 17 is a block diagram of an authentication device according to an embodiment of the present disclosure.
- Figure 18 is a block diagram of an authentication device according to an embodiment of the present disclosure.
- Figure 19 is a block diagram of an authentication device according to an embodiment of the present disclosure.
- Figure 20 is a block diagram of an authentication device according to an embodiment of the present disclosure.
- Figure 21 is a block diagram of an authentication device according to an embodiment of the present disclosure.
- Figure 22 is a schematic structural diagram of a communication device provided by an embodiment of the present disclosure.
- Figure 23 is a schematic structural diagram of a chip provided by an embodiment of the present disclosure.
- AUSF: Authentication Server Function
- the Authentication Server Function (AUSF) network element and the UE need to use the AUSF network element key K_AUSF during its usage period.
- the AUSF network element internally maintains a roaming operation count (Counter_SoR) and a UE parameter update count (Counter_UPU).
- Counter_SoR is initially set to 0x00 0x01 and Counter_UPU is initially set to 0x00 0x01; Counter_SoR is incremented each time the hash value SoR-MAC-I_AUSF of an SoR message is calculated on the AUSF network element side, and Counter_UPU is incremented each time the hash value UPU-MAC-I_AUSF of a UPU message is calculated on the AUSF network element side.
- once Counter_SoR or Counter_UPU reaches its upper limit, the AUSF network element can no longer provide the SoR/UPU protection service for the UE. Only when a new K_AUSF is regenerated for the UE are Counter_SoR and Counter_UPU reset, so that the AUSF network element can resume the SoR/UPU protection service for the UE. Therefore, it is necessary to refresh K_AUSF in time before K_AUSF becomes invalid.
- the network authentication process can realize two-way authentication between the UE side and the network side and provide information required for subsequent security processes. After successful completion of the network authentication process, a new K AUSF can be generated.
- the network side does not have a mechanism to trigger the network authentication process on the UE.
- the UE can use the same K_AUSF to attach to the network for a long time without refreshing K_AUSF, but this leads to interruption of the SoR/UPU protection services and even of network service.
- Triggering the network authentication process on the UE on the network side can greatly improve the continuity and security of network services.
- NF: network function. The AUSF network element, the UDM network element and the AMF (Access and Mobility Management Function) network element are network functions on the core network side.
- the NF on the core network side does not have a mechanism to trigger the network authentication process on the UE, so it is possible to introduce additional security threats and reduce service quality.
- the present disclosure proposes an authentication method and device, which provides a mechanism for the network side to trigger the network authentication process for the UE, thereby greatly improving the continuity and security of network services.
- Figure 1 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure. As shown in Figure 1, the method can be executed by the AUSF network element and can include the following steps.
- the AMF network element information acquisition request includes the identification of the UE corresponding to the AUSF network element.
- the AUSF network element may send an AMF network element information acquisition request to the UDM network element to obtain relevant information of the AMF network element serving the UE corresponding to the AUSF network element.
- when the AUSF network element determines that it needs to regenerate the AUSF network element key K_AUSF, for example when the current K_AUSF is invalid, it sends to the UDM network element an AMF network element information acquisition request carrying the identity of the UE corresponding to the AUSF network element, so as to obtain from the UDM network element the relevant information of the AMF network element that provides services for the UE.
- the identity of the UE can be a Generic Public Subscription Identifier (GPSI) or a Subscription Permanent Identifier (SUPI).
- GPSI: Generic Public Subscription Identifier
- SUPI: Subscription Permanent Identifier
- the AMF network element information acquisition response is used to indicate the AMF network element that provides services for the UE.
- after receiving the AMF network element information acquisition request sent by the AUSF network element, the UDM network element can feed back the AMF network element information acquisition response to the AUSF network element according to the UE identification carried in the request, so as to provide the AUSF network element with the relevant information (for example, the identification) of the AMF network element that provides services for the UE.
- the authentication notification message includes the identity of the UE, and the authentication notification message is used to notify the AMF network element to perform a network authentication process on the UE.
- the AUSF network element can send an authentication notification message to the AMF network element to notify the AMF network element to perform the network authentication process for the UE.
- for the specific implementation of the network authentication process of the UE, reference may be made to the network authentication process in the prior art.
- the specific implementation of the network authentication process shown in this application is similar to the implementation of the network authentication process initiated by the UE by sending a registration request to the AMF network element, and will not be described again here.
- the AUSF network element sends an AMF network element information acquisition request to the UDM network element to obtain from the UDM network element an AMF network element information acquisition response indicating the AMF network element that provides services for the UE, and sends an authentication notification message to that AMF network element to notify it to perform the network authentication process on the UE, thereby realizing a mechanism for the network side to trigger the network authentication process on the UE, which can greatly improve the continuity and security of network services.
- the authentication notification message sent by the AUSF network element to the AMF network element may also include access type information.
- the access type information is used to indicate the access type applicable to the initiated network authentication process.
- the access type Including 3rd Generation Partnership Project (3GPP) access and/or non-3GPP access.
- the AMF network element can confirm that the initiated network authentication process is only for 3GPP access.
- the AMF network element can confirm that the initiated network authentication process is only for non-3GPP access.
- the AMF network element can confirm that the initiated network authentication process is for both 3GPP access and non-3GPP access. 3GPP access is in progress.
- the authentication notification message sent by the AUSF network element to the AMF network element may also include the authentication reason for the authentication notification message sent by the AUSF network element.
- the authentication reason includes at least one of the following: the roaming manipulation count reaches the upper limit; and The UE parameter update count reaches the upper limit.
- K AUSF invalidation may be caused by the roaming manipulation count reaching the upper limit and/or the UE parameter update count reaching the upper limit. Therefore, the reason why the AUSF network element sends an authentication notification message to trigger the network authentication process for the UE may be roaming manipulation. The count reaches the upper limit and/or the UE parameter update count reaches the upper limit.
- the authentication notification message sent by the AUSF network element to the AMF network element may also include a confirmation request indication for requesting an authentication notification confirmation message from the AMF network element.
- the authentication notification confirmation message is used to indicate that the AMF network element has requested the UE Go through the network authentication process.
- the authentication notification message sent by the ASF network element to the AMF network element may also include a confirmation request indication, which is used to request from the AMF network element an authentication notification confirmation message indicating that the AMF network element has requested the UE to perform a network authentication process, thereby After receiving the authentication notification confirmation message, the AUSF network element can confirm that the AMF network element has requested the UE to perform the network authentication process, that is, the AUSF network element can understand whether this triggering of the UE's network authentication process has been implemented.
- otherwise, the AUSF network element can confirm that this triggering of the network authentication process for the UE could not be carried out.
- Figure 2 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- the method can be executed by the AUSF network element, based on the embodiment shown in Figure 1, as shown in Figure 2, and the method can include the following steps.
- the AMF network element information acquisition request includes the identification of the UE corresponding to the AUSF network element.
- the AMF network element information acquisition response is used to indicate the AMF network element that provides services for the UE.
- S203 Send an authentication notification message to the AMF network element.
- the authentication notification message includes the identity of the UE, and the authentication notification message is used to notify the AMF network element to perform a network authentication process on the UE.
- the AUSF network element can generate a new AUSF network element key K AUSF and reset the roaming operation count and UE parameter update count, that is, set Counter SoR to 0x00 0x01 and Counter UPU to 0x00 0x01.
- the AUSF network element sends an AMF network element information acquisition request to the UDM network element, obtains from the UDM network element an AMF network element information acquisition response indicating the AMF network element that provides services for the UE, and sends an authentication notification message to that AMF network element to notify it to perform the network authentication process on the UE.
- a new AUSF network element key can be generated and the roaming operation count and UE parameter update count can be reset, thereby implementing a mechanism for triggering the network authentication process on the UE from the network side, which can greatly improve the continuity and security of network services.
- the authentication notification message sent by the AUSF network element to the AMF network element may also include access type information.
- the access type information is used to indicate the access type applicable to the initiated network authentication process.
- the access type includes 3GPP access and/or non-3GPP access.
- the authentication notification message sent by the AUSF network element to the AMF network element may also include the authentication reason for the authentication notification message sent by the AUSF network element.
- the authentication reason includes at least one of the following: the roaming manipulation count reaches the upper limit; and the UE parameter update count reaches the upper limit.
- the authentication notification message sent by the AUSF network element to the AMF network element may also include a confirmation request indication for requesting an authentication notification confirmation message from the AMF network element.
- the authentication notification confirmation message is used to indicate that the AMF network element has requested the UE to perform the network authentication process.
- Figure 3 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure. As shown in Figure 3, this method can be executed by a UDM network element and can include the following steps.
- the AMF network element information acquisition request includes the identification of the UE corresponding to the AUSF network element.
- the UDM network element may receive from the AUSF network element an AMF network element information acquisition request that carries the identity of the UE corresponding to the AUSF network element, so that the AUSF network element obtains from the UDM network element information about the AMF network element that provides services for the UE.
- the AUSF network element can send the AMF network element information acquisition request to the UDM network element.
- the identity of the UE may be GPSI or SUPI.
- S302 Feed back the AMF network element information acquisition response to the AUSF network element according to the UE identification.
- the AMF network element information acquisition response is used to indicate the AMF network element that provides services for the UE to enable the network authentication process for the UE to be performed.
- after receiving the AMF network element information acquisition request sent by the AUSF network element, the UDM network element can feed back the AMF network element information acquisition response to the AUSF network element according to the UE identification carried in the request, so as to provide the AUSF network element with information about the AMF network element (for example, the identification of the AMF network element) that provides services for the UE and can perform the network authentication process on the UE. Therefore, the AUSF network element can learn from the UDM network element which AMF network element can provide services for the UE to perform the network authentication process, so that the AUSF network element can send the authentication notification message to that AMF network element to trigger the network authentication process on the UE.
- for the specific implementation of the network authentication process of the UE, reference may be made to the network authentication process in the prior art.
- the specific implementation of the network authentication process shown in this application is similar to the implementation of the network authentication process initiated by the UE by sending a registration request to the AMF network element, and will not be described again here.
- the UDM network element can receive the AMF network element information acquisition request from the AUSF network element and feed back the AMF network element information acquisition response to the AUSF network element to indicate the AMF network element that provides services for the UE, Therefore, the AUSF network element can send an authentication notification message to the AMF network element to trigger the network authentication process for the UE.
- This can implement a mechanism for the network side to trigger the network authentication process for the UE, which can greatly improve the continuity and security of network services.
- Figure 4 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure. As shown in Figure 4, the method can be executed by an AMF network element and can include the following steps.
- the authentication notification message includes the identity of the UE, and the authentication notification message is used to notify the AMF network element to perform a network authentication process on the UE.
- the AMF network element may receive an authentication notification message carrying the identity of the UE corresponding to the AUSF network element from the AUSF network element, so that the network side triggers a network authentication process for the UE.
- the AUSF network element can learn from the UDM network element the AMF network element that provides services for the UE corresponding to the AUSF network element, and sends an authentication notification message to that AMF network element to notify it to perform the network authentication process on the UE.
- the identity of the UE may be GPSI or SUPI.
- S402 Send an authentication request to the UE through the non-access stratum (Non-Access Stratum, NAS) connection between the AMF network element and the UE.
- the authentication request is used to request the UE to perform a network authentication process.
- the AMF network element can send an authentication request to the UE through the NAS connection between the AMF network element and the UE to request the UE to perform a network authentication process.
- S403 Receive the authentication response fed back by the UE.
- the authentication response includes information required for the network authentication process.
- after receiving the authentication request from the AMF network element, the UE can feed back the authentication response to the AMF network element to provide the AMF network element with the information required for the network authentication process.
- Network devices involved in the network authentication process can interact with each other so that each of them obtains the information required for the network authentication process and the network authentication process for the UE can be performed.
- for the specific implementation of the network authentication process of the UE, reference may be made to the network authentication process in the prior art.
- the specific implementation of the network authentication process shown in this application is similar to the implementation of the network authentication process initiated by the UE by sending a registration request to the AMF network element, and will not be described again here.
- the AMF network element can receive the authentication notification message from the AUSF network element, send an authentication request to the UE, and obtain from the UE an authentication response including the information required for the network authentication process, so as to trigger the network authentication process on the UE. This enables the network side to trigger the network authentication process for the UE, which can greatly improve the continuity and security of network services.
- the authentication notification message received from the AUSF network element may also include the authentication reason for the authentication notification message sent by the AUSF network element.
- the authentication reason includes at least one of the following: the roaming manipulation count reaches the upper limit; and the UE parameter update count reaches the upper limit value.
- K AUSF invalidation may be caused by the roaming manipulation count reaching the upper limit and/or the UE parameter update count reaching the upper limit. Therefore, the reason why the AUSF network element sends an authentication notification message to trigger the network authentication process for the UE may be that the roaming manipulation count reaches the upper limit and/or the UE parameter update count reaches the upper limit.
- the authentication notification message received from the AUSF network element and the authentication request sent to the UE may also include access type information.
- the access type information is used to indicate the access type to which the initiated network authentication process is applicable, and the access type includes 3rd Generation Partnership Project (3GPP) access and/or non-3GPP access.
- the AMF network element can confirm that the initiated network authentication process is only for 3GPP access, and the access type information is carried in the authentication request sent by the AMF network element to the UE, so that the UE can confirm that the network authentication process is only performed for 3GPP access.
- the AMF network element can confirm that the initiated network authentication process is only for non-3GPP access, and the access type information is carried in the authentication request sent by the AMF network element to the UE, so that the UE can confirm that the network authentication process is only performed for non-3GPP access.
- the AMF network element can confirm that the initiated network authentication process is performed for both 3GPP access and non-3GPP access, and the authentication request sent by the AMF network element to the UE carries the access type information, so that the UE can confirm that the network authentication process is performed for both 3GPP access and non-3GPP access.
- Figure 5 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- the method can be executed by the AMF network element, based on the embodiment shown in Figure 4, as shown in Figure 5, and the method can include the following steps.
- the authentication notification message includes the identity of the UE, and the authentication notification message is used to notify the AMF network element to perform a network authentication process on the UE.
- for the description and specific details of step S501, refer to the relevant description and details of step S401 above.
- S502 Send a paging message to the UE to create a NAS connection.
- after the AMF network element receives the authentication notification message carrying the UE's identity, if it finds that there is no NAS connection between the UE and the AMF network element, the 5G core network will page the UE. If the UE is in the registered (RM-REGISTERED) and connection-management idle (CM-IDLE) state, the AMF can send a paging message to the UE via the 5G Radio Access Network (NG-RAN) node to create a NAS connection with the UE. If the UE is in the CM-CONNECTED state, the NAS connection between the UE and the AMF network element already exists, and this step S502 can be omitted.
- S503 Send an authentication request to the UE through the NAS connection between the AMF network element and the UE.
- the authentication request is used to request the UE to perform a network authentication process.
- S504 Receive the authentication response fed back by the UE.
- the authentication response includes information required for the network authentication process.
- the AMF network element can receive the authentication notification message from the AUSF network element, send an authentication request to the UE, and obtain from the UE an authentication response including the information required for the network authentication process, so as to trigger the network authentication process on the UE. This enables the network side to trigger the network authentication process for the UE, which can greatly improve the continuity and security of network services.
- the authentication notification message received from the AUSF network element may also include the authentication reason for the authentication notification message sent by the AUSF network element.
- the authentication reason includes at least one of the following: the roaming manipulation count reaches the upper limit; and the UE parameter update count reaches the upper limit value.
- the authentication notification message received from the AUSF network element and the authentication request sent to the UE may also include access type information.
- the access type information is used to indicate the access type to which the initiated network authentication process is applicable, and the access type includes 3GPP access and/or non-3GPP access.
- Figure 6 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- the method can be executed by the AMF network element, based on the embodiment shown in Figure 4, as shown in Figure 6, and the method can include the following steps.
- the authentication notification message includes the identity of the UE, and the authentication notification message is used to notify the AMF network element to perform a network authentication process on the UE.
- S602 Send an authentication request to the UE through the NAS connection between the AMF network element and the UE.
- the authentication request is used to request the UE to perform a network authentication process.
- S603 Send an authentication notification confirmation message to the AUSF network element.
- the authentication notification confirmation message is used to indicate that the AMF network element has requested the UE to perform a network authentication process.
- the authentication notification message received from the AUSF network element may also include a confirmation request indication for requesting an authentication notification confirmation message from the AMF network element. If the authentication notification message includes a confirmation request indication, the AMF network element, after sending the authentication request to the UE, can send an authentication notification confirmation message to the AUSF network element to notify the AUSF network element that the network authentication process for the UE has been triggered. If the AMF network element fails to send an authentication request to the UE, it will not send the authentication notification confirmation message to the AUSF network element. If the AUSF network element does not receive the authentication notification confirmation message within the preset time period, it can confirm that this triggering of the network authentication process for the UE failed to take place.
- S604 Receive the authentication response fed back by the UE.
- the authentication response includes information required for the network authentication process.
- for the description and specific details of step S604, refer to the relevant description and details of step S403 above.
- the AMF network element can receive the authentication notification message from the AUSF network element, send an authentication request to the UE, and obtain from the UE an authentication response including the information required for the network authentication process, so as to trigger the network authentication process on the UE. This enables the network side to trigger the network authentication process for the UE, which can greatly improve the continuity and security of network services.
- the authentication notification message received from the AUSF network element may also include the authentication reason for the authentication notification message sent by the AUSF network element.
- the authentication reason includes at least one of the following: the roaming manipulation count reaches the upper limit; and the UE parameter update count reaches the upper limit value.
- the authentication notification message received from the AUSF network element and the authentication request sent to the UE may also include access type information.
- the access type information is used to indicate the access type to which the initiated network authentication process is applicable, and the access type includes 3GPP access and/or non-3GPP access.
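- As an added illustration (not code from the patent or any 3GPP implementation), the following Python simulation models the exchange of Figures 2 to 6: the AUSF generates a new K AUSF and resets both counters to 0x00 0x01 when a count reaches its upper limit, obtains the serving AMF from the UDM, and sends the authentication notification; the AMF pages a CM-IDLE UE, sends the authentication request, and returns the authentication notification confirmation only when a confirmation request indication was present and the request was actually sent. The class and method names, the 16-bit upper limit, the "SoR"/"UPU" labels and the UE identities are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumption: 16-bit SoR / UPU counters; the page gives only the reset value.
COUNTER_UPPER_LIMIT = 0xFFFF
COUNTER_RESET = 0x0001          # page: Counter SoR / Counter UPU set to 0x00 0x01


@dataclass
class AuthNotification:
    """Authentication notification message sent by the AUSF to the AMF."""
    ue_id: str                  # SUPI or GPSI
    access_type: Set[str]       # {"3GPP"}, {"non-3GPP"} or both
    reasons: List[str]          # e.g. "SoR count limit", "UPU count limit"
    confirm_requested: bool     # confirmation request indication


class UDM:
    """Answers the AMF network element information acquisition request (Fig. 3)."""
    def __init__(self, serving_amf: Dict[str, str]):
        self.serving_amf = serving_amf          # ue_id -> identifier of serving AMF

    def amf_info_acquisition(self, ue_id: str) -> Optional[str]:
        return self.serving_amf.get(ue_id)      # None: no AMF known for this UE


class UE:
    def __init__(self, ue_id: str, cm_state: str):
        self.ue_id, self.cm_state = ue_id, cm_state
        self.authenticated_access: Optional[Set[str]] = None

    def on_paging(self) -> None:
        self.cm_state = "CM-CONNECTED"          # paging creates the NAS connection

    def on_authentication_request(self, access_type: Set[str]) -> dict:
        # The UE learns which access type(s) this authentication run covers.
        self.authenticated_access = set(access_type)
        return {"ue_id": self.ue_id, "auth_material": "constructed-RES"}


class AMF:
    def __init__(self, ues: Dict[str, UE]):
        self.ues = ues                          # UEs this AMF currently serves

    def on_authentication_notification(self, n: AuthNotification
                                       ) -> Tuple[Optional[dict], Optional[dict]]:
        """Returns (authentication response, confirmation); the confirmation is
        only produced when requested and the request was actually sent (S603)."""
        ue = self.ues.get(n.ue_id)
        if ue is None:
            return None, None                   # request not sent: no confirmation
        if ue.cm_state == "CM-IDLE":
            ue.on_paging()                      # S502: page to create NAS connection
        response = ue.on_authentication_request(n.access_type)   # S503 / S504
        confirmation = {"ue_id": n.ue_id} if n.confirm_requested else None
        return response, confirmation


class AUSF:
    def __init__(self, udm: UDM, amfs: Dict[str, AMF]):
        self.udm, self.amfs = udm, amfs
        self.counter_sor: Dict[str, int] = {}
        self.counter_upu: Dict[str, int] = {}
        self.k_ausf_generation: Dict[str, int] = {}   # stands in for K AUSF itself

    def record_protected_message(self, ue_id: str, kind: str) -> Optional[str]:
        """Counts one SoR or UPU message; at the upper limit, trigger Fig. 2."""
        ctr = self.counter_sor if kind == "SoR" else self.counter_upu
        ctr[ue_id] = ctr.get(ue_id, COUNTER_RESET) + 1
        if ctr[ue_id] >= COUNTER_UPPER_LIMIT:
            return self.trigger_reauthentication(
                ue_id, [f"{kind} count limit"], {"3GPP", "non-3GPP"}, confirm=True)
        return None

    def trigger_reauthentication(self, ue_id: str, reasons: List[str],
                                 access_type: Set[str], confirm: bool) -> str:
        # New K AUSF and both counters back to 0x00 0x01 (page, Fig. 2).
        self.k_ausf_generation[ue_id] = self.k_ausf_generation.get(ue_id, 0) + 1
        self.counter_sor[ue_id] = self.counter_upu[ue_id] = COUNTER_RESET
        amf_id = self.udm.amf_info_acquisition(ue_id)           # S201 / S202
        if amf_id is None or amf_id not in self.amfs:
            return "no serving AMF"
        notif = AuthNotification(ue_id, access_type, reasons, confirm)
        _, confirmation = self.amfs[amf_id].on_authentication_notification(notif)  # S203
        # A requested confirmation that never arrives means this triggering failed.
        if confirm and confirmation is None:
            return "triggering failed"
        return "triggered"


def demo() -> Tuple[Optional[str], str, int, Optional[Set[str]]]:
    """Constructed scenario: one CM-IDLE UE served by amf-1, and one UE the UDM
    still maps to amf-1 although that AMF no longer serves it."""
    ue = UE("supi-constructed-001", "CM-IDLE")
    udm = UDM({"supi-constructed-001": "amf-1", "supi-constructed-002": "amf-1"})
    ausf = AUSF(udm, {"amf-1": AMF({ue.ue_id: ue})})
    ausf.counter_sor[ue.ue_id] = COUNTER_UPPER_LIMIT - 1
    outcome = ausf.record_protected_message(ue.ue_id, "SoR")   # reaches the limit
    failed = ausf.trigger_reauthentication(
        "supi-constructed-002", ["UPU count limit"], {"3GPP"}, confirm=True)
    return outcome, failed, ausf.counter_sor[ue.ue_id], ue.authenticated_access
```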
- Figure 7 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- the method can be executed by the AMF network element, based on the embodiment shown in Figure 4, as shown in Figure 7, and the method can include the following steps.
- S701 Receive the authentication notification message from the AUSF network element.
- the authentication notification message includes the identity of the UE, and the authentication notification message is used to notify the AMF network element to perform a network authentication process on the UE.
- for the description and specific details of step S701, refer to the relevant description and details of step S401 above.
- the AMF network element can send an authentication request to the UE through the NAS connection between the AMF network element and the UE to request the UE to perform a network authentication process.
- the AMF network element can securely protect the authentication request based on the locally stored NAS security context, for example, encrypt it, and then send the securely protected authentication request to the UE.
- the UE can parse the security-protected authentication request according to the NAS security context stored locally in the UE to obtain the content of the authentication request.
- S703 Send a security-protected authentication request to the UE through the NAS connection between the AMF network element and the UE.
- the authentication request is used to request the UE to perform a network authentication process.
- S704 Receive the authentication response fed back by the UE.
- the authentication response includes information required for the network authentication process.
- the AMF network element can receive the authentication notification message from the AUSF network element, send an authentication request to the UE, and obtain from the UE an authentication response including the information required for the network authentication process, so as to trigger the network authentication process on the UE. This enables the network side to trigger the network authentication process for the UE, which can greatly improve the continuity and security of network services.
- step S702 in Figure 7 can also be combined with steps S501-S504 in Figure 5 and steps S601-S604 in Figure 6, which will not be described again.
- the authentication notification message received from the AUSF network element may also include the authentication reason for the authentication notification message sent by the AUSF network element.
- the authentication reason includes at least one of the following: the roaming manipulation count reaches the upper limit; and the UE parameter update count reaches the upper limit value.
- the authentication notification message received from the AUSF network element and the authentication request sent to the UE may also include access type information.
- the access type information is used to indicate the access type to which the initiated network authentication process is applicable, and the access type includes 3GPP access and/or non-3GPP access.
- Figure 8 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- the method can be executed by the AMF network element, based on the embodiment shown in Figure 7, as shown in Figure 8, and the method can include the following steps.
- the authentication notification message includes the identity of the UE, and the authentication notification message is used to notify the AMF network element to perform a network authentication process on the UE.
- S802 Security protect the authentication request according to the locally stored NAS security context.
- S803 Send a security-protected authentication request to the UE through the NAS connection between the AMF network element and the UE.
- the authentication request is used to request the UE to perform a network authentication process.
- the authentication response includes information required for the network authentication process.
- after the AMF network element confirms that the network authentication process is completed, it can update the locally stored NAS security context, so that after completing the NAS security mode command process to activate the updated NAS security context, it can use the updated NAS security context to security-protect the specified messages.
- the AMF network element can receive the authentication notification message from the AUSF network element, send an authentication request to the UE, and obtain from the UE an authentication response including the information required for the network authentication process, so as to trigger the network authentication process on the UE. This enables the network side to trigger the network authentication process for the UE, which can greatly improve the continuity and security of network services.
- the authentication notification message received from the AUSF network element may also include the authentication reason for the authentication notification message sent by the AUSF network element.
- the authentication reason includes at least one of the following: the roaming manipulation count reaches the upper limit; and the UE parameter update count reaches the upper limit value.
- the authentication notification message received from the AUSF network element and the authentication request sent to the UE may also include access type information.
- the access type information is used to indicate the access type to which the initiated network authentication process is applicable, and the access type includes 3GPP access and/or non-3GPP access.
- Figure 9 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure. As shown in Figure 9, the method may be performed by the UE and may include the following steps.
- S901 Receive an authentication request from the AMF network element.
- the authentication request is used to request the UE to perform a network authentication process.
- the UE may receive an authentication request from the AMF network element for requesting the UE to perform a network authentication process.
- the AMF network element may send an authentication request to the UE after receiving an authentication notification message from the AUSF network element for notifying the AMF network element to perform a network authentication process on the UE.
- S902 Feed back the authentication response to the AMF network element.
- the authentication response includes information required for the network authentication process.
- after receiving the authentication request from the AMF network element, the UE can feed back the authentication response to the AMF network element to provide the AMF network element with the information required for the network authentication process.
- Network devices involved in the network authentication process can interact with each other so that each of them obtains the information required for the network authentication process and the network authentication process for the UE can be performed.
- for the specific implementation of the network authentication process of the UE, reference may be made to the network authentication process in the prior art.
- the specific implementation of the network authentication process shown in this application is similar to the implementation of the network authentication process initiated by the UE by sending a registration request to the AMF network element, and will not be described again here.
- the UE can receive the authentication request from the AMF network element and feed back to the AMF network element the authentication response including the information required for the network authentication process, so as to trigger the network authentication process for the UE, thereby implementing a mechanism by which network equipment triggers the network authentication process for UEs, which can greatly improve the continuity and security of network services.
- the authentication request received from the AMF network element may include access type information.
- the access type information is used to indicate the access type applicable to the initiated network authentication process.
- the access type includes 3GPP access and/or non-3GPP access.
- the UE can confirm that the network authentication process is only performed for 3GPP access.
- the UE can confirm that the network authentication process is only performed for non-3GPP access.
- the UE can confirm that the network authentication process is performed for both 3GPP access and non-3GPP access.
- Figure 10 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- the method may be executed by the UE. Based on the embodiment shown in Figure 9, as shown in Figure 10, the method may include the following steps.
- S1001 Receive a paging message from the AMF network element to create a NAS connection with the AMF network element.
- the AMF network element can exchange information with the UE through the NAS connection. If there is no NAS connection between the UE and the AMF network element, the 5G core network will page the UE. If the UE is in the registered (RM-REGISTERED) and connection-management idle (CM-IDLE) state, the AMF can send a paging message to the UE via the 5G Radio Access Network (NG-RAN) node to create a NAS connection with the UE. If the UE is in the CM-CONNECTED state, the NAS connection between the UE and the AMF network element already exists, and this step S1001 can be omitted.
- S1002 Receive the authentication request from the AMF network element through the NAS connection.
- the authentication request is used to request the UE to perform a network authentication process.
- S1003 Feed back the authentication response to the AMF network element.
- the authentication response includes information required for the network authentication process.
- the UE can receive the authentication request from the AMF network element and feed back to the AMF network element the authentication response including the information required for the network authentication process, so as to trigger the network authentication process for the UE, thereby implementing a mechanism by which network equipment triggers the network authentication process for UEs, which can greatly improve the continuity and security of network services.
- the authentication request received from the AMF network element may include access type information.
- the access type information is used to indicate the access type applicable to the initiated network authentication process.
- the access type includes 3GPP access and/or non-3GPP access.
- Figure 11 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure.
- the method may be executed by the UE. Based on the embodiment shown in Figure 9, as shown in Figure 11, the method may include the following steps.
- the authentication request is used to request the UE to perform a network authentication process.
- for the description and specific details of step S1101, refer to the relevant description and details of step S901 above.
- after receiving the authentication request, the UE can send an authentication response to the AMF network element through the NAS connection between the AMF network element and the UE to provide the information required for the network authentication process.
- the UE can securely protect the authentication response based on the locally stored NAS security context, for example, encrypt it, and then send the securely protected authentication response to the AMF network element.
- after the AMF network element receives the security-protected authentication response, it can parse the security-protected authentication response according to the NAS security context stored locally on the AMF network element to obtain the content of the authentication response.
- S1103 Feed back the security-protected authentication response to the AMF network element.
- the authentication response includes information required for the network authentication process.
- for the description and specific details of step S1103, refer to the relevant description and details of step S902 above.
- the UE can receive the authentication request from the AMF network element and feed back to the AMF network element the authentication response including the information required for the network authentication process, so as to trigger the network authentication process for the UE, thereby implementing a mechanism by which network equipment triggers the network authentication process for UEs, which can greatly improve the continuity and security of network services.
- Figure 11 is only described based on the embodiment shown in Figure 9; similarly, the embodiment shown in Figure 11 may also be based on the embodiment shown in Figure 10. For example, step S1102 of Figure 11 can also be combined with steps S1001-S1003 of Figure 10, which will not be described again here.
- the authentication request received from the AMF network element may include access type information.
- the access type information is used to indicate the access type applicable to the initiated network authentication process.
- the access type includes 3GPP access and/or non-3GPP access.
- Figure 12 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure. The method may be executed by the UE. Based on the embodiment shown in Figure 9, as shown in Figure 12, the method may include the following steps.
- the authentication request is used to request the UE to perform a network authentication process.
- S1203 Feed back the security-protected authentication response to the AMF network element.
- the authentication response includes information required for the network authentication process.
- the UE can update the locally stored NAS security context, so that after completing the NAS security mode command process to activate the updated NAS security context, the UE can use the updated NAS security context to apply security protection to the specified message.
- the UE can receive the authentication request from the AMF network element and feed back to the AMF network element the authentication response including the information required for the network authentication process, so as to trigger the network authentication process for the UE, thereby implementing a mechanism by which network equipment triggers the network authentication process for the UE, which can greatly improve the continuity and security of network services.
- the authentication request received from the AMF network element may include access type information.
- the access type information is used to indicate the access type applicable to the initiated network authentication process.
- the access type includes 3GPP access and/or non-3GPP access.
- FIG 13 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure. This method can be executed by interaction between UE, AMF network element, AUSF network element and UDM network element, as shown in Figure 13, and the method can include the following steps.
- the AUSF network element obtains AMF network element related information from the UDM network element.
- the AMF network element related information is used to indicate the AMF network element that provides services for the UE corresponding to the AUSF network element.
- the AUSF network element sends an AMF network element information acquisition request to the UDM network element and receives an AMF network element information acquisition response fed back by the UDM network element.
- the AMF network element information acquisition request includes the identification of the UE corresponding to the AUSF network element, and the AMF network element information acquisition response is used to indicate the AMF network element that provides services for the UE.
- the identity of the UE can be a Generic Public Subscription Identifier (GPSI) or a Subscription Permanent Identifier (SUPI).
- the AUSF network element sends an authentication notification message to the AMF network element.
- the authentication notification message includes the identity of the UE, and the authentication notification message is used to notify the AMF network element to perform a network authentication process on the UE.
- the AUSF network element can send an authentication notification message to the AMF network element to notify the AMF network element to perform the network authentication process for the UE.
- For the specific implementation of the network authentication process of the UE, reference may be made to the network authentication process in the prior art.
- the specific implementation of the network authentication process shown in this application is similar to the implementation of the network authentication process initiated by the UE by sending a registration request to the AMF network element, and will not be described again here.
- the AMF network element sends an authentication request to the UE.
- the authentication request is used to request the UE to perform the network authentication process.
- the AMF network element can send an authentication request to the UE through the Non Access Stratum (NAS) connection between the AMF network element and the UE to request the UE to perform the network authentication process.
- After the AMF network element receives the authentication notification message carrying the UE's identity, if it finds that there is no NAS connection between the UE and the AMF network element, the 5G core network pages the UE. If the UE is in the RM-REGISTERED and CM-IDLE state, the AMF can send a paging message to the UE via the 5G Radio Access Network (NG-RAN) node to create a NAS connection with the UE. If the UE is in the CM-CONNECTED state, the NAS connection between the UE and the AMF network element already exists, and the AMF network element communicates with the UE over that NAS connection.
- the AMF network element receives the authentication response fed back by the UE.
- the authentication response includes information required for the network authentication process.
- After receiving the authentication request from the AMF network element, the UE can feed back the authentication response to the AMF network element to provide the AMF network element with the information required for the network authentication process.
- the AUSF network element obtains the AMF network element related information indicating the AMF network element that provides services for the UE from the UDM network element, and sends an authentication notification message to the AMF network element to notify the AMF network element to perform relevant procedures.
- the AMF network element sends an authentication request to the UE after receiving the authentication notification message from the AUSF network element and obtains an authentication response from the UE that includes the information required for the network authentication process to trigger the network authentication process for the UE.
- This implements a mechanism for the network side to trigger the network authentication process for the UE, which can greatly improve the continuity and security of network services.
- the authentication notification message sent by the AUSF network element may also include the authentication reason, that is, the reason why the AUSF network element sends the authentication notification message.
- the authentication reason includes at least one of the following: the roaming manipulation (SoR) count has reached the upper limit; and the UE parameter update (UPU) count has reached the upper limit.
- Invalidation of K_AUSF may be caused by the roaming manipulation count and/or the UE parameter update count reaching the upper limit. Therefore, the reason why the AUSF network element sends an authentication notification message to trigger the network authentication process for the UE may be that the roaming manipulation count and/or the UE parameter update count has reached the upper limit.
- the authentication notification message sent by the AUSF network element and the authentication request sent by the AMF network element to the UE may also include access type information.
- the access type information is used to indicate the access type to which the initiated network authentication process applies.
- Access type includes 3rd Generation Partnership Project (3GPP) access and/or non-3GPP access.
- the AMF network element can confirm that the initiated network authentication process is only for 3GPP access, and the access type information is carried in the authentication request sent by the AMF network element to the UE, so that the UE can confirm that the network authentication process is performed only for 3GPP access.
- the AMF network element can confirm that the initiated network authentication process is only for non-3GPP access, and the access type information is carried in the authentication request sent by the AMF network element to the UE, so that the UE can confirm that the network authentication process is performed only for non-3GPP access.
- the AMF network element can confirm that the initiated network authentication process is for both 3GPP access and non-3GPP access, and the authentication request sent by the AMF network element to the UE carries the access type information, so that the UE can confirm that the network authentication process is performed for both 3GPP access and non-3GPP access.
- the authentication notification message includes a confirmation request indication for requesting an authentication notification confirmation message from the AMF network element.
- the authentication method may also include the AMF network element sending an authentication notification confirmation message to the AUSF network element, wherein the authentication notification confirmation message is used to indicate that the AMF network element has requested the UE to perform the network authentication process.
- the authentication notification message sent by the AUSF network element may also include a confirmation request indication for requesting an authentication notification confirmation message from the AMF network element. If the authentication notification message includes a confirmation request indication, the AMF network element, after sending the authentication request to the UE, can send an authentication notification confirmation message to the AUSF network element to notify the AUSF network element that the network authentication process for the UE has been triggered. If the AMF network element fails to send the authentication request to the UE, it does not send the authentication notification confirmation message to the AUSF network element. If the AUSF network element does not receive the authentication notification confirmation message within the preset time period, it can conclude that this triggering of the network authentication process for the UE failed.
- the authentication method may also include, after the network authentication process is completed, the AUSF network element generates a new AUSF network element key, and resets the roaming manipulation count and the UE parameter update count.
- the AUSF network element can generate a new AUSF network element key K_AUSF and reset the roaming manipulation count and the UE parameter update count, that is, set Counter_SoR to 0x00 0x01 and Counter_UPU to 0x00 0x01.
- FIG 14 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure. This method can be implemented through interaction between UE, AMF network element, AUSF network element, and UDM network element. As shown in Figure 14, the method can include the following steps.
- the AUSF network element sends an AMF network element information acquisition request Nudm_UECM_Get Request to the UDM network element.
- the request may include the identity of the UE, such as GPSI or SUPI.
- the UDM network element retrieves the UE's subscription data according to the UE's identity to determine the AMF network element that provides services for the UE, and feeds back the AMF network element information acquisition response Nudm_UECM_Get Response to the AUSF network element.
- the response carries the AMF network element's identity.
- the AUSF network element sends an authentication notification message (for example, Nausf_UECM_AuthenticationNotification) to the AMF network element.
- the authentication notification message may include SUPI, access type, authentication reason, etc.
- the authentication reason can be that Counter_SoR has reached the upper limit and/or Counter_UPU has reached the upper limit.
- the access type may indicate whether the authentication process applies to 3GPP access, non-3GPP access, or both.
- If there is no NAS connection between the UE and the AMF network element, the 5G core network can page the UE. If the UE is in the RM-REGISTERED and CM-IDLE state, that is, reachable via 3GPP access, the AMF can send a paging message to the UE via the 5G Radio Access Network (NG-RAN) node to create a NAS connection with the UE. If the UE is in the CM-CONNECTED state, this step can be omitted.
- the AMF network element can send an authentication request HN-triggered Authentication Request to the UE.
- the request can include the access type, and the request can be securely protected via the NAS security context.
- the AMF network element sends the authentication notification confirmation message Authentication Notification ACK to the AUSF network element.
- the UE feeds back the authentication response HN-triggered Authentication Response to the AMF network element.
- the response may include information required for the network authentication process, such as the UE's own capability information.
- the Security Anchor Function (SEAF) network element triggers the authentication service by sending the authentication request message Nausf_UEAuthentication_Authenticate Request to the AUSF network element.
- the message may include SUCI or SUPI, service network name and other information.
- the AUSF network element sends an authentication acquisition request message Nudm_UEAuthentication_Get Request to the UDM network element.
- the message may include SUPI, service network name and other information.
- the UDM network element can select an authentication method based on SUPI, for example EAP-AKA' (Improved Extensible Authentication Protocol-Authentication and Key Agreement).
- the AUSF network element generates and stores a new K_AUSF, and uses the authentication result confirmation request Nudm_UEAuthentication_ResultConfirmation Request to notify the UDM network element of the result and time of the network authentication process.
- the AUSF network element resets Counter_SoR and Counter_UPU.
- the UDM network element stores the authentication status information of the UE, including the SUPI, an authentication result indicating success or failure, a timestamp indicating the time when the network authentication process was performed, and the serving network name.
- the UDM network element feeds back the authentication result confirmation response Nudm_UEAuthentication_ResultConfirmation Response to the AUSF network element to indicate that the authentication result confirmation request has been received.
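Added example, not code from the patent or from any 3GPP implementation: a Python simulation of the home-network-triggered flow of Figures 13 and 14, covering the UDM lookup of the serving AMF, the authentication notification with its reason, paging of a CM-IDLE UE, the NAS-protected request and response, the notification ACK (and its absence when the request cannot be sent), and the K_AUSF renewal with the counters reset to 0x00 0x01. Assumptions: HMAC-SHA256 stands in for NAS integrity protection, the counter upper limit 0xFFFF and all message field names and identifiers are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

COUNTER_RESET = 0x0001  # page: Counter_SoR / Counter_UPU are reset to 0x00 0x01
COUNTER_LIMIT = 0xFFFF  # assumed upper limit of the 16-bit counters (not given on the page)

@dataclass
class AuthNotification:  # Nausf_UECM_AuthenticationNotification (constructed field set)
    supi: str
    access_type: str     # "3gpp", "non-3gpp" or "both"
    reasons: tuple
    confirm_requested: bool = True

def nas_protect(k_nas_int: bytes, payload: dict) -> tuple:
    """Security-protect a NAS message as (payload, MAC); HMAC stands in for the NAS integrity algorithm."""
    data = repr(sorted(payload.items())).encode()
    return payload, hmac.new(k_nas_int, data, hashlib.sha256).digest()

def nas_verify(k_nas_int: bytes, msg: tuple) -> bool:
    payload, mac = msg
    data = repr(sorted(payload.items())).encode()
    return hmac.compare_digest(mac, hmac.new(k_nas_int, data, hashlib.sha256).digest())

class UDM:
    def __init__(self, serving_amf: dict):
        self.serving_amf = serving_amf              # SUPI -> identity of the serving AMF

    def uecm_get(self, supi: str) -> str:           # Nudm_UECM_Get: which AMF serves this UE
        return self.serving_amf[supi]

class UE:
    def __init__(self, supi: str, k_nas_int: bytes, cm_state: str = "CM-IDLE"):
        self.supi, self.k_nas_int, self.cm_state = supi, k_nas_int, cm_state

    def on_auth_request(self, msg: tuple):
        if not nas_verify(self.k_nas_int, msg):     # discard a request that is not NAS-protected
            return None
        reply = {"supi": self.supi, "access_type": msg[0]["access_type"],
                 "ue_capabilities": ("5G-AKA", "EAP-AKA'")}
        return nas_protect(self.k_nas_int, reply)   # HN-triggered Authentication Response

class AMF:
    def __init__(self, ues: dict, nas_keys: dict, paging_ok: bool = True):
        self.ues, self.nas_keys, self.paging_ok = ues, nas_keys, paging_ok

    def on_auth_notification(self, notif: AuthNotification, ausf):
        ue, key = self.ues[notif.supi], self.nas_keys[notif.supi]
        if ue.cm_state == "CM-IDLE":                # no NAS connection yet: page via NG-RAN
            if not self.paging_ok:
                return None                         # request never sent, so no ACK either
            ue.cm_state = "CM-CONNECTED"
        req = nas_protect(key, {"access_type": notif.access_type})  # HN-triggered Authentication Request
        if notif.confirm_requested:                 # ACK only once the request has been sent
            ausf.on_notification_ack(notif.supi)
        resp = ue.on_auth_request(req)
        return resp[0] if resp and nas_verify(key, resp) else None

class AUSF:
    def __init__(self, udm: UDM, amfs: dict):
        self.udm, self.amfs, self.acked = udm, amfs, set()
        self.k_ausf = os.urandom(32)                # stand-in for the derived K_AUSF
        self.counter_sor = self.counter_upu = COUNTER_RESET

    def reauth_reasons(self) -> tuple:
        checks = (("counter_sor_limit", self.counter_sor), ("counter_upu_limit", self.counter_upu))
        return tuple(name for name, value in checks if value >= COUNTER_LIMIT)

    def on_notification_ack(self, supi: str):       # Authentication Notification ACK from the AMF
        self.acked.add(supi)

    def trigger_authentication(self, supi: str, access_type: str = "both") -> dict:
        reasons = self.reauth_reasons()
        if not reasons:
            return {"triggered": False, "detail": "counters below limit"}
        amf = self.amfs[self.udm.uecm_get(supi)]    # step 1: UDM lookup of the serving AMF
        ue_response = amf.on_auth_notification(AuthNotification(supi, access_type, reasons), self)
        if supi not in self.acked:                  # no ACK within the (simulated) preset period
            return {"triggered": False, "detail": "no Authentication Notification ACK"}
        return {"triggered": True, "reasons": reasons, "ue_response": ue_response}

    def complete_authentication(self, supi: str, success: bool) -> bool:
        if success:                                 # new K_AUSF, counters back to 0x00 0x01
            self.k_ausf = os.urandom(32)
            self.counter_sor = self.counter_upu = COUNTER_RESET
        return success

def build_scenario(paging_ok: bool = True):
    """Constructed topology: one CM-IDLE UE served by 'amf-1', with Counter_SoR at its limit."""
    k_nas = b"\x11" * 32                            # constructed NAS integrity key
    ue = UE("imsi-001010123456789", k_nas)
    amf = AMF({ue.supi: ue}, {ue.supi: k_nas}, paging_ok)
    ausf = AUSF(UDM({ue.supi: "amf-1"}), {"amf-1": amf})
    ausf.counter_sor = COUNTER_LIMIT
    return ausf, ue

if __name__ == "__main__":
    ausf, ue = build_scenario()
    print(ausf.trigger_authentication(ue.supi, "3gpp"))
```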
- network equipment and user equipment may include hardware structures and software modules to implement the above functions in the form of hardware structures, software modules, or hardware structures plus software modules.
- a certain function among the above functions can be executed by a hardware structure, a software module, or a hardware structure plus a software module.
- the present disclosure also provides an authentication device. Since the authentication device provided by the embodiments of the present disclosure corresponds to the authentication methods provided by the above-mentioned embodiments, the implementation of the authentication method is also applicable to the authentication device provided in this embodiment and will not be described in detail here.
- FIG. 15 is a schematic structural diagram of an authentication device 1500 provided by an embodiment of the present disclosure.
- the authentication device 1500 can be used in AUSF network elements.
- the device 1500 may include a transceiver module 1501.
- the transceiver module 1501 is configured to: send an AMF network element information acquisition request to the UDM network element, where the AMF network element information acquisition request includes the identity of the UE corresponding to the AUSF network element; receive the AMF network element information acquisition response fed back by the UDM network element, where the AMF network element information acquisition response is used to indicate the AMF network element that provides services for the UE; and send an authentication notification message to the AMF network element, where the authentication notification message includes the identity of the UE and is used to notify the AMF network element to perform a network authentication process on the UE.
- the AUSF network element sends an AMF network element information acquisition request to the UDM network element, obtains from the UDM network element an AMF network element information acquisition response indicating the AMF network element that provides services for the UE, and sends an authentication notification message to that AMF network element to notify it to perform the network authentication process on the UE, thereby realizing a mechanism for the network side to trigger the network authentication process on the UE, which can greatly improve the continuity and security of network services.
- the authentication notification message also includes access type information.
- the access type information is used to indicate the access type applicable to the initiated network authentication process.
- the access type includes 3rd Generation Partnership Project (3GPP) access and/or non-3GPP access.
- the authentication notification message also includes the authentication reason for the AUSF network element to send the authentication notification message.
- the authentication reason includes at least one of the following: the roaming manipulation count has reached the upper limit; and the UE parameter update count has reached the upper limit.
- the authentication notification message also includes a confirmation request indication for requesting an authentication notification confirmation message from the AMF network element, and the authentication notification confirmation message is used to indicate that the AMF network element has requested the UE to perform the network authentication process.
- the device 1500 also includes a processing module 1502, which is configured to generate a new AUSF network element key after confirming that the network authentication process is completed, and to reset the roaming manipulation count and the UE parameter update count.
- FIG 17 is a schematic structural diagram of an authentication device 1700 provided by an embodiment of the present disclosure.
- the authentication device 1700 can be used for UDM network elements.
- the device 1700 may include a transceiver module 1701.
- the transceiver module 1701 is configured to: receive an AMF (access and mobility management function) network element information acquisition request from the AUSF network element, where the AMF network element information acquisition request includes the identity of the UE corresponding to the AUSF network element; and, according to the identity of the UE, feed back an AMF network element information acquisition response to the AUSF network element, where the AMF network element information acquisition response is used to indicate the AMF network element that provides services for the UE, so that the network authentication process for the UE can be performed.
- the UDM network element can receive the AMF network element information acquisition request from the AUSF network element and feed back to the AUSF network element the AMF network element information acquisition response indicating the AMF network element that provides services for the UE, so that the AUSF network element can send an authentication notification message to the AMF network element to trigger the network authentication process for the UE.
- This implements a mechanism for the network side to trigger the network authentication process for the UE, which can greatly improve the continuity and security of network services.
- FIG 18 is a schematic structural diagram of an authentication device 1800 provided by an embodiment of the present disclosure.
- the authentication device 1800 can be used for AMF network elements.
- the device 1800 may include a transceiver module 1801.
- the transceiver module 1801 is configured to: receive an authentication notification message from the authentication server function (AUSF) network element, where the authentication notification message includes the identity of the UE and is used to notify the AMF network element to perform the network authentication process on the UE; send an authentication request to the UE through the NAS connection between the AMF network element and the UE, where the authentication request is used to request the UE to perform the network authentication process; and receive the authentication response fed back by the UE, where the authentication response includes the information required to perform the network authentication process.
- the AMF network element can receive the authentication notification message from the AUSF network element, send an authentication request to the UE, and obtain from the UE an authentication response including the information required for the network authentication process, so as to trigger the network authentication process for the UE.
- This enables the network side to trigger the network authentication process for the UE, which can greatly improve the continuity and security of network services.
- the transceiving module 1801 is also configured to send a paging message to the UE to create the NAS connection.
- the authentication notification message also includes a confirmation request indication for requesting an authentication notification confirmation message from the AMF network element, and the transceiver module 1801 is also configured to send the authentication notification confirmation message to the AUSF network element, wherein the authentication notification confirmation message is used to indicate that the AMF network element has requested the UE to perform the network authentication process.
- the device 1800 further includes a processing module 1802, which is configured to perform security protection on the authentication request according to the locally stored NAS security context.
- the processing module 1802 is also configured to update the locally stored NAS security context after the network authentication process is completed.
- the authentication request and the authentication notification message also include access type information.
- the access type information is used to indicate the access type applicable to the initiated network authentication process.
- the access type includes 3GPP access and/or non-3GPP access.
- the authentication notification message also includes the authentication reason for the AUSF network element to send the authentication notification message.
- the authentication reason includes at least one of the following: the roaming manipulation count has reached the upper limit; and the UE parameter update count has reached the upper limit.
- Figure 20 is a schematic structural diagram of an authentication device 2000 provided by an embodiment of the present disclosure.
- the authentication device 2000 can be used for UE.
- the device 2000 may include a transceiver module 2001.
- the transceiver module 2001 is configured to: receive an authentication request from an AMF network element, where the authentication request is used to request the UE to perform a network authentication process; and feed back an authentication response to the AMF network element, where the authentication response includes the information required to perform the network authentication process.
- the UE can receive the authentication request from the AMF network element and feed back to the AMF network element the authentication response including the information required for the network authentication process, so as to trigger the network authentication process for the UE, thereby implementing a mechanism by which network equipment triggers the network authentication process for the UE, which can greatly improve the continuity and security of network services.
- the transceiver module 2001 is also configured to: receive a paging message from the AMF network element to create a NAS connection with the AMF network element.
- the device 2000 further includes a processing module 2002, which is configured to perform security protection on the authentication response according to the locally stored NAS security context.
- the processing module 2002 is also configured to update the locally stored NAS security context after the network authentication process is completed.
- the authentication request includes access type information.
- the access type information is used to indicate the access type to which the initiated network authentication process applies.
- the access type includes 3GPP access and/or non-3GPP access.
- the embodiment of the present application also provides an authentication system, which includes the AUSF network element described in the embodiment of Figures 15-16, the UDM network element described in the embodiment of Figure 17, and the AMF network element described in the embodiment of Figures 18-19.
- FIG 22 is a schematic structural diagram of a communication device 2200 provided by an embodiment of the present application.
- the communication device 2200 may be a network device, a user equipment, a chip, a chip system or a processor that supports a network device in implementing the above method, or a chip, a chip system or a processor that supports a user equipment in implementing the above method, etc.
- the device can be used to implement the method described in the above method embodiment. For details, please refer to the description in the above method embodiment.
- Communication device 2200 may include one or more processors 2201.
- the processor 2201 may be a general-purpose processor or a special-purpose processor, or the like.
- it can be a baseband processor or a central processing unit.
- the baseband processor can be used to process communication protocols and communication data.
- the central processor can be used to control communication devices (such as base stations, baseband chips, terminal equipment, terminal equipment chips, DU or CU, etc.), execute computer programs, and process data for computer programs.
- the communication device 2200 may also include one or more memories 2202, on which a computer program 2204 may be stored.
- the processor 2201 executes the computer program 2204, so that the communication device 2200 performs the method described in the above method embodiments.
- the memory 2202 may also store data.
- the communication device 2200 and the memory 2202 can be provided separately or integrated together.
- the communication device 2200 may also include a transceiver 2205 and an antenna 2206.
- the transceiver 2205 may be called a transceiver unit, a transceiver, a transceiver circuit, etc., and is used to implement transceiver functions.
- the transceiver 2205 may include a receiver and a transmitter.
- the receiver may be called a receiver or a receiving circuit, etc., used to implement the receiving function;
- the transmitter may be called a transmitter, a transmitting circuit, etc., used to implement the transmitting function.
- the communication device 2200 may also include one or more interface circuits 2207.
- the interface circuit 2207 is used to receive code instructions and transmit them to the processor 2201.
- the processor 2201 executes the code instructions to cause the communication device 2200 to perform the method described in the above method embodiment.
- the processor 2201 may include a transceiver for implementing receiving and transmitting functions.
- the transceiver may be a transceiver circuit, an interface, or an interface circuit.
- the transceiver circuits, interfaces or interface circuits used to implement the receiving and transmitting functions can be separate or integrated together.
- the above-mentioned transceiver circuit, interface or interface circuit can be used for reading and writing codes/data, or the above-mentioned transceiver circuit, interface or interface circuit can be used for signal transmission or transfer.
- the processor 2201 may store a computer program 2203, and the computer program 2203 runs on the processor 2201, causing the communication device 2200 to perform the method described in the above method embodiment.
- the computer program 2203 may be solidified in the processor 2201, in which case the processor 2201 may be implemented by hardware.
- the communication device 2200 may include a circuit, and the circuit may implement the functions of sending or receiving or communicating in the foregoing method embodiments.
- the processor and transceiver described in this application can be implemented in integrated circuits (ICs), analog ICs, radio frequency integrated circuits (RFICs), mixed signal ICs, application specific integrated circuits (ASICs), printed circuit boards (PCBs), electronic equipment, etc.
- the processor and transceiver can also be manufactured using various IC process technologies, such as complementary metal oxide semiconductor (CMOS), n-type metal oxide semiconductor (NMOS), p-type metal oxide semiconductor (PMOS), bipolar junction transistor (BJT), bipolar CMOS (BiCMOS), silicon germanium (SiGe), gallium arsenide (GaAs), etc.
- the communication device described in the above embodiments may be network equipment or user equipment, but the scope of the communication device described in this application is not limited thereto, and the structure of the communication device may not be limited by FIG. 22 .
- the communication device may be a stand-alone device or may be part of a larger device.
- the communication device may be:
- the IC collection may also include storage components for storing data and computer programs;
- the communication device may be a chip or a chip system; refer to the schematic structural diagram of the chip shown in FIG. 23.
- the chip shown in Figure 23 includes a processor 2301 and an interface 2302.
- the number of processors 2301 may be one or more, and the number of interfaces 2302 may be multiple.
- the chip also includes a memory 2303, which is used to store necessary computer programs and data.
- This application also provides a readable storage medium on which instructions are stored. When the instructions are executed by a computer, the functions of any of the above method embodiments are implemented.
- This application also provides a computer program product, which, when executed by a computer, implements the functions of any of the above method embodiments.
- the above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
- when implemented in software, they may be implemented in whole or in part in the form of a computer program product.
- the computer program product includes one or more computer programs.
- When the computer program is loaded and executed on a computer, the processes or functions described in the embodiments of the present application are produced in whole or in part.
- the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device.
- the computer program may be stored in a computer-readable storage medium or transferred from one computer-readable storage medium to another; for example, the computer program may be transmitted from a website, computer, server, or data center to another website, computer, server, or data center by wired means (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (such as infrared, radio, or microwave).
- the computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media.
- the usable media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., high-density digital video discs (DVD)), or semiconductor media (e.g., solid state disks (SSD)).
- "at least one" in this application may also be described as "one or more", and "a plurality" may be two, three, four or more, which is not limited by this application.
- technical features are distinguished by "first", "second", "third", "A", "B", "C", "D", etc.
- technical features described as "first", "second", "third", "A", "B", "C" or "D" have no particular order or precedence.
- machine-readable medium and “computer-readable medium” refer to any computer program product, apparatus, and/or means for providing machine instructions and/or data to a programmable processor (for example, magnetic disks, optical disks, memories, programmable logic devices (PLD)), including machine-readable media that receive machine instructions as machine-readable signals.
- machine-readable signal refers to any signal used to provide machine instructions and/or data to a programmable processor.
- the systems and techniques described herein may be implemented in a computing system that includes back-end components (e.g., a data server), middleware components (e.g., an application server), front-end components (e.g., a user's computer having a graphical user interface or web browser through which the user can interact with implementations of the systems and techniques described herein), or any combination of such back-end, middleware, or front-end components.
- the components of the system may be interconnected by any form or medium of digital data communication (e.g., a communications network). Examples of communication networks include local area networks (LAN), wide area networks (WAN), and the Internet.
- Computer systems may include clients and servers.
- Clients and servers are generally remote from each other and typically interact over a communications network.
- the client-server relationship arises from computer programs running on the respective computers that have a client-server relationship with each other.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present invention relates to the field of communications and provides an authentication method and device. The technical solution of the present application is mainly that: an AUSF network element sends an AMF network element information acquisition request to a UDM network element so as to obtain from the UDM network element an AMF network element information acquisition response for indicating an AMF network element providing service to a UE, and sends an authentication notification message to the AMF network element to notify the AMF network element of performing a network authentication process regarding the UE, such that the mechanism of triggering by a network side the network authentication process regarding the UE is implemented, and the continuity and security of the network service can be greatly improved.
Description
The present disclosure relates to the field of mobile communication technology, and in particular to an authentication method and device.
In a mobile network communication system, user equipment (UE) can initiate a network authentication process to achieve mutual authentication between the UE side and the network side and to provide the information required for subsequent security procedures, such as the Authentication Server Function (AUSF) network element key. However, in current mobile network communication systems the network side has no mechanism for triggering a network authentication process for the UE. Therefore, when the information required for security procedures needs to be updated, network service may be interrupted because the UE fails to initiate a network authentication process in time.
Summary of the Invention
The present disclosure proposes an authentication method and device, and provides a mechanism by which the network side triggers a network authentication process for the UE, thereby greatly improving the continuity and security of network services.
An embodiment of the first aspect of the present disclosure provides an authentication method, executed by an AUSF network element, the method including: sending an Access and Mobility Management Function (AMF) network element information acquisition request to a Unified Data Management (UDM) network element, wherein the AMF network element information acquisition request includes the identity of the UE corresponding to the AUSF network element; receiving an AMF network element information acquisition response fed back by the UDM network element, wherein the AMF network element information acquisition response is used to indicate the AMF network element that serves the UE; and sending an authentication notification message to the AMF network element, wherein the authentication notification message includes the identity of the UE and is used to notify the AMF network element to perform a network authentication process for the UE.
Optionally, the authentication notification message further includes access type information, which indicates the access type to which the initiated network authentication process applies; the access type includes 3rd Generation Partnership Project (3GPP) access and/or non-3GPP access.
Optionally, the authentication notification message further includes the authentication reason for which the AUSF network element sent the authentication notification message, the authentication reason including at least one of: the steering-of-roaming count has reached its upper limit; and the UE parameter update count has reached its upper limit.
Optionally, the authentication notification message further includes a confirmation request indication for requesting an authentication notification confirmation message from the AMF network element, the authentication notification confirmation message being used to indicate that the AMF network element has requested the UE to perform the network authentication process.
Optionally, the method further includes: after confirming that the network authentication process is complete, generating a new AUSF network element key and resetting the steering-of-roaming count and the UE parameter update count.
An embodiment of the second aspect of the present disclosure provides an authentication method, executed by a UDM network element, the method including: receiving an AMF network element information acquisition request from an AUSF network element, wherein the AMF network element information acquisition request includes the identity of the UE corresponding to the AUSF network element; and, according to the identity of the UE, feeding back an AMF network element information acquisition response to the AUSF network element, wherein the AMF network element information acquisition response is used to indicate the AMF network element that serves the UE and is thus able to perform a network authentication process for the UE.
An embodiment of the third aspect of the present disclosure provides an authentication method, executed by an AMF network element, the method including: receiving an authentication notification message from an AUSF network element, wherein the authentication notification message includes the identity of a UE and is used to notify the AMF network element to perform a network authentication process for the UE; sending an authentication request to the UE over the Non-Access Stratum (NAS) connection between the AMF network element and the UE, wherein the authentication request is used to request the UE to perform the network authentication process; and receiving an authentication response fed back by the UE, wherein the authentication response includes the information required to perform the network authentication process.
Optionally, the method further includes: sending a paging message to the UE to establish the NAS connection.
Optionally, the authentication notification message further includes a confirmation request indication for requesting an authentication notification confirmation message from the AMF network element, and the method further includes: sending the authentication notification confirmation message to the AUSF network element, wherein the authentication notification confirmation message is used to indicate that the AMF network element has requested the UE to perform the network authentication process.
Optionally, the method further includes: applying security protection to the authentication request according to the locally stored NAS security context.
Optionally, the method further includes: after the network authentication process is complete, updating the locally stored NAS security context.
Optionally, the authentication request and the authentication notification message further include access type information, which indicates the access type to which the initiated network authentication process applies; the access type includes 3GPP access and/or non-3GPP access.
Optionally, the authentication notification message further includes the authentication reason for which the AUSF network element sent the authentication notification message, the authentication reason including at least one of: the steering-of-roaming count has reached its upper limit; and the UE parameter update count has reached its upper limit.
An embodiment of the fourth aspect of the present disclosure provides an authentication method, executed by a UE, the method including: receiving an authentication request from an AMF network element, wherein the authentication request is used to request the UE to perform a network authentication process; and feeding back an authentication response to the AMF network element, wherein the authentication response includes the information required to perform the network authentication process.
Optionally, the method further includes: receiving a paging message from the AMF network element to establish a NAS connection with the AMF network element.
Optionally, the method further includes: applying security protection to the authentication response according to the locally stored NAS security context.
Optionally, the method further includes: after the network authentication process is complete, updating the locally stored NAS security context.
Optionally, the authentication request includes access type information, which indicates the access type to which the initiated network authentication process applies; the access type includes 3GPP access and/or non-3GPP access.
An embodiment of the fifth aspect of the present disclosure provides an authentication method, the method including: an AUSF network element obtains AMF network element related information from a UDM network element, wherein the AMF network element related information is used to indicate the AMF network element that serves the UE corresponding to the AUSF network element; the AUSF network element sends an authentication notification message to the AMF network element, wherein the authentication notification message is used to notify the AMF network element to perform a network authentication process for the UE; the AMF network element sends an authentication request to the UE, wherein the authentication request is used to request the UE to perform the network authentication process; and the AMF network element receives an authentication response fed back by the UE, wherein the authentication response includes the information required to perform the network authentication process.
Optionally, the AUSF network element obtaining AMF network element related information from the UDM network element includes: the AUSF network element sends an AMF network element information acquisition request to the UDM network element, wherein the AMF network element information acquisition request includes the identity of the UE; and receives an AMF network element information acquisition response fed back by the UDM network element, wherein the AMF network element information acquisition response includes the AMF network element related information.
Optionally, the authentication notification message includes a confirmation request indication for requesting an authentication notification confirmation message from the AMF network element, and the method further includes: the AMF network element sends the authentication notification confirmation message to the AUSF network element, wherein the authentication notification confirmation message is used to indicate that the AMF network element has requested the UE to perform the network authentication process.
Optionally, the method further includes: after the network authentication process is complete, the AUSF network element generates a new AUSF network element key and resets the steering-of-roaming count and the UE parameter update count.
Optionally, the authentication notification message further includes access type information, which indicates the access type to which the initiated network authentication process applies; the access type includes 3rd Generation Partnership Project (3GPP) access and/or non-3GPP access.
Optionally, the authentication notification message further includes the authentication reason for which the AUSF network element sent the authentication notification message, the authentication reason including at least one of: the steering-of-roaming count has reached its upper limit; and the UE parameter update count has reached its upper limit.
An embodiment of the sixth aspect of the present disclosure provides an authentication device for an AUSF network element, including a transceiver module configured to: send an AMF network element information acquisition request to a UDM network element, wherein the AMF network element information acquisition request includes the identity of the UE corresponding to the AUSF network element; receive an AMF network element information acquisition response fed back by the UDM network element, wherein the AMF network element information acquisition response is used to indicate the AMF network element that serves the UE; and send an authentication notification message to the AMF network element, wherein the authentication notification message includes the identity of the UE and is used to notify the AMF network element to perform a network authentication process for the UE.
An embodiment of the seventh aspect of the present disclosure provides an authentication device for a UDM network element, including a transceiver module configured to: receive an AMF network element information acquisition request from an AUSF network element, wherein the AMF network element information acquisition request includes the identity of the UE corresponding to the AUSF network element; and, according to the identity of the UE, feed back an AMF network element information acquisition response to the AUSF network element, wherein the AMF network element information acquisition response is used to indicate the AMF network element that serves the UE and is thus able to perform a network authentication process for the UE.
An embodiment of the eighth aspect of the present disclosure provides an authentication device for an AMF network element, including a transceiver module configured to: receive an authentication notification message from an AUSF network element, wherein the authentication notification message includes the identity of a UE and is used to notify the AMF network element to perform a network authentication process for the UE; send an authentication request to the UE over the NAS connection between the AMF network element and the UE, wherein the authentication request is used to request the UE to perform the network authentication process; and receive an authentication response fed back by the UE, wherein the authentication response includes the information required to perform the network authentication process.
An embodiment of the ninth aspect of the present disclosure provides an authentication device for a UE, including a transceiver module configured to: receive an authentication request from an AMF network element, wherein the authentication request is used to request the UE to perform a network authentication process; and feed back an authentication response to the AMF network element, wherein the authentication response includes the information required to perform the network authentication process.
An embodiment of the tenth aspect of the present disclosure provides an authentication system including an AUSF network element, a UDM network element and an AMF network element, wherein: the AUSF network element is configured to obtain from the UDM network element AMF network element related information indicating the AMF network element that serves the UE corresponding to the AUSF network element, and to send an authentication notification message to the AMF network element, wherein the authentication notification message is used to notify the AMF network element to perform a network authentication process for the UE; the UDM network element is configured to receive an AMF network element information acquisition request sent by the AUSF network element and, in response to that request, to feed back the AMF network element related information to the AUSF network element, wherein the AMF network element information acquisition request includes the identity of the UE corresponding to the AUSF network element; and the AMF network element sends an authentication request to the UE and receives an authentication response from the UE, wherein the authentication request is used to request the UE to perform the network authentication process and the authentication response includes the information required to perform the network authentication process.
An embodiment of the eleventh aspect of the present disclosure provides a communication device including a transceiver, a memory and a processor, the processor being connected to the transceiver and the memory respectively and configured to execute computer-executable instructions stored in the memory so as to control the wireless signal transmission and reception of the transceiver and to implement the authentication method of any of the embodiments of the first, second, third or fourth aspect.
An embodiment of the twelfth aspect of the present disclosure provides a computer storage medium storing computer-executable instructions which, when executed by a processor, implement the authentication method of any of the embodiments of the first, second, third or fourth aspect.
Embodiments of the present disclosure provide an authentication method and device. The AUSF network element sends an AMF network element information acquisition request to the UDM network element in order to obtain from it an AMF network element information acquisition response indicating the AMF network element that serves the UE, and sends an authentication notification message to that AMF network element to notify it to perform a network authentication process for the UE. This implements a mechanism by which the network side triggers the network authentication process for the UE, which can greatly improve the continuity and security of network services.
Additional aspects and advantages of the present disclosure will be set forth in part in the description that follows, and in part will be obvious from the description, or may be learned by practice of the present disclosure.
The above and/or additional aspects and advantages of the present disclosure will become apparent and readily understood from the following description of the embodiments in conjunction with the accompanying drawings, in which:
Figure 1 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure;
Figure 2 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure;
Figure 3 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure;
Figure 4 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure;
Figure 5 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure;
Figure 6 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure;
Figure 7 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure;
Figure 8 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure;
Figure 9 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure;
Figure 10 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure;
Figure 11 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure;
Figure 12 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure;
Figure 13 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure;
Figure 14 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure;
Figure 15 is a block diagram of an authentication device according to an embodiment of the present disclosure;
Figure 16 is a block diagram of an authentication device according to an embodiment of the present disclosure;
Figure 17 is a block diagram of an authentication device according to an embodiment of the present disclosure;
Figure 18 is a block diagram of an authentication device according to an embodiment of the present disclosure;
Figure 19 is a block diagram of an authentication device according to an embodiment of the present disclosure;
Figure 20 is a block diagram of an authentication device according to an embodiment of the present disclosure;
Figure 21 is a block diagram of an authentication device according to an embodiment of the present disclosure;
Figure 22 is a schematic structural diagram of a communication device provided by an embodiment of the present disclosure;
Figure 23 is a schematic structural diagram of a chip provided by an embodiment of the present disclosure.
Embodiments of the present disclosure are described in detail below; examples of the embodiments are illustrated in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the accompanying drawings are exemplary, are intended to explain the present disclosure, and are not to be construed as limiting it.
In order to protect the Steering of Roaming (SoR) / UE Parameter Update (UPU) services, the Authentication Server Function (AUSF) network element and the UE need to maintain the steering-of-roaming count Counter_SoR and the UE parameter update count Counter_UPU during the lifetime of the AUSF network element key K_AUSF. When a newly generated K_AUSF is stored, Counter_SoR is set to 0x00 0x01 and Counter_UPU is set to 0x00 0x01, and each is then incremented monotonically with every computation on the AUSF network element side of the SoR message hash value SoR-MAC-I_AUSF or the UPU message hash value UPU-MAC-I_AUSF respectively. Once the Counter_SoR/Counter_UPU associated with K_AUSF reaches its upper limit, the AUSF network element can no longer provide the SoR/UPU protection service for the UE. Only when a new K_AUSF is regenerated for the UE are Counter_SoR/Counter_UPU reset, after which the AUSF network element can resume the SoR/UPU protection service for the UE. It is therefore essential to refresh K_AUSF in time, before K_AUSF becomes invalid.
The network authentication procedure achieves mutual authentication between the UE side and the network side and provides the information required by subsequent security procedures. After the network authentication procedure completes successfully, a new K_AUSF can be generated. In current mobile communication networks, the network side has no mechanism to trigger a network authentication procedure for a UE: a UE can remain attached to the network with the same K_AUSF for a long time without refreshing it, which leads to interruption of the SoR/UPU protection service and even of network service. For security, a mechanism that lets the network side trigger the network authentication procedure for a UE is urgently needed to address the resulting security threat. Network-side triggering of the network authentication procedure for a UE can greatly improve the continuity and security of network services.
When Counter_SoR or Counter_UPU reaches its upper limit, some network functions (NFs) on the core network side (for example the AUSF network element, the UDM network element or the AMF network element) can detect that K_AUSF is unusable and notify the UE to run the network authentication procedure, so that SoR/UPU protection for the UE need not be suspended. In current mobile communication systems, however, the network authentication procedure is mainly initiated by the UE, by sending a registration request to the Access and Mobility Management Function (AMF) network element. NFs on the core network side have no mechanism to trigger the network authentication procedure for a UE, which may introduce additional security threats and degrade service quality.
To this end, the present disclosure proposes an authentication method and device that provide a mechanism by which the network side triggers the network authentication procedure for a UE, thereby greatly improving the continuity and security of network services.
The authentication method and device provided by this application are described in detail below with reference to the accompanying drawings.
Figure 1 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure. As shown in Figure 1, the method may be performed by an AUSF network element and may include the following steps.
S101. Send an AMF network element information acquisition request to the UDM network element.
The AMF network element information acquisition request includes the identifier of the UE corresponding to the AUSF network element.
In this embodiment, the AUSF network element may send an AMF network element information acquisition request to the UDM network element in order to obtain information about the AMF network element serving the UE that corresponds to the AUSF network element.
For example, when the AUSF network element determines that the AUSF key K_AUSF needs to be regenerated, such as when the current K_AUSF is invalid, it sends the UDM network element an AMF network element information acquisition request carrying the identifier of the UE corresponding to the AUSF network element, in order to obtain from the UDM network element information about the AMF network element serving that UE.
The identifier of the UE may be a Generic Public Subscription Identifier (GPSI) or a Subscription Permanent Identifier (SUPI).
S102. Receive the AMF network element information acquisition response returned by the UDM network element.
The AMF network element information acquisition response indicates the AMF network element serving the UE.
After receiving the AMF network element information acquisition request from the AUSF network element, the UDM network element may, based on the UE identifier carried in that request, return an AMF network element information acquisition response to the AUSF network element, thereby providing the AUSF network element with information about the AMF network element serving the UE (for example, the identifier of that AMF network element).
S103. Send an authentication notification message to the AMF network element.
The authentication notification message includes the identifier of the UE and notifies the AMF network element to perform the network authentication procedure for the UE.
Once the AUSF network element knows which AMF network element serves the UE, it may send that AMF network element an authentication notification message to notify it to perform the network authentication procedure for the UE.
For the specific implementation of the network authentication procedure for the UE, reference may be made to the network authentication procedure in the prior art. For example, the network authentication procedure shown in this application is implemented similarly to the one initiated when the UE sends a registration request to the AMF network element, and is not described again here.
According to the authentication method of this embodiment of the present disclosure, the AUSF network element sends an AMF network element information acquisition request to the UDM network element, obtains from the UDM network element an AMF network element information acquisition response indicating the AMF network element serving the UE, and sends that AMF network element an authentication notification message notifying it to perform the network authentication procedure for the UE. This realizes a mechanism by which the network side triggers the network authentication procedure for the UE, which can greatly improve the continuity and security of network services.
In some embodiments, the authentication notification message sent by the AUSF network element to the AMF network element may further include access type information, which indicates the access type(s) to which the initiated network authentication procedure applies; the access type includes 3rd Generation Partnership Project (3GPP) access and/or non-3GPP access.
For example, if the access type information in the authentication notification message received by the AMF network element indicates 3GPP access, the AMF network element can determine that the initiated network authentication procedure is performed for 3GPP access only.
As another example, if the access type information in the authentication notification message received by the AMF network element indicates non-3GPP access, the AMF network element can determine that the initiated network authentication procedure is performed for non-3GPP access only.
As another example, if the access type information in the authentication notification message received by the AMF network element indicates both 3GPP access and non-3GPP access, the AMF network element can determine that the initiated network authentication procedure is performed for both 3GPP access and non-3GPP access.
In some embodiments, the authentication notification message sent by the AUSF network element to the AMF network element may further include the authentication reason for which the AUSF network element issued it. The authentication reason includes at least one of: the Steering of Roaming count having reached its upper limit; and the UE parameter update count having reached its upper limit.
K_AUSF may become invalid because the Steering of Roaming count and/or the UE parameter update count has reached its upper limit. The reason for which the AUSF network element issues an authentication notification message to trigger the network authentication procedure for the UE may therefore be that the Steering of Roaming count and/or the UE parameter update count has reached its upper limit.
In some embodiments, the authentication notification message sent by the AUSF network element to the AMF network element may further include a confirmation request indication, which requests an authentication notification confirmation message from the AMF network element; the authentication notification confirmation message indicates that the AMF network element has requested the UE to perform the network authentication procedure.
That is, the authentication notification message sent by the AUSF network element to the AMF network element may also carry a confirmation request indication asking the AMF network element for an authentication notification confirmation message indicating that the AMF network element has requested the UE to perform the network authentication procedure. On receiving that confirmation message, the AUSF network element can confirm that the AMF network element has requested the UE to perform the network authentication procedure; in other words, the AUSF network element learns whether this triggering of the network authentication procedure for the UE has taken effect.
For example, if the authentication notification message includes a confirmation request indication and the AUSF network element does not receive an authentication notification confirmation message from the AMF network element within a preset period after sending the authentication notification message, the AUSF network element can conclude that this triggering of the network authentication procedure for the UE has not taken effect.
Figure 2 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure. The method may be performed by an AUSF network element and builds on the embodiment shown in Figure 1. As shown in Figure 2, the method may include the following steps.
S201. Send an AMF network element information acquisition request to the UDM network element.
The AMF network element information acquisition request includes the identifier of the UE corresponding to the AUSF network element.
S202. Receive the AMF network element information acquisition response returned by the UDM network element.
The AMF network element information acquisition response indicates the AMF network element serving the UE.
S203. Send an authentication notification message to the AMF network element.
The authentication notification message includes the identifier of the UE and notifies the AMF network element to perform the network authentication procedure for the UE.
For the description and details of steps S201 to S203, refer to the description of steps S101 to S103 above.
S204. After confirming that the network authentication procedure has completed, generate a new AUSF key and reset the Steering of Roaming count and the UE parameter update count.
After confirming that the network authentication procedure has completed, the AUSF network element may generate a new AUSF key K_AUSF and reset the Steering of Roaming count and the UE parameter update count, that is, set Counter_SoR to 0x00 0x01 and Counter_UPU to 0x00 0x01.
According to the authentication method of this embodiment of the present disclosure, the AUSF network element sends an AMF network element information acquisition request to the UDM network element, obtains from the UDM network element an AMF network element information acquisition response indicating the AMF network element serving the UE, and sends that AMF network element an authentication notification message notifying it to perform the network authentication procedure for the UE; after the network authentication procedure completes, a new AUSF key can be generated and the Steering of Roaming count and UE parameter update count reset. This realizes a mechanism by which the network side triggers the network authentication procedure for the UE, which can greatly improve the continuity and security of network services.
In some embodiments, the authentication notification message sent by the AUSF network element to the AMF network element may further include access type information, which indicates the access type(s) to which the initiated network authentication procedure applies; the access type includes 3GPP access and/or non-3GPP access.
In some embodiments, the authentication notification message sent by the AUSF network element to the AMF network element may further include the authentication reason for which the AUSF network element issued it. The authentication reason includes at least one of: the Steering of Roaming count having reached its upper limit; and the UE parameter update count having reached its upper limit.
In some embodiments, the authentication notification message sent by the AUSF network element to the AMF network element may further include a confirmation request indication, which requests an authentication notification confirmation message from the AMF network element; the authentication notification confirmation message indicates that the AMF network element has requested the UE to perform the network authentication procedure.
Figure 3 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure. As shown in Figure 3, the method may be performed by a UDM network element and may include the following steps.
S301. Receive an AMF network element information acquisition request from the AUSF network element.
The AMF network element information acquisition request includes the identifier of the UE corresponding to the AUSF network element.
In this embodiment, the UDM network element may receive from the AUSF network element an AMF network element information acquisition request carrying the identifier of the UE corresponding to the AUSF network element, so that the AUSF network element can obtain from the UDM network element information about the AMF network element serving that UE.
For example, when the AUSF network element determines that the AUSF key K_AUSF needs to be regenerated, such as when the current K_AUSF is invalid, the AUSF network element may send this AMF network element information acquisition request to the UDM network element.
The identifier of the UE may be a GPSI or a SUPI.
S302. Based on the identifier of the UE, return an AMF network element information acquisition response to the AUSF network element.
The AMF network element information acquisition response indicates the AMF network element that serves the UE and can therefore perform the network authentication procedure for the UE.
After receiving the AMF network element information acquisition request from the AUSF network element, the UDM network element may, based on the UE identifier carried in that request, return an AMF network element information acquisition response to the AUSF network element, thereby providing the AUSF network element with information (for example, the identifier) about the AMF network element that serves the UE and can perform the network authentication procedure for the UE. The AUSF network element thus learns from the UDM network element which AMF network element can serve the UE for the network authentication procedure, and can send that AMF network element an authentication notification message to trigger the network authentication procedure for the UE.
For the specific implementation of the network authentication procedure for the UE, reference may be made to the network authentication procedure in the prior art. For example, the network authentication procedure shown in this application is implemented similarly to the one initiated when the UE sends a registration request to the AMF network element, and is not described again here.
According to the authentication method of this embodiment of the present disclosure, the UDM network element receives an AMF network element information acquisition request from the AUSF network element and returns to the AUSF network element an AMF network element information acquisition response indicating the AMF network element serving the UE, so that the AUSF network element can send that AMF network element an authentication notification message to trigger the network authentication procedure for the UE. This realizes a mechanism by which the network side triggers the network authentication procedure for the UE, which can greatly improve the continuity and security of network services.
Figure 4 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure. As shown in Figure 4, the method may be performed by an AMF network element and may include the following steps.
S401. Receive an authentication notification message from the AUSF network element.
The authentication notification message includes the identifier of the UE and notifies the AMF network element to perform the network authentication procedure for the UE.
In this embodiment, the AMF network element may receive from the AUSF network element an authentication notification message carrying the identifier of the UE corresponding to the AUSF network element, so that the network side triggers the network authentication procedure for the UE.
For example, when the AUSF network element determines that the AUSF key K_AUSF needs to be regenerated, such as when the current K_AUSF is invalid, the AUSF network element may learn from the UDM network element which AMF network element serves the UE corresponding to the AUSF network element, and send that AMF network element an authentication notification message notifying it to perform the network authentication procedure for the UE.
The identifier of the UE may be a GPSI or a SUPI.
S402. Send an authentication request to the UE over the Non-Access Stratum (NAS) connection between the AMF network element and the UE.
The authentication request asks the UE to perform the network authentication procedure.
After receiving the authentication notification message, the AMF network element may send an authentication request to the UE over the NAS connection between the AMF network element and the UE, asking the UE to perform the network authentication procedure.
S403. Receive the authentication response returned by the UE.
The authentication response includes the information required to perform the network authentication procedure.
After receiving the authentication request from the AMF network element, the UE may return an authentication response to the AMF network element, providing the AMF network element with the information required for the network authentication procedure.
The network devices involved in the network authentication procedure, such as the AMF network element, the AUSF network element and the UDM network element, can interact with one another so that each of them obtains the information required for the network authentication procedure, allowing the network authentication procedure for the UE to be performed.
For the specific implementation of the network authentication procedure for the UE, reference may be made to the network authentication procedure in the prior art. For example, the network authentication procedure shown in this application is implemented similarly to the one initiated when the UE sends a registration request to the AMF network element, and is not described again here.
According to the authentication method of this embodiment of the present disclosure, the AMF network element receives an authentication notification message from the AUSF network element, sends an authentication request to the UE, and obtains from the UE an authentication response including the information required for the network authentication procedure, thereby triggering the network authentication procedure for the UE. This realizes a mechanism by which the network side triggers the network authentication procedure for the UE, which can greatly improve the continuity and security of network services.
In some embodiments, the authentication notification message received from the AUSF network element may further include the authentication reason for which the AUSF network element issued it. The authentication reason includes at least one of: the Steering of Roaming count having reached its upper limit; and the UE parameter update count having reached its upper limit.
K_AUSF may become invalid because the Steering of Roaming count and/or the UE parameter update count has reached its upper limit. The reason for which the AUSF network element issues an authentication notification message to trigger the network authentication procedure for the UE may therefore be that the Steering of Roaming count and/or the UE parameter update count has reached its upper limit.
In some embodiments, both the authentication notification message received from the AUSF network element and the authentication request sent to the UE may further include access type information, which indicates the access type(s) to which the initiated network authentication procedure applies; the access type includes 3rd Generation Partnership Project (3GPP) access and/or non-3GPP access.
For example, if the access type information in the authentication notification message received by the AMF network element indicates 3GPP access, the AMF network element can determine that the initiated network authentication procedure is performed for 3GPP access only, and the authentication request it sends to the UE carries that access type information so that the UE can likewise determine that the network authentication procedure is performed for 3GPP access only.
As another example, if the access type information in the authentication notification message received by the AMF network element indicates non-3GPP access, the AMF network element can determine that the initiated network authentication procedure is performed for non-3GPP access only, and the authentication request it sends to the UE carries that access type information so that the UE can likewise determine that the network authentication procedure is performed for non-3GPP access only.
As another example, if the access type information in the authentication notification message received by the AMF network element indicates both 3GPP access and non-3GPP access, the AMF network element can determine that the initiated network authentication procedure is performed for both 3GPP access and non-3GPP access, and the authentication request it sends to the UE carries that access type information so that the UE can likewise determine that the network authentication procedure is performed for both 3GPP access and non-3GPP access.
Figure 5 is a schematic flowchart of an authentication method according to an embodiment of the present disclosure. The method may be performed by an AMF network element and builds on the embodiment shown in Figure 4. As shown in Figure 5, the method may include the following steps.
S501. Receive an authentication notification message from the AUSF network element.
The authentication notification message includes the identifier of the UE and notifies the AMF network element to perform the network authentication procedure for the UE.
For the description and details of step S501, refer to the description of step S401 above.
S502. Send a paging message to the UE to establish a NAS connection.
After receiving the authentication notification message carrying the identifier of the UE, if the AMF network element finds that no NAS connection exists between the UE and the AMF network element, the 5G core network pages the UE: if the UE is in the registered (RM-REGISTERED) and CM-IDLE states, the AMF network element may send the UE a paging message via a 5G radio access network (NG-RAN) node in order to establish a NAS connection with the UE. If the UE is in the CM-CONNECTED state, a NAS connection between the UE and the AMF network element already exists, and step S502 may be omitted.
S503. Send an authentication request to the UE over the NAS connection between the AMF network element and the UE.
The authentication request asks the UE to perform the network authentication procedure.
S504. Receive the authentication response returned by the UE.
The authentication response includes the information required to perform the network authentication procedure.
For the description and details of steps S503 and S504, refer to the description of steps S402 and S403 above.
According to the authentication method of this embodiment of the present disclosure, the AMF network element receives an authentication notification message from the AUSF network element, sends an authentication request to the UE, and obtains from the UE an authentication response including the information required for the network authentication procedure, thereby triggering the network authentication procedure for the UE. This realizes a mechanism by which the network side triggers the network authentication procedure for the UE, which can greatly improve the continuity and security of network services.
In some embodiments, the authentication notification message received from the AUSF network element may further include the authentication reason for which the AUSF network element issued it. The authentication reason includes at least one of: the Steering of Roaming count having reached its upper limit; and the UE parameter update count having reached its upper limit.
In some embodiments, both the authentication notification message received from the AUSF network element and the authentication request sent to the UE may further include access type information, which indicates the access type(s) to which the initiated network authentication procedure applies; the access type includes 3GPP access and/or non-3GPP access.
Figure 6 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure. The method may be executed by the AMF network element and is based on the embodiment shown in Figure 4. As shown in Figure 6, the method may include the following steps.
S601: Receive an authentication notification message from the AUSF network element.
The authentication notification message includes the identity of the UE and is used to notify the AMF network element to perform a network authentication process for the UE.
S602: Send an authentication request to the UE over the NAS connection between the AMF network element and the UE.
The authentication request is used to request the UE to perform the network authentication process.
For the description and specific details of steps S601-S602, refer to the description of steps S401-S402 above.
S603: Send an authentication notification confirmation message to the AUSF network element.
The authentication notification confirmation message indicates that the AMF network element has requested the UE to perform the network authentication process.
The authentication notification message received from the AUSF network element may further include a confirmation request indication, which requests an authentication notification confirmation message from the AMF network element. If the authentication notification message includes the confirmation request indication, the AMF network element may, after sending the authentication request to the UE, send an authentication notification confirmation message to the AUSF network element to notify it that the network authentication process for the UE has been triggered. If the AMF network element fails to send the authentication request to the UE, it does not send the authentication notification confirmation message to the AUSF network element; if the AUSF network element does not receive the confirmation message within a preset time period, it can conclude that this attempt to trigger the network authentication process for the UE was not carried out.
S604: Receive the authentication response fed back by the UE.
The authentication response includes the information required for the network authentication process.
For the description and specific details of step S604, refer to the description of step S403 above.
According to the authentication method of this embodiment, the AMF network element can receive an authentication notification message from the AUSF network element, send an authentication request to the UE, and obtain from the UE an authentication response containing the information required for the network authentication process, thereby triggering the network authentication process for the UE. This provides a mechanism by which the network side triggers the network authentication process for the UE, which can greatly improve the continuity and security of network services.
It should be noted that although the embodiment shown in Figure 6 is described only on the basis of the embodiment shown in Figure 4, the embodiment of Figure 6 may similarly be based on the embodiment shown in Figure 5; for example, step S603 of Figure 6 may be combined with steps S501-S504 of Figure 5, which is not repeated here.
In some embodiments, the authentication notification message received from the AUSF network element may further include the authentication reason for which the AUSF network element sent it. The authentication reason includes at least one of the following: the steering-of-roaming count has reached its upper limit; and the UE parameter update count has reached its upper limit.
In some embodiments, the authentication notification message received from the AUSF network element and the authentication request sent to the UE may further include access type information, which indicates the access type to which the initiated network authentication process applies. The access type includes 3GPP access and/or non-3GPP access.
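The following Python simulation is an added illustration of the exchange described with Figures 5 and 6; it is not code from the patent or from any 3GPP implementation. It walks the flow end to end: the AUSF picks the AMF serving the UE (a dictionary standing in for the UDM lookup), sends a notification carrying the UE identity, the authentication reason, the access type and the confirmation request indication; the AMF pages only a UE that is in CM-IDLE, carries the access type into the authentication request, and confirms to the AUSF only once the request has actually been sent; the AUSF treats a confirmation that has not arrived by its deadline as a trigger that was not carried out. All class names, field names, reason strings and the deadline value are assumptions chosen to mirror the text; the real service operations and NAS encodings are not specified here.

```python
"""Network-triggered authentication flow (Figures 5 and 6), simulated.

Added illustration, not the patent's code. Message and field names, the
reason strings and the serving-AMF lookup are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class CMState(Enum):
    CM_IDLE = "CM-IDLE"
    CM_CONNECTED = "CM-CONNECTED"


@dataclass
class AuthenticationNotification:
    ue_id: str                    # SUPI or GPSI (assumed: plain string)
    reason: str                   # assumed values: "sor_counter_limit" / "upu_counter_limit"
    access_type: frozenset        # {"3gpp"}, {"non3gpp"} or both
    ack_requested: bool = False   # the confirmation request indication


@dataclass
class AuthenticationRequest:
    ue_id: str
    access_type: frozenset        # copied from the notification (Fig. 5/6 "access type information")


@dataclass
class AuthenticationResponse:
    ue_id: str
    auth_info: str                # placeholder for the material the UE supplies


@dataclass
class UE:
    ue_id: str
    cm_state: CMState
    reachable: bool = True        # False simulates a UE that never answers paging

    def on_paging(self) -> bool:
        if not self.reachable:
            return False
        self.cm_state = CMState.CM_CONNECTED   # NAS connection now exists
        return True

    def on_authentication_request(self, req: AuthenticationRequest) -> AuthenticationResponse:
        assert req.ue_id == self.ue_id
        return AuthenticationResponse(self.ue_id, f"auth-material-for-{sorted(req.access_type)}")


@dataclass
class AMF:
    ues: dict                                   # ue_id -> UE
    paged: list = field(default_factory=list)
    confirmations_sent: list = field(default_factory=list)

    def on_authentication_notification(self, msg, ausf) -> Optional[AuthenticationResponse]:
        ue = self.ues[msg.ue_id]
        if ue.cm_state is CMState.CM_IDLE:      # S502: page only when no NAS connection exists
            self.paged.append(ue.ue_id)
            if not ue.on_paging():
                return None                     # request not delivered: no confirmation is sent
        req = AuthenticationRequest(ue.ue_id, msg.access_type)   # S503 / S602
        if msg.ack_requested:                   # S603: confirm only after the request went out
            self.confirmations_sent.append(ue.ue_id)
            ausf.on_notification_confirmation(ue.ue_id)
        return ue.on_authentication_request(req)                 # S504 / S604


@dataclass
class AUSF:
    serving_amf: dict                           # ue_id -> AMF, stands in for the UDM lookup
    ack_deadline: float = 5.0                   # assumed preset time period (seconds)
    pending: dict = field(default_factory=dict)   # ue_id -> time the notification was sent
    confirmed: set = field(default_factory=set)

    def trigger_authentication(self, ue_id, reason, access_type, now, ack=True):
        amf = self.serving_amf[ue_id]
        msg = AuthenticationNotification(ue_id, reason, frozenset(access_type), ack)
        if ack:
            self.pending[ue_id] = now
        return amf.on_authentication_notification(msg, self)

    def on_notification_confirmation(self, ue_id):
        self.pending.pop(ue_id, None)
        self.confirmed.add(ue_id)

    def check_timeouts(self, now):
        """UE ids whose trigger is deemed not carried out: no confirmation by the deadline."""
        expired = [u for u, t in self.pending.items() if now - t > self.ack_deadline]
        for u in expired:
            del self.pending[u]
        return expired


def run_scenario():
    """Constructed scenario: an idle UE, a connected UE and an unreachable UE."""
    idle_ue = UE("imsi-001", CMState.CM_IDLE)
    connected_ue = UE("imsi-002", CMState.CM_CONNECTED)
    unreachable_ue = UE("imsi-003", CMState.CM_IDLE, reachable=False)
    amf = AMF({u.ue_id: u for u in (idle_ue, connected_ue, unreachable_ue)})
    ausf = AUSF({u.ue_id: amf for u in amf.ues.values()})
    r1 = ausf.trigger_authentication("imsi-001", "sor_counter_limit", {"3gpp"}, now=0.0)
    r2 = ausf.trigger_authentication("imsi-002", "upu_counter_limit", {"3gpp", "non3gpp"}, now=1.0)
    r3 = ausf.trigger_authentication("imsi-003", "sor_counter_limit", {"non3gpp"}, now=2.0)
    return amf, ausf, (r1, r2, r3)
```

The point worth checking in a real implementation is the ordering in the AMF: the confirmation to the AUSF is tied to the request having been sent, so a UE that cannot be paged leaves the AUSF's timer running and the trigger is reported as failed rather than silently assumed to have happened.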
Figure 7 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure. The method may be executed by the AMF network element and is based on the embodiment shown in Figure 4. As shown in Figure 7, the method may include the following steps.
S701: Receive an authentication notification message from the AUSF network element.
The authentication notification message includes the identity of the UE and is used to notify the AMF network element to perform a network authentication process for the UE.
For the description and specific details of step S701, refer to the description of step S401 above.
S702: Apply security protection to the authentication request using the locally stored NAS security context.
After receiving the authentication notification message, the AMF network element may send an authentication request to the UE over the NAS connection between the AMF network element and the UE to request the UE to perform the network authentication process.
For security, the AMF network element may protect the authentication request using the locally stored NAS security context, for example by ciphering it, and then send the protected authentication request to the UE. After receiving the protected authentication request, the UE may process it using the NAS security context stored locally on the UE to recover the content of the authentication request.
S703: Send the protected authentication request to the UE over the NAS connection between the AMF network element and the UE.
The authentication request is used to request the UE to perform the network authentication process.
S704: Receive the authentication response fed back by the UE.
The authentication response includes the information required for the network authentication process.
For the description and specific details of steps S703-S704, refer to the description of steps S402-S403 above.
According to the authentication method of this embodiment, the AMF network element can receive an authentication notification message from the AUSF network element, send an authentication request to the UE, and obtain from the UE an authentication response containing the information required for the network authentication process, thereby triggering the network authentication process for the UE. This provides a mechanism by which the network side triggers the network authentication process for the UE, which can greatly improve the continuity and security of network services.
It should be noted that although the embodiment shown in Figure 7 is described only on the basis of the embodiment shown in Figure 4, the embodiment of Figure 7 may similarly be based on the embodiments shown in Figures 5 and 6; for example, step S702 of Figure 7 may be combined with steps S501-S504 of Figure 5 or steps S601-S604 of Figure 6, which is not repeated here.
In some embodiments, the authentication notification message received from the AUSF network element may further include the authentication reason for which the AUSF network element sent it. The authentication reason includes at least one of the following: the steering-of-roaming count has reached its upper limit; and the UE parameter update count has reached its upper limit.
In some embodiments, the authentication notification message received from the AUSF network element and the authentication request sent to the UE may further include access type information, which indicates the access type to which the initiated network authentication process applies. The access type includes 3GPP access and/or non-3GPP access.
Figure 8 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure. The method may be executed by the AMF network element and is based on the embodiment shown in Figure 7. As shown in Figure 8, the method may include the following steps.
S801: Receive an authentication notification message from the AUSF network element.
The authentication notification message includes the identity of the UE and is used to notify the AMF network element to perform a network authentication process for the UE.
S802: Apply security protection to the authentication request using the locally stored NAS security context.
S803: Send the protected authentication request to the UE over the NAS connection between the AMF network element and the UE.
The authentication request is used to request the UE to perform the network authentication process.
S804: Receive the authentication response fed back by the UE.
The authentication response includes the information required for the network authentication process.
For the description and specific details of steps S801-S804, refer to the description of steps S701-S704 above.
S805: After the network authentication process is completed, update the locally stored NAS security context.
After confirming that the network authentication process has completed, the AMF network element may update the locally stored NAS security context, so that once the NAS Security Mode Command procedure has been completed to activate the updated NAS security context, the updated context can be used to protect the specified messages.
According to the authentication method of this embodiment, the AMF network element can receive an authentication notification message from the AUSF network element, send an authentication request to the UE, and obtain from the UE an authentication response containing the information required for the network authentication process, thereby triggering the network authentication process for the UE. This provides a mechanism by which the network side triggers the network authentication process for the UE, which can greatly improve the continuity and security of network services.
In some embodiments, the authentication notification message received from the AUSF network element may further include the authentication reason for which the AUSF network element sent it. The authentication reason includes at least one of the following: the steering-of-roaming count has reached its upper limit; and the UE parameter update count has reached its upper limit.
In some embodiments, the authentication notification message received from the AUSF network element and the authentication request sent to the UE may further include access type information, which indicates the access type to which the initiated network authentication process applies. The access type includes 3GPP access and/or non-3GPP access.
Figure 9 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure. As shown in Figure 9, the method may be executed by the UE and may include the following steps.
S901: Receive an authentication request from the AMF network element.
The authentication request is used to request the UE to perform a network authentication process.
In this embodiment, the UE may receive from the AMF network element an authentication request that requests the UE to perform the network authentication process.
For example, the AMF network element may send the authentication request to the UE after receiving from the AUSF network element an authentication notification message that notifies the AMF network element to perform the network authentication process for the UE.
S902: Feed back an authentication response to the AMF network element.
The authentication response includes the information required for the network authentication process.
After receiving the authentication request from the AMF network element, the UE may feed back an authentication response to the AMF network element to provide it with the information required for the network authentication process.
The network devices involved in the network authentication process, such as the AMF, AUSF and UDM network elements, may interact with each other so that each of them obtains the information required for the network authentication process, enabling the network authentication process for the UE to be carried out.
For the specific implementation of the network authentication process for the UE, reference may be made to existing network authentication procedures. For example, the network authentication process described in this application is implemented similarly to the network authentication process initiated by the UE sending a registration request to the AMF network element, which is not repeated here.
According to the authentication method of this embodiment, the UE can receive an authentication request from the AMF network element and feed back to the AMF network element an authentication response containing the information required for the network authentication process, thereby triggering the network authentication process for the UE. This provides a mechanism by which a network device triggers the network authentication process for the UE, which can greatly improve the continuity and security of network services.
In some embodiments, the authentication request received from the AMF network element may include access type information, which indicates the access type to which the initiated network authentication process applies. The access type includes 3GPP access and/or non-3GPP access.
For example, if the access type information in the authentication request received by the UE indicates 3GPP access, the UE can determine that the network authentication process is performed only for 3GPP access.
As another example, if the access type information in the authentication request received by the UE indicates non-3GPP access, the UE can determine that the network authentication process is performed only for non-3GPP access.
As a further example, if the access type information in the authentication request received by the UE indicates both 3GPP access and non-3GPP access, the UE can determine that the network authentication process is performed for both 3GPP access and non-3GPP access.
Figure 10 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure. The method may be executed by the UE and is based on the embodiment shown in Figure 9. As shown in Figure 10, the method may include the following steps.
S1001: Receive a paging message from the AMF network element to establish a NAS connection with the AMF network element.
The AMF network element can exchange information with the UE over a NAS connection. If no NAS connection exists between the UE and the AMF network element, the 5G core network pages the UE: if the UE is in the RM-REGISTERED and CM-IDLE states, the AMF may send a paging message to the UE via a 5G radio access network (NG-RAN) node to establish a NAS connection with the UE. If the UE is in the CM-CONNECTED state, a NAS connection between the UE and the AMF network element already exists, and step S1001 may be omitted.
S1002: Receive an authentication request from the AMF network element over the NAS connection.
The authentication request is used to request the UE to perform a network authentication process.
S1003: Feed back an authentication response to the AMF network element.
The authentication response includes the information required for the network authentication process.
For the description and specific details of steps S1002-S1003, refer to the description of steps S901-S902 above.
According to the authentication method of this embodiment, the UE can receive an authentication request from the AMF network element and feed back to the AMF network element an authentication response containing the information required for the network authentication process, thereby triggering the network authentication process for the UE. This provides a mechanism by which a network device triggers the network authentication process for the UE, which can greatly improve the continuity and security of network services.
In some embodiments, the authentication request received from the AMF network element may include access type information, which indicates the access type to which the initiated network authentication process applies. The access type includes 3GPP access and/or non-3GPP access.
Figure 11 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure. The method may be executed by the UE and is based on the embodiment shown in Figure 9. As shown in Figure 11, the method may include the following steps.
S1101: Receive an authentication request from the AMF network element.
The authentication request is used to request the UE to perform a network authentication process.
For the description and specific details of step S1101, refer to the description of step S901 above.
S1102: Apply security protection to the authentication response using the locally stored NAS security context.
After receiving the authentication request, the UE may send an authentication response to the AMF network element over the NAS connection between the AMF network element and the UE to provide the information required for the network authentication process.
For security, the UE may protect the authentication response using the locally stored NAS security context, for example by ciphering it, and then send the protected authentication response to the AMF network element. After receiving the protected authentication response, the AMF network element may process it using the NAS security context stored locally on the AMF network element to recover the content of the authentication response.
S1103: Feed back the protected authentication response to the AMF network element.
The authentication response includes the information required for the network authentication process.
For the description and specific details of step S1103, refer to the description of step S902 above.
According to the authentication method of this embodiment, the UE can receive an authentication request from the AMF network element and feed back to the AMF network element an authentication response containing the information required for the network authentication process, thereby triggering the network authentication process for the UE. This provides a mechanism by which a network device triggers the network authentication process for the UE, which can greatly improve the continuity and security of network services.
It should be noted that although the embodiment shown in Figure 11 is described only on the basis of the embodiment shown in Figure 9, the embodiment of Figure 11 may similarly be based on the embodiment shown in Figure 10; for example, step S1102 of Figure 11 may be combined with steps S1001-S1003 of Figure 10, which is not repeated here.
In some embodiments, the authentication request received from the AMF network element may include access type information, which indicates the access type to which the initiated network authentication process applies. The access type includes 3GPP access and/or non-3GPP access.
Figure 12 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure. The method may be executed by the UE and is based on the embodiment shown in Figure 9. As shown in Figure 12, the method may include the following steps.
S1201: Receive an authentication request from the AMF network element.
The authentication request is used to request the UE to perform a network authentication process.
S1202: Apply security protection to the authentication response using the locally stored NAS security context.
S1203: Feed back the protected authentication response to the AMF network element.
The authentication response includes the information required for the network authentication process.
For the description and specific details of steps S1201-S1203, refer to the description of steps S1101-S1103 above.
S1204: After the network authentication process is completed, update the locally stored NAS security context.
After confirming that the network authentication process has completed, the UE may update the locally stored NAS security context, so that once the NAS Security Mode Command procedure has been completed to activate the updated NAS security context, the updated context can be used to protect the specified messages.
According to the authentication method of this embodiment, the UE can receive an authentication request from the AMF network element and feed back to the AMF network element an authentication response containing the information required for the network authentication process, thereby triggering the network authentication process for the UE. This provides a mechanism by which a network device triggers the network authentication process for the UE, which can greatly improve the continuity and security of network services.
In some embodiments, the authentication request received from the AMF network element may include access type information, which indicates the access type to which the initiated network authentication process applies. The access type includes 3GPP access and/or non-3GPP access.
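The following Python example is an added illustration of the protection and context-update steps described for the AMF side with Figures 7 and 8 (S702, S805) and for the UE side with Figures 11 and 12 (S1102, S1204); it is not code from the patent or from any 3GPP stack. Each side protects its message with the NAS security context it stores locally, the peer verifies and decrypts with its own copy, and after the authentication run both sides replace the context, after which a message protected under the old context is rejected. One caveat for practitioners: the text mentions ciphering as the example of protection, but NAS security in 5G always integrity-protects a NAS message and only optionally ciphers it, so the example applies both. The key derivation (SHA-256), the counter-mode keystream, the 32-bit MAC and the immediate context swap (standing in for the NAS Security Mode Command exchange) are simplifications and assumptions, not the 3GPP algorithms.

```python
"""NAS-style protection of the authentication request/response and the
context update after authentication (Figures 7, 8, 11 and 12).

Added illustration, not the patent's code. Key derivation, keystream and
MAC are simplified stand-ins (assumptions), not 3GPP NEA/NIA algorithms.
"""
import hashlib
import hmac
import struct

DL, UL = 0, 1   # direction: downlink (AMF -> UE) / uplink (UE -> AMF)


class NasSecurityContext:
    """Minimal stand-in for the NAS security context each side stores locally."""

    def __init__(self, k_amf: bytes):
        self.k_int = hashlib.sha256(b"int" + k_amf).digest()   # assumed derivation
        self.k_enc = hashlib.sha256(b"enc" + k_amf).digest()
        self.ul_count = 0   # next expected / next used NAS COUNT per direction
        self.dl_count = 0

    def _keystream(self, count: int, direction: int, length: int) -> bytes:
        out, block = b"", 0
        while len(out) < length:
            out += hashlib.sha256(self.k_enc + struct.pack(">IBI", count, direction, block)).digest()
            block += 1
        return out[:length]

    def protect(self, plaintext: bytes, direction: int) -> bytes:
        """Cipher, then MAC over (COUNT, direction, ciphertext); advance the sending COUNT."""
        count = self.dl_count if direction == DL else self.ul_count
        ks = self._keystream(count, direction, len(plaintext))
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
        header = struct.pack(">IB", count, direction)
        mac = hmac.new(self.k_int, header + ciphertext, hashlib.sha256).digest()[:4]
        if direction == DL:
            self.dl_count += 1
        else:
            self.ul_count += 1
        return header + mac + ciphertext

    def unprotect(self, msg: bytes, direction: int) -> bytes:
        """Verify MAC and COUNT (no replay), then decipher; advance the receiving COUNT."""
        count, d = struct.unpack(">IB", msg[:5])
        mac, ciphertext = msg[5:9], msg[9:]
        if d != direction:
            raise ValueError("wrong direction")
        expected = hmac.new(self.k_int, msg[:5] + ciphertext, hashlib.sha256).digest()[:4]
        if not hmac.compare_digest(mac, expected):
            raise ValueError("integrity check failed")
        last = self.dl_count if direction == DL else self.ul_count
        if count < last:
            raise ValueError("replayed NAS COUNT")
        if direction == DL:
            self.dl_count = count + 1
        else:
            self.ul_count = count + 1
        ks = self._keystream(count, direction, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, ks))


class Endpoint:
    """AMF or UE: holds the locally stored context and replaces it after authentication."""

    def __init__(self, name: str, k_amf: bytes):
        self.name = name
        self.ctx = NasSecurityContext(k_amf)

    def update_context_after_authentication(self, new_k_amf: bytes):
        # S805 / S1204: new context after the run. In 5G it is taken into use by
        # the NAS Security Mode Command; modelled here as an immediate swap (assumption).
        self.ctx = NasSecurityContext(new_k_amf)


def _rejected(ctx: NasSecurityContext, wire: bytes, direction: int) -> bool:
    try:
        ctx.unprotect(wire, direction)
        return False
    except ValueError:
        return True


def run_flow(shared_k_amf: bytes, new_k_amf: bytes):
    """Constructed run: request DL, response UL, context update, stale/tampered rejection."""
    amf, ue = Endpoint("AMF", shared_k_amf), Endpoint("UE", shared_k_amf)
    req_wire = amf.ctx.protect(b"AUTHENTICATION REQUEST access=3gpp", DL)   # S702/S703
    req = ue.ctx.unprotect(req_wire, DL)
    resp_wire = ue.ctx.protect(b"AUTHENTICATION RESPONSE auth-info", UL)   # S1102/S1103
    resp = amf.ctx.unprotect(resp_wire, UL)
    tampered = req_wire[:-1] + bytes([req_wire[-1] ^ 0x01])
    tamper_rejected = _rejected(NasSecurityContext(shared_k_amf), tampered, DL)
    amf.update_context_after_authentication(new_k_amf)                     # S805
    ue.update_context_after_authentication(new_k_amf)                      # S1204
    stale = NasSecurityContext(shared_k_amf).protect(b"stale", DL)         # old context
    stale_rejected = _rejected(ue.ctx, stale, DL)
    post = ue.ctx.unprotect(amf.ctx.protect(b"SECURITY MODE COMMAND", DL), DL)
    return req, resp, tamper_rejected, stale_rejected, post
```

The COUNT check is what makes the "update after authentication" step matter operationally: the new context restarts the counters, so the replay window is bounded by the key lifetime and a captured message from the old context fails the MAC rather than being accepted with a fresh counter.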
Figure 13 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure. As shown in Figure 13, the method is executed through interaction among the UE, the AMF network element, the AUSF network element and the UDM network element, and may include the following steps.
S1301: The AUSF network element obtains AMF network element related information from the UDM network element.
The AMF network element related information indicates the AMF network element that serves the UE corresponding to the AUSF network element.
In some embodiments, the AUSF network element sends an AMF network element information acquisition request to the UDM network element and receives the AMF network element information acquisition response returned by the UDM network element. The request carries the identifier of the UE corresponding to the AUSF network element, and the response indicates the AMF network element serving that UE. The UE identifier may be a Generic Public Subscription Identifier (GPSI) or a Subscription Permanent Identifier (SUPI).
S1302: The AUSF network element sends an authentication notification message to the AMF network element.
The authentication notification message carries the UE identifier and notifies the AMF network element to perform a network authentication process for the UE.
Once the AUSF network element knows which AMF network element serves the UE, it can send that AMF network element an authentication notification message to have it perform the network authentication process for the UE.
For the specific implementation of the network authentication process for the UE, reference may be made to the network authentication process in the prior art. For example, the network authentication process shown in this application is implemented in a manner similar to the network authentication process that is initiated when the UE sends a registration request to the AMF network element, and is not described again here.
S1303: The AMF network element sends an authentication request to the UE.
The authentication request asks the UE to perform the network authentication process.
After receiving the authentication notification message, the AMF network element can send the authentication request to the UE over the Non-Access Stratum (NAS) connection between the AMF network element and the UE, requesting the UE to perform the network authentication process.
When the AMF network element receives the authentication notification message carrying the UE identifier and finds that no NAS connection exists between the UE and the AMF network element, the 5G core network pages the UE: if the UE is in the RM-REGISTERED and CM-IDLE states, the AMF can send a paging message to the UE via a 5G radio access network (NG-RAN) node to create a NAS connection with the UE. If the UE is in the CM-CONNECTED state, the NAS connection between the UE and the AMF network element already exists. The AMF network element communicates with the UE over this NAS connection.
S1304: The AMF network element receives the authentication response returned by the UE.
The authentication response includes the information required for the network authentication process.
After receiving the authentication request from the AMF network element, the UE can return an authentication response to the AMF network element, providing it with the information required for the network authentication process.
According to the authentication method of this embodiment of the present disclosure, the AUSF network element obtains from the UDM network element the AMF network element related information indicating the AMF network element serving the UE, and sends that AMF network element an authentication notification message to have it perform the network authentication process for the UE; after receiving the authentication notification message from the AUSF network element, the AMF network element sends an authentication request to the UE and obtains from the UE an authentication response containing the information required for the network authentication process, thereby triggering the network authentication process for the UE. This provides a mechanism by which the network side triggers the network authentication process for the UE, which can greatly improve the continuity and security of network services.
In some embodiments, the authentication notification message sent by the AUSF network element may further include the authentication reason for which the AUSF network element issued it. The authentication reason includes at least one of the following: the steering of roaming count has reached its upper limit; and the UE parameter update count has reached its upper limit.
K_AUSF may become invalid because the steering of roaming count and/or the UE parameter update count has reached its upper limit. Therefore, the reason for which the AUSF network element sends the authentication notification message to trigger the network authentication process for the UE may be that the steering of roaming count and/or the UE parameter update count has reached its upper limit.
In some embodiments, the authentication notification message sent by the AUSF network element and the authentication request sent by the AMF network element to the UE may further include access type information, which indicates the access type to which the initiated network authentication process applies; the access type includes 3rd Generation Partnership Project (3GPP) access and/or non-3GPP access.
For example, if the access type information in the authentication notification message received by the AMF network element indicates 3GPP access, the AMF network element can determine that the initiated network authentication process is performed only for 3GPP access, and carries that access type information in the authentication request it sends to the UE so that the UE can likewise determine that the network authentication process is performed only for 3GPP access.
As another example, if the access type information in the authentication notification message received by the AMF network element indicates non-3GPP access, the AMF network element can determine that the initiated network authentication process is performed only for non-3GPP access, and carries that access type information in the authentication request it sends to the UE so that the UE can likewise determine that the network authentication process is performed only for non-3GPP access.
As a further example, if the access type information in the authentication notification message received by the AMF network element indicates both 3GPP access and non-3GPP access, the AMF network element can determine that the initiated network authentication process is performed for both 3GPP access and non-3GPP access, and carries that access type information in the authentication request it sends to the UE so that the UE can likewise determine that the network authentication process is performed for both 3GPP access and non-3GPP access.
In some embodiments, the authentication notification message includes a confirmation request indication requesting an authentication notification confirmation message from the AMF network element, and the authentication method may further include the AMF network element sending an authentication notification confirmation message to the AUSF network element, where the authentication notification confirmation message indicates that the AMF network element has requested the UE to perform the network authentication process.
The authentication notification message sent by the AUSF network element may thus also include a confirmation request indication requesting an authentication notification confirmation message from the AMF network element. If the authentication notification message includes the confirmation request indication, the AMF network element can, after sending the authentication request to the UE, send an authentication notification confirmation message to the AUSF network element to inform it that the network authentication process for the UE has been triggered. If the AMF network element fails to send the authentication request to the UE, it does not send the authentication notification confirmation message; when the AUSF network element does not receive the confirmation message within a preset time period, it can conclude that this attempt to trigger the network authentication process for the UE was not carried out.
In some embodiments, the authentication method may further include, after the network authentication process is complete, the AUSF network element generating a new AUSF network element key and resetting the steering of roaming count and the UE parameter update count.
After confirming that the network authentication process is complete, the AUSF network element can generate a new AUSF network element key K_AUSF and reset the steering of roaming count and the UE parameter update count, that is, set Counter_SoR to 0x00 0x01 and Counter_UPU to 0x00 0x01.
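The following Python is an added example, not code from the patent or from any 3GPP implementation. It sketches the AUSF-side bookkeeping behind the authentication reason described above: each SoR or UPU protection consumes one counter value under the current K_AUSF, a counter that has reached its upper limit blocks further protection and yields the authentication reason carried in the authentication notification message, and a completed network authentication installs a new K_AUSF and resets both counters to 0x00 0x01. The 16-bit counter width, the HMAC-SHA256 stand-in for the SoR/UPU MAC, and the field names of the notification are assumptions.

```python
import hashlib
import hmac
import os

COUNTER_RESET = 0x0001   # "0x00 0x01", the reset value given in the text above
COUNTER_LIMIT = 0xFFFF   # assumption: 16-bit counter; the text only says "upper limit"


class AusfUeContext:
    """AUSF-side per-UE state: the current K_AUSF plus the SoR and UPU counters."""

    def __init__(self, supi, k_ausf):
        self.supi = supi
        self.k_ausf = k_ausf
        self.counters = {"SoR": COUNTER_RESET, "UPU": COUNTER_RESET}

    def exhausted(self):
        """Services whose counter has reached the upper limit and must not be used
        again under the current K_AUSF."""
        return [name for name, value in self.counters.items() if value >= COUNTER_LIMIT]

    def protect(self, service, payload):
        """Protect one SoR or UPU container.

        Returns (counter, mac) or None when the counter is exhausted.  Assumption:
        the MAC is HMAC-SHA256 over counter || payload keyed directly with K_AUSF;
        a real AUSF derives a dedicated key from K_AUSF first.
        """
        if service in self.exhausted():
            return None
        counter = self.counters[service]
        mac = hmac.new(self.k_ausf, counter.to_bytes(2, "big") + payload,
                       hashlib.sha256).digest()[:16]
        # Strictly monotonic: a counter value is never reused under the same K_AUSF.
        self.counters[service] = counter + 1
        return counter, mac

    def authentication_notification(self, access_type="3GPP_ACCESS", ack_requested=True):
        """Build the notification the AUSF sends to the serving AMF once a counter is
        exhausted; None while both counters still have room."""
        reasons = ["COUNTER_%s_LIMIT" % name.upper() for name in self.exhausted()]
        if not reasons:
            return None
        return {"supi": self.supi, "accessType": access_type,
                "authReason": reasons, "ackRequested": ack_requested}

    def on_authentication_completed(self):
        """After a successful network authentication: new K_AUSF, both counters back
        to 0x00 0x01, so protection can resume without ever reusing a (key, counter)."""
        self.k_ausf = os.urandom(32)
        self.counters = {"SoR": COUNTER_RESET, "UPU": COUNTER_RESET}
        return self.k_ausf
```

The point worth noticing is that exhaustion is detected before a value is handed out, so the AUSF never emits a container with a repeated counter; re-authentication is the only path that makes the service usable again, which is exactly the trigger the patent adds.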
Figure 14 shows a schematic flowchart of an authentication method according to an embodiment of the present disclosure. As shown in Figure 14, the method is implemented through interaction among the UE, the AMF network element, the AUSF network element and the UDM network element, and may include the following steps.
S1401: The AUSF network element sends the AMF network element information acquisition request Nudm_UECM_Get Request to the UDM network element. The request may carry the UE identifier, such as a GPSI or SUPI.
S1402: The UDM network element retrieves the UE's subscription data according to the UE identifier to determine the AMF network element serving the UE, and returns the AMF network element information acquisition response Nudm_UECM_Get Response to the AUSF network element, carrying the identifier of that AMF network element.
S1403: The AUSF network element sends the authentication notification message Authentication Notification (for example, Nausf_UECM_AuthenticationNotification) to the AMF network element. The authentication notification message may include the SUPI, the access type, the authentication reason, and so on. The authentication reason may be that Counter_SoR has reached its upper limit and/or Counter_UPU has reached its upper limit. The access type may indicate whether the authentication process applies to 3GPP access, non-3GPP access, or both.
S1404: Since there may be no NAS connection between the UE and the AMF network element, the 5G core network may page the UE. If the UE is in the RM-REGISTERED and CM-IDLE states, i.e. reachable via 3GPP access, the AMF can send a paging message to the UE via a 5G radio access network (NG-RAN) node to create a NAS connection with the UE. If the UE is in the CM-CONNECTED state, this step can be omitted.
S1405: Once the NAS connection between the UE and the AMF network element is established, the AMF network element can send the authentication request HN-triggered Authentication Request to the UE. The request may include the access type and may be security-protected with the NAS security context.
S1406: If the AUSF network element requested an authentication notification confirmation from the AMF network element, the AMF network element sends the authentication notification confirmation message Authentication Notification ACK to the AUSF network element.
S1407: The UE returns the authentication response HN-triggered Authentication Response to the AMF network element. The response may include the information required for the network authentication process, such as the UE's own capability information.
S1408: The Security Anchor Function (SEAF) network element triggers the authentication service by sending the authentication request message Nausf_UEAuthentication_Authenticate Request to the AUSF network element. The message may include the SUCI or SUPI, the serving network name, and other information.
S1409: The AUSF network element sends the authentication acquisition request message Nudm_UEAuthentication_Get Request to the UDM network element. The message may include the SUPI, the serving network name, and other information; the UDM network element can select the authentication method based on the SUPI.
S1410: Based on the authentication method selected by the UDM network element, the Improved Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA') or 5G-AKA procedure is performed.
S1411: The AUSF network element generates and stores a new K_AUSF, and notifies the UDM network element of the result and time of the network authentication process using the authentication result confirmation request Nudm_UEAuthentication_ResultConfirmation Request. In addition, the AUSF network element resets Counter_SoR and Counter_UPU.
S1412: The UDM network element stores the UE's authentication status information, including the SUPI, the authentication result indicating success or failure, a timestamp indicating when the network authentication process was performed, the serving network name, and so on.
S1413: The UDM network element returns the authentication result confirmation response Nudm_UEAuthentication_ResultConfirmation Response to the AUSF network element to indicate that the authentication result confirmation request has been received.
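The following Python is an added example, not the patent's own code or any operator's implementation. It plays the Figure 14 exchange between in-process UDM, AUSF, AMF and UE objects: the Nudm_UECM_Get lookup, the authentication notification carrying SUPI, access type, reason and ACK request, paging when the UE is CM-IDLE, a NAS-protected HN-triggered Authentication Request and Response, and the new K_AUSF, counter reset and UDM result confirmation after authentication. The JSON field names, the HMAC-based stand-in for NAS security-context protection, the one-line placeholder for the 5G-AKA exchange and the NAS key derivation after authentication are assumptions.

```python
import hashlib
import hmac
import json
import os
import time

SUPI = "imsi-001010000000001"                          # constructed sample subscriber
SERVING_NETWORK = "5G:mnc001.mcc001.3gppnetwork.org"   # constructed serving network name

def nas_protect(nas_key, msg):
    """Stand-in for NAS security-context protection: HMAC-SHA256 over the canonical message
    (assumption: real NAS integrity uses the negotiated algorithm plus a NAS COUNT)."""
    body = json.dumps(msg, sort_keys=True).encode()
    return {**msg, "mac": hmac.new(nas_key, body, hashlib.sha256).hexdigest()}

def nas_verify(nas_key, msg):
    body = {k: v for k, v in msg.items() if k != "mac"}
    return hmac.compare_digest(nas_protect(nas_key, body)["mac"], msg.get("mac", ""))

class Udm:
    def __init__(self, serving_amf):
        self.serving_amf = serving_amf   # SUPI -> AMF instance id from the UECM registration
        self.auth_status = {}            # SUPI -> authentication status record stored at S1412

    def nudm_uecm_get(self, supi):       # S1401 / S1402
        return {"amfInstanceId": self.serving_amf[supi]}

    def nudm_ueauthentication_result_confirmation(self, supi, success):   # S1411 -> S1413
        self.auth_status[supi] = {"supi": supi, "authResult": success,
                                  "timeStamp": time.time(), "servingNetworkName": SERVING_NETWORK}
        return {"received": True}

class Ue:
    def __init__(self, supi, nas_key):
        self.supi, self.nas_key, self.cm_state = supi, nas_key, "CM-IDLE"

    def on_hn_triggered_auth_request(self, req):   # S1405 -> S1407
        if not nas_verify(self.nas_key, req):
            raise ValueError("authentication request failed NAS integrity check")
        resp = {"type": "HN-triggered Authentication Response", "supi": self.supi,
                "accessType": req["accessType"], "ueCapabilities": ["5G-AKA", "EAP-AKA'"]}
        return nas_protect(self.nas_key, resp)

class Ausf:
    def __init__(self, udm):
        self.udm, self.k_ausf = udm, os.urandom(32)
        self.counter_sor, self.counter_upu = 0xFFFF, 0x0001   # SoR counter already at its limit
        self.pending_ack = set()   # notifications awaiting an ACK; a timer would expire these

    def trigger(self, amfs, supi, access_type="3GPP_ACCESS"):
        amf = amfs[self.udm.nudm_uecm_get(supi)["amfInstanceId"]]   # S1401 / S1402
        reasons = [name for name, ctr in (("COUNTER_SOR_LIMIT", self.counter_sor),
                                          ("COUNTER_UPU_LIMIT", self.counter_upu)) if ctr >= 0xFFFF]
        notif = {"supi": supi, "accessType": access_type, "authReason": reasons, "ackRequested": True}
        self.pending_ack.add(supi)
        return amf.nausf_uecm_authentication_notification(self, notif)   # S1403

    def on_ack(self, ack):               # S1406
        self.pending_ack.discard(ack["supi"])

    def nausf_ueauthentication_authenticate(self, supi):   # S1408 -> S1411
        success = True   # placeholder for the EAP-AKA'/5G-AKA exchange of S1409/S1410
        if success:
            self.k_ausf = os.urandom(32)                   # store a new K_AUSF
            self.counter_sor = self.counter_upu = 0x0001   # reset both counters to 0x00 0x01
        self.udm.nudm_ueauthentication_result_confirmation(supi, success)
        return success

class Amf:
    def __init__(self):
        self.ues, self.nas_keys, self.trace = {}, {}, []

    def nausf_uecm_authentication_notification(self, ausf, notif):
        supi = notif["supi"]
        ue, key = self.ues[supi], self.nas_keys[supi]
        if ue.cm_state == "CM-IDLE":     # S1404: page to bring up the NAS connection
            ue.cm_state = "CM-CONNECTED"
            self.trace.append("paging")
        req = nas_protect(key, {"type": "HN-triggered Authentication Request",
                                "accessType": notif["accessType"]})   # S1405
        if notif.get("ackRequested"):    # S1406
            ausf.on_ack({"supi": supi})
            self.trace.append("ack")
        resp = ue.on_hn_triggered_auth_request(req)   # S1407
        if not nas_verify(key, resp):
            raise ValueError("authentication response failed NAS integrity check")
        self.trace.append("response")
        ok = ausf.nausf_ueauthentication_authenticate(supi)   # S1408, SEAF co-located with the AMF
        if ok:   # both sides install a new NAS security context; this derivation is a stand-in
            self.nas_keys[supi] = ue.nas_key = hashlib.sha256(b"nas" + ausf.k_ausf).digest()
        self.trace.append("authenticated" if ok else "failed")
        return ok

def demo():
    """Run the Figure 14 flow for one UE and return the pieces worth inspecting."""
    udm, amf, ausf = Udm({SUPI: "amf-1"}), Amf(), Ausf(udm_placeholder := None) if False else (None, None, None)
    udm = Udm({SUPI: "amf-1"})
    amf, ausf, ue = Amf(), Ausf(udm), Ue(SUPI, os.urandom(32))
    amf.ues[SUPI], amf.nas_keys[SUPI] = ue, ue.nas_key
    ausf.trigger({"amf-1": amf}, SUPI)
    return amf.trace, ausf, udm
```

Both the AMF and the UE refuse to act on a request or response whose NAS MAC does not verify, which is the check the NAS security context buys; the ACK bookkeeping shows why the confirmation request indication matters, since an AUSF whose pending_ack entry never clears knows the trigger did not reach the UE.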
In the embodiments provided above, the method of the embodiments of the present application has been described from the perspectives of the network device and the user equipment respectively. To implement the functions of the method provided by the above embodiments, the network device and the user equipment may include hardware structures and/or software modules, implementing those functions in the form of a hardware structure, a software module, or a hardware structure plus a software module. Any one of the above functions may be executed by a hardware structure, a software module, or a hardware structure plus a software module.
Corresponding to the authentication methods of the above embodiments, the present disclosure also provides an authentication device. Since the authentication device provided by the embodiments of the present disclosure corresponds to the authentication methods of the above embodiments, the implementation of the authentication methods also applies to the authentication device of this embodiment and is not described in detail again here.
Figure 15 is a schematic structural diagram of an authentication device 1500 provided by an embodiment of the present disclosure. The authentication device 1500 can be used in an AUSF network element.
As shown in Figure 15, the device 1500 may include a transceiver module 1501.
The transceiver module 1501 is configured to: send an AMF network element information acquisition request to the UDM network element, where the request includes the identifier of the UE corresponding to the AUSF network element; receive the AMF network element information acquisition response returned by the UDM network element, where the response indicates the AMF network element serving the UE; and send an authentication notification message to that AMF network element, where the authentication notification message includes the UE identifier and notifies the AMF network element to perform a network authentication process for the UE.
According to the authentication device of this embodiment of the present disclosure, the AUSF network element sends an AMF network element information acquisition request to the UDM network element, obtains from the UDM network element an AMF network element information acquisition response indicating the AMF network element serving the UE, and sends that AMF network element an authentication notification message to have it perform the network authentication process for the UE. This provides a mechanism by which the network side triggers the network authentication process for the UE, which can greatly improve the continuity and security of network services.
In some embodiments, the authentication notification message further includes access type information, which indicates the access type to which the initiated network authentication process applies; the access type includes 3rd Generation Partnership Project (3GPP) access and/or non-3GPP access.
In some embodiments, the authentication notification message further includes the authentication reason for which the AUSF network element issued it. The authentication reason includes at least one of the following: the steering of roaming count has reached its upper limit; and the UE parameter update count has reached its upper limit.
In some embodiments, the authentication notification message further includes a confirmation request indication requesting an authentication notification confirmation message from the AMF network element, where the authentication notification confirmation message indicates that the AMF network element has requested the UE to perform the network authentication process.
In some embodiments, as shown in Figure 16, the device 1500 further includes a processing module 1502, configured to generate a new AUSF network element key and reset the steering of roaming count and the UE parameter update count after confirming that the network authentication process is complete.
Figure 17 is a schematic structural diagram of an authentication device 1700 provided by an embodiment of the present disclosure. The authentication device 1700 can be used in a UDM network element.
As shown in Figure 17, the device 1700 may include a transceiver module 1701.
The transceiver module 1701 is configured to: receive an Access and Mobility Management Function (AMF) network element information acquisition request from the AUSF network element, where the request includes the identifier of the UE corresponding to the AUSF network element; and, according to the UE identifier, return an AMF network element information acquisition response to the AUSF network element, where the response indicates the AMF network element that serves the UE and can therefore perform the network authentication process for the UE.
According to the authentication device of this embodiment of the present disclosure, the UDM network element can receive the AMF network element information acquisition request from the AUSF network element and return to the AUSF network element an AMF network element information acquisition response indicating the AMF network element serving the UE, so that the AUSF network element can send that AMF network element an authentication notification message to trigger the network authentication process for the UE. This provides a mechanism by which the network side triggers the network authentication process for the UE, which can greatly improve the continuity and security of network services.
Figure 18 is a schematic structural diagram of an authentication device 1800 provided by an embodiment of the present disclosure. The authentication device 1800 can be used in an AMF network element.
As shown in Figure 18, the device 1800 may include a transceiver module 1801.
The transceiver module 1801 is configured to: receive an authentication notification message from the Authentication Server Function (AUSF) network element, where the message includes the UE identifier and notifies the AMF network element to perform a network authentication process for the UE; send an authentication request to the UE over the NAS connection between the AMF network element and the UE, where the authentication request asks the UE to perform the network authentication process; and receive the authentication response returned by the UE, where the authentication response includes the information required for the network authentication process.
According to the authentication device of this embodiment of the present disclosure, the AMF network element can receive the authentication notification message from the AUSF network element, send an authentication request to the UE, and obtain from the UE an authentication response containing the information required for the network authentication process, thereby triggering the network authentication process for the UE. This provides a mechanism by which the network side triggers the network authentication process for the UE, which can greatly improve the continuity and security of network services.
In some embodiments, the transceiver module 1801 is further configured to send a paging message to the UE to create the NAS connection.
In some embodiments, the authentication notification message further includes a confirmation request indication requesting an authentication notification confirmation message from the AMF network element, and the transceiver module 1801 is further configured to send the authentication notification confirmation message to the AUSF network element, where the authentication notification confirmation message indicates that the AMF network element has requested the UE to perform the network authentication process.
In some embodiments, as shown in Figure 19, the device 1800 further includes a processing module 1802, configured to security-protect the authentication request according to the locally stored NAS security context.
In some embodiments, the processing module 1802 is further configured to update the locally stored NAS security context after the network authentication process is complete.
In some embodiments, the authentication request and the authentication notification message further include access type information, which indicates the access type to which the initiated network authentication process applies; the access type includes 3GPP access and/or non-3GPP access.
In some embodiments, the authentication notification message further includes the authentication reason for which the AUSF network element issued it. The authentication reason includes at least one of the following: the steering of roaming count has reached its upper limit; and the UE parameter update count has reached its upper limit.
Figure 20 is a schematic structural diagram of an authentication device 2000 provided by an embodiment of the present disclosure. The authentication device 2000 can be used in a UE.
As shown in Figure 20, the device 2000 may include a transceiver module 2001.
The transceiver module 2001 is configured to: receive an authentication request from the AMF network element, where the authentication request asks the UE to perform a network authentication process; and return an authentication response to the AMF network element, where the authentication response includes the information required for the network authentication process.
According to the authentication device of this embodiment of the present disclosure, the UE can receive the authentication request from the AMF network element and return to the AMF network element an authentication response containing the information required for the network authentication process, thereby triggering the network authentication process for the UE. This provides a mechanism by which a network device triggers the network authentication process for the UE, which can greatly improve the continuity and security of network services.
In some embodiments, the transceiver module 2001 is further configured to receive a paging message from the AMF network element to create a NAS connection with the AMF network element.
In some embodiments, as shown in Figure 21, the device 2000 further includes a processing module 2002, configured to security-protect the authentication response according to the locally stored NAS security context.
In some embodiments, the processing module 2002 is further configured to update the locally stored NAS security context after the network authentication process is complete.
In some embodiments, the authentication request includes access type information, which indicates the access type to which the initiated network authentication process applies; the access type includes 3GPP access and/or non-3GPP access.
本申请实施例还提供一种认证系统,该系统包括前述图15-16实施例所述的AUSF网元、图17实施例所述的UDM网元、图18-19实施例所述的AMF网元。The embodiment of the present application also provides an authentication system, which includes the AUSF network element described in the embodiment of Figures 15-16, the UDM network element described in the embodiment of Figure 17, and the AMF network described in the embodiment of Figures 18-19 Yuan.
Refer to Figure 22, a schematic structural diagram of a communication apparatus 2200 provided by an embodiment of the present application. The communication apparatus 2200 may be a network device or a user equipment; it may also be a chip, chip system or processor that supports a network device in implementing the above method, or a chip, chip system or processor that supports a user equipment in implementing the above method. The apparatus may be used to implement the methods described in the method embodiments above; for details, refer to the description in those embodiments.
The communication apparatus 2200 may include one or more processors 2201. The processor 2201 may be a general-purpose processor or a dedicated processor, for example a baseband processor or a central processing unit. The baseband processor may be used to process communication protocols and communication data; the central processing unit may be used to control the communication apparatus (for example a base station, a baseband chip, a terminal device, a terminal device chip, a DU or a CU), to execute computer programs and to process the data of computer programs.
Optionally, the communication apparatus 2200 may further include one or more memories 2202 on which a computer program 2204 may be stored; the processor 2201 executes the computer program 2204 so that the communication apparatus 2200 performs the method described in the method embodiments above. Optionally, the memory 2202 may also store data. The communication apparatus 2200 and the memory 2202 may be provided separately or integrated together.
Optionally, the communication apparatus 2200 may further include a transceiver 2205 and an antenna 2206. The transceiver 2205, which may also be called a transceiving unit, a transceiver machine or a transceiving circuit, implements the transmit and receive functions. The transceiver 2205 may include a receiver and a transmitter: the receiver, which may also be called a receiving machine or a receiving circuit, implements the receive function, and the transmitter, which may also be called a transmitting machine or a transmitting circuit, implements the transmit function.
Optionally, the communication apparatus 2200 may further include one or more interface circuits 2207. The interface circuit 2207 is used to receive code instructions and pass them to the processor 2201, and the processor 2201 runs the code instructions so that the communication apparatus 2200 performs the method described in the method embodiments above.
In one implementation, the processor 2201 may include a transceiver for implementing the receive and transmit functions. For example, the transceiver may be a transceiving circuit, an interface or an interface circuit. The transceiving circuits, interfaces or interface circuits used to implement the receive and transmit functions may be separate or integrated together. The transceiving circuit, interface or interface circuit may be used for reading and writing code or data, or for transmitting or transferring signals.
In one implementation, the processor 2201 may store a computer program 2203; when the computer program 2203 runs on the processor 2201, it causes the communication apparatus 2200 to perform the method described in the method embodiments above. The computer program 2203 may be fixed in the processor 2201, in which case the processor 2201 may be implemented in hardware.
In one implementation, the communication apparatus 2200 may include circuitry that implements the sending, receiving or communicating functions of the foregoing method embodiments. The processor and transceiver described in this application may be implemented on an integrated circuit (IC), an analog IC, a radio frequency integrated circuit (RFIC), a mixed-signal IC, an application specific integrated circuit (ASIC), a printed circuit board (PCB), an electronic device, and so on. The processor and transceiver may also be manufactured with various IC process technologies, for example complementary metal oxide semiconductor (CMOS), N-type metal oxide semiconductor (NMOS), P-type metal oxide semiconductor (PMOS), bipolar junction transistor (BJT), bipolar CMOS (BiCMOS), silicon germanium (SiGe), gallium arsenide (GaAs), and so on.
The communication apparatus described in the above embodiments may be a network device or a user equipment, but the scope of the communication apparatus described in this application is not limited to these, and the structure of the communication apparatus need not be limited by Figure 22. The communication apparatus may be a stand-alone device or part of a larger device. For example, the communication apparatus may be:
(1) a stand-alone integrated circuit (IC), a chip, or a chip system or subsystem;
(2) a set of one or more ICs; optionally, the set of ICs may also include a storage component for storing data and computer programs;
(3) an ASIC, for example a modem;
(4) a module that can be embedded in another device;
(5) a receiver, terminal device, smart terminal device, cellular phone, wireless device, handset, mobile unit, vehicle-mounted device, network device, cloud device, artificial intelligence device, and so on;
(6) others.
Where the communication apparatus is a chip or chip system, refer to the schematic structural diagram of the chip shown in Figure 23. The chip shown in Figure 23 includes a processor 2301 and an interface 2302. There may be one or more processors 2301, and there may be multiple interfaces 2302.
Optionally, the chip further includes a memory 2303 for storing the necessary computer programs and data.
Those skilled in the art will also understand that the various illustrative logical blocks and steps listed in the embodiments of this application may be implemented in electronic hardware, computer software, or a combination of the two. Whether such functions are implemented in hardware or software depends on the particular application and the design requirements of the overall system. Those skilled in the art may use various methods to implement the described functions for each particular application, but such implementations should not be regarded as going beyond the protection scope of the embodiments of this application.
This application further provides a readable storage medium on which instructions are stored; when the instructions are executed by a computer, the functions of any of the above method embodiments are implemented.
This application further provides a computer program product which, when executed by a computer, implements the functions of any of the above method embodiments.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer programs. When the computer programs are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a dedicated computer, a computer network or another programmable apparatus. The computer programs may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer programs may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (for example infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a high-density digital video disc (DVD)), or a semiconductor medium (for example a solid state disk (SSD)), and so on.
Those of ordinary skill in the art will understand that the various numbers such as "first" and "second" used in this application are only distinctions made for convenience of description; they are not used to limit the scope of the embodiments of this application, nor do they indicate any order.
In this application, "at least one" may also be described as "one or more", and "a plurality" may be two, three, four or more, without limitation in this application. In the embodiments of this application, for a given kind of technical feature, the individual technical features of that kind are distinguished by "first", "second", "third", "A", "B", "C", "D" and so on, and there is no order of precedence or magnitude among the technical features so described.
As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, device and/or apparatus (for example a magnetic disk, optical disc, memory or programmable logic device (PLD)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as machine-readable signals. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
The systems and techniques described here may be implemented in a computing system that includes a back-end component (for example, as a data server), or a computing system that includes a middleware component (for example, an application server), or a computing system that includes a front-end component (for example, a user computer with a graphical user interface or web browser through which the user can interact with an implementation of the systems and techniques described here), or a computing system that includes any combination of such back-end, middleware or front-end components. The components of the system may be interconnected by any form or medium of digital data communication (for example, a communication network). Examples of communication networks include a local area network (LAN), a wide area network (WAN) and the Internet.
A computer system may include clients and servers. A client and a server are generally remote from each other and typically interact through a communication network. The client-server relationship arises from computer programs running on the respective computers and having a client-server relationship with each other.
It should be understood that the various forms of the procedures shown above may be used, with steps reordered, added or deleted. For example, the steps described in this disclosure may be performed in parallel, sequentially or in a different order, and no limitation is imposed here as long as the desired result of the technical solution disclosed in this disclosure can be achieved.
In addition, it should be understood that the various embodiments described in this application may be implemented on their own or, where the solution allows, in combination with other embodiments.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein may be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be regarded as going beyond the scope of this application.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
The above are only specific embodiments of this application, but the protection scope of this application is not limited to them; any change or substitution that a person familiar with the technical field can readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be that of the claims.
Claims (31)
- An authentication method, characterized in that the method is performed by an authentication server function (AUSF) network element and includes:
  sending an access and mobility management function (AMF) network element information acquisition request to a unified data management (UDM) network element, where the AMF network element information acquisition request includes an identifier of the user equipment (UE) corresponding to the AUSF network element;
  receiving an AMF network element information acquisition response returned by the UDM network element, where the AMF network element information acquisition response indicates the AMF network element serving the UE; and
  sending an authentication notification message to the AMF network element, where the authentication notification message includes the identifier of the UE and is used to notify the AMF network element to perform a network authentication process for the UE.
- The method of claim 1, wherein the authentication notification message further includes access type information indicating the access type(s) to which the initiated network authentication process applies, the access type including 3rd Generation Partnership Project (3GPP) access and/or non-3GPP access.
- The method of claim 1 or 2, wherein the authentication notification message further includes an authentication reason for which the AUSF network element sent the authentication notification message, the authentication reason including at least one of:
  the roaming steering count having reached its upper limit; and
  the UE parameter update count having reached its upper limit.
- The method of any one of claims 1-3, wherein the authentication notification message further includes a confirmation request indication for requesting an authentication notification confirmation message from the AMF network element, the authentication notification confirmation message indicating that the AMF network element has requested the UE to perform the network authentication process.
- The method of any one of claims 1-4, further including:
  after confirming that the network authentication process is completed, generating a new AUSF network element key and resetting the roaming steering count and the UE parameter update count.
- An authentication method, characterized in that the method is performed by a unified data management (UDM) network element and includes:
  receiving an access and mobility management function (AMF) network element information acquisition request from an authentication server function (AUSF) network element, where the AMF network element information acquisition request includes an identifier of the user equipment (UE) corresponding to the AUSF network element; and
  returning, according to the identifier of the UE, an AMF network element information acquisition response to the AUSF network element, where the AMF network element information acquisition response indicates the AMF network element that serves the UE and is thereby able to perform a network authentication process for the UE.
- An authentication method, characterized in that the method is performed by an access and mobility management function (AMF) network element and includes:
  receiving an authentication notification message from an authentication server function (AUSF) network element, where the authentication notification message includes an identifier of a UE and is used to notify the AMF network element to perform a network authentication process for the UE;
  sending an authentication request to the UE over the NAS connection between the AMF network element and the UE, where the authentication request is used to request the UE to perform the network authentication process; and
  receiving an authentication response returned by the UE, where the authentication response includes the information required to perform the network authentication process.
- The method of claim 7, further including:
  sending a paging message to the UE to create the NAS connection.
- The method of claim 7 or 8, wherein the authentication notification message further includes a confirmation request indication for requesting an authentication notification confirmation message from the AMF network element, and the method further includes:
  sending the authentication notification confirmation message to the AUSF network element, where the authentication notification confirmation message indicates that the AMF network element has requested the UE to perform the network authentication process.
- The method of any one of claims 7-9, further including:
  applying security protection to the authentication request according to the locally stored NAS security context.
- The method of claim 10, further including:
  updating the locally stored NAS security context after the network authentication process is completed.
- The method of claims 7-11, wherein the authentication request and the authentication notification message further include access type information indicating the access type(s) to which the initiated network authentication process applies, the access type including 3rd Generation Partnership Project (3GPP) access and/or non-3GPP access.
- The method of claims 7-12, wherein the authentication notification message further includes an authentication reason for which the AUSF network element sent the authentication notification message, the authentication reason including at least one of:
  the roaming steering count having reached its upper limit; and
  the UE parameter update count having reached its upper limit.
- An authentication method, characterized in that the method is performed by a user equipment (UE) and includes:
  receiving an authentication request from an access and mobility management function (AMF) network element, where the authentication request is used to request the UE to perform a network authentication process; and
  returning an authentication response to the AMF network element, where the authentication response includes the information required to perform the network authentication process.
- The method of claim 14, further including:
  receiving a paging message from the AMF network element to create a NAS connection with the AMF network element.
- The method of claim 14 or 15, further including:
  applying security protection to the authentication response according to the locally stored NAS security context.
- The method of claim 16, further including:
  updating the locally stored NAS security context after the network authentication process is completed.
- The method of claims 14-17, wherein the authentication request includes access type information indicating the access type(s) to which the initiated network authentication process applies, the access type including 3rd Generation Partnership Project (3GPP) access and/or non-3GPP access.
- An authentication method, characterized by including:
  an authentication server function (AUSF) network element obtaining, from a unified data management (UDM) network element, access and mobility management function (AMF) network element related information indicating the AMF network element serving the user equipment (UE) corresponding to the AUSF network element;
  the AUSF network element sending an authentication notification message to the AMF network element, where the authentication notification message includes the identifier of the UE corresponding to the AUSF network element and is used to notify the AMF network element to perform a network authentication process for the UE;
  the AMF network element sending an authentication request to the UE, where the authentication request is used to request the UE to perform the network authentication process; and
  the AMF network element receiving an authentication response returned by the UE, where the authentication response includes the information required to perform the network authentication process.
- The method of claim 19, wherein the AUSF network element obtaining the AMF network element related information from the UDM network element includes:
  the AUSF network element sending an AMF network element information acquisition request to the UDM network element, where the AMF network element information acquisition request includes the identifier of the UE; and
  receiving an AMF network element information acquisition response returned by the UDM network element, where the AMF network element information acquisition response includes the AMF network element related information.
- The method of claim 19 or 20, wherein the authentication notification message includes a confirmation request indication for requesting an authentication notification confirmation message from the AMF network element, and the method further includes:
  the AMF network element sending the authentication notification confirmation message to the AUSF network element, where the authentication notification confirmation message indicates that the AMF network element has requested the UE to perform the network authentication process.
- The method of any one of claims 19-21, further including:
  after the network authentication process is completed, the AUSF network element generating a new AUSF network element key and resetting the roaming steering count and the UE parameter update count.
- The method of any one of claims 19-22, wherein the authentication notification message and the authentication request further include access type information indicating the access type(s) to which the initiated network authentication process applies, the access type including 3rd Generation Partnership Project (3GPP) access and/or non-3GPP access.
- The method of any one of claims 19-23, wherein the authentication notification message further includes an authentication reason for which the AUSF network element sent the authentication notification message, the authentication reason including at least one of:
  the roaming steering count having reached its upper limit; and
  the UE parameter update count having reached its upper limit.
- An authentication apparatus, characterized in that it is used in an authentication server function (AUSF) network element and includes a transceiving module, the transceiving module being configured to:
  send an access and mobility management function (AMF) network element information acquisition request to a unified data management (UDM) network element, where the AMF network element information acquisition request includes an identifier of the user equipment (UE) corresponding to the AUSF network element;
  receive an AMF network element information acquisition response returned by the UDM network element, where the AMF network element information acquisition response indicates the AMF network element serving the UE; and
  send an authentication notification message to the AMF network element, where the authentication notification message includes the identifier of the UE and is used to notify the AMF network element to perform a network authentication process for the UE.
- An authentication apparatus, characterized in that it is used in a unified data management (UDM) network element and includes a transceiving module, the transceiving module being configured to:
  receive an access and mobility management function (AMF) network element information acquisition request from an authentication server function (AUSF) network element, where the AMF network element information acquisition request includes an identifier of the user equipment (UE) corresponding to the AUSF network element; and
  return, according to the identifier of the UE, an AMF network element information acquisition response to the AUSF network element, where the AMF network element information acquisition response indicates the AMF network element that serves the UE and is thereby able to perform a network authentication process for the UE.
- An authentication apparatus, characterized in that it is used in an access and mobility management function (AMF) network element and includes a transceiving module, the transceiving module being configured to:
  receive an authentication notification message from an authentication server function (AUSF) network element, where the authentication notification message includes an identifier of a user equipment (UE) and is used to notify the AMF network element to perform a network authentication process for the UE;
  send an authentication request to the UE over the NAS connection between the AMF network element and the UE, where the authentication request is used to request the UE to perform the network authentication process; and
  receive an authentication response returned by the UE, where the authentication response includes the information required to perform the network authentication process.
- An authentication apparatus, characterized in that it is used in a user equipment (UE) and includes a transceiving module, the transceiving module being configured to:
  receive an authentication request from an access and mobility management function (AMF) network element, where the authentication request is used to request the UE to perform a network authentication process; and
  return an authentication response to the AMF network element, where the authentication response includes the information required to perform the network authentication process.
- An authentication system including an authentication server function (AUSF) network element, a unified data management (UDM) network element and an access and mobility management function (AMF) network element, wherein:
  the AUSF network element is configured to obtain from the UDM network element AMF network element related information indicating the AMF network element serving the UE corresponding to the AUSF network element, and to send an authentication notification message to the AMF network element, where the authentication notification message is used to notify the AMF network element to perform a network authentication process for the UE;
  the UDM network element is configured to receive the AMF network element information acquisition request sent by the AUSF network element and, in response to that request, to return the AMF network element related information to the AUSF network element, where the AMF network element information acquisition request includes the identifier of the UE corresponding to the AUSF network element; and
  the AMF network element sends an authentication request to the UE and receives an authentication response from the UE, where the authentication request is used to request the UE to perform the network authentication process and the authentication response includes the information required to perform the network authentication process.
- 一种通信设备,其中,包括:收发器;存储器;处理器,分别与所述收发器及所述存储器连接,配置为通过执行所述存储器上的计算机可执行指令,控制所述收发器的无线信号收发,并能够实现权利要求1-18任一项所述的方法。A communication device, which includes: a transceiver; a memory; and a processor, respectively connected to the transceiver and the memory, and configured to control the wireless operation of the transceiver by executing computer-executable instructions on the memory. Transmit and receive signals, and can implement the method described in any one of claims 1-18.
- 一种计算机存储介质,其中,所述计算机存储介质存储有计算机可执行指令;所述计算机可执行指令被处理器执行后,能够实现权利要求1-18任一项所述的方法。A computer storage medium, wherein the computer storage medium stores computer-executable instructions; after the computer-executable instructions are executed by a processor, the method described in any one of claims 1-18 can be implemented.
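The system claim above describes a network-initiated authentication trigger: the AUSF asks the UDM which AMF currently serves a UE, notifies that AMF, and the AMF runs the request/response exchange with the UE over its NAS connection. The following is an added example that is not code from the patent or from any 3GPP implementation; it models the five messages and the three places the flow can fail (UE not registered, serving AMF unreachable, no NAS connection to the UE). Class and field names are assumptions chosen for readability, the challenge carried in the notification is an assumption, and the HMAC challenge-response is a constructed stand-in for whatever the real authentication process requires.

```python
"""Network-initiated authentication trigger modelled after the claims above.

Constructed illustration: message names, the challenge in the notification
and the HMAC proof are assumptions, not 3GPP service operations.
"""
import hmac
import secrets
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, Optional


@dataclass
class AmfInfoRequest:          # AUSF -> UDM: which AMF serves this UE?
    ue_id: str


@dataclass
class AmfInfoResponse:         # UDM -> AUSF: serving AMF, or None if unregistered
    ue_id: str
    serving_amf: Optional[str]


@dataclass
class AuthNotification:        # AUSF -> AMF: run authentication for this UE
    ue_id: str
    challenge: bytes           # assumption: AUSF supplies the challenge


@dataclass
class AuthRequest:             # AMF -> UE over the NAS connection
    ue_id: str
    challenge: bytes


@dataclass
class AuthResponse:            # UE -> AMF: what the network needs to verify
    ue_id: str
    proof: bytes


class UDM:
    """Holds UE -> serving-AMF registration state (constructed data)."""
    def __init__(self, registrations: Dict[str, str]):
        self._serving = dict(registrations)

    def handle_amf_info_request(self, req: AmfInfoRequest) -> AmfInfoResponse:
        return AmfInfoResponse(req.ue_id, self._serving.get(req.ue_id))


class UE:
    def __init__(self, ue_id: str, key: bytes):
        self.ue_id, self._key = ue_id, key

    def handle_auth_request(self, req: AuthRequest) -> AuthResponse:
        # Stand-in for the UE side of the authentication process.
        return AuthResponse(self.ue_id, hmac.new(self._key, req.challenge, sha256).digest())


class AMF:
    """Can only reach UEs it currently holds a NAS connection with."""
    def __init__(self, name: str, nas_connections: Dict[str, UE]):
        self.name, self._nas = name, dict(nas_connections)

    def handle_auth_notification(self, n: AuthNotification) -> Optional[AuthResponse]:
        ue = self._nas.get(n.ue_id)
        if ue is None:
            return None                      # no NAS connection: request undeliverable
        return ue.handle_auth_request(AuthRequest(n.ue_id, n.challenge))


class AUSF:
    def __init__(self, udm: UDM, amfs: Dict[str, AMF], ue_keys: Dict[str, bytes]):
        self._udm, self._amfs, self._keys = udm, dict(amfs), dict(ue_keys)

    def trigger_authentication(self, ue_id: str) -> str:
        """Run the flow for one UE and return an outcome code."""
        info = self._udm.handle_amf_info_request(AmfInfoRequest(ue_id))
        if info.serving_amf is None:
            return "ue-not-registered"       # UDM knows no serving AMF
        amf = self._amfs.get(info.serving_amf)
        if amf is None:
            return "serving-amf-unreachable" # UDM named an AMF we cannot reach
        challenge = secrets.token_bytes(16)
        resp = amf.handle_auth_notification(AuthNotification(ue_id, challenge))
        if resp is None:
            return "no-nas-connection"
        key = self._keys.get(ue_id)
        if key is None:
            return "no-credentials"
        expected = hmac.new(key, challenge, sha256).digest()
        return "authenticated" if hmac.compare_digest(expected, resp.proof) else "authentication-failed"


def run_demo() -> Dict[str, str]:
    """Constructed scenario: one success path and the failure modes above."""
    k1, k2, k3 = b"k1" * 8, b"k2" * 8, b"k3" * 8
    ue1, ue2, ue3 = UE("supi-1", k1), UE("supi-2", k2), UE("supi-3", b"bad-key" * 2)
    amf_a = AMF("amf-a", {"supi-1": ue1, "supi-3": ue3})
    amf_b = AMF("amf-b", {})                 # supi-2 registered here but idle: no NAS link
    udm = UDM({"supi-1": "amf-a", "supi-2": "amf-b", "supi-3": "amf-a", "supi-4": "amf-z"})
    ausf = AUSF(udm, {"amf-a": amf_a, "amf-b": amf_b}, {"supi-1": k1, "supi-2": k2, "supi-3": k3})
    return {u: ausf.trigger_authentication(u) for u in ("supi-1", "supi-2", "supi-3", "supi-4", "supi-5")}


if __name__ == "__main__":
    for ue_id, outcome in run_demo().items():
        print(ue_id, outcome)
```

The point a practitioner should take from the model is that the UDM lookup is what makes the trigger routable at all: an AUSF that cannot resolve the serving AMF, or an AMF without a NAS connection to the UE, has no way to deliver the request, so each of those cases needs an explicit outcome rather than a silent drop.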
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202280001191.6A CN117597960A (en) | 2022-04-14 | 2022-04-14 | Authentication method and device |
PCT/CN2022/086929 WO2023197273A1 (en) | 2022-04-14 | 2022-04-14 | Authentication method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2022/086929 WO2023197273A1 (en) | 2022-04-14 | 2022-04-14 | Authentication method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023197273A1 true WO2023197273A1 (en) | 2023-10-19 |
Family
ID=88328537
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/086929 WO2023197273A1 (en) | 2022-04-14 | 2022-04-14 | Authentication method and device |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN117597960A (en) |
WO (1) | WO2023197273A1 (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111669276A (en) * | 2019-03-07 | 2020-09-15 | 华为技术有限公司 | Network verification method, device and system |
WO2021094109A1 (en) * | 2019-11-11 | 2021-05-20 | Telefonaktiebolaget Lm Ericsson (Publ) | Home network initiated primary authentication/reauthentication |
- 2022
- 2022-04-14 CN CN202280001191.6A patent/CN117597960A/en active Pending
- 2022-04-14 WO PCT/CN2022/086929 patent/WO2023197273A1/en active Application Filing
Non-Patent Citations (2)
Title |
---|
SAMSUNG, NEC: "Network initiated Primary Authentication", 3GPP TSG-SA3 MEETING #105-E, S3-214232, 1 November 2021 (2021-11-01), XP052073641 * |
SAMSUNG: "Network initiated Primary Authentication", 3GPP TSG-SA3 MEETING #104-E, S3-212903, 9 August 2021 (2021-08-09), XP052063551 * |
Also Published As
Publication number | Publication date |
---|---|
CN117597960A (en) | 2024-02-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2018082490A1 (en) | User terminal location area update method, access network entity, user terminal, and core network entity |
KR102456859B1 (en) | Method and apparatus for provisioning service parameters to the ue and the network in 5g system | |
EP3790305A1 (en) | Session management method, apparatus and system | |
EP3758424B1 (en) | Method for determining clock source and device | |
EP3592008A1 (en) | Method and device for using ladn in wireless communication system | |
WO2020034927A1 (en) | Local area network communication management method and apparatus | |
WO2018166338A1 (en) | Key update method and apparatus | |
WO2024031279A1 (en) | Network device management method and apparatus | |
EP4107916A1 (en) | Privacy protection for sidelink communications | |
WO2014023175A1 (en) | Message processing method in coexistence of multiple external identifiers of terminal and network side device | |
WO2018214762A1 (en) | Method and apparatus for acquiring paging parameter | |
WO2023197273A1 (en) | Authentication method and device | |
US20230232318A1 (en) | Authentication method and apparatus therefor | |
WO2023197272A1 (en) | Authentication method and device | |
WO2022110836A1 (en) | Communication method and communication apparatus | |
WO2022082667A1 (en) | Method and apparatus for secure transmission of data | |
CN114830760B (en) | Paging method and apparatus in wireless communication system | |
WO2019161538A1 (en) | Method and device for determining security algorithm, and computer storage medium | |
WO2023225878A1 (en) | Re-authentication authorization method/apparatus/device for ai network function, and storage medium | |
WO2023221000A1 (en) | Authentication and authorization method and apparatus for ai function in core network | |
WO2024060025A1 (en) | Communication management method and apparatus | |
WO2024138581A1 (en) | Authorization method and apparatus for network slices, devices, and storage medium | |
WO2023212961A1 (en) | Handover method and apparatus | |
WO2024040411A1 (en) | Method and apparatus for realizing multi-access | |
WO2024050778A1 (en) | Artificial intelligence service policy updating method and apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 202280001191.6; Country of ref document: CN |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22936921; Country of ref document: EP; Kind code of ref document: A1 |