WO2023213301A1 - Authentication method, communication device and computer-readable storage medium - Google Patents

Authentication method, communication device and computer-readable storage medium


Publication number
WO2023213301A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
network element
request message
ausf
functional network
Prior art date
Application number
PCT/CN2023/092298
Other languages
English (en)
French (fr)
Inventor
李�赫
吴�荣
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2023213301A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W 12/0431 Key distribution or pre-distribution; Key agreement
    • H04W 12/06 Authentication

Definitions

  • The present application relates to the field of communication, and more specifically to an authentication method and a communication device using the authentication method.
  • UE user equipment
  • When the user equipment connects to the 5G network and registers for the first time, the terminal can communicate with the core network through the next generation Node B (gNB) or the non-3GPP interworking function (N3IWF) network element.
  • The identity information of the terminal is sent to the access and mobility management function (AMF) entity.
  • After the AMF network element receives the identity information of the terminal, it can select the authentication server function (AUSF) entity based on that identity information to trigger the authentication process.
  • AUSF authentication server function
  • UDM unified data management
  • The UDM calculates the authentication vector based on the authentication acquisition request and returns the authentication vector to the AUSF network element.
  • The AUSF network element sends the authentication parameters to the UE through the AMF network element, and the UE verifies the authentication parameters. If the verification succeeds, the network side has passed verification.
  • The UE sends a response to the AMF, and the AMF sends the authentication verification information to the AUSF.
  • The AUSF verifies the authentication verification information. If the verification succeeds, the UE is authenticated, which completes the authentication process.
  • The main authentication process is initiated by the AMF network element of the serving network.
  • There is no existing solution in which the main authentication is triggered by a functional network element of the home network.
  • The present application provides an authentication method in which authentication is initiated by a functional network element of the home network, and a communication device using the authentication method.
  • Embodiments of the present application provide an authentication method.
  • The method includes: a first functional network element of the home network determines whether the terminal needs to be authenticated; when the terminal needs to be authenticated, the first functional network element obtains authentication material; the first functional network element obtains a first authentication vector according to the authentication material; and the first functional network element sends a first authentication request message to the AMF to trigger authentication of the terminal, where the first authentication request message includes the first authentication vector.
  • In other words, the first functional network element of the home network determines whether the terminal needs to be authenticated. If authentication is required, the first functional network element obtains the authentication material, obtains the first authentication vector based on the authentication material, and then sends the first authentication request message to the AMF to trigger authentication of the terminal. In this way, the initiation point of the authentication process is the first functional network element of the home network, which reduces the signaling interaction between the AMF and the first functional network element.
  • In one case, the first functional network element is the AUSF.
  • The first functional network element may obtain the authentication material in either of the following ways: it obtains the authentication material from its stored context; or it obtains the authentication material from a fourth functional network element, which is the network element that stores the authentication material.
  • The first functional network element may determine whether the terminal needs to be authenticated as follows: the first functional network element receives a service request from a third functional network element, the service request being used to request a designated service from the first functional network element; in response to the service request of the third functional network element, the first functional network element determines whether the terminal needs to be authenticated.
  • The first functional network element obtains the first authentication vector based on the authentication material.
  • Specifically, the AUSF sends an authentication vector request message to the UDM, where the authentication vector request message includes the authentication material; the AUSF then receives an authentication vector response message from the UDM, which includes the first authentication vector.
  • In another case, the first functional network element is the UDM.
  • The first functional network element may obtain the authentication material from its stored context, or from a fourth functional network element, which is the network element that stores the authentication material.
  • The first functional network element may obtain the first authentication vector by generating it itself from the authentication material.
  • The authentication material includes one or more of the following: serving network name, serving network identifier, network identifier, mobile country code, or mobile network code.
  • Embodiments of the present application also provide a communication device.
  • The communication device includes: a processing module, configured to determine whether the terminal needs to be authenticated, to obtain the authentication material when the terminal needs to be authenticated, and to obtain the first authentication vector according to the authentication material; and a transceiver module, configured to send a first authentication request message to the AMF to trigger authentication of the terminal, where the first authentication request message includes the first authentication vector.
  • The processing module may obtain the authentication material from its stored context, or from a fourth functional network element.
  • The fourth functional network element is the network element that stores the authentication material.
  • The processing module may determine whether the terminal needs to be authenticated as follows: the processing module receives a service request from a third functional network element, the service request being used to request a designated service from the processing module; in response to the service request of the third functional network element, the processing module determines whether the terminal needs to be authenticated.
  • The processing module may obtain the first authentication vector by sending an authentication vector request message, which includes the authentication material, to the UDM, and receiving from the UDM an authentication vector response message that includes the first authentication vector.
  • Alternatively, the processing module may generate the first authentication vector itself based on the authentication material.
  • The authentication material includes one or more of the following: serving network name, serving network identifier, network identifier, mobile country code, or mobile network code.
  • Embodiments of the present application also provide another communication device.
  • The communication device includes at least one processor.
  • The at least one processor executes instructions stored in a memory, so that the communication device implements the operations of the method described in the first aspect.
  • Embodiments of the present application also provide a computer-readable storage medium.
  • The computer-readable storage medium stores a computer program.
  • The computer program includes program instructions.
  • When the program instructions are executed by a communication device, they cause the communication device to implement the method of the first aspect above.
  • Figure 1 is a schematic diagram of the 5G service-based architecture.
  • Figure 2 is a schematic flowchart of an authentication method.
  • Figure 3 is a schematic flowchart of an authentication method provided by an embodiment of the present application.
  • Figure 4 is a schematic flowchart of yet another authentication method provided by an embodiment of the present application.
  • Figure 5 is a schematic flowchart of yet another authentication method provided by an embodiment of the present application.
  • Figure 6 is a schematic structural diagram of an authentication device provided by an embodiment of the present application.
  • Figure 7 is another schematic structural diagram of an authentication device provided by an embodiment of the present application.
  • “At least one of the following” or similar expressions refer to any combination of these items, including a single item or a plurality of items.
  • For example, at least one of a, b, or c can mean: a, b, c, a-b, a-c, b-c, or a-b-c, where each of a, b, and c may be single or multiple.
  • Words such as “first” and “second” are used to distinguish identical or similar items with basically the same functions and effects. Those skilled in the art can understand that such words do not limit the number or the execution order.
  • NR New Radio
  • The embodiments can be applied to mobile communication systems such as New Radio (NR) in the fifth generation (5G) mobile communication system and future mobile communication systems.
  • The architecture may include an access network and a core network, and optionally user equipment (UE).
  • A UE is a device with wireless transceiver functions. It can be deployed on land (indoors or outdoors; handheld, wearable or vehicle-mounted), on water (such as on ships), or in the air (such as on airplanes, balloons or satellites).
  • A UE can be a mobile phone, a tablet computer (Pad), a computer with wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a vehicle-mounted terminal device, a wireless terminal in self-driving, a wireless terminal in remote medical care, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, a wearable terminal device, etc.
  • VR virtual reality
  • AR augmented reality
  • A UE may also be called a terminal, terminal equipment, access terminal equipment, vehicle terminal, industrial control terminal, UE unit, UE station, mobile station, remote station, remote terminal equipment, mobile device, UE agent, UE device, and so on.
  • The UE can be fixed or mobile.
  • The access network may include access network equipment, which provides access for terminal devices and may include radio access network (RAN) equipment.
  • RAN equipment is mainly responsible for radio resource management, quality of service (QoS) management, and data compression and encryption on the air interface side.
  • RAN equipment can include various forms of base stations, such as macro base stations, micro base stations (also called small stations), relay stations, access points, balloon stations, etc.
  • In different systems, the names of equipment with base station functions may differ.
  • RAN radio access network
  • LTE long term evolution
  • eNB evolved NodeB
  • The core network is responsible for maintaining the subscription data of the mobile network and providing functions such as session management, mobility management, policy management, and security authentication for UEs.
  • The core network can include the following network elements: user plane function (UPF), authentication server function (AUSF), access and mobility management function (AMF), session management function (SMF), network slice selection function (NSSF), network exposure function (NEF), network function repository function (NRF), policy control function (PCF), unified data management (UDM), application function (AF), and the anchor network element of the AKMA service (AKMA anchor function, AAnF).
  • UPF user plane function
  • AMF access and mobility management function
  • SMF session management function
  • NSSF network slice selection function
  • NEF network exposure function
  • NRF network function repository function
  • PCF policy control function
  • AF application function
  • AAnF AKMA anchor function
  • The SMF network element is mainly responsible for session management in mobile networks, such as session establishment, modification, and release. Its specific functions include assigning Internet Protocol (IP) addresses to users and selecting a UPF that provides message forwarding.
  • IP Internet Protocol
  • The UPF network element is mainly responsible for forwarding and receiving user data. It can receive user data from the data network and transmit it to the UE through the access network device, and it can receive user data from the UE through the access network device and forward it to the data network.
  • The PCF network element mainly provides a unified policy framework to control network behavior, provides policy rules to the control-plane network functions, and is also responsible for obtaining the user subscription information related to policy decisions.
  • PCF network elements can provide policies to AMF network elements and SMF network elements, such as quality of service (QoS) policies and slice selection policies.
  • A data network (DN) provides business services to users. It can be a private network, such as a local area network; an external network not controlled by the operator, such as the Internet; or a private network deployed jointly by operators, such as one providing the IP multimedia subsystem (IMS).
  • IMS IP multimedia subsystem
  • The UE can access the DN through an established protocol data unit (PDU) session.
  • PDU protocol data unit
  • The AMF network element is mainly responsible for mobility management in mobile networks, such as user location update, user registration to the network, and user handover. For convenience of description, it is referred to as the AMF in the following text.
  • The AUSF network element performs security authentication of the UE. After receiving the authentication request initiated by the UE, the AUSF network element can authenticate and/or authorize the UE using the authentication and/or authorization information stored in the UDM network element, or generate the authentication and/or authorization information of the subscribed user through the unified data management function. For convenience of description, it is referred to as the AUSF in the following text.
  • The UDM network element stores user data, such as subscription data and authentication/authorization data.
  • The serving network (SN) is the network where the AMF and the AUSF are located.
  • The serving network, also called the visited network, is the network whose AMF the terminal connects to through the N1 interface.
  • The serving network is where the AMF and the SMF are located.
  • The home network (HN) refers to the network where the network element that stores the UE's subscription data is located.
  • The home network can be identified by an identifier.
  • The home network identifier includes the Mobile Country Code (MCC) and the Mobile Network Code (MNC).
  • MCC Mobile Country Code
  • MNC Mobile Network Code
  • The home network is where the AUSF and the UDM are located.
  • The UE can access the network through 3GPP technology.
  • After the UE accesses the network, the AMF needs to initiate mutual authentication between the UE and the network, that is, the main authentication process. The main authentication also provides key material that can be used between the UE and the serving network in subsequent security procedures, thereby ensuring security between the UE and the core network.
  • The main authentication and key agreement procedure generates the anchor key K_SEAF, which is sent by the AUSF of the home network to the AMF of the serving network.
  • Step 201: The AMF sends the first authentication request message to the AUSF.
  • When the AMF of the serving network determines to start authentication, the AMF sends the first authentication request message (UEAuthentication_Authenticate Request message) to the AUSF to trigger the main authentication process.
  • The first authentication request message may include one or more of the following parameters: the user identity and the serving network name (SN-name). The user identity identifies the user equipment, and the serving network name identifies the corresponding serving network.
  • The user identity is the SUPI or the SUCI.
  • The SUPI is the user's permanent identity and uniquely identifies a user across the entire network.
  • The SUCI is the concealed identity of the UE. It is a temporary identity used to protect the SUPI from being exposed on the air interface, thereby protecting user privacy.
  • The SUCI includes at least the encrypted result of the part of the SUPI other than the SUPI type.
  • Step 202: After receiving the first authentication request message, the AUSF determines, based on the serving network name carried in the first authentication request message, whether the serving network is allowed to access. When the serving network is allowed to access, the AUSF sends a first acquisition request message (UEAuthentication_Get Request) to the UDM.
  • Step 203: The UDM receives the first acquisition request message from the AUSF, generates a first authentication vector according to the received first acquisition request message, and then sends a first acquisition response message to the AUSF in response to the first acquisition request message.
  • The first acquisition response message includes the first authentication vector and the user identity.
  • If the user identity is the SUCI, the UDM parses the SUCI to obtain the permanent identity of the user equipment (SUPI).
  • The UDM determines the authentication algorithm based on the SUPI and generates the first authentication vector.
  • The authentication algorithm is EAP-AKA' or 5G AKA. The following takes 5G AKA as an example.
  • The UDM generates the first authentication vector based on the 5G AKA algorithm.
  • The first authentication vector includes RAND, AUTN, XRES* and K_AUSF.
  • RAND is a random number.
  • K_AUSF is the intermediate key generated by the AUSF in the home network.
  • XRES* is the expected response, calculated according to the key derivation function (KDF); it is the expected UE authentication response parameter and is compared with the response RES* returned by the UE to determine whether the authentication succeeds.
  • AUTN is the authentication token, a parameter provided by the network to the UE so that the UE can authenticate the home network.
  • Step 204: The AUSF receives the first acquisition response message from the UDM, generates a second authentication vector, and sends a second authentication response message to the AMF.
  • The second authentication response message includes the second authentication vector.
  • The second authentication vector includes RAND, AUTN and HXRES*.
  • The AUSF calculates HXRES* from XRES* and then replaces XRES* with HXRES* to obtain the second authentication vector.
  • Step 205: The AMF receives the second authentication response message and sends a second authentication request message to the UE.
  • The second authentication request message is used to trigger bidirectional authentication between the UE side and the network side.
  • The second authentication request message carries RAND and AUTN.
  • Step 206: The UE receives the second authentication request message from the AMF and verifies whether the network is authentic. When the UE determines that the network is authentic, the UE sends a second authentication response message to the AMF, and the second authentication response message includes the authentication response RES*.
  • Step 207: After receiving RES*, the AMF sends a third authentication request message to the AUSF.
  • The third authentication request message includes the RES* that the AMF received from the UE.
  • Specifically, the AMF computes HRES* from RES* and compares HRES* with the stored HXRES*. If HRES* and HXRES* are consistent, the AMF considers the UE to be genuine. The AMF then sends the third authentication request message to the AUSF in order to forward the RES* it received from the UE.
  • Step 208: After receiving the third authentication request message, the AUSF compares RES* with the saved XRES*. If RES* is consistent with the saved XRES*, the UE authentication is considered successful.
  • The AUSF may send a third authentication response message to the AMF, where the third authentication response message includes the authentication result of the AUSF.
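The following is an added simulation of steps 203 to 208 described above, written for this page; it is not code from the patent or from any 3GPP implementation. Each function stands for one node (UDM, AUSF, AMF, UE) and returns what that node sends or decides. The Milenage functions and the 3GPP KDF are replaced by an HMAC-SHA-256 stand-in, AUTN is modelled as a MAC over RAND and the serving network name with the sequence number omitted, and HXRES* is the 128 least-significant bits of SHA-256(RAND || XRES*); the long-term key and the serving network name are constructed placeholders. The point it shows is the split of verdicts: the UE rejects a network that cannot produce a valid AUTN, the AMF's HXRES* check catches a RES* altered between UE and AMF, and only the AUSF, which kept XRES* at home, gives the final answer.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample values (not from the patent): a 256-bit long-term key K that
# the UE's USIM shares with the home-network UDM, and a placeholder serving network name.
K_UE_UDM = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
SN_NAME = b"5G:mncXXX.mccXXX.3gppnetwork.org"  # placeholder SN-name, not a real network


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 stand-in for the Milenage functions and the 3GPP KDF (assumption)."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


@dataclass
class FirstAuthVector:
    """Step 203: what the UDM returns to the AUSF (RAND, AUTN, XRES*, K_AUSF)."""
    rand: bytes
    autn: bytes
    xres_star: bytes
    k_ausf: bytes


@dataclass
class SecondAuthVector:
    """Step 204: what the AUSF sends to the AMF; XRES* is replaced by HXRES*."""
    rand: bytes
    autn: bytes
    hxres_star: bytes


def udm_generate_first_vector(k: bytes, sn_name: bytes,
                              rand: Optional[bytes] = None) -> FirstAuthVector:
    """Step 203 (UDM). AUTN is modelled as a MAC over RAND and SN-name; the real
    token also carries a sequence number, which is omitted here."""
    rand = rand if rand is not None else os.urandom(16)
    autn = prf(k, b"AUTN", rand, sn_name)[:16]
    xres_star = prf(k, b"RES*", rand, sn_name)[:16]
    k_ausf = prf(k, b"K_AUSF", rand, sn_name)
    return FirstAuthVector(rand, autn, xres_star, k_ausf)


def hxres_star(rand: bytes, xres_star: bytes) -> bytes:
    """HXRES* = 128 least-significant bits of SHA-256(RAND || XRES*)."""
    return hashlib.sha256(rand + xres_star).digest()[16:]


def ausf_build_second_vector(fv: FirstAuthVector) -> SecondAuthVector:
    """Step 204 (AUSF): keep XRES* and K_AUSF at home, hand HXRES* to the AMF."""
    return SecondAuthVector(fv.rand, fv.autn, hxres_star(fv.rand, fv.xres_star))


def ue_respond(k: bytes, sn_name: bytes, rand: bytes, autn: bytes) -> Optional[bytes]:
    """Step 206 (UE): verify AUTN; return RES* only if the network proved itself."""
    expected_autn = prf(k, b"AUTN", rand, sn_name)[:16]
    if not hmac.compare_digest(expected_autn, autn):
        return None
    return prf(k, b"RES*", rand, sn_name)[:16]


def amf_check(sv: SecondAuthVector, res_star: bytes) -> bool:
    """Step 207 (AMF): HRES* computed from RES* must match the stored HXRES*."""
    return hmac.compare_digest(hxres_star(sv.rand, res_star), sv.hxres_star)


def ausf_check(fv: FirstAuthVector, res_star: bytes) -> bool:
    """Step 208 (AUSF): RES* must match the saved XRES*."""
    return hmac.compare_digest(fv.xres_star, res_star)


def run_5g_aka(ue_key: bytes, sn_name: bytes, udm_key: Optional[bytes] = None,
               tamper_res: bool = False, rand: Optional[bytes] = None) -> Dict[str, bool]:
    """Run steps 203-208 end to end and report each node's verdict.

    udm_key defaults to ue_key (a genuine subscriber); a different ue_key models a
    device without the right K. tamper_res flips one byte of RES* on the path between
    UE and AMF, the case the AMF's HXRES* check exists to catch."""
    udm_key = udm_key if udm_key is not None else ue_key
    fv = udm_generate_first_vector(udm_key, sn_name, rand)     # step 203
    sv = ausf_build_second_vector(fv)                          # step 204
    res_star = ue_respond(ue_key, sn_name, sv.rand, sv.autn)   # steps 205-206
    if res_star is None:                                       # UE rejected the network
        return {"ue_accepts_network": False, "amf_accepts_ue": False,
                "ausf_accepts_ue": False}
    if tamper_res:
        res_star = bytes([res_star[0] ^ 0x01]) + res_star[1:]
    amf_ok = amf_check(sv, res_star)                           # step 207
    ausf_ok = amf_ok and ausf_check(fv, res_star)              # step 208
    return {"ue_accepts_network": True, "amf_accepts_ue": amf_ok,
            "ausf_accepts_ue": ausf_ok}


if __name__ == "__main__":
    print("genuine UE            :", run_5g_aka(K_UE_UDM, SN_NAME))
    print("UE with wrong key     :", run_5g_aka(b"\x01" * 32, SN_NAME, udm_key=K_UE_UDM))
    print("RES* altered in transit:", run_5g_aka(K_UE_UDM, SN_NAME, tamper_res=True))
```

Note that the AMF never sees XRES* or K_AUSF: the serving network can only hash-check the response, which is why step 208 still runs in the home network even after the AMF's own comparison succeeds.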
  • The AMF of the serving network can trigger authentication of the UE during any procedure that establishes a signaling connection with the UE.
  • For example, the AMF initiates authentication of the UE when it receives a registration request from the user equipment.
  • The AMF receives a first registration request from the user equipment through the RAN.
  • The first registration request carries the user equipment identifier (for example, the SUCI), and the AMF determines based on the SUCI whether the corresponding user equipment is allowed to access the serving network.
  • The AMF may also trigger authentication of the UE based on a preconfigured policy.
  • For example, based on local policy, the AMF triggers authentication of the UE when the NAS COUNT is about to wrap around.
  • In these cases the AMF can trigger the main authentication process.
  • Another way of triggering authentication of the UE is for the UDM to request the AMF serving the UE to initiate authentication for the UE; the AMF triggers the main authentication process in response to the request.
  • Based on the UDM's request, the AMF performs the authentication process according to steps 201 to 208 above.
  • Another way of triggering authentication of the UE is for the AUSF to request the AMF serving the UE to initiate authentication for the UE; the AMF initiates the main authentication process in response to the request and performs it according to steps 201 to 208 above.
  • The difference from the UDM's request is that, before the AUSF can request the AMF to authenticate the UE, it must first obtain from the UDM the information of the AMF serving the UE.
  • The essence of the above authentication methods is that the AMF of the serving network sends a message to the AUSF to start the authentication process.
  • When the AUSF or the UDM requests the AMF to initiate authentication of the UE, the authentication process is complicated and the signaling overhead is large.
  • Therefore, this application provides a method in which a functional network element of the home network sends a message to the AMF and directly starts authenticating the UE. In other words, the initiation point of the authentication process is a functional network element of the home network, not the AMF of the serving network.
  • Authentication of the UE means that the core network performs security authentication on the UE to determine that the UE is genuine and trustworthy; at the same time, the UE can also authenticate that the network is genuine. If the home network determines that the UE needs to be authenticated, the home network initiates a home network authentication process, in which a functional network element of the home network directly starts authenticating the UE. Specifically, when the home network determines that the UE needs to be authenticated, the home network actively sends the authentication vector to the AMF, and the AMF forwards it to the UE to perform authentication.
  • This embodiment provides a method for initiating authentication by a first functional network element of the home network.
  • Here the first functional network element is the AUSF.
  • The method includes, but is not limited to, the following steps:
  • Step 301: The AUSF determines whether the UE needs to be authenticated.
  • The AUSF determines whether the UE needs to be authenticated based on local policy or on a request from a third functional network element.
  • The third functional network element is a core network element other than the AUSF.
  • First, the AUSF determines whether the UE needs to be authenticated according to local policy.
  • The local policy may include: when the AUSF discovers that the steering of roaming (SoR) counter value or the UE parameters update via UDM (UPU) counter value is about to wrap around, the AUSF determines that the UE needs to be authenticated.
  • The local policy may include: when the AUSF finds that the usage time of K_AUSF exceeds or is about to exceed the time specified by the operator's policy, the AUSF determines that the UE needs to be authenticated. Specifically, the usage time of K_AUSF is recorded by a timer that is bound to the permanent identity SUPI of the UE; when the usage time of K_AUSF recorded by the timer exceeds or is about to exceed the preset value, the AUSF determines that the UE needs to be authenticated.
  • The local policy may include: when the AUSF finds that the time interval since the previous successful authentication of the UE exceeds or is about to exceed the time specified by the operator's policy, the AUSF determines that the UE needs to be authenticated.
  • A timer can be used to record the time interval since the previous successful authentication of the UE, and the timer is bound to the permanent identity SUPI of the UE.
  • The timer starts running after the previous successful authentication.
  • When the interval recorded by the timer exceeds or is about to exceed the preset interval value,
  • the AUSF determines that the UE needs to be authenticated.
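The local-policy branch of step 301, as an added example written for this page rather than code from the patent: a per-SUPI context held by the AUSF is checked against operator thresholds, and every trigger that fires is reported so an operator can log why re-authentication was started. The counter width (16 bits), the "about to" margins, the age limits and the reset of the SoR/UPU counters after a fresh K_AUSF are assumptions chosen for the example; the field and function names are invented here.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ReauthPolicy:
    """Operator policy thresholds. Values are constructed for the example; the
    16-bit counter width is an assumption about the SoR/UPU counters."""
    counter_bits: int = 16
    counter_margin: int = 8                     # "about to wrap": this many values left
    k_ausf_max_age_s: int = 7 * 24 * 3600       # allowed K_AUSF usage time
    auth_interval_max_s: int = 30 * 24 * 3600   # allowed gap since last success
    time_margin_s: int = 3600                   # "about to exceed": within this much


@dataclass
class UeSecurityContext:
    """Per-UE state held by the AUSF; the timers are bound to the SUPI as the text says."""
    supi: str
    sor_counter: int
    upu_counter: int
    k_ausf_created_at: Optional[float]        # None: no K_AUSF stored locally
    last_successful_auth_at: Optional[float]  # None: no successful authentication recorded


def counter_about_to_wrap(value: int, bits: int, margin: int) -> bool:
    """True when fewer than `margin` values remain before the counter wraps to 0."""
    return value >= (1 << bits) - margin


def elapsed_at_or_near_limit(start: Optional[float], now: float,
                             limit_s: int, margin_s: int) -> bool:
    """True when the elapsed time exceeds limit_s, or is within margin_s of it."""
    if start is None:
        return True
    return now - start >= limit_s - margin_s


def reauth_reasons(ctx: UeSecurityContext, policy: ReauthPolicy, now: float) -> List[str]:
    """Evaluate the local-policy triggers of step 301; return every one that fires."""
    reasons: List[str] = []
    if counter_about_to_wrap(ctx.sor_counter, policy.counter_bits, policy.counter_margin):
        reasons.append("SoR counter about to wrap")
    if counter_about_to_wrap(ctx.upu_counter, policy.counter_bits, policy.counter_margin):
        reasons.append("UPU counter about to wrap")
    if ctx.k_ausf_created_at is None:
        reasons.append("no K_AUSF stored for this SUPI")
    elif elapsed_at_or_near_limit(ctx.k_ausf_created_at, now,
                                  policy.k_ausf_max_age_s, policy.time_margin_s):
        reasons.append("K_AUSF usage time at or near the policy limit")
    if elapsed_at_or_near_limit(ctx.last_successful_auth_at, now,
                                policy.auth_interval_max_s, policy.time_margin_s):
        reasons.append("interval since last successful authentication at or near the policy limit")
    return reasons


def ausf_needs_authentication(ctx: UeSecurityContext, policy: ReauthPolicy, now: float) -> bool:
    """The yes/no answer of step 301 for the local-policy branch."""
    return bool(reauth_reasons(ctx, policy, now))


def on_successful_authentication(ctx: UeSecurityContext, now: float) -> UeSecurityContext:
    """After a successful run a fresh K_AUSF exists, so both timers restart. Resetting
    the SoR/UPU counters along with the new key is an assumption of this example."""
    ctx.k_ausf_created_at = now
    ctx.last_successful_auth_at = now
    ctx.sor_counter = 0
    ctx.upu_counter = 0
    return ctx


if __name__ == "__main__":
    now = 1_000_000.0
    policy = ReauthPolicy()
    # Constructed sample contexts; the SUPI strings are placeholders.
    fresh = UeSecurityContext("supi-placeholder-1", 5, 5, now - 1000, now - 1000)
    wrapping = UeSecurityContext("supi-placeholder-2", 65530, 5, now - 1000, now - 1000)
    stale_key = UeSecurityContext("supi-placeholder-3", 5, 5,
                                  now - (policy.k_ausf_max_age_s - 1800), now - 1000)
    for ctx in (fresh, wrapping, stale_key):
        print(ctx.supi, ausf_needs_authentication(ctx, policy, now), reauth_reasons(ctx, policy, now))
```

Evaluating the conditions "about to" rather than "already" is what lets the home network start a new run before a counter actually wraps or a key actually expires, so protected SoR/UPU data never has to be sent under an exhausted counter.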
  • the AUSF receives a parameter request message from the third functional network element. This parameter request message is used to request parameters from the AUSF, or to request the AUSF to authenticate the UE.
  • the parameter request message at least includes the user's permanent identity SUPI.
  • a parameter request message can be used to request K AKMA .
  • the parameter request message is used to request SoR data protection or UPU data protection.
  • the third functional network element is a functional network element of the core network other than AUSF.
  • the third functional network element is an AAnF, UDM, or AF functional network element.
  • the third functional network element is AAnF, and AAnF sends a K AKMA update request message to the AUSF.
  • the update request message is used to request a new K AKMA key.
  • the update request message is Nausf_AKMA_AnchorKey_Refresh.
  • the AUSF determines whether the K AKMA needs to be updated based on the update request message. If it is determined that the K AKMA needs to be updated, it is determined that the UE needs to be authenticated.
  • the third functional network element is the UDM, and the UDM sends an SoR protection request message or a UPU protection request message to the AUSF.
  • the data carried in the request message needs to be protected by K AUSF .
  • the AUSF finds that K AUSF needs to be updated, or the AUSF does not store K AUSF locally, it is determined that the UE needs to be authenticated.
  • the request message is a Nausf_SoRProtection message or a Nausf_UPUProtection message.
  • the third functional network element is the UDM.
  • the UDM receives a request from the AAnF to update K AKMA , and the UDM sends a request message to the AUSF.
  • the request message is used to request the update of K AKMA .
  • the request message is Nausf_AKMA_K AKMA _Refresh message.
  • the AUSF determines whether the K AKMA needs to be updated, and if it is determined that the K AKMA needs to be updated, it determines that the UE needs to be authenticated.
  • the Nausf_AKMA_K AKMA_Refresh message also carries the AAnF ID.
  • the AAnF ID is used to inform which AAnF requested key update, so that the subsequent AUSF can directly send the updated KAKMA to the AAnF.
  • the third functional network element is a UDM.
  • the UDM receives a request message from the fourth functional network element to update the K AF key.
  • the UDM sends a K AF update request message to the AUSF.
  • the request message is used to request a new K AF key.
  • when the AUSF determines that the K AKMA corresponding to the K AF needs to be updated, it determines that the UE needs to be authenticated.
  • the fourth functional network element is AAnF, or 3GPP internal AF or 3GPP external AF.
  • the fourth functional network element is an AF external to 3GPP, the AF requests to update K AF through NEF.
  • the update request message is Nausf_AKMA_K AF _Refresh message.
  • the third functional network element is 3GPP internal AF, or NEF used by 3GPP external AF.
  • 3GPP internal AF or NEF sends a request message to AUSF.
  • the request message is used to request an update of K AF .
  • when the AUSF determines that the K AKMA corresponding to the K AF needs to be updated, it determines that the UE needs to be authenticated.
  • the update request message is Nausf_AKMA_K AF _Refresh message.
  • the third functional network element is 3GPP internal AF, or NEF used by 3GPP external AF, and the AUSF receives the request message from the 3GPP internal AF or NEF.
  • the request message is used to request authentication of the UE.
  • the AUSF determines that the UE needs to be authenticated.
  • the request message is a Nausf_UEAuthentication_Authenticate Request message.
  • the third functional network element is a UDM.
  • when the UDM receives a request from the fourth functional network element to authenticate the UE, the UDM determines that the UE needs to be authenticated.
  • the fourth functional network element is AAnF, or 3GPP internal AF or 3GPP external AF.
  • the fourth functional network element is an AF external to 3GPP, the AF requests to authenticate the UE through NEF.
  • the AUSF can comprehensively determine whether the UE needs to be authenticated based on the local policy and the request message of the third functional network element.
  • the third functional network element is AAnF.
  • AAnF sends a K AKMA update request message to AUSF.
  • the update request message is used to request a new K AKMA key.
  • the update request message is the Nausf_AKMA_AnchorKey_Refresh message.
  • after receiving the update request message, the AUSF further determines whether to authenticate the UE according to the local policy.
  • the local policy is whether the time interval from the previous successful authentication exceeds or is about to exceed the time specified by the operator's policy.
  • AUSF can determine whether the UE needs to be authenticated based on the time interval from the previous successful authentication. If the time interval from the previous successful authentication is less than the preset value, it is determined that the UE does not need to be authenticated; if the time interval from the previous successful authentication exceeds the preset value, the AUSF determines that the UE needs to be authenticated.
  • the local policy is to determine whether the UE needs to be authenticated by comparing whether the locally saved K AKMA is the same as the K AKMA sent by the AAnF. Specifically, the AUSF compares the K AKMA sent by the AAnF with the locally saved K AKMA . If they are the same, it determines to authenticate the UE; if they are different, it determines not to authenticate the UE.
  • the local policy is to determine whether the UE needs to be authenticated by comparing whether the locally saved K AKMA key identifier is the same as the K AKMA key identifier sent by the AAnF. Specifically, the AUSF compares the K AKMA key identifier sent by the AAnF with the locally stored K AKMA key identifier. If they are the same, it determines to authenticate the UE; if not, it determines that the UE will not be authenticated. The K AKMA key identifier is generated by the AUSF and is used to identify K AKMA . For example, it can be a 3-bit long key identifier, or it can be an AKMA Key Identifier (A-KID).
  • the third functional network element is 3GPP internal AF, or NEF used by 3GPP external AF.
  • AUSF receives an authentication request message from AF or NEF requesting to authenticate the UE.
  • AUSF checks whether the UE has just been authenticated according to the local policy or whether the time interval of the last successful UE authentication is within the validity period. If it is not within the validity period, it determines that the UE needs to be authenticated. For example, the message is Nausf_UEAuthentication_Authenticate Request message.
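The step 301 decision logic above, written out as an added example that is not part of the patent or any vendor implementation. It assumes the AUSF keeps, per SUPI, the stored K AUSF, the start times of the two timers (K AUSF usage and time since the last successful authentication) and the A-KID of the K AKMA it currently holds; the thresholds and the "about to exceed" margin are assumed operator policy values, and the request shapes (`akma_refresh`, `sor_upu_protection`, `ue_auth`) are hypothetical stand-ins for the Nausf_AKMA_AnchorKey_Refresh, Nausf_SoRProtection / Nausf_UPUProtection and Nausf_UEAuthentication_Authenticate requests. For the AKMA refresh case it implements the key-identifier comparison variant; the patent also allows the authentication-interval check instead.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class UeContext:
    """Assumed per-SUPI state at the AUSF; both timers are bound to the SUPI."""
    supi: str
    k_ausf: Optional[bytes]           # None: no K_AUSF stored locally
    k_ausf_derived_at: float          # start of the K_AUSF usage timer (seconds)
    last_auth_success_at: float       # start of the authentication-interval timer (seconds)
    a_kid: Optional[str] = None       # identifier of the K_AKMA the AUSF currently holds


@dataclass
class OperatorPolicy:
    """Assumed operator policy values."""
    max_k_ausf_age: float        # allowed K_AUSF usage time (seconds)
    max_auth_interval: float     # allowed time since the last successful authentication (seconds)
    early_margin: float = 0.0    # "about to exceed": decide this long before the limit is reached


def k_ausf_unusable(ctx: UeContext, pol: OperatorPolicy, now: float) -> bool:
    """True when no K_AUSF is stored or its usage timer has expired or is about to."""
    if ctx.k_ausf is None:
        return True
    return now - ctx.k_ausf_derived_at >= pol.max_k_ausf_age - pol.early_margin


def auth_interval_expired(ctx: UeContext, pol: OperatorPolicy, now: float) -> bool:
    """True when the time since the previous successful authentication has expired or is about to."""
    return now - ctx.last_auth_success_at >= pol.max_auth_interval - pol.early_margin


def decide(ctx: UeContext, pol: OperatorPolicy, now: float,
           request: Optional[dict] = None) -> Tuple[bool, str]:
    """Return (authenticate the UE?, reason).

    request is None for a purely local-policy check, otherwise one of these hypothetical shapes:
      {"type": "akma_refresh", "a_kid": ...}  from an AAnF (directly or via the UDM)
      {"type": "sor_upu_protection"}          from the UDM
      {"type": "ue_auth"}                     from an AF or the NEF
    """
    if request is None:
        if k_ausf_unusable(ctx, pol, now):
            return True, "K_AUSF missing, expired or about to expire"
        if auth_interval_expired(ctx, pol, now):
            return True, "authentication interval expired or about to expire"
        return False, "local policy satisfied"

    kind = request["type"]
    if kind == "akma_refresh":
        # Same A-KID as the one we hold: the requester already has our current anchor key,
        # so only a fresh K_AUSF (a new authentication) can yield a new K_AKMA.
        # Different A-KID: we already hold a newer K_AKMA than the requester; no authentication.
        if ctx.a_kid == request["a_kid"]:
            return True, "K_AKMA refresh needs a new K_AUSF"
        return False, "AUSF already holds a newer K_AKMA"
    if kind == "sor_upu_protection":
        # SoR/UPU data must be protected with K_AUSF; without a valid one, authenticate first.
        if k_ausf_unusable(ctx, pol, now):
            return True, "cannot protect SoR/UPU data without a valid K_AUSF"
        return False, "protect SoR/UPU data with the stored K_AUSF"
    if kind == "ue_auth":
        # An AF/NEF asked for authentication: skip it if the last one is still within validity.
        if auth_interval_expired(ctx, pol, now):
            return True, "last successful authentication outside validity period"
        return False, "UE was authenticated recently"
    raise ValueError(f"unknown request type {kind!r}")
```

The margin makes the "about to exceed" wording concrete: with a 60 s margin and a 3600 s K AUSF lifetime, a request arriving 3540 s after derivation already triggers re-authentication, which avoids handing out a key that expires during the AKMA or SoR/UPU procedure it was requested for.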
  • Step 302. When the terminal needs to be authenticated, AUSF obtains authentication materials.
  • here "obtain" means active acquisition, including but not limited to the AUSF actively reading a locally stored context or actively initiating an authentication material acquisition request message. "Obtain" can also mean that the AUSF receives the authentication material directly or indirectly from the fourth functional network element, which is a functional network element that stores or generates authentication material.
  • the authentication material is the material used directly or indirectly to generate the authentication vector.
  • Authentication materials include but are not limited to one or more of the following: serving network name (SN name), serving network identifier (SN ID), network identifier (NID), MCC or MNC.
  • SN Name can be directly used to generate the authentication vector.
  • SN Name is generated by SN ID.
  • the SN Name can be obtained by concatenating the string "5G", a ":" separator and the SN ID, i.e. "5G:" followed by the SN ID.
  • the format of SN ID can be obtained by splicing MCC and MNC.
  • the network identifier is used to identify the network where the UE is located. This embodiment does not limit the generation method of SN Name, nor does it limit the specific format of SN ID.
  • AUSF can obtain the SN Name based on MCC and MNC.
  • the SN Name is ultimately used to obtain the authentication vector.
  • the AUSF can obtain the MCC and MNC from the UE's permanent identity SUPI.
  • the AUSF can first obtain the SN ID from the MCC and MNC, and then prefix the SN ID with "5G:" to obtain the SN Name.
  • AUSF can construct authentication materials based on the scenario where the authentication occurs. For example, if the SN Name requires an NID, then AUSF can obtain the NID corresponding to SUPI from local storage.
  • the AUSF obtains the authentication materials required to authenticate the UE from the locally stored context. For example, in the previous authentication, the AMF sent the AUSF authentication request message including SN_name, and stored the SN_name in the local context.
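The SN Name construction from the lines above, as an added example that is not the patent's own code. It assumes the 3GPP formats rather than the patent's loose description: an IMSI-based SUPI of the form `imsi-<MCC><MNC><MSIN>`, SN Id = `mnc<MNC>.mcc<MCC>.3gppnetwork.org` with the MNC left-padded to three digits and, for an SNPN, `:<NID>` appended, and SN Name = `5G:` + SN Id (TS 33.501 clause 6.1.1.4). The MNC length (2 or 3 digits) cannot be read off the SUPI digits alone, so it is a required input here, assumed to come from operator configuration.

```python
import re
from typing import Optional, Tuple

# Only the IMSI-based SUPI form is handled; NAI-based SUPIs carry a realm instead of digits.
_IMSI_SUPI = re.compile(r"^imsi-(\d{6,15})$")


def split_supi(supi: str, mnc_len: int) -> Tuple[str, str, str]:
    """Return (MCC, MNC, MSIN). A wrong mnc_len silently yields a wrong PLMN, so it must come
    from configuration for the home PLMN, not be guessed."""
    m = _IMSI_SUPI.match(supi)
    if not m:
        raise ValueError("not an IMSI-based SUPI")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    d = m.group(1)
    return d[:3], d[3:3 + mnc_len], d[3 + mnc_len:]


def sn_id(mcc: str, mnc: str, nid: Optional[str] = None) -> str:
    """SN Id: mnc<MNC>.mcc<MCC>.3gppnetwork.org, MNC padded to 3 digits; SNPN appends :<NID>."""
    base = f"mnc{mnc.zfill(3)}.mcc{mcc}.3gppnetwork.org"
    return f"{base}:{nid}" if nid else base


def sn_name(mcc: str, mnc: str, nid: Optional[str] = None) -> str:
    """SN Name: service code "5G", a colon, then the SN Id."""
    return "5G:" + sn_id(mcc, mnc, nid)


def sn_name_from_supi(supi: str, mnc_len: int, nid: Optional[str] = None) -> str:
    """The shortcut described in the text: derive the SN Name from the PLMN encoded in the SUPI.

    This is only correct when the UE is served by its home PLMN. For a roaming UE the serving
    PLMN is different, and the SN Name must come from the AMF or a stored context instead,
    otherwise the authentication vector is bound to the wrong network."""
    mcc, mnc, _ = split_supi(supi, mnc_len)
    return sn_name(mcc, mnc, nid)
```

Because 5G AKA binds RES*, XRES* and K AUSF to the SN Name, a home-derived SN Name that does not match the network the UE is actually attached to does not merely fail cosmetically: the UE computes RES* against the serving network's name and the comparison in the home network fails, which is why the patent's other branches fetch the SN Name from the AMF.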
  • the AUSF obtains authentication materials from the fourth functional network element.
  • the fourth functional network element is a functional network element that stores authentication materials.
  • the fourth functional network element is the AMF
  • the AUSF sends an AMF ID request message to the UDM.
  • the AMF ID request message is used to request the AMF information serving the UE from the UDM.
  • the AMF ID request message carries the permanent identity SUPI of the user of the UE that needs to be authenticated.
  • the AMF ID request message carries indication information, and the indication information is used to indicate that the request message is used to request an AMF ID to serve the UE.
  • the AMF ID request message itself can trigger UDM to know that the message is used to request the AMF ID serving the UE.
  • the message is a Nudm_UECM Request message, or a Nudm_UEAuthentication Get Request message, or a Nudm_HNAuthentication Get Request message.
  • HNAuthentication represents the home network authentication service.
  • the home network authentication service may be a service used by different network elements in different embodiments.
  • the home network authentication service may be an AMF service.
  • it can be a service of the AUSF.
  • it can be a UDM service. This embodiment is not limiting.
  • UDM receives the AMF ID request message, determines the AMF ID according to SUPI, and sends the AMF ID response message to AUSF.
  • the AMF ID response message carries the AMF ID.
  • the AMF ID response message is a Nudm_UECM Response message, or a Nudm_UEAuthentication Get Response message, or a Nudm_HNAuthentication Get Response message.
  • the AUSF determines the AMF based on the AMF ID and sends an SN Name acquisition request message to the AMF.
  • the SN Name acquisition request message is used to obtain authentication materials, such as SN Name.
  • the SN Name acquisition request message carries the SUPI.
  • the SN Name acquisition request message is a Namf_UEAuthentication_Authenticate message, or a Nausf_UEAuthentication_Authenticate Request message, or a Nausf_HNAuthentication_Authenticate Request message, or a Namf_HNAuthentication_Authenticate Request message, or a Namf_HNAuthentication_Get Request message.
  • after receiving the SN Name acquisition request message, the AMF determines that it is serving the SUPI, and then sends the SN Name to the AUSF.
  • the AMF may send the SN Name to the AUSF via a response message in response to the SN Name acquisition request message.
  • the response message is a Namf_UEAuthentication_Authenticate Response message, or a Nausf_UEAuthentication_Authenticate Response message, or a Nausf_HNAuthentication_Authenticate Response message, or a Namf_HNAuthentication_Authenticate Response message, or a Namf_HNAuthentication_Get Response message.
  • the message also carries SUPI.
  • AMF can also send the SN Name through the AUSF authentication request message, for example, the message is Nausf_UEAuthentication_Authenticate Request. At this time, the message also carries SUPI.
  • the AUSF determines to authenticate the terminal, the AUSF sends an acquisition request message to the fourth functional network element to obtain the authentication material.
  • the fourth functional network element sends the stored or generated authentication materials to the AUSF.
  • Step 303 AUSF obtains the first authentication vector based on the authentication material.
  • AUSF obtains the first authentication vector from UDM based on the authentication material. Specifically, AUSF sends authentication materials to UDM, and UDM generates a first authentication vector based on the authentication materials and then sends the first authentication vector to AUSF. In one implementation, this step includes:
  • Step 303a AUSF sends an authentication vector request message to UDM.
  • the authentication vector request message includes authentication material and SUPI.
  • the authentication material can be SN_name.
  • the authentication vector request message also carries indication information, and the indication information indicates obtaining the first authentication vector of the SUPI.
  • the authentication vector request message is a Nudm_UEAuthentication_Get Request message, or Nudm_HNAuthentication Get Request message, or Nausf_HNAuthentication_Authenticate Request message. This message carries authentication materials and the permanent identity of the UE.
  • Step 303b UDM generates the first authentication vector according to SUPI.
  • UDM determines the authentication method based on SUPI and generates the first authentication vector based on the authentication material.
  • the authentication method is EAP-AKA’ authentication or 5G AKA.
  • the first authentication vector includes the random number RAND, the first authentication token AUTN, the first expected response XRES* and the authentication service key K AUSF .
  • the first authentication vector includes the random number RAND, the second authentication token AUTN, the second expected response RES*, the encryption key CK and the integrity key IK.
  • This embodiment only takes EAP-AKA’ and 5G AKA as examples. This embodiment does not limit the authentication method and the first authentication vector.
  • Step 303c AUSF receives the authentication vector response message from UDM, where the authentication vector response message includes the first authentication vector.
  • the authentication acquisition response message may be a Nudm_UEAuthentication_Get message, or a Nudm_HNAuthentication Get Response message, or a Nausf_HNAuthentication_Authenticate Request message. This embodiment does not limit specific message names.
  • the authentication acquisition request response also includes SUPI.
  • Step 304 After receiving the authentication acquisition response message from the UDM, the AUSF sends a first authentication request message to the AMF.
  • the first authentication request message is used to trigger the service network to authenticate the UE.
  • the first authentication request message includes a second authentication vector.
  • it also carries the user's permanent identity.
  • the first authentication request message is used to inform the AMF to perform the process of authenticating the UE, and is a service request message.
  • the message is a Namf_UEAuthentication_Request message, or a Nausf_UEAuthentication Authenticate Request message, or a Nausf_UEAuthentication Authenticate Response message, or a Namf_HNAuthentication_Authenticate Request message, or a Nausf_HNAuthentication_Authenticate Request message.
  • the AMF needs to check whether the first authentication request message comes from the functional network element of the home network. For example, AMF checks whether the first authentication request message comes from AUSF or UDM. If yes, the AMF processes the message and performs step 305; if not, the message is discarded.
  • the first authentication request message is a Nausf_UEAuthentication Authenticate Request message
  • the message is the UEAuthentication service of AUSF and the message is a request message.
  • the Nausf_UEAuthentication service is an existing AUSF service, the service can be reused in order to be compatible with existing technologies and avoid development complexity.
  • AUSF uses the response message of the Nausf_UEAuthentication Authenticate service, that is, the Nausf_UEAuthentication Authenticate Response message, to send the second authentication vector to the AMF.
  • This embodiment uses the request message of the Nausf_UEAuthentication Authenticate service.
  • the AMF receives the first authentication request message and checks whether the first authentication request message comes from AUSF or UDM. If so, step 305 is performed. Otherwise, the first authentication request message is discarded and alarm information is triggered.
  • the first authentication request message may also be a Nausf_UEAuthentication Authenticate Response message.
  • the difference from the existing technology is that the first authentication request message is a request message rather than a response message.
  • the first authentication vector and the second authentication vector may be the same or different.
  • the first authentication vector is different from the second authentication vector.
  • the second authentication vector includes RAND, AUTN, and HXRES*; HXRES* is derived from XRES* (in 5G AKA, by hashing RAND together with XRES*), so XRES* itself stays in the home network.
  • the authentication method used in step 303 is EAP-AKA', and the first authentication vector and the second authentication vector are the same.
  • the second authentication vector includes RAND, the second authentication token AUTN, the second expected response RES*, the encryption key CK and the integrity key IK.
  • a first authentication request message is initiated to the AMF through the AUSF as a starting point for triggering authentication of the UE, and subsequent UE authentication procedures are performed.
  • the AMF is used as the starting point to trigger the authentication of the UE.
  • AUSF saves RES* locally as the saved authentication response.
  • Step 305 The AMF sends the second authentication request message to the UE.
  • the AMF After receiving the first authentication request message, the AMF sends a second authentication request message to the UE.
  • the second authentication request message includes all or part of the parameters in the second authentication vector.
  • the AMF first determines that the AMF is still serving the UE.
  • the second authentication request message is Authentication Request.
  • the second authentication request message is a DL (Downlink) NAS Transport NAS message, which is used to transmit the second authentication vector.
  • the second authentication vector carries indication information, which is used to indicate to the UE that the message conveys parameters used to authenticate the UE.
  • the indication information may be binary bit information or character string indication information. For example, when the message carries "authentication", the UE knows that the DL NAS Transport NAS is to trigger two-way authentication.
  • Step 306 The UE verifies whether the network is authentic based on the parameters carried in the received second authentication request message.
  • the UE determines that the network is authentic, the UE sends a second authentication response message to the AMF.
  • the second authentication response message carries the authentication response RES*.
  • the second authentication response message is Authentication Response.
  • the second authentication response message is a UL (Uplink) NAS Transport NAS message.
  • Step 307. After receiving the second authentication response message, the AMF sends the first authentication response message corresponding to the first authentication request message to the AUSF, where the first authentication response message includes the authentication response.
  • the first authentication response message is a Namf_UEAuthentication_Response message, or a Nausf_UEAuthentication Authenticate Response message, or a Nausf_UEAuthentication Authenticate Request message, or a Nausf_HNAuthentication_Authenticate Response message, or a Namf_HNAuthentication_Authenticate Response message.
  • for the Namf_UEAuthentication service and the Nausf_UEAuthentication service, refer to the related description in step 304.
  • Step 308. AUSF authenticates the UE. Specifically, the AUSF compares the authentication response with the locally stored authentication response. If they are consistent, the UE authentication is considered successful.
  • for the specific method of determining successful UE authentication based on the second authentication vector in steps 305 to 308, refer to the relevant description in clause 6.1 of 3GPP TS 33.501; details are not repeated here.
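The response handling behind steps 304 to 308, as an added example that is not part of the patent. It follows the 5G AKA derivations of 3GPP TS 33.501 Annex A: RES*/XRES* from the KDF with FC 0x6B over the SN name, RAND and (X)RES keyed by CK||IK (A.4), K AUSF from FC 0x6A over the SN name and SQN xor AK (A.2), and HXRES* as the leftmost 128 bits of SHA-256(RAND || XRES*) (A.5), with the HMAC-SHA-256 KDF of TS 33.220 Annex B. RAND, CK, IK, RES and AUTN are constructed test values; the AKA algorithm itself (MILENAGE/TUAK) and the UE's AUTN check are not implemented, and the dictionaries standing in for the first and second authentication vectors are this example's own.

```python
import hashlib
import hmac

# Constructed test values, not taken from any real USIM or HSS run.
SN_NAME = "5G:mnc015.mcc234.3gppnetwork.org"
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")
CK = bytes.fromhex("0123456789abcdef0123456789abcdef")
IK = bytes.fromhex("fedcba9876543210fedcba9876543210")
RES = bytes.fromhex("deadbeefcafef00d")                      # 8-byte (X)RES from the AKA algorithm
AUTN = bytes.fromhex("000000000001" "8000" "0102030405060708")  # SQN xor AK || AMF || MAC


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 Annex B: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 || ...), Li = 2-byte length."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_res_star(ck: bytes, ik: bytes, sn_name: str, rand: bytes, res: bytes) -> bytes:
    """TS 33.501 A.4: (X)RES* = 128 least significant bits of KDF(CK||IK, 0x6B, SN name, RAND, (X)RES)."""
    return kdf(ck + ik, 0x6B, sn_name.encode(), rand, res)[16:]


def derive_k_ausf(ck: bytes, ik: bytes, sn_name: str, autn: bytes) -> bytes:
    """TS 33.501 A.2: K_AUSF = KDF(CK||IK, 0x6A, SN name, SQN xor AK); SQN xor AK is AUTN's first 6 bytes."""
    return kdf(ck + ik, 0x6A, sn_name.encode(), autn[:6])


def derive_hxres_star(rand: bytes, xres_star: bytes) -> bytes:
    """TS 33.501 A.5: HXRES* = 128 most significant bits of SHA-256(RAND || XRES*)."""
    return hashlib.sha256(rand + xres_star).digest()[:16]


def home_network_av(sn_name: str) -> dict:
    """First authentication vector (5G HE AV) as generated by the UDM from the SN name: RAND, AUTN, XRES*, K_AUSF."""
    return {"rand": RAND, "autn": AUTN,
            "xres_star": derive_res_star(CK, IK, sn_name, RAND, RES),
            "k_ausf": derive_k_ausf(CK, IK, sn_name, AUTN)}


def serving_network_av(he_av: dict) -> dict:
    """Second authentication vector (5G SE AV) the AUSF hands to the AMF; XRES* and K_AUSF stay in the home network."""
    return {"rand": he_av["rand"], "autn": he_av["autn"],
            "hxres_star": derive_hxres_star(he_av["rand"], he_av["xres_star"])}


def ue_response(ue_sn_name: str) -> bytes:
    """UE side (step 306): after verifying AUTN, compute RES* bound to the network it is attached to."""
    return derive_res_star(CK, IK, ue_sn_name, RAND, RES)


def amf_check(se_av: dict, res_star: bytes) -> bool:
    """Serving-network pre-check on the way to step 307: HRES* (hash of RAND || RES*) must equal HXRES*."""
    hres_star = hashlib.sha256(se_av["rand"] + res_star).digest()[:16]
    return hmac.compare_digest(hres_star, se_av["hxres_star"])


def ausf_check(he_av: dict, res_star: bytes) -> bool:
    """Step 308: the AUSF compares RES* with the XRES* it kept; this is the authoritative result."""
    return hmac.compare_digest(he_av["xres_star"], res_star)


def run_exchange(ue_sn_name: str = SN_NAME):
    """Whole flow: UDM -> AUSF -> AMF -> UE -> AMF -> AUSF. Returns (AMF check, AUSF check)."""
    he_av = home_network_av(SN_NAME)
    se_av = serving_network_av(he_av)
    res_star = ue_response(ue_sn_name)
    return amf_check(se_av, res_star), ausf_check(he_av, res_star)
```

Two properties of the split are visible in the code: the AMF can reject a bad RES* locally without ever holding XRES*, and a UE attached to a network with a different SN Name fails both checks, which is what binds the vector obtained in step 303 to the serving network whose name was supplied as authentication material.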
  • when the AUSF determines that the terminal needs to be authenticated in response to a local policy or a request from the third functional network element, the AUSF actively obtains the authentication material from the locally stored context or from the fourth functional network element. After obtaining the authentication material and then the authentication vector generated from it, the AUSF sends the first authentication request message to the AMF to trigger the authentication of the UE.
  • the initiation point of the authentication process in this embodiment is the AUSF of the home network, rather than a request from the AMF. In this way, the AUSF no longer relies on the AMF's request to trigger the authentication of the UE, which reduces the signaling interaction between the AMF and the AUSF.
  • in step 301, when the AUSF receives a parameter request from the third functional network element and determines to authenticate the UE according to that parameter request message, it needs to return the parameters to the third functional network element.
  • the AUSF receives the service parameter request message from the third functional network element, the AUSF also needs to reply a parameter response message to the third functional network element.
  • the AUSF also needs to reply a parameter response message to the third functional network element in the following three situations:
  • the AUSF directly sends the parameter response message to the third functional network element.
  • the parameter response message carries the requested parameters or authentication results.
  • the AUSF uses the K AUSF generated during the authentication process to generate a new K AKMA key, and carry the new K AKMA key in this parameter response message.
  • the third functional network element is a UDM
  • the parameter request message sent by the UDM to the AUSF requests SoR or UPU protection.
  • AUSF determines to authenticate the UE. After the authentication is successful, AUSF uses the newly generated K AUSF to perform security protection on SoR data or UPU data, and then sends the security protection result to UDM through this parameter response message.
  • the parameter request message is used to request a new K AKMA , and the AUSF decides to authenticate the UE. After the AUSF successfully authenticates the UE, it uses the K AUSF generated during the authentication process to generate a new K AKMA key, and then sends the new K AKMA key to the UDM through the return parameter message. If the UDM receives a request to update the K AKMA from a fourth functional network element, such as an AAnF, the UDM shall further send the received new K AKMA key to the AAnF.
  • the third functional network element is 3GPP internal AF, or NEF used for 3GPP external AF.
  • the parameter request message is used to request authentication of the UE.
  • AUSF decides to authenticate the UE. After successful authentication, AUSF sends a return parameter message to UDM. Optionally, the message carries the authentication result.
  • the UDM receives a request message from the fourth functional network element to request authentication of the UE.
  • AUSF determines to authenticate the UE.
  • AUSF sends a return parameter message.
  • the return parameter message carries the authentication result.
  • the UDM shall further inform the fourth function network element of the authentication result.
  • the AUSF sends a parameter response message to the third functional network element, and the return response message is used to inform the third functional network element that the parameter request message has been received.
  • the AUSF After the AUSF successfully authenticates the UE, the AUSF directly sends the parameters requested by the parameter message, or sends the authentication result to the fourth function network element, or a network element of the same type as the fourth function network element.
  • the first example is when the third functional network element is a UDM, and the UDM sends a protection message requesting protection of SoR data or UPU data to the AUSF.
  • the AUSF determines to authenticate the UE because the locally stored K AUSF is invalid or about to become invalid, or the K AUSF is not stored locally.
  • AUSF sends a parameter response message to UDM.
  • This parameter response message is used to inform UDM that the request failed.
  • the return parameter message carries a reason value, which is used to inform UDM that there is no key K AUSF, or that K AUSF has expired or is about to expire .
  • the UDM can reinitiate the request in the subsequent process, for example, after the UDM determines that the UE has been authenticated successfully.
  • This embodiment does not limit the order in which the AUSF decides to authenticate the UE and the AUSF replies the failure message, nor does it limit how the UDM determines that the UE authentication is successful.
  • the second example is when the third functional network element is UDM and the request message is used to request update of K AKMA .
  • the AUSF may determine to authenticate the UE.
  • AUSF also sends return parameter messages to UDM. This parameter response message is used to inform UDM that the parameter request message has been received.
  • the AUSF uses the K AUSF generated during the authentication process to generate a new K AKMA key, and sends the new K AKMA key directly to the AAnF.
  • the AAnF may be the AAnF that requests the key K AKMA from the UDM, or it may be another AAnF.
  • the AUSF can send the new K AKMA to the AAnF corresponding to the AAnF ID. This embodiment does not limit the order in which the AUSF determines to authenticate the UE and sends the parameter response message.
  • the third example is that when the third functional network element is a UDM, the UDM receives a request message from the fourth functional network element to request authentication of the UE. AUSF decides to authenticate the UE. After successful authentication, AUSF sends a return parameter message to UDM. The return parameter message is used to inform UDM that the parameter request message has been received.
  • this application provides another method for triggering authentication by a functional network element of the home network.
  • the difference from the method shown in Figure 3 is that in this implementation, the UDM obtains authentication materials.
  • This method includes but is not limited to:
  • Step 401 The AUSF determines whether the UE needs to be authenticated.
  • for details, refer to step 301, which will not be described again here.
  • Step 402. When it is determined that the terminal needs to be authenticated, the AUSF sends an acquisition request message to the UDM, and the acquisition request message is used to obtain the first authentication vector.
  • the acquisition request message includes SUPI.
  • the acquisition request message also includes indication information, where the indication information is used to indicate that UDM needs to authenticate the UE.
  • the indication information may be bit indication information or a predetermined SN-Name value.
  • the bits of SN-Name are all 0s or all 1s.
  • the acquisition request message is a Nudm_UEAuthentication_Get Request message, or a Nudm_HNAuthentication Get Request message.
  • Step 403. After receiving the acquisition request message, UDM acquires the authentication material.
  • the UDM determines that the UE requires authentication. Specifically, reference may be made to the relevant description of step 501 below.
  • UDM can directly obtain authentication materials based on locally stored information, or UDM can obtain authentication materials from the fourth function network element.
  • the fourth function network element is AMF.
  • UDM stores authentication materials locally, and UDM obtains authentication materials from local storage. For example, the SN_name used in the previous authentication is stored in the UDM local context.
  • UDM determines the service network information serving the UE based on the locally stored context corresponding to SUPI, such as AMF ID or PLMN ID. Obtain the MCC and MNC from the service network information, and generate the SN Name based on the MCC and MNC.
  • UDM obtains authentication materials from the fourth function network element.
  • the fourth functional network element is a functional network element that stores authentication materials.
  • the fourth functional network element is the AMF
  • the UDM obtains the AMF information serving the UE, such as the AMF ID, from the context corresponding to SUPI.
  • UDM determines the AMF based on the AMF ID and sends an SN Name acquisition request message to the AMF.
  • the SN Name acquisition request message is used to obtain authentication materials, such as SN Name.
  • the SN Name acquisition request message carries the SUPI.
  • the SN Name acquisition request message is the Namf_UEAuthentication_AuthenticateRequest message or the Namf_HNAuthentication_Get Request message.
  • after receiving the SN Name acquisition request message, the AMF determines that it is serving the SUPI, and then sends the SN Name to the AUSF.
  • the AMF may send the SN Name to the AUSF via a response message in response to the SN Name acquisition request message.
  • the response message is Namf_UEAuthentication_Authenticate Response, or Nausf_UEAuthentication_Authenticate Response message, or Namf_HNAuthentication_Get Response message.
  • the message also carries SUPI.
  • AMF can also send the SN Name through the AUSF authentication request message, for example, the message is Nausf_UEAuthentication_Authenticate Request. At this time, the message also carries SUPI.
  • the UDM sends an acquisition request message to the fourth functional network element to obtain authentication materials, and the fourth functional network element responds to the acquisition request message and sends the stored or generated authentication materials to the UDM.
  • Step 404 UDM generates a first authentication vector based on the obtained authentication material.
  • UDM determines the authentication method based on SUPI and generates the first authentication vector based on the authentication material.
  • Step 405. The UDM sends an acquisition response message to the AUSF, where the acquisition response message includes the first authentication vector.
  • for details, refer to step 303c, which will not be described again here.
  • Step 406 After receiving the authentication acquisition response message from the UDM, the AUSF sends the first authentication request message to the AMF. This message is used to trigger authentication of the UE.
  • the first authentication request message includes a second authentication vector. Optionally, it also carries the user's permanent identity.
  • For details, refer to step 304, which will not be described again here.
  • Steps 407 to 409 execute the subsequent authentication process, and the method for implementing the subsequent authentication process is the same as steps 305 to 308, which will not be described again here.
  • this application provides another method for triggering authentication by the functional network element of the home network.
  • the first functional network element is UDM.
  • the method includes but is not limited to:
  • Step 501. The UDM determines whether the UE needs to be authenticated.
  • the UDM determines whether the UE needs to be authenticated according to the local policy or according to a request from the third functional network element, where the third functional network element is a core network element other than the UDM.
  • UDM determines whether the UE needs to be authenticated according to local policies.
  • the local policy may include: UDM determines whether the UE needs to be authenticated based on whether the AUSF ID is stored locally.
  • when the UDM wants to send steering of roaming (SoR) data or UPU data to the UE but does not store the corresponding AUSF ID, so that it cannot find the corresponding AUSF to provide security protection for the SoR data or UPU data, the UDM determines that the UE needs to be authenticated. That is, when the UDM determines that the AUSF ID is not stored locally, the UDM decides to authenticate the UE.
  • the local policy may include: UDM determines whether the UE needs to be authenticated based on whether the UE is authenticated by the 5G network. For example, the UE first accesses the 4G core network. Later, when there is 5G network coverage, the UE moves from the 4G network to the 5G network and starts to use the 5G network. According to existing standards, AMF does not need to initiate authentication during this process. In other words, the UE has not been authenticated by the 5G network after accessing the 5G network. Therefore, UDM can determine to authenticate the UE based on the fact that the UE has not been authenticated by the 5G network.
  • the local policy may include: UDM determines whether the UE needs to be authenticated based on whether the time interval from the previous successful authentication meets a preset value. If the UDM finds that the time interval of the previous successful authentication of the UE exceeds or is about to exceed the time specified by the operator's policy, the UDM determines that the UE needs to be authenticated. Specifically, a timer can be used to record the time interval from the previous successful authentication of the UE, and the timer is bound to the permanent identity SUPI of the UE. When the AUSF determines that the UE is successfully authenticated, the timer starts counting. When the time interval recorded by the timer exceeds or is about to exceed the preset interval value, the AUSF determines that the UE needs to be authenticated.
  • the UDM receives a parameter request message from the third functional network element, and the parameter request message is used to request parameters from the UDM or request the UDM to authenticate the UE.
  • This parameter request message includes at least the user's permanent identity.
  • a parameter request message can be used to request K_AKMA.
  • the parameter request message is the response message to a request to send a protection message for SoR data or UPU data; this response message is used to indicate that the request failed.
  • the AUSF replies with a response message to inform the UDM that the request failed because the locally stored K_AUSF has expired or is about to expire, or because K_AUSF is not stored locally.
  • the third functional network element is the functional network element of the core network other than UDM.
  • the third functional network element is an AAnF, AUSF, or AF functional network element.
  • the third functional network element is AAnF
  • the AAnF sends a K_AKMA update request message to the UDM.
  • the K_AKMA update request message is used to request a new K_AKMA key.
  • the AUSF determines that K_AKMA needs to be updated and determines that the UE needs to be authenticated.
  • the K_AKMA update request message is the Nudm_AKMA_AnchorKey_Refresh message.
  • the AUSF sends the SoR data or UPU data protection failure result to the UDM.
  • the message is a Nausf_SoRProtection Response message or a Nausf_UPUProtection Response message.
  • UDM determines that the UE needs to be authenticated.
  • the Nausf_SoRProtection Response message or the Nausf_UPUProtection Response message carries a failure reason value.
  • the failure reason value is used to indicate that there is no key K_AUSF.
  • the UDM determines that the UE needs to be authenticated based on the failure cause value.
  • the AUSF receives a request message from the fourth functional network element, such as the K_AKMA update request message from the AAnF, and the AUSF sends the parameter request message to the UDM.
  • the parameter request message is used to request authentication of the UE.
  • the UDM determines that the UE needs to be authenticated based on the parameter request message.
  • the parameter request message is Nudm_UEAuthentication Get Request message.
  • when the third functional network element is the AUSF, the AUSF receives a request message from the fourth functional network element, such as a request from the NEF or from an AF inside the 3GPP network to update K_AF; the AUSF then sends a request message to the UDM, and the UDM determines that an update is required.
  • K_AF corresponds to K_AKMA.
  • the request message is the Nudm_UEAuthentication Get Request message.
  • the AF or NEF sends a request message to the UDM.
  • the request message is used to request an update of K_AF.
  • when the UDM determines that the K_AKMA corresponding to the K_AF needs to be updated, it determines that the UE needs to be authenticated. For example, this message is the Nudm_UEAuthentication Authenticate Request message.
  • the AUSF receives an authentication request message from the fourth functional network element, such as an authentication request message from NEF or AF within 3GPP.
  • the authentication request message is the Nausf_UEAuthentication_Authenticate Request message.
  • the AUSF sends a request message for requesting authentication of the UE to the UDM, and the UDM determines that the UE needs to be authenticated based on the request message.
  • the authentication request message is the Nudm_UEAuthentication Get Request message.
  • the UDM can comprehensively determine whether the UE needs to be authenticated based on both the local policy and the request of the third functional network element.
  • the third functional network element is the AUSF
  • the AUSF sends a parameter request message to the UDM.
  • the parameter request message is used to request authentication of the UE.
  • the parameter request message is Nausf_UEAuthentication_Authenticate Request.
  • UDM further determines whether to authenticate the UE according to the local policy.
  • the local policy determines whether the UE needs to be authenticated by whether the time interval from the previous successful authentication exceeds or is about to exceed the time specified by the operator's policy. If the time interval from the previous successful authentication is less than the preset value, it is determined not to authenticate the UE; if the time interval from the previous successful authentication exceeds the preset value, it is determined to authenticate the UE.
  • Step 502. When the terminal needs to be authenticated, UDM obtains authentication materials.
  • “acquisition” can be understood as “active acquisition”, including but not limited to the UDM actively obtaining authentication materials from local storage or actively initiating request messages. “Obtaining” can also be understood as the UDM directly or indirectly receiving authentication materials from the fourth functional network element.
  • the fourth functional network element is a functional network element that stores or can generate authentication materials.
  • For the relevant description of the authentication materials, refer to the relevant description of step 302, which will not be described again here.
  • the UDM directly obtains the authentication materials required to authenticate the UE from the locally stored context. For example, the SN_name stored in the UDM local context during the previous authentication.
  • the UDM indirectly obtains the authentication materials required to authenticate the UE from the locally stored context, that is, generates the authentication materials based on the locally stored context.
  • the authentication material is the SN Name
  • UDM can obtain the MCC and MNC based on the UE's permanent identity SUPI, and use the MCC and MNC to generate the SN Name.
  • the authentication material is the SN Name
  • UDM can use the stored PLMN ID corresponding to SUPI to obtain the MCC and MNC, and then use the MCC and MNC to further obtain the SN Name.
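The local-policy triggers listed under step 501 (no AUSF ID stored, no 5G authentication yet, interval since the last successful authentication exceeded or about to be exceeded), the combined "third network element request plus interval" rule, and the construction of the SN Name from the MCC and MNC of the SUPI or stored PLMN ID, as one added example. This is not the patent's own code; the context field names, the IMSI-based SUPI layout and the SN Name format (the 3GPP TS 33.501 layout is assumed, since the page gives only "generated from MCC and MNC") are assumptions of the example.

```python
"""UDM-side local-policy decision for home-network-triggered authentication and
SN Name construction from MCC/MNC. Added example, not the patent's own code;
field names, SUPI layout and SN Name format are assumptions of this example."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: SN Name laid out as in 3GPP TS 33.501 ("5G:" + PLMN-derived FQDN);
# the patent only says the SN Name is generated from the MCC and MNC.
SN_NAME_TEMPLATE = "5G:mnc{mnc}.mcc{mcc}.3gppnetwork.org"


@dataclass
class UeContext:
    """Per-SUPI context as the UDM might store it (constructed for this example)."""
    supi: str
    ausf_id: Optional[str] = None              # AUSF ID kept from the last authentication
    plmn_id: Optional[str] = None              # serving PLMN ID (MCC followed by MNC)
    authenticated_by_5g: bool = False          # stays False after a 4G -> 5G move without authentication
    last_success_auth: Optional[float] = None  # time of the last successful authentication, seconds


def split_plmn(plmn_id: str, mnc_len: int = 2) -> Tuple[str, str]:
    """Split a PLMN ID into (MCC, MNC). The MNC has 2 or 3 digits and the length
    cannot be told from the digits alone, so it is a configuration parameter."""
    if mnc_len not in (2, 3) or len(plmn_id) != 3 + mnc_len or not plmn_id.isdigit():
        raise ValueError("malformed PLMN ID")
    return plmn_id[:3], plmn_id[3:]


def mcc_mnc_from_supi(supi: str, mnc_len: int = 2) -> Tuple[str, str]:
    """MCC/MNC from an IMSI-based SUPI ('imsi-' + 15 digits); the IMSI starts with the PLMN ID."""
    if not supi.startswith("imsi-") or len(supi) != 20 or not supi[5:].isdigit():
        raise ValueError("only IMSI-based SUPIs are handled in this example")
    return split_plmn(supi[5:8 + mnc_len], mnc_len)


def sn_name(mcc: str, mnc: str) -> str:
    """Build the SN Name; a 2-digit MNC is left-padded with a zero to 3 digits."""
    return SN_NAME_TEMPLATE.format(mnc=mnc.zfill(3), mcc=mcc)


def needs_authentication(ctx: UeContext, now: float, preset_interval: float,
                         expiry_margin: float = 0.0) -> Tuple[bool, str]:
    """Local-policy check in the order the text lists the triggers: missing AUSF ID,
    no 5G authentication yet, or the interval since the last successful
    authentication has exceeded (or is about to exceed) the preset value."""
    if ctx.ausf_id is None:
        return True, "no AUSF ID stored for this SUPI"
    if not ctx.authenticated_by_5g:
        return True, "UE has not been authenticated by the 5G network"
    elapsed = float("inf") if ctx.last_success_auth is None else now - ctx.last_success_auth
    if elapsed >= preset_interval - expiry_margin:
        return True, "interval since last successful authentication exceeds or is about to exceed the preset value"
    return False, "no local-policy trigger"


def authenticate_on_request(ctx: UeContext, now: float, preset_interval: float) -> bool:
    """A request from a third functional network element (e.g. the AUSF) combined
    with the interval policy: below the preset value the UDM declines, above it
    the UDM authenticates."""
    elapsed = float("inf") if ctx.last_success_auth is None else now - ctx.last_success_auth
    return elapsed > preset_interval


if __name__ == "__main__":
    ctx = UeContext("imsi-460001234567890", ausf_id="ausf-01", plmn_id="46000",
                    authenticated_by_5g=True, last_success_auth=0.0)
    print(sn_name(*mcc_mnc_from_supi(ctx.supi)))
    print(needs_authentication(ctx, now=3500.0, preset_interval=3600.0, expiry_margin=300.0))
```

The `expiry_margin` parameter models the "about to exceed" wording: with a margin, the UDM re-authenticates shortly before the operator interval runs out rather than after, so that SoR/UPU protection never has to wait for a fresh K_AUSF.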
  • UDM can construct authentication materials based on the scenario where the authentication occurs.
  • the UDM directly obtains the authentication materials required to authenticate the UE from the fourth functional network element.
  • the fourth functional network element is a functional network element that stores authentication materials.
  • UDM obtains the AMF information serving the UE, such as the AMF ID, from the context corresponding to SUPI.
  • UDM determines the AMF based on the AMF ID and sends the first request message to the AMF.
  • the first request message carries the permanent identity SUPI of the user of the UE that needs to be authenticated.
  • the first request message is a Namf_UEAuthentication_Authenticate message, or a Nudm_SDM_Get_Response message, or a Namf_HNAuthentication_Get Request message.
  • the AMF replies with a first response message, and the first response message carries the authentication material.
  • the authentication material is SN Name.
  • the first response message is the Namf_UEAuthentication_Authenticate Response message, or the Nudm_SDM_Info message, or the Namf_HNAuthentication_Get Response message.
  • after the UDM determines that the UE needs to be authenticated, the UDM sends a first request message to the fifth functional network element, where the first request message carries the user permanent identity SUPI of the UE that needs to be authenticated.
  • the first request message is used to request the serving network to authenticate the UE.
  • the UDM may send the first request message to the fifth functional network element when the AUSF ID is not stored locally.
  • the UDM knows that the authentication materials are stored in the fifth functional network element and sends the first request message to the fifth functional network element, but the UDM obtains the authentication materials required to authenticate the UE from the fourth functional network element.
  • the fifth functional network element sends a second authentication request message to the fourth functional network element, where the second authentication request message carries authentication material.
  • the fourth functional network element is AUSF
  • the fifth functional network element is AMF.
  • the first request message is the Namf_UEAuthentication_Authenticate message, or the Nudm_SDM_Get_Response message, or the Namf_HNAuthentication_Get Request message; after the AMF receives the Namf_UEAuthentication_Authenticate message, or the Nudm_SDM_Get_Response message, or the Namf_HNAuthentication_Get Request message, the AMF sends the second authentication request message to the AUSF.
  • the second authentication request message is the Nausf_UEAuthentication_Authenticate Request message.
  • the Nausf_UEAuthentication_Authenticate Request message carries the SN Name and SUPI.
  • after the AUSF receives the Nausf_UEAuthentication_Authenticate Request message, the AUSF sends a Nudm_UEAuthentication Get Request to the UDM.
  • the Nudm_UEAuthentication Get Request message carries SUPI and SN Name. It should be noted that this method can occur in the following situations: UDM determines to authenticate the UE, but does not store the AUSF ID locally. UDM can only request the AMF serving the UE to authenticate the UE based on the locally stored AMF information corresponding to SUPI, such as the AMF ID. Then, after receiving the request message, the AMF selects an AUSF according to SUPI and starts executing the process described in steps 201 to 208.
  • the fifth function network element replies the first response message to the UDM.
  • the first response message is used to inform UDM of receipt of the first request message.
  • the first response message may not carry any content.
  • the first response message is the Namf_UEAuthentication_Authenticate Response message or the Nudm_SDM_Info message. This embodiment does not limit the order in which the fifth functional network element sends the first response message and the second authentication request message.
  • This embodiment does not limit the method of obtaining authentication materials. This embodiment does not limit the message name.
  • Step 503. UDM generates the first authentication vector based on the authentication material.
  • For details, refer to step 303, which will not be described again here.
  • after the UDM generates the first authentication vector, it sends the first message to the AUSF.
  • AUSF receives the first message.
  • the first message includes the first authentication vector
  • the user's permanent identifier may also be included.
  • when the UDM has not received an authentication acquisition request message from the AUSF, the UDM first determines the AUSF based on the locally stored AUSF ID and then sends the first message to the AUSF. For example, the UDM obtains authentication materials from local storage or directly from the AMF, and the UDM determines that the UE needs to be authenticated based on local policy.
  • the first message is Nudm_UEAuthentication Get Request or Nausf_UEAuthentication_Authenticate Request or Nausf_HNAuthentication_Authenticate Request.
  • when the UDM determines that the UE needs to be authenticated based on a request message received from the third functional network element, and the third functional network element is not the AUSF, the first message is the Nudm_UEAuthentication Get Request, the Nausf_UEAuthentication_Authenticate Request, or the Nausf_HNAuthentication_Authenticate Request.
  • when the UDM determines that the UE needs to be authenticated based on a request message received from the third functional network element, and the third functional network element is not the AUSF, the UDM sends the third authentication request message to the AMF.
  • the third authentication request message is used to inform the AMF to perform the process of authenticating the UE, and is a service request message.
  • the message is a Namf_UEAuthentication_Request message, or a Nudm_UEAuthentication Authenticate Request message, or a Nudm_UEAuthentication Authenticate Response message, or a Namf_HNAuthentication_Authenticate Request message.
  • the third authentication request message is Namf_HNAuthentication_Authenticate Request
  • UDM uses the home network authentication service of AMF
  • the first authentication request message is the home network's request to authenticate the UE.
  • the AMF needs to check whether the first authentication request message comes from the functional network element of the home network. For example, AMF checks whether the first authentication request message comes from AUSF or UDM. If yes, the AMF processes the message and performs step 506; if not, the message is discarded.
  • when the third authentication request message is the Namf_UEAuthentication_Request message, it indicates that the UDM uses the service of the AMF, and the first authentication request message requests an operation to authenticate the UE.
  • the AMF needs to check whether the first authentication request message comes from the functional network element of the home network. For example, AMF checks whether the first authentication request message comes from AUSF or UDM. If yes, the AMF processes the message and performs step 506; if not, the message is discarded.
  • the third authentication request message is a Nudm_UEAuthentication Authenticate Request message, it indicates that the message is the UEAuthentication service of UDM, and the message is a request message.
  • the UDM may receive the request message from the AUSF in step 202.
  • the authentication acquisition request message may be a Nudm_UEAuthentication Get Request message.
  • the authentication acquisition response message may be a Nudm_UEAuthentication Get Response message.
  • when the UDM receives the authentication acquisition request message sent by the AUSF, the UDM responds to the authentication acquisition request message and replies the first message to the AUSF. At this time, the first message is the authentication acquisition response message.
  • This embodiment does not limit the specific message name.
  • Step 505. The AUSF sends a first authentication request message to the AMF.
  • the first authentication request message is used to trigger authentication of the UE.
  • the first authentication request message includes a first authentication vector.
  • the first authentication request message also carries the user's permanent identity.
  • Steps 506 to 508 execute the subsequent authentication process.
  • the method for implementing the subsequent authentication process is the same as steps 305 to 308, which will not be described again here.
  • when the UDM receives a service parameter request message from the third functional network element in step 501, the UDM also needs to reply with a parameter response message to the third functional network element.
  • the third functional network element is AUSF
  • the parameter response message may be an authentication acquisition response message, or a separate message used to notify the received message.
  • when the third functional network element is the AAnF, the AF, or the NEF used by an external AF, and the parameter request message is used to request authentication of the UE, the parameter response message can be used to acknowledge receipt of the message or to carry an indication of the authentication result, that is, to inform the third functional network element whether the authentication succeeded or failed.
  • embodiments of the present application also provide corresponding devices, including corresponding modules for executing the above embodiments.
  • the module may be software, hardware, or a combination of software and hardware.
  • the authentication device 600 includes a processing module 610 and a transceiver module 620 .
  • the transceiver module 620 is used to perform operations related to sending and receiving messages in the above-mentioned embodiment of FIG. 2-5, and the processing module 610 can be used to perform related operations in the above-mentioned embodiment of FIG. 2-5 other than sending and receiving messages.
  • the communication device can be used as an AUSF network element to implement the authentication method in the embodiment shown in Figure 3.
  • the processing module 610 is used to determine whether the terminal needs to be authenticated; when the terminal needs to be authenticated, to obtain the authentication material; and to obtain the authentication vector according to the authentication material. The transceiver module 620 can be used to send a first authentication request message to the AMF to trigger authentication of the terminal, where the first authentication request message includes the authentication vector.
  • the processing module 610 is used to determine whether the terminal needs to be authenticated; when the terminal needs to be authenticated, to obtain the authentication materials; and to obtain the authentication vector according to the authentication materials. The transceiver module is used to send a first authentication request message to the AMF to trigger authentication of the terminal, where the first authentication request message includes the authentication vector.
  • the authentication device 700 includes a processor 710 , a memory 720 and a transceiver 730 .
  • the specific connection medium between the processor 710 and the transceiver 720 is not limited in the embodiment of the present application.
  • the connection between the processor 710 and the transceiver 720 through the bus 730 is taken as an example.
  • the bus 740 is represented by a thick line in the figure. The connections between the other components are only illustrated schematically and are not intended as a limitation.
  • the bus 740 can be divided into an address bus, a data bus, a control bus, etc. For ease of presentation, only one thick line is used in Figure 7, but it does not mean that there is only one bus or one type of bus.
  • the processor 710 can have a data transceiver function and can communicate with other devices.
  • an independent data transceiver module, such as the transceiver 730, can also be provided for transmitting and receiving data; when the processor 710 communicates with other devices, data can be transmitted through the transceiver 730.
  • the memory 720 stores instructions or programs, and the processor 710 is used to execute the instructions or programs stored in the memory. When the instructions or programs stored in the memory are executed, the processor 710 is used to perform the operations performed by the processing module in the above method embodiment, and the communication interface is used to perform the operations performed by the transceiver module in the above embodiment.
  • the disclosed systems, devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or can be integrated into another system, or some features can be ignored, or not implemented.
  • the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or they may be distributed to multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application can be integrated into one processing unit, each unit can exist physically alone, or two or more units can be integrated into one unit.
  • each functional unit may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • when implemented using software, it may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions (programs). When the computer program instructions (program) are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are generated in whole or in part.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device.
  • the computer instructions may be stored in or transmitted from one computer-readable storage medium to another; e.g., the computer instructions may be transmitted from a website, computer, server, or data center to another website, computer, server, or data center by wired (such as coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (such as infrared, radio, microwave, etc.) means.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains one or more available media integrated.
  • the available media may be magnetic media (eg, floppy disk, hard disk, magnetic tape), optical media (eg, DVD), or semiconductor media (eg, solid state disk (SSD)), etc.
  • the functions are implemented in the form of software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium.
  • the technical solution of the present application is essentially or the part that contributes to the existing technology or the part of the technical solution can be embodied in the form of a software product.
  • the computer software product is stored in a storage medium and includes several instructions used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application.
  • the aforementioned storage media include: U disk, mobile hard disk, read-only memory (ROM), random access memory

Abstract

Embodiments of this application disclose an authentication method, a communication apparatus and a storage medium. The method includes: a first functional network element of the home network determines whether a terminal needs to be authenticated; when the terminal needs to be authenticated, the first functional network element obtains authentication material; the first functional network element obtains a first authentication vector according to the authentication material; and the first functional network element sends a first authentication request message to the AMF to trigger authentication of the terminal, where the first authentication request message includes the first authentication vector. In this method, the first functional network element of the home network determines whether to trigger authentication of the terminal.

Description

Authentication method, communication apparatus and computer-readable storage medium
This application claims priority to Chinese patent application No. 202210489884.6, entitled "Authentication method, communication apparatus and computer-readable storage medium", filed with the China National Intellectual Property Administration on May 6, 2022, the entire content of which is incorporated herein by reference.
Technical field
This application relates to the communications field, and more specifically, to an authentication method in the communications field and a communication apparatus using the authentication method.
Background
Currently, when user equipment (UE) accesses a 5G network, it must go through access and authentication procedures. After the terminal device is successfully authenticated and enters the connected state, the user equipment can communicate with the network.
In the related art, when the user equipment accesses the 5G network and the terminal registers for the first time, the terminal can send its identity information to the core access and mobility management function (AMF) entity through the next generation node base station (gNB) or the non-3GPP interworking function (N3IWF) network element. When the AMF network element receives the terminal's identity information, the AMF network element can select an authentication server function (AUSF) entity according to the identity information of the user equipment to trigger the authentication procedure; the AUSF sends an authentication get request to the unified data management (UDM) entity; the UDM calculates an authentication vector according to the authentication get request and returns the authentication vector to the AUSF network element; the AUSF network element sends authentication parameters to the UE through the AMF network element; the UE verifies the authentication parameters, and successful verification indicates that the network side has been verified; the UE sends a response to the AMF; the AMF sends authentication verification information to the AUSF; the AUSF verifies the authentication verification information, and successful verification indicates that the UE is successfully authenticated, thereby completing the authentication procedure.
In the above related art, the primary authentication procedure is initiated by the AMF network element of the serving network; no solution in which a functional network element of the home network triggers primary authentication has been found so far.
Summary
This application provides an authentication method in which a functional network element of the home network initiates authentication, and a communication apparatus using the authentication method.
According to a first aspect, an embodiment of this application provides an authentication method, including: a first functional network element of the home network determines whether a terminal needs to be authenticated; when the terminal needs to be authenticated, the first functional network element obtains authentication material; the first functional network element obtains a first authentication vector according to the authentication material; and the first functional network element sends a first authentication request message to the AMF to trigger authentication of the terminal, where the first authentication request message includes the first authentication vector.
In this technical solution, the first functional network element of the home network determines whether the terminal needs to be authenticated; when authentication is needed, the first functional network element obtains authentication material, obtains a first authentication vector according to the authentication material, and then sends a first authentication request message to the AMF to trigger authentication of the terminal. In this way, the authentication procedure is initiated at the first functional network element of the home network, which reduces the signalling interaction between the AMF and the first functional network element.
In one implementation, the first functional network element is the AUSF, and the first functional network element obtains the authentication material specifically as follows: the first functional network element obtains the authentication material from a stored context; or the first functional network element obtains the authentication material from a fourth functional network element, where the fourth functional network element is a network element that stores the authentication material.
In one implementation, the first functional network element determines whether the terminal needs to be authenticated specifically as follows: the first functional network element receives a service request from a third functional network element, where the service request is used to request a specified service from the first functional network element; in response to the service request of the third functional network element, the first functional network element determines whether the terminal needs to be authenticated.
In one implementation, the first functional network element obtains the first authentication vector according to the authentication material specifically as follows: the AUSF sends an authentication vector request message to the UDM, where the authentication vector request message includes the authentication material; the AUSF receives an authentication vector response message from the UDM, where the authentication vector response message includes the first authentication vector.
In one implementation, the first functional network element is the UDM, and the first functional network element obtains the authentication material specifically as follows: the first functional network element obtains the authentication material from a stored context; or the first functional network element obtains the authentication material from a fourth functional network element, where the fourth functional network element is a network element that stores the authentication material.
In one implementation, the first functional network element obtains the first authentication vector according to the authentication material specifically as follows: the first functional network element generates the first authentication vector according to the authentication material.
In one implementation, the authentication material specifically includes one or more of the following: a serving network name, a serving network identifier, a network identifier, a mobile country code, or a mobile network code.
According to a second aspect, an embodiment of this application provides a communication apparatus, whose structure includes: a processing module, configured to determine whether a terminal needs to be authenticated, to obtain authentication material when the terminal needs to be authenticated, and to obtain a first authentication vector according to the authentication material; and a transceiver module, configured to send a first authentication request message to the AMF to trigger authentication of the terminal, where the first authentication request message includes the first authentication vector.
In one implementation, the processing module obtains the authentication material specifically as follows: the processing module obtains the authentication material from a stored context; or the processing module obtains the authentication material from a fourth functional network element, where the fourth functional network element is a network element that stores the authentication material.
In one implementation, the processing module determines whether the terminal needs to be authenticated specifically as follows: the processing module receives a service request from a third functional network element, where the service request is used to request a specified service from the processing module; in response to the service request of the third functional network element, the processing module determines whether the terminal needs to be authenticated.
In one implementation, the processing module obtains the first authentication vector according to the authentication material specifically as follows: the processing module sends an authentication vector request message to the UDM, where the authentication vector request message includes the authentication material; the processing module receives an authentication vector response message from the UDM, where the authentication vector response message includes the first authentication vector.
In one implementation, the processing module obtains the first authentication vector according to the authentication material specifically as follows: the processing module generates the first authentication vector according to the authentication material.
In one implementation, the authentication material specifically includes one or more of the following: a serving network name, a serving network identifier, a network identifier, a mobile country code, or a mobile network code.
According to a third aspect, an embodiment of this application provides another communication apparatus, which includes at least one processor, where the at least one processor executes instructions stored in a memory so that the communication apparatus implements the operations in the method examples of the first aspect.
According to a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium that stores a computer program, where the computer program includes program instructions, and when the program instructions are executed by a communication apparatus, the communication apparatus performs the method of the first aspect.
Brief description of the drawings
Figure 1 is a schematic diagram of a 5G service-based architecture.
Figure 2 is a schematic flowchart of an authentication method.
Figure 3 is a schematic flowchart of an authentication method provided by an embodiment of this application.
Figure 4 is a schematic flowchart of yet another authentication method provided by an embodiment of this application.
Figure 5 is a schematic flowchart of yet another authentication method provided by an embodiment of this application.
Figure 6 is a schematic structural diagram of an authentication apparatus provided by an embodiment of this application.
Figure 7 is another schematic structural diagram of an authentication apparatus provided by an embodiment of this application.
Detailed description
The technical solutions in the embodiments of this application are described below with reference to the accompanying drawings. In the description of this application, unless otherwise stated, "/" indicates an "or" relationship between the associated objects; for example, A/B may represent A or B. "And/or" in this application merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may represent: A alone, both A and B, and B alone, where A and B may be singular or plural. In addition, unless otherwise stated, "multiple" means two or more. "At least one of the following" or a similar expression refers to any combination of these items, including any combination of a single item or plural items. For example, at least one of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, and c may each be single or multiple. Furthermore, to describe the technical solutions of the embodiments clearly, the embodiments of this application use words such as "first" and "second" to distinguish between items that are the same or similar in function and effect. Those skilled in the art will understand that "first", "second", etc. do not limit quantity or execution order, nor do they require the items to be different.
The technical solutions of the embodiments of this application can be applied to various communication systems, for example, new radio (NR) in the 5th generation (5G) mobile communication system, future mobile communication systems, and so on.
(1) 5th generation (5G) network architecture
Figure 1 is a schematic diagram of a 5th generation (5G) network architecture based on a service-based architecture. The architecture may include an access network and a core network, and optionally may also include user equipment (UE).
A UE is a device with wireless transceiver functions; it may be deployed on land (indoors or outdoors, hand-held, wearable or vehicle-mounted), on water (e.g., on ships), or in the air (e.g., on aircraft, balloons and satellites). The UE may be a mobile phone, a tablet (Pad), a computer with wireless transceiver functions, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a vehicle-mounted terminal device, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, a wearable terminal device, and so on. The UE may also be called a terminal, terminal device, access terminal device, vehicle-mounted terminal, industrial control terminal, UE unit, UE station, mobile station, mobile, remote station, remote terminal device, mobile device, UE agent, UE apparatus, etc. The UE may be fixed or mobile.
The access network may include access network devices, which provide access for terminal devices and may include radio access network (RAN) devices. RAN devices are mainly responsible for air-interface functions such as radio resource management, quality of service (QoS) management, data compression and encryption. RAN devices may include base stations in various forms, e.g., macro base stations, micro base stations (also called small cells), relay stations, access points and balloon stations. In systems using different radio access technologies, the names of devices with base station functions may differ; for example, in a 5G system it is called a RAN or next-generation Node base station (gNB), and in a long term evolution (LTE) system it is called an evolved NodeB (eNB or eNodeB).
The core network is responsible for maintaining the subscription data of the mobile network and provides the UE with functions such as session management, mobility management, policy management and security authentication. The core network may include the following network elements: user plane function (UPF), authentication server function (AUSF), access and mobility management function (AMF), session management function (SMF), network slice selection function (NSSF), network exposure function (NEF), NF repository function (NRF), policy control function (PCF), unified data management (UDM), application function (AF), and the AKMA anchor function (AAnF).
The SMF network element is mainly responsible for session management in the mobile network, such as session establishment, modification and release; specific functions include allocating an internet protocol (IP) address to the user and selecting a UPF that provides packet forwarding. The UPF network element is mainly responsible for forwarding and receiving user data: it may receive user data from the data network and transmit it to the UE through the access network device, and may receive user data from the UE through the access network device and forward it to the data network. The PCF network element mainly provides a unified policy framework to control network behaviour, provides policy rules to control-plane network functions, and is responsible for obtaining user subscription information related to policy decisions. The PCF may provide policies to the AMF and SMF, e.g., quality of service (QoS) policies and slice selection policies. The data network (DN) provides services to users; it may be a private network such as a local area network, an external network not controlled by the operator such as the Internet, or a dedicated network jointly deployed by operators, such as a network providing the IP multimedia subsystem (IMS). The UE can access the DN through an established protocol data unit (PDU) session.
The AMF network element is mainly responsible for mobility management in the mobile network, e.g., user location update, user registration with the network and user handover. For convenience, it is referred to as the AMF hereinafter.
The AUSF network element performs security authentication of the UE. After receiving an authentication request initiated by the UE, the AUSF can authenticate and/or authorize the UE using the authentication and/or authorization information stored in the UDM network element, or generate the subscriber's authentication and/or authorization information through the unified data management function. For convenience, it is referred to as the AUSF hereinafter.
The UDM network element is used to store user data, such as subscription data and authentication/authorization data. The serving network (SN) is where the AMF and AUSF are located.
The serving network (SN), also called the visited network, is the network where the AMF to which a terminal connects via the N1 interface is located. The serving network is where the AMF and SMF are located.
The home network (HN) is the network where the network element storing the UE's subscription data is located. The home network can be identified by an identifier; the home network identifier includes the mobile country code (MCC) and the mobile network code (MNC). The home network is where the AUSF and UDM are located.
(2) Primary authentication
At present a UE can access the network through 3GPP technology. When the UE first accesses the 5G network, the AMF has to start mutual authentication between the UE and the network, i.e. the primary authentication procedure, which also provides keying material that can be used between the UE and the serving network in subsequent security procedures, thereby securing the connection between the UE and the core network. Primary authentication and key agreement produces the anchor key KSEAF, which the AUSF of the home network sends to the AMF of the serving network.
With reference to the primary authentication flow shown in Fig. 2, the procedure includes, but is not limited to, the following steps:
Step 201: The AMF sends a first authentication request message to the AUSF.
When the AMF of the serving network decides to start authentication, it sends a first authentication request message (UEAuthentication_Authenticate Request message) to the AUSF to trigger the primary authentication procedure.
The first authentication request message may include one or more of the following parameters: a user identity and a serving network name (SN-name). The user identity identifies the user equipment and the serving network name identifies the corresponding serving network.
Optionally, the user identity is a SUPI or a SUCI. The SUPI is the user's permanent identity and uniquely identifies a user across the whole network. The SUCI is the UE's anonymized identity, a temporary identity that protects the SUPI from being exposed over the air interface and thus protects user privacy. The SUCI contains at least the encrypted form of the part of the SUPI other than the SUPI type.
Step 202: After receiving the first authentication request message, the AUSF determines from the serving network name carried in it whether the serving network is allowed to access; if so, the AUSF sends a first get request message (UEAuthentication_Get Request) to the UDM.
Step 203: The UDM receives the first get request message from the AUSF, generates a first authentication vector from it, and sends a first get response message to the AUSF in response.
The first get response message includes the first authentication vector and the user identity.
In one implementation the user identity is a SUCI; the UDM de-conceals the SUCI to obtain the permanent identity (SUPI) of the user equipment, selects the authentication method based on the SUPI, and generates the first authentication vector. Optionally the authentication method is EAP-AKA' or 5G AKA. 5G AKA is used as the example below.
The UDM generates the first authentication vector according to 5G AKA; it includes RAND, AUTN, XRES* and KAUSF. RAND is a random number; KAUSF is an intermediate key generated for the AUSF of the home network; XRES* is the expected response, computed with the key derivation function (KDF), i.e. the expected UE authentication response parameter that is compared with the response RES* returned by the UE to decide whether authentication succeeded; AUTN is the authentication token, the parameter the network provides to the UE so that the UE can authenticate the home network.
Step 204: The AUSF receives the first get response message from the UDM, generates a second authentication vector, and sends a second authentication response message, which includes the second authentication vector, to the AMF.
After receiving the first get response message, the AUSF temporarily stores XRES* and the user's permanent identity SUPI, computes the second authentication vector, and sends the second authentication response to the AMF. The second authentication vector includes RAND, AUTN and HXRES*.
Specifically, the AUSF computes HXRES* from XRES* and replaces XRES* with HXRES* to obtain the second authentication vector.
Step 205: The AMF receives the second authentication response message and sends a second authentication request message to the UE. The second authentication request message triggers mutual authentication with the network on the UE side and carries RAND and AUTN.
Step 206: The UE receives the second authentication request message from the AMF and verifies whether the network is genuine. If it determines that the network is genuine, the UE sends a second authentication response message, which includes the authentication response RES*, to the AMF.
Step 207: After receiving RES*, the AMF sends a third authentication request message, which includes the RES* received from the UE, to the AUSF.
The AMF computes HRES* from RES* and compares it with the stored HXRES*; if they match, the AMF considers the UE genuine. The AMF then sends the third authentication request message to deliver the RES* received from the UE to the AUSF.
Step 208: After receiving the third authentication request message, the AUSF compares RES* with the stored XRES*; if they match, the UE is considered successfully authenticated. The AUSF may send a third authentication response message, which includes the AUSF's authentication result, to the AMF.
In the above authentication method, the AMF of the serving network may trigger authentication of the UE during any procedure in which it establishes a signalling connection with the UE.
In one implementation the AMF receives a registration request from the user equipment and initiates authentication of the UE. Optionally the AMF receives the initial registration request from the user equipment via the RAN; the request carries a user equipment identifier (for example a SUCI), and the AMF determines from the SUCI whether the corresponding user equipment is allowed to access the serving network.
In another implementation a pre-configured policy in the AMF triggers authentication of the UE; for example, according to local policy the AMF triggers authentication of the UE when the NAS COUNT is about to wrap around.
In another implementation, for example when the UE moves from 4G to 5G and the AMF has a 5G native security context, the AMF may trigger the primary authentication procedure.
In another triggering method the UDM requests the AMF serving the UE to initiate authentication of the UE, and the AMF triggers the primary authentication procedure in response. For example, based on the UDM's request, the AMF runs the authentication procedure of steps 201 to 208 above.
In yet another triggering method the AUSF requests the AMF serving the UE to initiate authentication of the UE, and the AMF initiates the primary authentication procedure in response, running steps 201 to 208 above. The difference from the UDM-requested case is that, before requesting authentication from the AMF, the AUSF must first obtain from the UDM the information about the AMF serving the UE.
All of the above authentication methods are, in essence, started by the AMF of the serving network sending a message to the AUSF. When the AUSF or the UDM requests the AMF to initiate authentication of the UE, the procedure is comparatively complex and the signalling overhead is high.
In view of this, the present application provides a method in which a functional network element of the home network sends a message to the AMF and directly starts authentication of the UE. In other words, the initiation point of the authentication procedure is a functional network element of the home network rather than the AMF of the serving network.
Authenticating the UE means that the core network performs security authentication of the UE and confirms that it is genuine and trustworthy; at the same time the UE can authenticate that the network is genuine. If the home network determines that the UE needs to be authenticated, the home network initiates the home network authentication procedure, in which a home network functional element directly starts authenticating the UE: when the home network determines that the UE must be authenticated, it proactively sends an authentication vector to the AMF, which forwards it to the UE so that authentication is performed.
With reference to Fig. 3, this embodiment provides a method in which authentication is initiated by a first functional network element of the home network; in this method the first functional network element is the AUSF. The method includes, but is not limited to:
Step 301. The AUSF determines whether the UE needs to be authenticated.
The AUSF makes this determination based on local policy or on a request from a third functional network element, where the third functional network element is a core network element other than the AUSF.
In one implementation the AUSF determines whether the UE needs to be authenticated according to local policy.
Optionally, the local policy may be: when the AUSF finds that the steering of roaming (SoR) counter value or the UE parameters update via UDM (UPU) counter value is about to wrap around, the AUSF determines that the UE needs to be authenticated.
Optionally, the local policy may be: when the AUSF finds that the usage time of KAUSF exceeds or is about to exceed the time set by operator policy, it determines that the UE needs to be authenticated. Specifically, a timer bound to the UE's permanent identity SUPI records the usage time of KAUSF; when the usage time it records exceeds or is about to exceed a preset value, the AUSF determines that the UE needs to be authenticated.
Optionally, the local policy may be: when the AUSF finds that the interval since the last successful authentication of the UE exceeds or is about to exceed the time set by operator policy, it determines that the UE needs to be authenticated. Specifically, a timer bound to the UE's permanent identity SUPI records the interval since the last successful authentication; it starts when the AUSF determines that authentication of the UE succeeded, and when the interval it records exceeds or is about to exceed a preset interval value, the AUSF determines that the UE needs to be authenticated.
In a further implementation the AUSF receives a parameter request message from the third functional network element. The parameter request message requests a parameter from the AUSF, or requests that the AUSF authenticate the UE.
The parameter request message includes at least the user's permanent identity SUPI. For example, it may request KAKMA; as another example, it may request SoR data protection or UPU data protection.
The third functional network element is a core network functional element other than the AUSF, for example the AAnF, the UDM or an AF.
Optionally, the third functional network element is the AAnF, which sends a KAKMA update request message to the AUSF to request a new KAKMA key; for example, the update request message is Nausf_AKMA_AnchorKey_Refresh. The AUSF determines from this message whether KAKMA needs updating and, if so, determines that the UE needs to be authenticated.
Optionally, the third functional network element is the UDM, which sends an SoR protection request message or a UPU protection request message to the AUSF; the data carried in the request must be protected with KAUSF. When the AUSF finds that KAUSF needs to be renewed, or that no KAUSF is stored locally, it determines that the UE needs to be authenticated. Specifically, the request message is a Nausf_SoRProtection message or a Nausf_UPUProtection message.
Optionally, the third functional network element is the UDM: when the UDM receives a KAKMA update request from the AAnF, it sends a request message to the AUSF to request a KAKMA update, for example a Nausf_AKMA_KAKMA_Refresh message. The AUSF determines whether KAKMA needs updating and, if so, determines that the UE needs to be authenticated. Optionally the Nausf_AKMA_KAKMA_Refresh message also carries an AAnF ID indicating which AAnF requested the key update, so that the AUSF can later send the updated KAKMA directly to that AAnF.
Optionally, the third functional network element is the UDM: when the UDM receives a request message from a fourth functional network element to update the KAF key, it sends a KAF update request message to the AUSF requesting a new KAF key; if the AUSF determines that the KAKMA corresponding to KAF must be updated, it determines that the UE needs to be authenticated. For example, the fourth functional network element is the AAnF, an AF inside the 3GPP network or an AF outside it; an external AF requests the KAF update through the NEF. The update request message is a Nausf_AKMA_KAF_Refresh message.
Optionally, the third functional network element is an AF inside the 3GPP network, or the NEF used by an AF outside it. When the AF or NEF requests a KAF update, it sends a request message to the AUSF requesting the update; if the AUSF determines that the KAKMA corresponding to KAF must be updated, it determines that the UE needs to be authenticated. The update request message is a Nausf_AKMA_KAF_Refresh message.
Optionally, the third functional network element is an AF inside the 3GPP network, or the NEF used by an external AF, and the AUSF receives from it a request message requesting authentication of the UE; in response the AUSF determines that the UE needs to be authenticated. The request message is a Nausf_UEAuthentication_Authenticate Request message.
Optionally, the third functional network element is the UDM: when the UDM receives a request to authenticate the UE from a fourth functional network element, the UDM determines that the UE needs to be authenticated. For example, the fourth functional network element is the AAnF, an AF inside the 3GPP network or an external AF; an external AF requests authentication of the UE through the NEF.
In a third implementation the AUSF decides whether the UE needs to be authenticated by combining local policy with the request message from the third functional network element.
Optionally, the third functional network element is the AAnF, which sends a KAKMA update request message to the AUSF requesting a new KAKMA key, for example a Nausf_AKMA_AnchorKey_Refresh message. After receiving it, the AUSF further decides according to local policy whether to authenticate the UE.
Further, the local policy may be whether the interval since the last successful authentication exceeds or is about to exceed the time set by operator policy: if the interval is below the preset value, the AUSF determines that the UE need not be authenticated; if it exceeds the preset value, the AUSF determines that the UE needs to be authenticated.
Further, the local policy may compare the locally stored KAKMA with the KAKMA sent by the AAnF: if they are the same, the AUSF determines that the UE is to be authenticated; if they differ, it determines that the UE is not to be authenticated.
Further, the local policy may compare the locally stored KAKMA key identifier with the KAKMA key identifier sent by the AAnF: if they are the same, the AUSF determines that the UE is to be authenticated; if they differ, it determines that the UE is not to be authenticated. The KAKMA key identifier is generated by the AUSF to identify KAKMA; for example it may be a 3-bit key identifier, or the AKMA key identifier (A-KID).
Optionally, the third functional network element is an AF inside the 3GPP network, or the NEF used by an external AF, and the AUSF receives from it an authentication request message requesting authentication of the UE. According to local policy the AUSF checks whether the UE was just authenticated, or whether the interval since the UE's last successful authentication is still within the validity period; if it is not, the AUSF determines that the UE needs to be authenticated. For example, the message is a Nausf_UEAuthentication_Authenticate Request message.
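The step 301 decision above (local policy alone, a third functional network element's request, or the two combined), as an added Python model that is not part of the patent; the counter width, the "about to wrap" margin and the operator time limits are assumed values, and the UDM-side policies of step 501 can be modelled the same way.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

COUNTER_MAX = 0xFFFF            # assumed 16-bit SoR / UPU counters
WRAP_MARGIN = 16                # "about to wrap": this close to the maximum
KAUSF_MAX_AGE = 24 * 3600       # assumed operator limit on KAUSF use, seconds
AUTH_MAX_INTERVAL = 12 * 3600   # assumed limit since the last success, seconds


@dataclass
class UeContext:
    """State the AUSF keeps per SUPI; both timers are bound to the SUPI."""
    supi: str
    sor_counter: int = 0
    upu_counter: int = 0
    kausf_created_at: Optional[float] = None     # None: no KAUSF stored
    last_auth_success_at: Optional[float] = None
    k_akma_id: Optional[str] = None              # identifier of the current KAKMA


def _near_wrap(counter: int) -> bool:
    return COUNTER_MAX - counter <= WRAP_MARGIN


def _kausf_expired(ctx: UeContext, now: float) -> bool:
    return ctx.kausf_created_at is None or now - ctx.kausf_created_at >= KAUSF_MAX_AGE


def _auth_stale(ctx: UeContext, now: float) -> bool:
    return ctx.last_auth_success_at is None or now - ctx.last_auth_success_at >= AUTH_MAX_INTERVAL


def local_policy_decision(ctx: UeContext, now: float) -> Tuple[bool, str]:
    """First implementation: local policy only; any single trigger is enough."""
    if _near_wrap(ctx.sor_counter) or _near_wrap(ctx.upu_counter):
        return True, "sor_or_upu_counter_near_wrap"
    if _kausf_expired(ctx, now):
        return True, "kausf_missing_or_expired"
    if _auth_stale(ctx, now):
        return True, "last_authentication_too_old"
    return False, "no_trigger"


def request_decision(ctx: UeContext, request: dict, now: float) -> Tuple[bool, str]:
    """Second and third implementations: a third-NE request, refined by local policy."""
    service = request["service"]
    if service == "Nausf_AKMA_AnchorKey_Refresh":
        # AAnF wants a new KAKMA. If the key identifier it presents equals ours,
        # its key is current and only a fresh primary authentication yields a
        # new KAUSF and KAKMA; if it differs, the AAnF is behind and the stored
        # key can be served without re-authenticating.
        if "k_akma_id" in request:
            same = request["k_akma_id"] == ctx.k_akma_id
            return same, ("akma_key_id_matches" if same else "akma_key_id_differs")
        # No identifier presented: fall back to the time-since-last-success policy.
        stale = _auth_stale(ctx, now)
        return stale, ("interval_exceeded" if stale else "interval_within_limit")
    if service in ("Nausf_SoRProtection", "Nausf_UPUProtection"):
        # The payload must be protected with KAUSF: authenticate if none, or expired.
        expired = _kausf_expired(ctx, now)
        return expired, ("kausf_missing_or_expired" if expired else "kausf_usable")
    if service == "Nausf_UEAuthentication_Authenticate":
        # AF or NEF asks for authentication: skip it if the last one is still valid.
        stale = _auth_stale(ctx, now)
        return stale, ("last_authentication_too_old" if stale else "recently_authenticated")
    raise ValueError(f"unsupported service {service!r}")


def needs_authentication(ctx: UeContext, now: float,
                         request: Optional[dict] = None) -> Tuple[bool, str]:
    """Step 301 entry point: request-driven when a request is present, else local policy."""
    if request is None:
        return local_policy_decision(ctx, now)
    return request_decision(ctx, request, now)
```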
Step 302. If the terminal needs to be authenticated, the AUSF obtains authentication material.
Note that in this embodiment "obtaining" is to be understood as "actively obtaining", including but not limited to the AUSF actively retrieving the material from its locally stored context or actively sending an authentication material get request message. "Obtaining" may also be understood as the AUSF receiving the authentication material, directly or indirectly, from a fourth functional network element, i.e. the functional network element that stores or generates the authentication material.
Authentication material is material used, directly or indirectly, to generate an authentication vector. It includes, but is not limited to, one or more of: serving network name (SN name), serving network identifier (SN ID), network identifier (NID), MCC or MNC.
For example, when the authentication material is the SN Name, it can be used directly to generate the authentication vector. The SN Name is generated from the SN ID; for instance, the SN Name may be the SN ID concatenated with the string "5G" using ":", i.e. 5G:SN ID, and the SN ID may be the concatenation of MCC and MNC. The network identifier identifies the network the UE is in. This embodiment restricts neither the method of generating the SN Name nor the specific format of the SN ID.
For example, when the authentication material is MCC and MNC, the AUSF can derive the SN Name from them, and the SN Name is ultimately used to obtain the authentication vector. Specifically, the AUSF can take the MCC and MNC from the UE's permanent identity SUPI.
For example, when the authentication material is MCC and MNC, the AUSF can first obtain the SN ID from them and then concatenate the SN ID with "5G" to obtain the SN Name.
For example, when authentication takes place in a private network scenario, the AUSF can construct the authentication material according to that scenario: if the SN Name must include an NID, the AUSF can retrieve the NID corresponding to the SUPI from local storage.
In one implementation the AUSF retrieves the authentication material needed to authenticate the UE from its locally stored context. For example, the authentication request message the AMF sent to the AUSF in the previous authentication included the SN_name, which was stored in the local context.
In another implementation the AUSF obtains the authentication material from the fourth functional network element, i.e. the functional network element that stores it.
In a specific implementation the fourth functional network element is the AMF, and the AUSF sends an AMF ID request message to the UDM to request information about the AMF serving the UE.
The AMF ID request message carries the permanent identity SUPI of the UE to be authenticated.
Optionally, the AMF ID request message carries indication information indicating that the request is for the ID of the AMF serving the UE.
Optionally, the AMF ID request message itself lets the UDM know that its purpose is to request the ID of the AMF serving the UE; for example, the message is a Nudm_UECM Request message, a Nudm_UEAuthentication Get Request message or a Nudm_HNAuthentication Get Request message, where HNAuthentication stands for the home network authentication service. In different embodiments that service may belong to different network elements: it may be a service of the AMF, of the AUSF or of the UDM; this embodiment does not restrict it.
Correspondingly, the UDM receives the AMF ID request message, determines the AMF ID from the SUPI, and sends an AMF ID response message carrying the AMF ID to the AUSF. The AMF ID response message is a Nudm_UECM Response message, a Nudm_UEAuthentication Get Response message or a Nudm_HNAuthentication Get Response message.
The AUSF identifies the AMF from the AMF ID and sends it an SN Name get request message, which carries the SUPI and requests authentication material such as the SN Name. This message is a Namf_UEAuthentication_Authenticate message, a Nausf_UEAuthentication_Authenticate Request message, a Nausf_HNAuthentication_Authenticate Request message, a Namf_HNAuthentication_Authenticate Request message, or a Namf_HNAuthentication_Get Request message.
After receiving the SN Name get request message, the AMF confirms that it is serving that SUPI and then sends the SN Name to the AUSF.
Optionally, the AMF sends the SN Name to the AUSF in the response to the SN Name get request message, for example a Namf_UEAuthentication_Authenticate Response, a Nausf_UEAuthentication_Authenticate Response message, a Nausf_HNAuthentication_Authenticate Response message, a Namf_HNAuthentication_Authenticate Response message or a Namf_HNAuthentication_Get Response message.
Optionally, that message also carries the SUPI.
Optionally, the AMF may also send the SN Name in an AUSF authentication request message, for example Nausf_UEAuthentication_Authenticate Request; in that case the message also carries the SUPI.
The above procedure can be understood as follows: once the AUSF has decided to authenticate the terminal, it sends a get request message to the fourth functional network element to obtain the authentication material, and the fourth functional network element responds by sending the stored or generated authentication material to the AUSF.
Step 303. The AUSF obtains a first authentication vector according to the authentication material.
The AUSF obtains the first authentication vector from the UDM using the authentication material: the AUSF sends the authentication material to the UDM, and the UDM generates the first authentication vector from it and sends it to the AUSF. In one implementation this step includes:
Step 303a: The AUSF sends an authentication vector request message to the UDM. The message includes the authentication material and the SUPI; specifically, the authentication material may be the SN_name. Optionally the message also carries indication information indicating that the first authentication vector for the SUPI is requested.
The authentication vector request message is a Nudm_UEAuthentication_Get Request message, a Nudm_HNAuthentication Get Request message or a Nausf_HNAuthentication_Authenticate Request message; it carries the authentication material and the UE's permanent identity.
Step 303b: The UDM generates the first authentication vector according to the SUPI.
The UDM determines the authentication method from the SUPI and generates the first authentication vector from the authentication material.
Optionally, the authentication method is EAP-AKA' or 5G AKA.
For 5G-AKA, the first authentication vector includes the random number RAND, the first authentication token AUTN, the first expected response XRES* and the authentication server key KAUSF.
For EAP-AKA', the first authentication vector includes the random number RAND, the second authentication token AUTN, the second expected response RES*, the cipher key CK and the integrity key IK.
Many authentication methods are possible; this embodiment only uses EAP-AKA' and 5G AKA as examples and restricts neither the authentication method nor the first authentication vector.
Step 303c: The AUSF receives an authentication vector response message, which includes the first authentication vector, from the UDM.
The authentication get response message may be a Nudm_UEAuthentication_Get message, a Nudm_HNAuthentication Get Response message or a Nausf_HNAuthentication_Authenticate Request message; this embodiment does not restrict the specific message name.
Optionally, the authentication get response also includes the SUPI.
Step 304. After receiving the authentication get response message from the UDM, the AUSF sends a first authentication request message to the AMF to trigger authentication of the UE by the serving network. The first authentication request message includes a second authentication vector and, optionally, the user's permanent identity.
The first authentication request message tells the AMF to run the procedure for authenticating the UE; it is a service-based request message, for example a NAMF_UEAuthentication_Request message, a Nausf_UEAuthentication Authenticate Request message, a Nausf_UEAuthentication Authenticate Response message, a Namf_HNAuthentication_Authenticate Request message or a Nausf_HNAuthentication_Authenticate Request message.
When the first authentication request message is a Namf_HNAuthentication_Authenticate Request, the AUSF is using the AMF's home network authentication service and the message is the home network's request to authenticate the UE. The AMF must then check whether the message comes from a functional network element of the home network, for example whether it comes from the AUSF or the UDM: if so, the AMF processes the message and performs step 305; if not, it discards the message.
When the first authentication request message is a Nausf_HNAuthentication_Authenticate Request, the AUSF is using its own service and the message is the home network's request to authenticate the UE. Again the AMF must check whether the message comes from a functional network element of the home network, for example the AUSF or the UDM: if so, it processes the message and performs step 305; if not, it discards the message.
When the first authentication request message is a NAMF_UEAuthentication_Request, the AUSF is using the AMF's service and the message requests authentication of the UE. Again the AMF must check whether the message comes from a functional network element of the home network, for example the AUSF or the UDM: if so, it processes the message and performs step 305; if not, it discards the message.
When the first authentication request message is a Nausf_UEAuthentication Authenticate Request message, it belongs to the AUSF's UEAuthentication service and is a request message. Because Nausf_UEAuthentication is an existing AUSF service, it can be reused for compatibility with the existing technology and to avoid development complexity. Note, however, that in the existing technology the AUSF delivers the second authentication vector to the AMF in the response message of the Nausf_UEAuthentication Authenticate service, i.e. the Nausf_UEAuthentication Authenticate Response message, whereas this embodiment uses the request message of that service. The AMF receives the first authentication request message and checks whether it comes from the AUSF or the UDM: if so, it performs step 305; otherwise it discards the first authentication request message and raises an alarm.
The first authentication request message may also be a Nausf_UEAuthentication Authenticate Response message; the difference from the existing technology is that here the first authentication request message is not sent as the response to a request message.
The first authentication vector and the second authentication vector may be the same or different.
For example, if the authentication method used in step 303 is 5G-AKA, the first and second authentication vectors differ: the second authentication vector includes RAND, AUTN and HXRES*, where HXRES* is derived from XRES*.
For example, if the authentication method used in step 303 is EAP-AKA', the first and second authentication vectors are the same: the second authentication vector includes RAND, the second authentication token AUTN, the second expected response RES*, the cipher key CK and the integrity key IK. In this step, the first authentication request message sent by the AUSF to the AMF is the starting point that triggers authentication of the UE, after which the rest of the UE authentication procedure runs; in the methods described earlier, the AMF was the starting point that triggered authentication of the UE.
The AUSF stores RES* locally as the saved authentication response.
Step 305. The AMF sends a second authentication request message to the UE.
After receiving the first authentication request message, the AMF sends the UE a second authentication request message, which includes all or some of the parameters of the second authentication vector.
Optionally, before sending the second authentication request message, the AMF first confirms that it is still serving the UE.
In one implementation the second authentication request message is an Authentication Request.
In another implementation the second authentication request message is a DL (Downlink) NAS Transport NAS message that conveys the second authentication vector and carries, alongside it, indication information telling the UE that the message carries parameters for authenticating the UE. The indication may be a binary bit or a string; for example, when the message carries "authentication", the UE knows that the DL NAS Transport NAS message is meant to trigger mutual authentication.
Step 306. The UE verifies from the parameters carried in the second authentication request message whether the network is genuine. If it determines that the network is genuine, the UE sends the AMF a second authentication response message, which carries the authentication response RES*.
In one implementation the second authentication response message is an Authentication Response.
In another implementation the second authentication response message is a UL (Uplink) NAS Transport NAS message.
Step 307. After receiving the second authentication response message, the AMF sends the AUSF a first authentication response message, which responds to the first authentication request message and includes the authentication response.
Correspondingly, the first authentication response message is a NAMF_UEAuthentication_Response message, a Nausf_UEAuthentication Authenticate Response message, a Nausf_UEAuthentication Authenticate Request, a Nausf_HNAuthentication_Authenticate Response message or a Namf_HNAuthentication_Authenticate Response message. For the NAMF_UEAuthentication and Nausf_UEAuthentication services, see the description in step 304.
Step 308. The AUSF authenticates the UE: it compares the received authentication response with the locally saved authentication response and, if they match, considers the UE successfully authenticated.
For the specifics of how steps 305 to 308 determine from the second authentication vector that UE authentication succeeded, see clause 6.1 of 3GPP TS 33.501; they are not repeated here.
In the authentication method of steps 301 to 308, when the AUSF determines from local policy or from a request of the third functional network element that the terminal needs to be authenticated, it actively obtains the authentication material from its locally stored context or from the fourth functional network element, obtains the authentication vector generated from that material, and sends the first authentication request message to the AMF to trigger authentication of the UE. Unlike the earlier methods in which the AMF initiates the authentication procedure, the initiation point here is the AUSF of the home network rather than a request from the AMF. The AUSF therefore no longer depends on an AMF request to trigger authentication of the UE, which reduces the signalling between the AMF and the AUSF.
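The Fig. 2 exchange (steps 201 to 208) and the AUSF-initiated variant of steps 302 to 308, including the AMF's check that a first authentication request comes from a home network element, as an added Python model that is not the patent's code. The key derivations are HMAC-SHA256 stand-ins for the 3GPP KDFs, the SN Name layout is the one the description gives ("5G:" + MCC + MNC, with an NID appended for a private network), and HXRES* is the 128-bit SHA-256 truncation of RAND||XRES* from TS 33.501 Annex A.5.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

HOME_NETWORK_NFS = {"AUSF", "UDM"}   # producers the AMF accepts in step 304

def kdf(key: bytes, *parts: bytes) -> bytes:
    # Stand-in for the 3GPP KDFs: HMAC-SHA256 over the concatenated inputs.
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def sn_name_from_supi(supi: str, mnc_len: int = 2, nid: Optional[str] = None) -> str:
    """SN Name as described: '5G:' + SN ID, SN ID = MCC||MNC, NID appended for a private network."""
    if not supi.startswith("imsi-"):
        raise ValueError("only IMSI-based SUPI handled here")
    digits = supi[len("imsi-"):]
    sn_id = digits[:3] + digits[3:3 + mnc_len]      # MCC is always 3 digits
    return f"5G:{sn_id}" if nid is None else f"5G:{sn_id}:{nid}"

def hxres_star(rand: bytes, xres_star: bytes) -> bytes:
    # HXRES* = 128 leftmost bits of SHA-256(RAND || XRES*), TS 33.501 Annex A.5.
    return hashlib.sha256(rand + xres_star).digest()[:16]

class Udm:
    def __init__(self, keys: Dict[str, bytes], serving_amf: Dict[str, str]):
        self.keys, self.serving_amf = keys, serving_amf   # K and AMF ID per SUPI

    def get_amf_id(self, supi: str) -> str:               # AMF ID request, step 302
        return self.serving_amf[supi]

    def generate_av(self, supi: str, sn_name: str) -> dict:   # first AV, step 303b
        k, rand, sn = self.keys[supi], os.urandom(16), sn_name.encode()
        res = kdf(k, b"RES", rand)
        return {"RAND": rand, "AUTN": kdf(k, b"MAC", rand),      # simplified token
                "XRES*": kdf(k, b"RES*", sn, rand, res),          # bound to SN Name
                "KAUSF": kdf(k, b"KAUSF", sn, rand)}

class Ue:
    def __init__(self, k: bytes):
        self.k = k

    def authenticate_network(self, rand: bytes, autn: bytes, sn_name: str) -> Optional[bytes]:
        # Step 306: verify the network's token; None means "network not genuine".
        if not hmac.compare_digest(autn, kdf(self.k, b"MAC", rand)):
            return None
        return kdf(self.k, b"RES*", sn_name.encode(), rand, kdf(self.k, b"RES", rand))

class Amf:
    def __init__(self, sn_name: str, ues: Dict[str, Ue]):
        self.sn_name, self.ues, self.alarms = sn_name, ues, []

    def get_sn_name(self, supi: str) -> Optional[str]:     # SN Name request, step 302
        return self.sn_name if supi in self.ues else None

    def handle_first_auth_request(self, producer_nf: str, supi: str, av: dict) -> dict:
        # Steps 304-307: origin check, still-serving check, UE round trip, HXRES* check.
        if producer_nf not in HOME_NETWORK_NFS:
            self.alarms.append(f"auth request for {supi} from non-home NF {producer_nf}")
            return {"status": "discarded"}
        ue = self.ues.get(supi)
        if ue is None:
            return {"status": "not_serving"}
        res_star = ue.authenticate_network(av["RAND"], av["AUTN"], self.sn_name)
        if res_star is None:
            return {"status": "ue_reject"}
        if not hmac.compare_digest(hxres_star(av["RAND"], res_star), av["HXRES*"]):
            return {"status": "amf_reject"}
        return {"status": "ok", "RES*": res_star}          # first auth response, step 307

class Ausf:
    def __init__(self, udm: Udm, amfs: Dict[str, Amf]):
        self.udm, self.amfs = udm, amfs
        self.context: Dict[str, str] = {}    # SN Name kept from an earlier run
        self.kausf: Dict[str, bytes] = {}

    def obtain_material(self, supi: str) -> str:           # step 302
        if supi not in self.context:                        # else ask UDM, then AMF
            sn_name = self.amfs[self.udm.get_amf_id(supi)].get_sn_name(supi)
            if sn_name is None:
                raise LookupError("serving AMF does not know this SUPI")
            self.context[supi] = sn_name
        return self.context[supi]

    def home_initiated_authentication(self, supi: str) -> bool:
        # Steps 302-308 driven from the AUSF; no request from the AMF is needed.
        sn_name = self.obtain_material(supi)
        av = self.udm.generate_av(supi, sn_name)            # step 303
        second_av = {"RAND": av["RAND"], "AUTN": av["AUTN"],
                     "HXRES*": hxres_star(av["RAND"], av["XRES*"])}
        amf = self.amfs[self.udm.get_amf_id(supi)]
        reply = amf.handle_first_auth_request("AUSF", supi, second_av)   # step 304
        if reply["status"] != "ok":
            return False
        if not hmac.compare_digest(reply["RES*"], av["XRES*"]):          # step 308
            return False
        self.kausf[supi] = av["KAUSF"]
        return True
```

A stale SN Name in the AUSF context makes XRES* and the UE's RES* diverge, so the run fails at the AMF's HXRES* check; this is why step 302 must obtain current material.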
Optionally, when in step 301 the AUSF receives a parameter request from the third functional network element and decides from that parameter request message to authenticate the UE, it must return the parameter to the third functional network element.
If in step 301 the AUSF receives a service parameter request message from the third functional network element, the AUSF must also reply with a parameter response message to the third functional network element. There are three cases:
In the first case, the AUSF sends the parameter response message directly to the third functional network element; it carries the requested parameter or the authentication result.
For example, when the third functional network element is the AAnF and the parameter request message asks for a new KAKMA key, then after successfully authenticating the UE the AUSF generates the new KAKMA key from the KAUSF produced in that authentication and carries the new KAKMA key in the parameter response message.
For example, when the third functional network element is the UDM and the parameter request message it sends to the AUSF asks for SoR or UPU protection, the AUSF decides to authenticate the UE and, after success, protects the SoR data or UPU data with the newly generated KAUSF and sends the protection result to the UDM in the parameter response message.
For example, when the third functional network element is the UDM and the parameter request message asks for a new KAKMA, the AUSF decides to authenticate the UE and, after success, generates the new KAKMA key from the KAUSF produced in that authentication and sends it to the UDM in a parameter return message. If the UDM received the KAKMA update request from a fourth functional network element such as the AAnF, it forwards the new KAKMA key to that AAnF.
For example, when the third functional network element is an AF inside the 3GPP network, or the NEF used by an external AF, and the parameter request message asks for authentication of the UE, the AUSF decides to authenticate the UE and, after success, sends a parameter return message to the UDM; optionally the message carries the authentication result.
For example, when the third functional network element is the UDM and the UDM received from a fourth functional network element a request message asking for authentication of the UE, the AUSF decides to authenticate the UE and, after success, sends a parameter return message to the UDM; optionally the message carries the authentication result, and the UDM then informs the fourth functional network element of the result.
In the second case, the AUSF sends the third functional network element a parameter response message that only acknowledges receipt of the parameter request message. After successfully authenticating the UE, the AUSF sends the parameter requested in the parameter message, or the authentication result, directly to the fourth functional network element or to a network element of the same type.
First example: the third functional network element is the UDM, which sends the AUSF a protection message requesting protection of SoR data or UPU data. On receiving it, the AUSF decides to authenticate the UE because the locally stored KAUSF has expired or is about to expire, or no KAUSF is stored. At the same time the AUSF sends the UDM a parameter response message indicating that the request failed; optionally the parameter return message carries a cause value telling the UDM that there is no KAUSF, or that KAUSF has expired or is about to expire. The UDM can reissue the request later, for example after it determines that the UE was successfully authenticated. This embodiment restricts neither the order between the AUSF's decision to authenticate the UE and its failure reply, nor how the UDM determines that the UE was successfully authenticated.
Second example: the third functional network element is the UDM and the request message asks for a KAKMA update. After receiving it, the AUSF decides to authenticate the UE and at the same time sends the UDM a parameter return message acknowledging receipt of the parameter request message. After successfully authenticating the UE, the AUSF generates the new KAKMA key from the KAUSF produced in that authentication and sends it directly to the AAnF, which may be the AAnF that requested the KAKMA key from the UDM or another AAnF; if the UDM included an AAnF ID in the parameter request message, the AUSF can send KAUSF to the AAnF identified by that AAnF ID. This embodiment does not restrict the order between the AUSF's decision to authenticate the UE and the parameter response message.
Third example: the third functional network element is the UDM, which received from a fourth functional network element a request message asking for authentication of the UE. The AUSF decides to authenticate the UE and, after success, sends the UDM a parameter return message acknowledging receipt of the parameter request message.
With reference to Fig. 4, the present application provides another method in which a functional network element of the home network triggers authentication; it differs from the method of Fig. 3 in that, in this embodiment, the UDM obtains the authentication material. The method includes, but is not limited to:
Step 401. The AUSF determines whether the UE needs to be authenticated.
See step 301; not repeated here.
Step 402. If the terminal needs to be authenticated, the AUSF sends the UDM a get request message requesting the first authentication vector. The get request message includes the SUPI.
Optionally, the get request message also includes indication information telling the UDM that the UE needs to be authenticated. The indication may be a bit indication or a predetermined SN-Name value, for example an SN-Name whose bits are all 0 or all 1.
For example, the get request message is a Nudm_UEAuthentication_Get Request message or a Nudm_HNAuthentication Get Request message.
Step 403. After receiving the get request message, the UDM obtains the authentication material.
Optionally, after receiving the get request message and before obtaining the authentication material, the UDM determines that the UE needs to be authenticated; see the description of step 501 below.
The UDM can obtain the authentication material directly from locally stored information, or from a fourth functional network element, for example the AMF.
In one implementation the UDM stores the authentication material locally and retrieves it from local storage; for example, the SN_name used in the previous authentication is stored in the UDM's local context.
As another example, the UDM determines from the locally stored context associated with the SUPI the serving network information for the UE, such as the AMF ID or PLMN ID, takes the MCC and MNC from that serving network information, and generates the SN Name from the MCC and MNC.
In another implementation the UDM obtains the authentication material from the fourth functional network element, i.e. the functional network element that stores it.
In a specific implementation the fourth functional network element is the AMF: the UDM takes the information about the AMF currently serving the UE, such as the AMF ID, from the context associated with the SUPI, identifies the AMF from the AMF ID, and sends it an SN Name get request message carrying the SUPI to obtain authentication material such as the SN Name. This message is a Namf_UEAuthentication_Authenticate Request message or a Namf_HNAuthentication_Get Request message.
After receiving the SN Name get request message, the AMF confirms that it is serving that SUPI and then sends the SN Name to the AUSF.
Optionally, the AMF sends the SN Name to the AUSF in the response to the SN Name get request message, for example a Namf_UEAuthentication_Authenticate Response, a Nausf_UEAuthentication_Authenticate Response message or a Namf_HNAuthentication_Get Response message; optionally the message also carries the SUPI.
Optionally, the AMF may also send the SN Name in an AUSF authentication request message, for example Nausf_UEAuthentication_Authenticate Request; in that case the message also carries the SUPI.
The above procedure can be understood as follows: the UDM sends a get request message to the fourth functional network element to obtain the authentication material, and the fourth functional network element responds by sending the stored or generated authentication material to the UDM.
Step 404. The UDM generates the first authentication vector from the obtained authentication material.
The UDM determines the authentication method from the SUPI and generates the first authentication vector from the authentication material.
Step 405. The UDM sends the AUSF a get response message, which includes the first authentication vector.
See step 303c; not repeated here.
Step 406. After receiving the authentication get response message from the UDM, the AUSF sends the AMF a first authentication request message to trigger authentication of the UE. The first authentication request message includes the second authentication vector and, optionally, the user's permanent identity.
See step 304; not repeated here.
Steps 407 to 409 carry out the remaining authentication procedure in the same way as steps 305 to 308; not repeated here.
With reference to Fig. 5, the present application provides another method in which a functional network element of the home network triggers authentication; in this method the first functional network element is the UDM. The method includes, but is not limited to:
Step 501. The UDM determines whether the UE needs to be authenticated.
The UDM makes this determination based on local policy or on a request from a third functional network element, where the third functional network element is a core network element other than the UDM.
In one implementation the UDM determines whether the UE needs to be authenticated according to local policy.
Optionally, the local policy may be: the UDM decides based on whether it has an AUSF ID stored locally. When the UDM wants to send steering of roaming (SoR) data or UPU data to the UE but has no corresponding AUSF ID stored, it cannot find the AUSF that should protect the SoR data or UPU data, and therefore determines that the UE needs to be authenticated. That is, when the UDM determines that no AUSF ID is stored locally, it decides to authenticate the UE.
Optionally, the local policy may be: the UDM decides based on whether the UE has been authenticated by the 5G network. For example, the UE first accessed the 4G core network and later, under 5G coverage, moved from the 4G network to the 5G network and began using it. Under the current standard the AMF need not initiate authentication in this process, so after accessing the 5G network the UE has not been authenticated by it; the UDM can therefore decide to authenticate the UE on the grounds that it has not been authenticated by the 5G network.
Optionally, the local policy may be: the UDM decides based on whether the interval since the last successful authentication meets a preset value. If the UDM finds that the interval since the last successful authentication of the UE exceeds or is about to exceed the time set by operator policy, it determines that the UE needs to be authenticated. Specifically, a timer bound to the UE's permanent identity SUPI records the interval since the last successful authentication; it starts when the AUSF determines that authentication of the UE succeeded, and when the interval it records exceeds or is about to exceed a preset interval value, the AUSF determines that the UE needs to be authenticated.
In a further implementation the UDM receives a parameter request message from the third functional network element; it requests a parameter from the UDM, or requests that the UDM authenticate the UE, and includes at least the user's permanent identity.
For example, the parameter request message may request KAKMA. As another example, the parameter request message is the response to a protection message requesting the sending of SoR data or UPU data, and that response indicates that the request failed: after receiving the parameter request message, the AUSF replies with a response message telling the UDM that the request failed because the locally stored KAUSF has expired or is about to expire, or no KAUSF is stored locally.
The third functional network element is a core network functional element other than the UDM, for example the AAnF, the AUSF or an AF.
For example, when the third functional network element is the AAnF, the AAnF sends the UDM a KAKMA update request message requesting a new KAKMA key. If the AUSF determines that KAKMA needs updating, it determines that the UE needs to be authenticated. Specifically, the KAKMA update request message is a Nudm_AKMA_AnchorKey_Refresh message.
For example, when the third functional network element is the AUSF, the AUSF sends the UDM the result that protection of SoR data or UPU data failed, for example in a Nausf_SoRProtection Response message or a Nausf_UPUProtection Response message. When the UDM receives that message, it determines that the UE needs to be authenticated. Optionally, the Nausf_SoRProtection Response message or Nausf_UPUProtection Response message carries a failure cause value, for example one indicating that there is no KAUSF, and the UDM determines from the failure cause value that the UE needs to be authenticated.
For example, when the third functional network element is the AUSF, the AUSF receives a request message from a fourth functional network element, such as a KAKMA update request message from the AAnF, and sends the UDM a parameter request message requesting authentication of the UE; the UDM determines from that parameter request message that the UE needs to be authenticated. Specifically, the parameter request message is a Nudm_UEAuthentication Get Request message.
For example, when the third functional network element is the AUSF and the AUSF receives from a fourth functional network element, such as the NEF or an AF inside the 3GPP network, a request to update KAF, the AUSF sends the UDM a request message; if the UDM determines that the KAKMA corresponding to KAF must be updated, it determines that the UE needs to be authenticated. Specifically, the request message is a Nudm_UEAuthentication Get Request message.
For example, when the third functional network element is the NEF or an AF inside the 3GPP network, the AF or NEF sends the UDM a request message requesting a KAF update; if the UDM determines that the KAKMA corresponding to KAF must be updated, it determines that the UE needs to be authenticated. For example, the message is a Nudm_UEAuthentication Authenticate Request message.
For example, when the third functional network element is the AUSF and the AUSF receives an authentication request message from a fourth functional network element, such as the NEF or an AF inside the 3GPP network (specifically a Nausf_UEAuthentication_Authenticate Request message), the AUSF then sends the UDM a request message requesting authentication of the UE, and the UDM determines from it that the UE needs to be authenticated. Specifically, that request message is a Nudm_UEAuthentication Get Request message.
In a further implementation the UDM decides whether the UE needs to be authenticated by combining local policy with the request from the third functional network element. In one example, the third functional network element is the AUSF, which sends the UDM a parameter request message requesting authentication of the UE, for example a Nausf_UEAuthentication_Authenticate Request. After receiving it, the UDM further decides according to local policy whether to authenticate the UE; for example, the local policy is whether the interval since the last successful authentication exceeds or is about to exceed the time set by operator policy: if the interval is below the preset value, the UDM decides not to authenticate the UE; if it exceeds the preset value, the UDM decides to authenticate the UE.
Step 502. If the terminal needs to be authenticated, the UDM obtains authentication material.
Note that in this embodiment "obtaining" is to be understood as "actively obtaining", including but not limited to the UDM actively retrieving the material from local storage or actively sending a request message for it. "Obtaining" may also be understood as the UDM receiving the authentication material, directly or indirectly, from a fourth functional network element, i.e. the functional network element that stores or can generate the authentication material.
For the authentication material, see the description of step 302; not repeated here.
For how the UDM obtains the authentication vector, see the description of step 403; not repeated here.
In one implementation the UDM retrieves the authentication material needed to authenticate the UE directly from its locally stored context, for example the SN_name stored in the UDM's local context during the previous authentication.
In another implementation the UDM obtains the authentication material indirectly from its locally stored context, i.e. generates it from that context. For example, when the authentication material is the SN Name, the UDM can take the MCC and MNC from the UE's permanent identity SUPI and generate the SN Name from them; or it can take the MCC and MNC from the stored PLMN ID associated with the SUPI and then obtain the SN Name from them. As another example, in a private network scenario the UDM can construct the authentication material according to that scenario: if the SN Name must include an NID, the UDM can retrieve the NID corresponding to the SUPI from its locally stored context. For how to obtain the SN Name from the MCC and MNC, see the description of step 302; not repeated here.
In another implementation the UDM obtains the authentication material needed to authenticate the UE directly from the fourth functional network element, i.e. the functional network element that stores it.
Optionally, when the fourth functional network element is the AMF, the UDM takes the information about the AMF currently serving the UE, such as the AMF ID, from the context associated with the SUPI, identifies the AMF from the AMF ID, and sends it a first request message carrying the permanent identity SUPI of the UE to be authenticated.
Optionally, the first request message is a Namf_UEAuthentication_Authenticate message, a Nudm_SDM_Get_Response message or a Namf_HNAuthentication_Get Request message. After receiving the first request message, the AMF replies with a first response message carrying the authentication material, for example the SN Name; specifically, the first response message is a Namf_UEAuthentication_Authenticate Response message, a Nudm_SDM_Info message or a Namf_HNAuthentication_Get Response message.
In another implementation, after determining that the UE needs to be authenticated, the UDM sends a fifth functional network element a first request message carrying the permanent identity SUPI of the UE to be authenticated; the first request message asks the serving network to authenticate the UE.
Optionally, the UDM sends the first request message to the fifth functional network element when it has no AUSF ID stored locally.
Optionally, the UDM knows that the authentication material is stored in the fifth functional network element and sends it the first request message, but obtains the authentication material needed to authenticate the UE from the fourth functional network element: in response to the first request message, the fifth functional network element sends the fourth functional network element a second authentication request message carrying the authentication material. For example, the fourth functional network element is the AUSF and the fifth functional network element is the AMF. The first request message is a Namf_UEAuthentication_Authenticate message, a Nudm_SDM_Get_Response message or a Namf_HNAuthentication_Get Request message; after receiving one of these, the AMF sends the AUSF a second authentication request message, a Nausf_UEAuthentication_Authenticate Request message, which carries the SN Name and the SUPI. After receiving it, the AUSF sends the UDM a Nudm_UEAuthentication Get Request carrying the SUPI and the SN Name. Note that this method applies in the following situation: the UDM has decided to authenticate the UE but has no AUSF ID stored locally, so it can only use the locally stored AMF information for the SUPI, such as the AMF ID, to ask the AMF serving the UE to authenticate the UE; after receiving the request message, the AMF selects an AUSF based on the SUPI and starts the procedure of steps 201 to 208.
Optionally, after receiving the first request message, the fifth functional network element replies to the UDM with a first response message acknowledging receipt; it may carry nothing, for example a Namf_UEAuthentication_Authenticate Response message or a Nudm_SDM_Info message. This embodiment does not restrict the order in which the fifth functional network element sends the first response message and the second authentication request message.
This embodiment restricts neither the method of obtaining the authentication material nor the message names.
Step 503. The UDM generates the first authentication vector from the authentication material.
See step 303; not repeated here.
Step 504. After generating the first authentication vector, the UDM sends a first message to the AUSF, and the AUSF receives it. The first message includes the first authentication vector.
Optionally, it may also include the user's permanent identity.
In one possible implementation, when the UDM has not received an authentication get request message from the AUSF, it first identifies the AUSF from the locally stored AUSF ID and then sends the first message to that AUSF; for example, the UDM obtained the authentication material from local storage or directly from the AMF and decided by local policy that the UE needs authentication. The first message is a Nudm_UEAuthentication Get Request, a Nausf_UEAuthentication_Authenticate Request or a Nausf_HNAuthentication_Authenticate Request.
In another possible implementation, when the UDM determined from a request message of the third functional network element that the UE needs to be authenticated and that third functional network element is not the AUSF, the first message is a Nudm_UEAuthentication Get Request, a Nausf_UEAuthentication_Authenticate Request or a Nausf_HNAuthentication_Authenticate Request.
In another possible implementation, when the UDM determined from a request message of the third functional network element that the UE needs to be authenticated and that third functional network element is not the AUSF, the UDM sends the AMF a third authentication request message telling it to run the procedure for authenticating the UE; it is a service-based request message, for example a NAMF_UEAuthentication_Request message, a Nudm_UEAuthentication Authenticate Request message, a Nudm_UEAuthentication Authenticate Response message or a Namf_HNAuthentication_Authenticate Request message.
When the third authentication request message is a Namf_HNAuthentication_Authenticate Request, the UDM is using the AMF's home network authentication service and the message is the home network's request to authenticate the UE. The AMF must check whether the message comes from a functional network element of the home network, for example the AUSF or the UDM: if so, the AMF processes the message and performs step 506; if not, it discards the message.
When the third authentication request message is a NAMF_UEAuthentication_Request, the UDM is using the AMF's service and the message requests authentication of the UE. Again the AMF must check whether the message comes from a functional network element of the home network, for example the AUSF or the UDM: if so, it processes the message and performs step 506; if not, it discards the message.
When the third authentication request message is a Nudm_UEAuthentication Authenticate Request message, it belongs to the UDM's UEAuthentication service and is a request message.
After the UDM sends the third authentication request message to the AMF, the AMF starts step 201, and the UDM may receive the AUSF's request message in step 202. That authentication get request message may be a Nudm_UEAuthentication Get Request message, and the authentication get response message may be a Nudm_UEAuthentication Get Response message.
In another possible implementation, when the UDM has received an authentication get request message from the AUSF, it replies to that AUSF with the first message in response to the authentication get request message; the first message is then an authentication get response message.
This embodiment does not restrict the specific message names.
Step 505. The AUSF sends the AMF a first authentication request message to trigger authentication of the UE. The first authentication request message includes the first authentication vector and, optionally, the user's permanent identity.
See the description of step 304; not repeated here. Steps 506 to 508 carry out the remaining authentication procedure in the same way as steps 305 to 308; not repeated here.
In addition, if in step 501 the UDM received a service parameter request message from the third functional network element, the UDM must also reply to the third functional network element with a parameter response message. If the third functional network element is the AUSF, the parameter response message may be the authentication get response message or a separate message acknowledging receipt. If the third functional network element is the AAnF, an AF or the NEF used by an external AF, and the parameter request message asked for authentication of the UE, the parameter response message may acknowledge receipt or may carry an indication of the authentication result, telling the third functional network element whether authentication succeeded or failed.
Note that this application does not restrict when the UDM sends the parameter request response to the external network element.
Corresponding to the methods of the above method embodiments, the embodiments of this application also provide corresponding apparatuses, which include modules for performing the corresponding embodiments. The modules may be software, hardware, or a combination of software and hardware.
Fig. 6 is a schematic structural diagram of an authentication apparatus provided by an embodiment of this application. The authentication apparatus 600 includes a processing module 610 and a transceiver module 620. The transceiver module 620 performs the operations related to sending and receiving messages in the embodiments of Figs. 2 to 5, and the processing module 610 may perform the operations in those embodiments other than sending and receiving messages.
The communication apparatus may act as the AUSF network element to implement the authentication method of the embodiment shown in Fig. 3. When the authentication apparatus acts as the AUSF network element and performs the method embodiment shown in Fig. 3, for example, the processing module 610 determines whether the terminal needs to be authenticated, obtains authentication material if the terminal needs to be authenticated, and obtains the authentication vector from the authentication material; the transceiver module 620 may send the AMF a first authentication request message, which includes the authentication vector, to trigger authentication of the terminal.
When the authentication apparatus acts as the UDM and performs the method embodiment shown in Fig. 5, for example, the processing module 610 determines whether the terminal needs to be authenticated, obtains authentication material if the terminal needs to be authenticated, and obtains the authentication vector from the authentication material; the transceiver module sends the AMF a first authentication request message, which includes the authentication vector, to trigger authentication of the terminal.
This embodiment also provides another authentication apparatus. As shown in Fig. 7, the authentication apparatus 700 includes a processor 710, a memory 720 and a transceiver 730. The embodiments of this application do not restrict the specific connection medium between the processor 710 and the transceiver 730. Fig. 7 takes as an example their connection through a bus 740, drawn as a thick line; the connections between the other components are illustrative only and not limiting. The bus 740 may comprise an address bus, a data bus, a control bus and so on; for ease of representation only one thick line is drawn in Fig. 7, which does not mean that there is only one bus or one type of bus.
The processor 710 may itself have data transceiving capability and be able to communicate with other devices; in the apparatus of Fig. 7 a separate data transceiving module, such as the transceiver 730, may also be provided for sending and receiving data, and the processor 710 transmits data through the transceiver 730 when communicating with other devices.
The memory 720 stores instructions or programs, which the processor 710 executes. When the instructions or programs stored in the memory are executed, the processor 710 performs the operations performed by the processing module in the above method embodiments, and the communication interface performs the operations performed by the transceiver module in the above embodiments.
A person of ordinary skill in the art will appreciate that the illustrative logical blocks and steps described in connection with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the particular application and the design constraints of the technical solution. Skilled persons may implement the described functions in different ways for each particular application, but such implementations should not be considered beyond the scope of this application.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above can be based on the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a logical functional division, and other divisions are possible in practice; multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units: they may be located in one place or distributed over multiple network units. Some or all of the units may be selected as needed to achieve the purposes of the solutions of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit.
In the above embodiments, the functions of the functional units may be implemented wholly or partly by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented wholly or partly in the form of a computer program product comprising one or more computer instructions (programs); when these computer program instructions (programs) are loaded and executed on a computer, the procedures or functions according to the embodiments of this application are produced wholly or partly. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server or data centre to another by wired (e.g. coaxial cable, optical fibre, digital subscriber line (DSL)) or wireless (e.g. infrared, radio, microwave) means. The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data centre integrating one or more available media; the available medium may be a magnetic medium (e.g. floppy disk, hard disk, magnetic tape), an optical medium (e.g. DVD) or a semiconductor medium (e.g. solid state disk (SSD)).
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application, in essence or in the part that contributes over the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods of the embodiments of this application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing are only specific embodiments of this application, and the scope of protection of this application is not limited to them; any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed in this application falls within the scope of protection of this application. The scope of protection of this application is therefore defined by the scope of protection of the claims.

Claims (15)

  1. An authentication method, characterized in that the method comprises:
    a first functional network element of a home network determining whether a terminal needs to be authenticated;
    if the terminal needs to be authenticated, the first functional network element obtaining authentication material;
    the first functional network element obtaining a first authentication vector according to the authentication material;
    the first functional network element sending a first authentication request message to an access and mobility management network element to trigger authentication of the terminal, wherein the first authentication request message comprises the first authentication vector.
  2. The authentication method according to claim 1, characterized in that the first functional network element determining whether the terminal needs to be authenticated comprises:
    the first functional network element receiving a service request from a third functional network element, the service request requesting a specified service from the first functional network element;
    in response to the service request of the third functional network element, the first functional network element determining whether the terminal needs to be authenticated.
  3. The authentication method according to claim 1, characterized in that the first functional network element is an authentication server function network element, and the first functional network element obtaining the authentication material comprises:
    the first functional network element obtaining the authentication material from a stored context;
    or the first functional network element obtaining the authentication material from a fourth functional network element, the fourth functional network element being a network element that stores the authentication material.
  4. The authentication method according to claim 3, characterized in that the first functional network element obtaining the first authentication vector according to the authentication material comprises:
    the authentication server function network element sending an authentication vector request message to a unified data management network element, wherein the authentication vector request message comprises the authentication material;
    the authentication server function network element receiving an authentication vector response message from the unified data management network element, the authentication vector response message comprising the first authentication vector.
  5. The authentication method according to claim 1, characterized in that the first functional network element is a unified data management network element, and the first functional network element obtaining the authentication material comprises:
    the first functional network element obtaining the authentication material from a stored context;
    or, the first functional network element obtaining the authentication material from a fourth functional network element, the fourth functional network element being a network element that stores the authentication material.
  6. The authentication method according to claim 5, characterized in that the first functional network element obtaining the first authentication vector according to the authentication material comprises:
    the first functional network element generating the first authentication vector according to the authentication material.
  7. The authentication method according to any one of claims 1 to 6, characterized in that the authentication material comprises one or more of: a serving network name, a serving network identifier, a network identifier, a mobile country code or a mobile network code.
  8. A communication apparatus, characterized by comprising:
    a processing module, configured to determine whether a terminal needs to be authenticated; if the terminal needs to be authenticated, obtain authentication material; and obtain a first authentication vector according to the authentication material;
    a transceiver module, configured to send a first authentication request message to an access and mobility management network element to trigger authentication of the terminal, wherein the first authentication request message comprises the first authentication vector.
  9. The communication apparatus according to claim 8, characterized in that the processing module, configured to determine whether the terminal needs to be authenticated, is specifically configured to:
    receive a service request from a third functional network element, the service request requesting a specified service;
    in response to the service request, determine whether the terminal needs to be authenticated.
  10. The communication apparatus according to claim 8, characterized in that the processing module, configured to obtain the authentication material, is specifically configured to:
    obtain the authentication material from a stored context;
    or obtain the authentication material from a fourth functional network element, the fourth functional network element being a network element that stores the authentication material.
  11. The communication apparatus according to claim 8, characterized in that the processing module, configured to obtain the first authentication vector according to the authentication material, is specifically configured to:
    send an authentication vector request message to a unified data management network element, wherein the authentication vector request message comprises the authentication material;
    receive an authentication vector response message from the unified data management network element, the authentication vector response message comprising the first authentication vector.
  12. The communication apparatus according to claim 8, characterized in that the processing module, configured to obtain the first authentication vector according to the authentication material, is specifically configured to:
    generate the first authentication vector according to the authentication material.
  13. The communication apparatus according to any one of claims 8 to 12, characterized in that the authentication material comprises one or more of: a serving network name, a serving network identifier, a network identifier, a mobile country code or a mobile network code.
  14. A communication apparatus, characterized by comprising: at least one processor, the at least one processor being configured to execute instructions stored in a memory so that the communication apparatus performs the operations of the method according to any one of claims 1 to 7.
  15. A computer-readable storage medium comprising instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 7.
PCT/CN2023/092298 2022-05-06 2023-05-05 Authentication method, communication apparatus and computer-readable storage medium WO2023213301A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210489884.6 2022-05-06
CN202210489884.6A CN117062071A (zh) 2022-05-06 2022-05-06 Authentication method, communication apparatus and computer-readable storage medium

Publications (1)

Publication Number Publication Date
WO2023213301A1 true WO2023213301A1 (zh) 2023-11-09
