WO2023230924A1 - Authentication method, apparatus, communication device and storage medium - Google Patents

Authentication method, apparatus, communication device and storage medium

Info

Publication number
WO2023230924A1
Authority
WO
WIPO (PCT)
Prior art keywords
pine
authentication
pegc
parameters
network
Application number
PCT/CN2022/096480
Other languages
English (en)
French (fr)
Inventor
梁浩然
陆伟
Original Assignee
北京小米移动软件有限公司 (Beijing Xiaomi Mobile Software Co., Ltd.)
Application filed by 北京小米移动软件有限公司 (Beijing Xiaomi Mobile Software Co., Ltd.)
Priority to PCT/CN2022/096480 (WO2023230924A1)
Priority to CN202280001898.7A (CN117597961A)
Publication of WO2023230924A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup

Definitions

  • This application relates to, but is not limited to, the field of wireless communication technology, and in particular to an authentication method, apparatus, communication device and storage medium.
  • PIN: Personal IoT Network.
  • A PIN comprises devices with gateway capability (PIN Element with Gateway Capability, PEGC), devices with management capability (PIN Element with Management Capability, PEMC), and devices with neither gateway nor management capability (PIN Element, PINE).
  • PEGC and PEMC are user equipment (UE) that can directly access the fifth-generation system (5th Generation System, 5GS). A PEMC can also access the 5GS through a PEGC. A PINE cannot access the 5GS directly.
  • Embodiments of the present disclosure provide an authentication method, apparatus, communication device and storage medium.
  • In a first aspect, an authentication method is provided, executed by a core network device of a first-type network, including: performing identity authentication on a PINE, wherein the PINE accesses the first-type network through a PEGC, and the PINE and the PEGC are connected through a second-type network.
  • The identity authentication of the PINE includes: determining expected authentication parameters based on at least a first credential and calculation parameters of the PINE; and performing identity authentication on the PINE based on the expected authentication parameters.
  • The first credential is stored in the core network device.
  • The first credential is determined by the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • Performing identity authentication on the PINE based on the expected authentication parameters includes: sending the calculation parameters to the PEGC via a base station through the first-type network, wherein the PEGC forwards the calculation parameters to the PINE through the second-type network; receiving the authentication parameters sent by the PEGC via the base station through the first-type network, wherein the authentication parameters are determined by the PINE based on at least a second credential and the calculation parameters and are sent to the PEGC through the second-type network; and performing identity authentication on the PINE based on the authentication parameters and the expected authentication parameters.
  • Sending the calculation parameters to the PEGC via the base station through the first-type network includes:
  • the Unified Data Management (UDM) in the core network device sends a UDM response carrying the calculation parameters to the Authentication Server Function (AUSF) in the core network device;
  • the AUSF sends an AUSF response carrying the calculation parameters to the Security Anchor Function (SEAF) in the core network device;
  • the SEAF sends an authentication request carrying the calculation parameters to the PEGC via the base station through the first-type network.
  • Receiving the authentication parameters sent by the PEGC via the base station through the first-type network includes at least one of the following:
  • the SEAF receives an authentication response carrying the authentication parameters, sent by the PEGC through the first-type network and the base station, wherein the authentication parameters are carried by the PINE in a PINE authentication response sent to the PEGC through the second-type network;
  • the AUSF receives an AUSF authentication request carrying the authentication parameters, sent by the SEAF.
  • Performing identity authentication on the PINE based on the authentication parameters and the expected authentication parameters includes at least one of the following:
  • the SEAF determines a hash authentication parameter from the authentication parameters and authenticates the PINE by comparing the hash authentication parameter with a hash expected authentication parameter, wherein the hash expected authentication parameter is determined by the AUSF from the expected authentication parameters and sent to the SEAF;
  • the AUSF authenticates the PINE based on the authentication parameters and the expected authentication parameters.
  • The authentication parameters, the expected authentication parameters, the hash authentication parameters and the hash expected authentication parameters are identified by at least one of the following:
  • At least one of the UDM response, the AUSF response, the authentication request, the authentication response, the PINE authentication request, the PINE authentication response and the AUSF authentication request carries at least one of the following:
  • a PINE authentication indicator used to indicate identity authentication of the PINE.
  • The PINE authentication indicator is used to indicate that the core network device does not perform at least one of the following:
  • At least one of the UDM response, the AUSF response, the authentication request, the PINE authentication request, the PINE authentication response, the authentication response and the AUSF authentication request carries a PINE identifier indicating the PINE.
  • The PINE identifier is a security-protected PINE identifier.
  • The method further includes: in response to the PINE identifier being a security-protected PINE identifier, restoring the security-protected PINE identifier to a plaintext PINE identifier;
  • At least one of the UDM response, the AUSF response and the AUSF authentication request carries the PINE identifier in plaintext;
  • At least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries the security-protected PINE identifier.
  • The method further includes: determining, based on judgment information, whether the PEGC is a legitimate gateway for accessing the first-type network, wherein the judgment information includes at least one of the following:
  • the subscription information of the PEGC.
  • Determining expected authentication parameters based on at least the first credential and the calculation parameters of the PINE includes: determining the expected authentication parameters based on the first credential and the calculation parameters of the PINE.
  • Determining expected authentication parameters based on at least the first credential and the calculation parameters of the PINE includes: determining the expected authentication parameters based on at least the first credential, the calculation parameters and a service network identifier;
  • the authentication parameters are determined by the PINE based on at least the second credential, the calculation parameters and the service network identifier.
  • The calculation parameters and/or the service network identifier are sent by the PEGC to the PINE through the second-type network.
  • The calculation parameters include at least a random number RAND.
  • The first credential is determined by the UDM in the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • The first-type network includes a Third Generation Partnership Project (3GPP) standard network;
  • the second-type network includes a non-3GPP standard network.
  • In a second aspect, an authentication method is provided, executed by a PEGC, including: transmitting authentication information during the identity authentication of a PINE by the core network device of the first-type network, wherein the PINE accesses the first-type network through the PEGC, and the PINE and the PEGC are connected through the second-type network.
  • The authentication information transmitted during the identity authentication of the PINE by the core network device of the first-type network includes: receiving the calculation parameters sent by the core network device via the base station through the first-type network, wherein the calculation parameters are used by the core network device, together with at least the first credential, to determine expected authentication parameters, and the expected authentication parameters are used by the core network device to authenticate the PINE; and sending the calculation parameters to the PINE through the second-type network.
  • The first credential is determined by the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • The authentication information transmitted during the identity authentication of the PINE by the core network device of the first-type network includes: receiving the authentication parameters sent by the PINE through the second-type network, wherein the authentication parameters are determined by the PINE based on at least the second credential and the calculation parameters; and sending the authentication parameters to the core network device via the base station through the first-type network, where the authentication parameters are used by the core network device to authenticate the PINE based on at least the expected authentication parameters.
  • Receiving the calculation parameters sent by the core network device to the PEGC via the base station through the first-type network includes: receiving the authentication request carrying the calculation parameters sent by the SEAF of the core network device via the base station through the first-type network.
  • Sending the calculation parameters to the PINE through the second-type network includes: sending a PINE authentication request carrying the calculation parameters to the PINE through the second-type network.
  • Receiving the authentication parameters sent by the PINE through the second-type network includes: receiving a PINE authentication response carrying the authentication parameters sent by the PINE through the second-type network.
  • Sending the authentication parameters to the core network device via the base station through the first-type network includes: sending an authentication response carrying the authentication parameters to the SEAF of the core network device via the base station through the first-type network.
  • The PINE authentication request also carries the service network identifier.
  • The expected authentication parameters are determined by the core network device based on at least the first credential, the calculation parameters and the service network identifier.
  • The authentication parameters are determined by the PINE based on at least the second credential, the calculation parameters and the service network identifier.
  • At least one of the authentication request, the authentication response, the PINE authentication request and the PINE authentication response carries at least one of the following:
  • a PINE authentication indicator used to indicate identity authentication of the PINE.
  • At least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries a PINE identifier indicating the PINE.
  • The PINE identifier is a security-protected PINE identifier.
  • The calculation parameters include at least a random number RAND.
  • The first credential is determined by the UDM in the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • The PEGC includes a user equipment (UE).
  • The first-type network includes a 3GPP standard network;
  • the second-type network includes a non-3GPP standard network.
  • In a third aspect, an authentication method is provided, executed by a PINE, including: transmitting authentication information during the identity authentication of the PINE by the core network device of the first-type network, wherein the PINE accesses the first-type network through a PEGC, and the PINE and the PEGC are connected through a second-type network.
  • The authentication information transmitted during the identity authentication of the PINE by the core network device of the first-type network includes: receiving the calculation parameters sent by the PEGC through the second-type network, wherein the calculation parameters are sent by the core network device to the PEGC via the base station through the first-type network, and are used by the core network device, together with at least the first credential, to determine expected authentication parameters, which the core network device uses to authenticate the PINE.
  • The first credential is determined by the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • The method further includes: determining authentication parameters based on at least a second credential and the calculation parameters;
  • The authentication information transmitted during the identity authentication of the PINE by the core network device of the first-type network includes: sending the authentication parameters to the PEGC through the second-type network, wherein the PEGC forwards the authentication parameters to the core network device via the base station through the first-type network, and the core network device authenticates the PINE based on at least the authentication parameters and the expected authentication parameters.
  • Receiving the calculation parameters sent by the PEGC through the second-type network includes: receiving a PINE authentication request carrying the calculation parameters sent by the PEGC through the second-type network.
  • Sending the authentication parameters to the PEGC through the second-type network includes: sending a PINE authentication response carrying the authentication parameters to the PEGC through the second-type network.
  • The PINE authentication request also carries the service network identifier.
  • The expected authentication parameters are determined based on at least the first credential, the calculation parameters and the service network identifier.
  • Determining authentication parameters based on at least the second credential and the calculation parameters includes: determining the authentication parameters based on at least the second credential, the calculation parameters and the service network identifier.
  • The PINE authentication request and/or the PINE authentication response carries at least one of the following:
  • a PINE authentication indicator used to indicate identity authentication of the PINE.
  • The PINE authentication request and/or the PINE authentication response carries a PINE identifier indicating the PINE.
  • The PINE identifier is a security-protected PINE identifier.
  • The calculation parameters include at least a random number RAND.
  • The first credential is determined by the UDM in the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • The first-type network includes a 3GPP standard network;
  • the second-type network includes a non-3GPP standard network.
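As an added illustration that is not code from the patent or from Xiaomi, the following Python models the exchange described in the three method aspects above: the UDM derives the expected authentication parameter from the first credential and RAND, the AUSF hashes it for the SEAF, the SEAF relays RAND and the service network identifier to the PINE through the PEGC, and the PINE answers with an authentication parameter derived from its second credential. The MAC and hash functions, the message field names, the subscription-based PEGC check and all sample values are assumptions, and protection of the PINE identifier is omitted.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; the patent text fixes none of these.
PINE_ID, PEGC_ID, SERVING_NETWORK = "pine-0001", "pegc-0001", "sn-example"
# Subscription data for the PEGC legitimacy check (the "judgment information").
SUBSCRIPTIONS = {"pegc-0001": {"pin_gateway": True}, "pegc-0002": {"pin_gateway": False}}

def derive_res(credential: bytes, rand: bytes, sn_id: str) -> bytes:
    """Authentication parameter (PINE, second credential) or expected authentication
    parameter (UDM, first credential). The patent names no function; HMAC-SHA256 is assumed."""
    return hmac.new(credential, rand + sn_id.encode(), hashlib.sha256).digest()

def hash_res(rand: bytes, res: bytes) -> bytes:
    """Hash form compared at the SEAF (assumed: SHA-256 over RAND || RES, truncated)."""
    return hashlib.sha256(rand + res).digest()[:16]

class UDM:
    def __init__(self, first_credentials, subscriptions):
        self.first_credentials = first_credentials  # keyed by (PINE id, PEGC id)
        self.subscriptions = subscriptions

    def udm_response(self, pine_id, pegc_id, sn_id):
        if not self.subscriptions.get(pegc_id, {}).get("pin_gateway"):
            raise PermissionError("PEGC is not a legitimate PIN gateway")
        rand = secrets.token_bytes(16)  # calculation parameter RAND
        xres = derive_res(self.first_credentials[(pine_id, pegc_id)], rand, sn_id)
        return {"pine_id": pine_id, "rand": rand, "xres": xres, "pine_auth_ind": True}

class AUSF:
    def __init__(self):
        self.pending = {}  # pine_id -> expected authentication parameter

    def ausf_response(self, udm_resp):
        self.pending[udm_resp["pine_id"]] = udm_resp["xres"]
        return {"pine_id": udm_resp["pine_id"], "rand": udm_resp["rand"],
                "hxres": hash_res(udm_resp["rand"], udm_resp["xres"]), "pine_auth_ind": True}

    def ausf_authentication_request(self, pine_id, res) -> bool:
        # Full comparison of the authentication parameter with the expected one.
        xres = self.pending.pop(pine_id, None)
        return xres is not None and hmac.compare_digest(xres, res)

class SEAF:
    def __init__(self, ausf):
        self.ausf, self.pending = ausf, {}

    def authentication_request(self, ausf_resp, sn_id):
        # Authentication request sent to the PEGC over the first-type (3GPP) network.
        self.pending[ausf_resp["pine_id"]] = (ausf_resp["rand"], ausf_resp["hxres"])
        return {"pine_id": ausf_resp["pine_id"], "rand": ausf_resp["rand"],
                "sn_id": sn_id, "pine_auth_ind": True}

    def authentication_response(self, pine_id, res) -> bool:
        rand, hxres = self.pending.pop(pine_id, (None, None))
        if rand is None or not hmac.compare_digest(hash_res(rand, res), hxres):
            return False  # hash comparison at the SEAF failed
        return self.ausf.ausf_authentication_request(pine_id, res)

class PINE:
    def __init__(self, pine_id, second_credential):
        self.pine_id, self.k = pine_id, second_credential

    def pine_authentication_response(self, req):
        return {"pine_id": self.pine_id, "res": derive_res(self.k, req["rand"], req["sn_id"])}

class PEGC:
    """Relays between the first-type network (SEAF) and the second-type network (PINE)."""
    def __init__(self, pegc_id, pine, sn_override=None):
        self.pegc_id, self.pine, self.sn_override = pegc_id, pine, sn_override

    def relay(self, auth_req):
        # PINE authentication request over the second-type network; sn_override models
        # a gateway that forwards a service network identifier different from the SEAF's.
        pine_req = {"rand": auth_req["rand"], "sn_id": self.sn_override or auth_req["sn_id"]}
        pine_resp = self.pine.pine_authentication_response(pine_req)
        return {"pine_id": auth_req["pine_id"], "res": pine_resp["res"]}  # authentication response

def run_authentication(udm, ausf, seaf, pegc, pine_id, sn_id) -> bool:
    try:
        udm_resp = udm.udm_response(pine_id, pegc.pegc_id, sn_id)
    except PermissionError:
        return False
    auth_req = seaf.authentication_request(ausf.ausf_response(udm_resp), sn_id)
    auth_resp = pegc.relay(auth_req)
    return seaf.authentication_response(auth_resp["pine_id"], auth_resp["res"])

def demo():
    k = bytes(range(32))  # constructed credential shared by the UDM (first) and PINE (second)
    udm, ausf = UDM({(PINE_ID, PEGC_ID): k}, SUBSCRIPTIONS), AUSF()
    seaf = SEAF(ausf)
    run = lambda pegc: run_authentication(udm, ausf, seaf, pegc, PINE_ID, SERVING_NETWORK)
    return {
        "matching_credentials": run(PEGC(PEGC_ID, PINE(PINE_ID, k))),
        "wrong_second_credential": run(PEGC(PEGC_ID, PINE(PINE_ID, bytes(32)))),
        "service_network_mismatch": run(PEGC(PEGC_ID, PINE(PINE_ID, k), "other-sn")),
        "unsubscribed_gateway": run(PEGC("pegc-0002", PINE(PINE_ID, k))),
    }
```

Only the first case authenticates: a mismatched second credential or a forwarded service network identifier that differs from the SEAF's fails at the SEAF hash check, and a PEGC whose subscription does not allow gateway use is rejected before any RAND is issued.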
  • An authentication apparatus is provided, applied to a core network device of a first-type network, including:
  • a processing module configured to perform identity authentication on a PINE, wherein the PINE accesses the first-type network through a PEGC, and the PINE and the PEGC are connected through a second-type network.
  • The processing module is specifically configured to: determine expected authentication parameters based on at least a first credential and calculation parameters of the PINE; and perform identity authentication on the PINE based on the expected authentication parameters.
  • The first credential is stored in the core network device.
  • The first credential is determined by the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • The apparatus further includes:
  • a transceiver module configured to send the calculation parameters to the PEGC via a base station through the first-type network, wherein the PEGC forwards the calculation parameters to the PINE through the second-type network;
  • the transceiver module is further configured to receive authentication parameters sent by the PEGC via the base station through the first-type network, wherein the authentication parameters are determined by the PINE based on at least a second credential and the calculation parameters, and are sent to the PEGC through the second-type network;
  • the processing module is specifically configured to perform identity authentication on the PINE based on the authentication parameters and the expected authentication parameters.
  • The transceiver module is specifically configured such that:
  • the UDM in the core network device sends a UDM response carrying the calculation parameters to the AUSF in the core network device;
  • the AUSF sends an AUSF response carrying the calculation parameters to the SEAF in the core network device;
  • the SEAF sends an authentication request carrying the calculation parameters to the PEGC via the base station through the first-type network.
  • The transceiver module is specifically configured for at least one of the following:
  • the SEAF receives an authentication response carrying the authentication parameters, sent by the PEGC through the first-type network and the base station, wherein the authentication parameters are carried by the PINE in a PINE authentication response sent to the PEGC through the second-type network;
  • the AUSF receives an AUSF authentication request carrying the authentication parameters, sent by the SEAF.
  • The processing module is specifically configured for at least one of the following:
  • the SEAF determines a hash authentication parameter from the authentication parameters and authenticates the PINE by comparing the hash authentication parameter with a hash expected authentication parameter, wherein the hash expected authentication parameter is determined by the AUSF from the expected authentication parameters and sent to the SEAF;
  • the AUSF authenticates the PINE based on the authentication parameters and the expected authentication parameters.
  • The authentication parameters, the expected authentication parameters, the hash authentication parameters and the hash expected authentication parameters are identified by at least one of the following:
  • At least one of the UDM response, the AUSF response, the authentication request, the authentication response, the PINE authentication request, the PINE authentication response and the AUSF authentication request carries at least one of the following:
  • a PINE authentication indicator used to indicate identity authentication of the PINE.
  • The PINE authentication indicator is used to indicate that the core network device does not perform at least one of the following:
  • At least one of the UDM response, the AUSF response, the authentication request, the PINE authentication request, the PINE authentication response, the authentication response and the AUSF authentication request carries a PINE identifier indicating the PINE.
  • The PINE identifier is a security-protected PINE identifier.
  • The processing module is further configured to, in response to the PINE identifier being a security-protected PINE identifier, restore the security-protected PINE identifier to a plaintext PINE identifier;
  • At least one of the UDM response, the AUSF response and the AUSF authentication request carries the PINE identifier in plaintext;
  • At least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries the security-protected PINE identifier.
  • The processing module is further configured to: determine, based on judgment information, whether the PEGC is a legitimate gateway for accessing the first-type network, wherein the judgment information includes at least one of the following:
  • the subscription information of the PEGC.
  • Determining expected authentication parameters based on at least the first credential and the calculation parameters of the PINE includes: determining the expected authentication parameters based on the first credential and the calculation parameters of the PINE.
  • The processing module is specifically configured to: determine the expected authentication parameters based on at least the first credential, the calculation parameters and the service network identifier;
  • the authentication parameters are determined by the PINE based on at least the second credential, the calculation parameters and the service network identifier.
  • The calculation parameters and/or the service network identifier are sent by the PEGC to the PINE through the second-type network.
  • The calculation parameters include at least a random number RAND.
  • The first credential is determined by the UDM in the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • The first-type network includes a 3GPP standard network;
  • the second-type network includes a non-3GPP standard network.
  • An authentication apparatus is provided, applied to a PEGC, including:
  • a transceiver module configured to transmit authentication information during the identity authentication of a PINE by the core network device of the first-type network, wherein the PINE accesses the first-type network through the PEGC, and the PINE and the PEGC are connected through a second-type network.
  • The transceiver module is specifically configured to: receive the calculation parameters sent by the core network device via the base station through the first-type network, wherein the calculation parameters are used by the core network device, together with at least the first credential, to determine expected authentication parameters used to authenticate the PINE; and send the calculation parameters to the PINE through the second-type network.
  • The first credential is determined by the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • The transceiver module is specifically configured to: receive the authentication parameters sent by the PINE through the second-type network; and send the authentication parameters to the core network device via the base station through the first-type network, where the authentication parameters are used by the core network device to authenticate the PINE based on at least the expected authentication parameters.
  • The transceiver module is specifically configured for at least one of the following:
  • The PINE authentication request also carries the service network identifier.
  • The expected authentication parameters are determined by the core network device based on at least the first credential, the calculation parameters and the service network identifier.
  • The authentication parameters are determined by the PINE based on at least the second credential, the calculation parameters and the service network identifier.
  • At least one of the authentication request, the authentication response, the PINE authentication request and the PINE authentication response carries at least one of the following:
  • a PINE authentication indicator used to indicate identity authentication of the PINE.
  • At least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries a PINE identifier indicating the PINE.
  • The PINE identifier is a security-protected PINE identifier.
  • The calculation parameters include at least a random number RAND.
  • The first credential is determined by the UDM in the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • The PEGC includes a user equipment (UE).
  • An authentication apparatus is provided, applied to a PINE, including:
  • a transceiver module configured to transmit authentication information during the identity authentication of the PINE by the core network device of the first-type network, wherein the PINE accesses the first-type network through a PEGC, and the PINE and the PEGC are connected through a second-type network.
  • The transceiver module is specifically configured to: receive the calculation parameters sent by the PEGC through the second-type network, wherein the calculation parameters are sent by the core network device to the PEGC via the base station through the first-type network, and are used by the core network device, together with at least the first credential, to determine expected authentication parameters, which the core network device uses to authenticate the PINE.
  • The first credential is determined by the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • The apparatus further includes: a processing module configured to determine authentication parameters based on at least a second credential and the calculation parameters;
  • the transceiver module is specifically configured to: send the authentication parameters to the PEGC through the second-type network, wherein the PEGC forwards the authentication parameters to the core network device via the base station through the first-type network, and
  • the core network device authenticates the PINE based on at least the authentication parameters and the expected authentication parameters.
  • The transceiver module is specifically configured for at least one of the following:
  • sending a PINE authentication response carrying the authentication parameters to the PEGC through the second-type network.
  • The PINE authentication request also carries the service network identifier.
  • The expected authentication parameters are determined based on at least the first credential, the calculation parameters and the service network identifier.
  • The processing module is specifically configured to: determine the authentication parameters based on at least the second credential, the calculation parameters and the service network identifier.
  • The PINE authentication request and/or the PINE authentication response carries at least one of the following:
  • a PINE authentication indicator used to indicate identity authentication of the PINE.
  • The PINE authentication request and/or the PINE authentication response carries a PINE identifier indicating the PINE.
  • The PINE identifier is a security-protected PINE identifier.
  • The calculation parameters include at least a random number RAND.
  • The first credential is determined by the UDM in the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • The first-type network includes a 3GPP standard network;
  • the second-type network includes a non-3GPP standard network.
  • A communication device is provided, including a processor, a memory, and an executable program stored in the memory and runnable by the processor, wherein, when the processor runs the executable program,
  • the steps of the authentication method described in the first aspect, the second aspect or the third aspect are performed.
  • A storage medium is provided on which an executable program is stored, wherein, when the executable program is executed by a processor, the steps of the authentication method described in the first aspect, the second aspect or the third aspect are implemented.
  • Embodiments of the present disclosure provide authentication methods, apparatus, communication devices and storage media.
  • The core network device performs identity authentication on the PINE, wherein the PINE accesses the first-type network through the PEGC, and the PINE and the PEGC are connected through the second-type network.
  • Identity authentication of the PINE by the core network device enables the PINE to access the cellular mobile communication network directly.
  • The communication of the PINE in the first-type network can thus be managed by the core network device, which meets the management requirements of the core network device for devices accessing the first-type network, meets the PINE's data transmission needs, and improves data transmission reliability.
  • Figure 1 is a schematic structural diagram of a wireless communication system according to an exemplary embodiment
  • Figure 2 is a schematic flow chart of an authentication method according to an exemplary embodiment
  • Figure 3 is a schematic flowchart of a method for triggering core network equipment to perform authentication according to an exemplary embodiment
  • Figure 4 is a schematic flow chart of an authentication method according to an exemplary embodiment
  • Figure 5 is a schematic flow chart of an authentication method according to an exemplary embodiment
  • Figure 6 is a schematic flowchart of an authentication method according to an exemplary embodiment
  • Figure 7 is a schematic flow chart of an authentication method according to an exemplary embodiment
  • Figure 8 is a schematic flow chart of an authentication method according to an exemplary embodiment
  • Figure 9 is a schematic flow chart of an authentication method according to an exemplary embodiment
  • Figure 10 is a schematic diagram of authentication interaction according to an exemplary embodiment
  • Figure 11 is a block diagram of an authentication device according to an exemplary embodiment
  • Figure 12 is a block diagram of an authentication device according to an exemplary embodiment
  • Figure 13 is a block diagram of an authentication device according to an exemplary embodiment
  • Figure 14 is a block diagram of an apparatus for authentication according to an exemplary embodiment.
  • Although the terms first, second, third, etc. may be used to describe various information in the embodiments of the present disclosure, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from each other.
  • For example, first information may also be called second information, and similarly, second information may also be called first information.
  • The word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
  • FIG. 1 shows a schematic structural diagram of a wireless communication system provided by an embodiment of the present disclosure.
  • the wireless communication system is a communication system based on cellular mobile communication technology.
  • the wireless communication system may include several terminals 11 and several base stations 12 .
  • the terminal 11 may be a device that provides voice and/or data connectivity to the user.
  • the terminal 11 can communicate with one or more core network devices via a Radio Access Network (RAN).
  • RAN Radio Access Network
  • the terminal 11 can be an Internet of Things terminal, such as a sensor device, a mobile phone (or a "cellular" phone) and
  • a computer with an IoT terminal may, for example, be a fixed, portable, pocket-sized, handheld, built-in computer or vehicle-mounted device.
  • station STA
  • subscriber unit subscriber unit
  • subscriber station subscriber station
  • mobile station mobile station
  • mobile station mobile station
  • remote station remote station
  • access terminal remote terminal
  • access terminal user terminal, user agent, user device, or user equipment (UE).
  • the terminal 11 may be a device of an unmanned aerial vehicle.
  • the terminal 11 may also be a vehicle-mounted device, for example, it may be an on-board computer with a wireless communication function, or a wireless communication device connected to an external on-board computer.
  • the terminal 11 may also be a roadside device, for example, it may be a streetlight, a signal light or other roadside device with wireless communication function.
  • the base station 12 may be a network-side device in a wireless communication system.
  • the wireless communication system can be the 4th generation mobile communication technology (the 4th generation mobile communication, 4G) system, also known as the Long Term Evolution (LTE) system; or the wireless communication system can also be a 5G system, Also called new radio (NR) system or 5G NR system.
  • the wireless communication system may also be a next-generation system of the 5G system.
  • the access network in the 5G system can be called NG-RAN (New Generation-Radio Access Network).
  • the base station 12 may be an evolved base station (eNB) used in the 4G system.
  • the base station 12 may also be a base station (gNB) that adopts a centralized distributed architecture in the 5G system.
  • when the base station 12 adopts a centralized-distributed architecture, it usually includes a central unit (CU) and at least two distributed units (DU). The CU is provided with a protocol stack including the Packet Data Convergence Protocol (PDCP) layer, the Radio Link Control (RLC) layer and the Media Access Control (MAC) layer; the DU is provided with a physical (PHY) layer protocol stack. The embodiments of the present disclosure do not limit the specific implementation of the base station 12.
  • a wireless connection can be established between the base station 12 and the terminal 11 through a wireless air interface.
  • the wireless air interface may be a wireless air interface based on the fourth generation mobile communication network technology (4G) standard; or a wireless air interface based on the fifth generation mobile communication network technology (5G) standard, such as a New Radio air interface; alternatively, it may be a wireless air interface based on the next generation mobile communication network technology standard after 5G.
  • an E2E (End to End) connection can also be established between terminals 11.
  • for example, vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I) and vehicle-to-pedestrian (V2P) communication.
  • the above-mentioned wireless communication system may also include a network management device 13.
  • the network management device 13 may be a core network device in a wireless communication system.
  • the network management device 13 may be a Mobility Management Entity (MME) in an Evolved Packet Core (EPC) device.
  • the network management device may also be another core network device, such as a Serving Gateway (SGW), a Public Data Network Gateway (PGW), a Policy and Charging Rules Function (PCRF) or a Home Subscriber Server (HSS).
  • PINE cannot directly access cellular mobile communication networks, such as 5GS networks. How to enable PINE to directly access the cellular mobile communication network is a problem that needs to be solved urgently.
  • this exemplary embodiment provides an authentication method that can be executed by the core network equipment of the cellular mobile communication system, including:
  • Step 201 Perform identity authentication on PINE, where the PINE is connected to the first type of network through PEGC, and wherein the PINE and the PEGC are connected through a second type of network.
  • the first type of network includes: the Third Generation Partnership Project 3GPP standard network;
  • the second type of network includes: non-3GPP standard network.
  • the first type of network may be a cellular mobile communication network that complies with 3GPP standards, such as a 5GS network, etc.
  • the second type of network may be a non-3GPP standard network, and the second type of network includes but is not limited to at least one of the following: Wi-Fi network, Bluetooth network, ZigBee, etc.
  • PINE can be communication devices in the Internet of Things that cannot directly access the first type of network (such as 5GS and other cellular mobile communication networks).
  • PINE can be wearable devices, smart home appliances, smart office equipment, etc.
  • the PEGC may be a communication device that can directly access a first-type network (such as a cellular mobile communication network).
  • the PEGC may have access capability to both the first type network and the second type network.
  • the PEGC can provide gateway services for accessing the first type network (such as a cellular mobile communication network) to communication devices that cannot directly access the first type network (such as a PINE).
  • PEGC and communication equipment that cannot directly access the first type of network can be connected through the second type of network.
  • the PEGC may be a user equipment (UE).
  • the PEGC may be a UE with access capabilities to both the first type of network and the second type of network.
  • PEGC can be a terminal device such as a mobile phone.
  • PINE can access 5GS through PEGC, and 5GS needs to recognize PINE for enhanced management. For example, 5GS needs to determine the quality of service (QoS) for different PINEs. Therefore, the identity authentication of PINE can be performed by the core network equipment.
  • PINE and core network equipment can mutually transmit authentication information that needs to be transmitted during the authentication process through PEGC.
  • the authentication information here may include: the PINE identifier, the root key (Root Key), etc.
  • after the core network equipment authenticates the PINE, it can manage the PINE in compliance with 3GPP requirements; for example, a corresponding QoS, security policy, etc. can be applied to the PINE's data transmission.
  • the identity authentication of PINE by the core network equipment can enable PINE to directly access the cellular mobile communication network.
  • the communication of the PINE in the first type network can be managed by the core network equipment, which satisfies the core network's management requirements for devices accessing the first type network, meets the PINE's data transmission needs and improves data transmission reliability.
  • the cellular mobile communication network needs to provide credentials for PINE. Using the credentials, cellular mobile communication networks can authenticate and identify PINEs connected to PEGC.
  • identity authentication of the PINE can be triggered by the PINE, the PEGC and/or the core network equipment. Triggering identity authentication of the PINE, as shown in Figure 3, may include:
  • Step 301 PINE sends its PINE identity (ie, PINE's device identifier) to PEGC through a non-3GPP connection (Type 2 network), and also sends the authentication method and PINE authentication indicator.
  • the non-3GPP connection (Type 2 network) established between PINE and PEGC can be a secure connection. How to establish a non-3GPP secure link is not limited here.
  • Step 302 PEGC sends the PINE authentication indicator, PINE identification, authentication method, PEGC's SUCI or 5G-GUTI to the AMF/SEAF network element in the core network equipment through the NAS message.
  • Step 303 Whenever the AMF wishes to start authentication of the PINE, the AMF can invoke the Nausf_UEAuthentication service by sending a Nausf_UEAuthentication_Authenticate Request message to the AUSF.
  • the Nausf_UEAuthentication_AuthenticateRequest message can contain the PINE authentication indicator, PINE identification, authentication method, and service network identification (Service Network Name, SN-Name).
  • Step 304 After receiving the Nausf_UEAuthentication_Authenticate Request message, the AUSF checks whether the requesting AMF in the serving network is entitled to use the serving network name carried in the request by comparing the received service network identification (SN-Name) with the expected SN-Name. The AUSF temporarily stores the received SN-Name. If the serving network is not authorized to use that SN-Name, the AUSF shall respond with "Serving network not authorized" in the Nausf_UEAuthentication_Authenticate Response. If the serving network is authorized, the AUSF sends a Nudm_UEAuthentication_Get Request message to the UDM.
  • the Nudm_UEAuthentication_GetRequest message may include: PINE authentication indicator, PINE identity, PEGC's SUPI or SUCI, authentication method, and service network identity.
  • Step 305 After receiving the Nudm_UEAuthentication_Get Request, if the UDM receives SUCI, the UDM will call the subscription identifier de-concealing function (SIDF) to decrypt the SUCI and obtain SUPI.
  • Step 306 The UDM/ARPF verifies, based on the PEGC's SUPI, the PINE's device identifier and the PEGC's subscription, that the PEGC is allowed to relay the authentication of this PINE, and then selects the authentication method for the PINE based on the PINE identifier and the authentication method indicated by the PINE.
  • the PINE can locally store the credential provided by the PEGC's home network, that is, the second credential; and the PINE identifier of the PINE can be associated with the subscription information of the PEGC.
  • PEGC can be a gateway that has been registered in 5GC, and the connection between PEGC and AMF is protected by NAS security. AMF is collocated with SEAF.
  • the identity authentication of the PINE includes: determining an expected authentication parameter based on at least the first credential of the PINE and the calculation parameters; and performing identity authentication on the PINE based on the expected authentication parameter.
  • the expected authentication parameter can be represented by XRES*
  • the authentication parameter can be represented by RES*
  • the hash expected authentication parameter can be represented by HXRES*
  • the hash authentication parameter can be represented by HRES*.
  • the PINE credentials configured for PINE by the first network may include: a first credential stored in the core network device and a second credential stored in PINE.
  • the first credential is equal to the second credential.
  • PINE credentials can be used as the root key (Root Key) for PINE identity authentication.
  • the PINE credentials may be configured for the PINE by the first network.
  • Different PINE credentials can correspond to different PINEs.
  • the first credential is stored in the core network device.
  • the first credential is stored in UDM.
  • the first credential is determined by the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • the first credential may correspond to the PINE identifier of the PINE.
  • the PINE identification may include a protected PINE identification, or a clear PINE identification.
  • the protected PINE identifier may include one of the following: an anonymized PINE identifier; an encrypted PINE identifier.
  • the first credential may correspond to the PINE identifier of the PINE and/or the PEGC identifier of the PINE's PEGC.
  • the PINE identifier can uniquely identify PINE.
  • the PEGC identifier can uniquely identify the PEGC.
  • the core network device may determine the first credential corresponding to the PINE based on the PINE identifier and/or the PEGC identifier.
  • the PINE identifier may be carried by trigger information that triggers the core network device to perform PINE authentication.
  • the trigger information can be Nudm_UEAuthentication_Get Request, etc.
  • the core network device may determine XRES* based on at least the first credential and the calculation parameters.
  • the calculation parameter may be at least one parameter used in the calculation of XRES*.
  • the calculation method used by the core network equipment to determine XRES* can be the same as the calculation method used by PINE to determine RES*.
  • the calculation parameters include at least a random number RAND.
  • the calculation parameters can be random numbers used to calculate XRES*.
  • determining the expected authentication parameters based on at least the first credential and the calculation parameters of the PINE includes: determining XRES* based on at least the first credential, the calculation parameters and the service network identifier (SN-Name), wherein RES* is determined by the PINE based on at least the second credential, the calculation parameters and the service network identifier.
  • the core network device may determine XRES* based on a predetermined calculation method and at least one of the following:
  • the core network device can send the calculation parameters and/or the SN-Name to the PINE, and the PINE determines RES* in combination with the stored second credential.
  • PINE can determine RES* based on the above-mentioned similar method, which will not be described again here.
  • the first credential is determined by the UDM in the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • trigger information that triggers authentication of the PINE can be sent to the UDM.
  • the UDM may determine the first credential of the PINE based on the PINE identifier and/or the PEGC identifier of the PEGC.
  • the first credential can be stored in the UDM, and XRES* can be determined by the UDM, thereby initiating identity authentication of the PINE.
  • XRES* can be compared with the RES* calculated by the PINE to confirm whether the second credential of the PINE is the same as the first credential in the UDM, thereby determining the identity of the PINE and completing its identity authentication.
  • the UDM can include the Authentication credential Repository and Processing Function (ARPF).
  • the UDM/ARPF creates a 5G HE AV for the PINE based on the locally stored PINE credential, that is, the first credential, by generating an AV with the Authentication Management Field (AMF) "separation bit" set to 1. The UDM/ARPF then calculates XRES*. The resulting 5G HE AV can include: RAND, the authentication token AUTN, and XRES*.
  • the method further includes: determining, based on judgment information, whether the PEGC is a legal gateway through which the PINE accesses the first type network, wherein the judgment information includes at least one of the following: the PEGC identifier; the subscription information of the PEGC.
  • determining the expected authentication parameters based on at least the first credential and the calculation parameters of the PINE includes: when the PEGC is determined to be a legal gateway, determining the expected authentication parameters based on the first credential and the calculation parameters of the PINE.
  • UDM can also determine whether PEGC is a legal gateway of PINE: First, UDM can determine whether PEGC is a legal gateway in the first type of network based on the judgment information. For example, UDM can make judgments based on PEGC identification. Then UDM can determine whether PEGC is a legal gateway of PINE. For example, it can determine whether PEGC is allowed to connect PINE to the first type network. The UDM may make a determination based on the PEGC identifier, the PINE identifier of the PINE, and the PEGC subscription information. For example, when the PEGC subscription information identified by the PEGC identifier has the PINE identifier of PINE, the PEGC is determined to be the legal gateway of PINE.
  • the PEGC identifier may include: a Subscription Concealed Identifier (SUCI) and/or a Subscription Permanent Identifier (SUPI).
  • performing the identity authentication on the PINE based on the expected authentication parameters may include:
  • Step 401 Send the calculation parameters to the PEGC via the base station through the first type network, wherein the calculation parameters are sent by the PEGC to the PINE through the second type network;
  • Step 402 Receive, via the base station through the first type network, the authentication parameters sent by the PEGC, wherein the authentication parameters are determined by the PINE based on at least the second credential and the calculation parameters, and are sent by the PINE to the PEGC through the second type network;
  • Step 403 Perform identity authentication on the PINE based on the authentication parameters and the expected authentication parameters.
  • the core network equipment can send the calculation parameters to the PINE's PEGC through the first type network.
  • the calculation parameters can then be sent by the PEGC to the PINE, and the PINE determines RES* based on the second credential, the calculation parameters, etc.
  • the second credential may be determined by the first network, for example by the core network device of the first network, and sent by the first network to the PINE via the PEGC.
  • the core network equipment can determine whether the PINE identity authentication is successful based on the comparison results of RES* and XRES*.
  • if the RES* and XRES* determined from the same calculation parameters are the same, the PINE identity authentication is successful; if they differ, the PINE identity authentication fails.
  • performing identity authentication on the PINE based on the RES* and the expected authentication parameters may also include:
  • the PINE is authenticated based on the HRES* determined from the RES* and the HXRES* determined from the expected authentication parameters.
  • step 401 may include:
  • Step 501 The UDM in the core network device sends a UDM response carrying the calculation parameters to the AUSF in the core network device;
  • Step 502 The AUSF sends an AUSF response carrying the calculation parameters to the SEAF in the core network device;
  • Step 503 The SEAF sends an authentication request carrying the calculation parameters to the PEGC via the base station through the first type network.
  • UDM can carry calculation parameters (such as RAND) in the UDM response and send it to AUSF.
  • the UDM response can be Nudm_UEAuthentication_Get Response.
  • UDM can return 5G HE AV to AUSF in Nudm_UEAuthentication_Get Response.
  • 5G HE AV can include: RAND, AUTN and XRES*.
  • the UDM response may carry a PINE authentication indicator indicating identity authentication of the PINE.
  • AUSF may determine the UDM response for authentication to PINE based on the PINE authentication indicator.
  • the UDM includes the PINE identifier and the PEGC's SUPI in the Nudm_UEAuthentication_Get Response after the SIDF de-conceals the SUCI.
  • the AUSF can store XRES*, the PINE identifier and the SUPI. The AUSF then computes HXRES* from XRES* and generates the 5G SE AV from the 5G HE AV received from the UDM/ARPF by replacing XRES* with HXRES*. The 5G SE AV can include: RAND, AUTN, HXRES*.
  • AUSF can return 5G SE AV (RAND, AUTN, HXRES*), PINE authentication indicator, PEGC's SUPI, and PINE identification to SEAF in the AUSF response (such as Nausf_UEAuthentication_Authenticate Response).
  • SEAF can store received HXRES*.
  • SEAF can send the PINE authentication indicator, RAND, AUTN, and PINE identification to PEGC in the authentication request (such as NAS message).
  • the authentication request can be an Authentication Request.
  • the calculation parameters and/or the service network identifier are sent by the PEGC to the PINE through the second type network.
  • PEGC may forward the SN-name, RAND, AUTN and PINE authentication indicators received in the authentication request to PINE through the secure non-3GPP second network.
  • PEGC may carry calculation parameters and/or the SN-Name in the PINE authentication request.
  • after the PINE receives the RAND, AUTN and SN-Name carried in the PINE authentication request, the PINE can determine whether it accepts the PINE authentication request by checking the AUTN; for example, the PINE can verify the freshness of the received AUTN. If the PINE determines that the PINE authentication request is acceptable, the PINE calculates RES*: for example, the PINE first calculates RES, CK and IK, and then calculates RES* from RES.
  • step 402, as shown in Figure 6, may include:
  • Step 601 The SEAF receives, through the first type network and the base station, an authentication response carrying the authentication parameters sent by the PEGC, wherein the authentication parameters are carried by the PINE in the PINE authentication response and sent to the PEGC through the second type network;
  • Step 602 The AUSF receives the AUSF authentication request carrying the authentication parameters sent by the SEAF.
  • after the PINE determines RES*, it can send RES* to the core network device.
  • PINE can return a PINE authentication response to PEGC through a secure non-3GPP Type 2 network.
  • the PINE authentication response can include: RES*, the PINE identifier and the PINE authentication indicator.
  • the PINE authentication response can be PINE Authentication Response.
  • PEGC may send an authentication response to SEAF in a NAS message, where the authentication response may include: RES*, PINE identifier and PINE authentication indicator.
  • the authentication response can be: Authentication Response.
  • the SEAF can send RES*, the PINE identifier, the PINE authentication indicator and the PEGC's SUPI to the AUSF in the AUSF authentication request (Nausf_UEAuthentication_Authenticate Request).
  • the identity authentication of the PINE based on the authentication parameters and the expected authentication parameters includes at least one of the following:
  • the SEAF determines a hash authentication parameter based on the authentication parameter, and performs identity authentication on the PINE based on the hash authentication parameter and a hash expected authentication parameter, wherein the hash expected authentication parameter is determined by the AUSF based on the expected authentication parameter and sent to the SEAF;
  • the AUSF performs identity authentication on the PINE based on the authentication parameters and the expected authentication parameters.
  • SEAF can calculate HRES* through RES*, and SEAF can compare HRES* and HXRES*. For example, SEAF may locate PINE's HXRES* based on the PINE identity and/or PEGC's SUPI. If they are consistent, SEAF will consider the authentication successful from the service network's perspective. If not, SEAF can determine that authentication was not successful. If the SEAF never receives the RES*, the SEAF shall consider the authentication to have failed and indicate to the AUSF that the PINE identity authentication failed.
  • when the AUSF receives the AUSF authentication request (Nausf_UEAuthentication_Authenticate Request message) including RES* as the authentication confirmation, it can verify whether the 5G AV has expired. If the 5G AV has expired, the AUSF may consider the PINE identity authentication unsuccessful. The AUSF shall compare the received RES* with the stored XRES*. If RES* and XRES* are equal, the AUSF shall consider the authentication successful from the perspective of the home network. The AUSF shall notify the UDM of the authentication result.
  • the AUSF can indicate to the SEAF whether the PINE identity authentication is successful from the perspective of the home network in the AUSF authentication response (Nausf_UEAuthentication_Authenticate Response).
  • SEAF can determine HRES* based on RES*
  • AUSF can determine HXRES* based on XRES*
  • SEAF and AUSF can use the SHA-256 hash algorithm to determine HRES* and HXRES* respectively.
  • Parameters used by the SHA-256 hashing algorithm include but are not limited to:
  • HRES* and HXRES* are taken as the 128 least significant bits of the SHA-256 output.
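The exchange described in steps 301 to 306, 401 to 403, 501 to 503 and 601 to 602, together with the SEAF-side HRES*/HXRES* comparison and the AUSF-side RES*/XRES* comparison above, simulated end to end with both sides' messages. This is an added example, not code from the patent or from any 3GPP implementation. Assumptions: `f_functions` and `mac_a` are HMAC-SHA-256 stand-ins for the operator's MILENAGE/TUAK algorithm set (the page does not name one); the (X)RES* and H(X)RES* derivations follow TS 33.501 Annex A.4 and A.5; the serving network name, the PEGC SUPI, the PINE identifier, the root key and the message dictionaries are constructed for this example; the PEGC is modelled as a pure relay between the NAS leg and the non-3GPP leg.

```python
import hashlib
import hmac
import os

SN_NAME = b"5G:mnc001.mcc001.3gppnetwork.org"  # constructed serving network name
AMF_FIELD = b"\x80\x00"  # Authentication Management Field, separation bit set to 1

def kdf(key, fc, *params):
    """3GPP KDF (TS 33.220 B.2): HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()

def f_functions(root_key, rand):
    """ASSUMPTION: HMAC stand-in for the operator's MILENAGE/TUAK f2..f5; only the
    output lengths are kept (RES 8, CK 16, IK 16, AK 6 bytes)."""
    def f(tag, n):
        return hmac.new(root_key, tag + rand, hashlib.sha256).digest()[:n]
    return {"res": f(b"f2", 8), "ck": f(b"f3", 16), "ik": f(b"f4", 16), "ak": f(b"f5", 6)}

def mac_a(root_key, sqn, rand, amf):
    """ASSUMPTION: stand-in for f1, the network authentication code carried in AUTN."""
    return hmac.new(root_key, b"f1" + sqn + rand + amf, hashlib.sha256).digest()[:8]

def res_star(ck, ik, sn_name, rand, res):
    """(X)RES* per TS 33.501 A.4: KDF(CK||IK, FC=0x6B, SN name, RAND, RES), low 128 bits."""
    return kdf(ck + ik, 0x6B, sn_name, rand, res)[16:]

def hres_star(rand, rs):
    """H(X)RES* per TS 33.501 A.5: 128 least significant bits of SHA-256(RAND || (X)RES*)."""
    return hashlib.sha256(rand + rs).digest()[16:]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class UDM:
    """UDM/ARPF: the first credential of each PINE is held in its PEGC's subscription."""
    def __init__(self, subscriptions):
        self.subs = subscriptions  # {PEGC SUPI: {PINE id: root key}} (constructed data)
        self.sqn = {}

    def get(self, req):
        """Nudm_UEAuthentication_Get: legal-gateway check, then 5G HE AV (RAND, AUTN, XRES*)."""
        supi, pine_id = req["pegc_supi"], req["pine_id"]
        if pine_id not in self.subs.get(supi, {}):
            return {"error": "PEGC is not a legal gateway for this PINE"}
        k, rand = self.subs[supi][pine_id], os.urandom(16)
        self.sqn[pine_id] = self.sqn.get(pine_id, 0) + 1
        sqn = self.sqn[pine_id].to_bytes(6, "big")
        ff = f_functions(k, rand)
        autn = xor(sqn, ff["ak"]) + AMF_FIELD + mac_a(k, sqn, rand, AMF_FIELD)
        return {"rand": rand, "autn": autn,
                "xres*": res_star(ff["ck"], ff["ik"], req["sn_name"], rand, ff["res"])}

class AUSF:
    def __init__(self, udm, expected_sn_name):
        self.udm, self.expected_sn_name, self.xres = udm, expected_sn_name, {}

    def authenticate(self, req):
        """Nausf_UEAuthentication_Authenticate (steps 303/304): SN-Name check, 5G SE AV."""
        if req["sn_name"] != self.expected_sn_name:
            return {"error": "Serving network not authorized"}
        he_av = self.udm.get(req)
        if "error" in he_av:
            return he_av
        self.xres[req["pine_id"]] = he_av["xres*"]  # stored, indexed by PINE identifier
        return {"rand": he_av["rand"], "autn": he_av["autn"],
                "hxres*": hres_star(he_av["rand"], he_av["xres*"])}

    def confirm(self, pine_id, rs):
        """Home-network verification (step 602): RES* == stored XRES*, single use."""
        xres = self.xres.pop(pine_id, None)
        return xres is not None and hmac.compare_digest(xres, rs)

class PINE:
    def __init__(self, pine_id, root_key):
        self.pine_id, self.k, self.last_sqn = pine_id, root_key, 0  # k = second credential

    def authenticate(self, rand, autn, sn_name):
        """Verify AUTN (MAC, then SQN freshness) before computing RES*; None = reject."""
        ff = f_functions(self.k, rand)
        sqn, amf, mac = xor(autn[:6], ff["ak"]), autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, mac_a(self.k, sqn, rand, amf)):
            return None  # MAC failure: the challenge did not come from our home network
        if int.from_bytes(sqn, "big") <= self.last_sqn:
            return None  # replayed AUTN
        self.last_sqn = int.from_bytes(sqn, "big")
        return res_star(ff["ck"], ff["ik"], sn_name, rand, ff["res"])

def run(pine, pegc_supi, ausf, sn_name=SN_NAME):
    """SEAF-side flow; the PEGC is a pure relay between NAS and the non-3GPP link."""
    req = {"pine_auth_indicator": True, "pine_id": pine.pine_id,
           "pegc_supi": pegc_supi, "sn_name": sn_name}
    se_av = ausf.authenticate(req)                                 # steps 303-304, 501-502
    if "error" in se_av:
        return {"error": se_av["error"]}
    rs = pine.authenticate(se_av["rand"], se_av["autn"], sn_name)  # 503 and the PINE leg
    if rs is None:
        return {"error": "PINE rejected AUTN"}
    sn_ok = hmac.compare_digest(hres_star(se_av["rand"], rs), se_av["hxres*"])  # step 601
    return {"sn_ok": sn_ok, "hn_ok": ausf.confirm(pine.pine_id, rs)}           # step 602
```

Two details worth noting: the SEAF can only check the hashed value (HRES* against HXRES*) because the AUSF never releases XRES* to the serving network, so a compromised SEAF cannot forge a RES* that the AUSF would accept; and the PINE's AUTN check rejects a replayed challenge before any RES* is computed, which is the freshness verification the text refers to.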
  • the authentication parameters, the expected authentication parameters, the hash authentication parameters and the hash expected authentication parameters are identified by at least one of the following:
  • for example, when the core network equipment stores XRES* or HXRES*, it can index them by the PINE identifier.
  • the PINE identifier and/or PEGC identifier carried in the transmission message can be used for this identification.
  • the transmission message may include at least one of the following: UDM response, the AUSF response, the authentication request, the authentication response, the PINE authentication request, the PINE authentication response, and the AUSF authentication request.
  • at least one of the UDM response, the AUSF response, the authentication request, the authentication response, the PINE authentication request, the PINE authentication response and the AUSF authentication request carries at least one of the following:
  • PINE authentication indicator used to indicate identity authentication of the PINE
  • the PINE authentication indicator can indicate to core network equipment (such as UDM, AUSF, SEAF), PEGC, and PINE that the received message is used for identity authentication of PINE.
  • SUPI can indicate to the core network equipment (such as UDM, AUSF, SEAF), PEGC, and PINE the PEGC connected to the PINE for identity authentication.
  • the core network equipment and/or PINE may send corresponding information to the PEGC indicated by SUPI.
  • at least one of the UDM response, the AUSF response, the authentication request, the PINE authentication request, the PINE authentication response, the authentication response and the AUSF authentication request carries the PINE identifier indicating the PINE.
  • the PINE identifier can indicate to the core network equipment and the PEGC which PINE is being authenticated.
  • the PINE identity is a security-protected PINE identity.
  • Security-protected PINE identifiers may include encrypted PINE identifiers, anonymous PINE identifiers, etc.
  • at least one of the UDM response, the AUSF response, the authentication request, the PINE authentication request, the PINE authentication response, the authentication response and the AUSF authentication request carries the security-protected PINE identifier.
  • the method further includes: in response to the PINE identification being a security-protected PINE identification, restoring the security-protected PINE identification to a plaintext PINE identification;
  • At least one of the UDM response, the AUSF response and the AUSF authentication request carries the PINE identifier in the clear text state
  • At least one of the authentication request, the PINE authentication request, the PINE authentication response, and the authentication response carries the security-protected PINE identifier.
  • when a core network element (such as the UDM) receives the PINE identifier as a protected PINE identifier, it needs to convert the protected PINE identifier into a plain text PINE identifier through de-anonymization, decryption, etc.
  • the PINE identifier in plain text state can be used.
  • alternatively, the protected PINE identifier is used on the SEAF-PEGC-PINE legs, that is, at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries the security-protected PINE identifier.
  • alternatively, the PINE identifier received by the UDM is unprotected information (a PINE identifier in clear text state), and at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries the PINE identifier in plain text.
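One way to realise the "anonymized PINE identifier" variant described above, in which the PEGC and the SEAF only ever see a protected value while the UDM restores the plain text. This is an added example and not the patent's own scheme: the page does not specify how the identifier is anonymized, so the construction here (a fresh random nonce plus an HMAC-SHA-256 tag under a key known only to the home network, resolved by the UDM against its table of registered PINE identifiers) and the 8-byte nonce and 16-byte tag lengths are assumptions made for illustration.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 8, 16  # assumed sizes for this example

def conceal_pine_id(pine_id: str, home_key: bytes) -> bytes:
    """Anonymized PINE identifier: nonce || HMAC-SHA-256(home_key, nonce || id)[:TAG_LEN].
    A fresh nonce per authentication makes two runs by the same PINE unlinkable to
    the PEGC and the SEAF, which hold no home_key and therefore see only an opaque value."""
    nonce = os.urandom(NONCE_LEN)
    tag = hmac.new(home_key, nonce + pine_id.encode(), hashlib.sha256).digest()[:TAG_LEN]
    return nonce + tag

def deconceal_pine_id(protected: bytes, home_key: bytes, registered_ids):
    """UDM-side recovery: recompute the tag for each registered PINE identifier and return
    the plain text identifier that matches; None for an unknown or tampered value."""
    if len(protected) != NONCE_LEN + TAG_LEN:
        return None
    nonce, tag = protected[:NONCE_LEN], protected[NONCE_LEN:]
    for pine_id in registered_ids:
        cand = hmac.new(home_key, nonce + pine_id.encode(), hashlib.sha256).digest()[:TAG_LEN]
        if hmac.compare_digest(cand, tag):
            return pine_id
    return None
```

The cost of this variant is that the UDM's lookup is linear in the number of registered PINEs, which is acceptable for a per-subscription PIN of a few devices but not for a subscriber base; the 5G SUCI avoids that cost by encrypting the identifier with the home network's public key (ECIES) so the SIDF can decrypt it directly, which is the "encrypted PINE identifier" variant the text also allows.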
  • the PINE authentication indicator is used to indicate that the core network device does not perform at least one of the following:
  • in the identity authentication of a UE, the UDM needs to derive Kausf during the authentication process.
  • for the PINE, the UDM may no longer derive Kausf and no longer transmit it, thereby reducing the load on the core network equipment.
  • in the identity authentication of a UE, the authentication server function key KAUSF is used to derive the security anchor function key KSEAF.
  • in the identity authentication of a UE, the AUSF needs to derive Kseaf during the authentication process.
  • for the PINE, the AUSF may no longer derive Kseaf and no longer transmit it, thereby reducing the load on the core network equipment.
  • the key set identifier ngKSI is the identifier of the key set used by the UE in the first type network, and is used to indicate that the first type network uses the same key set as the UE.
  • ABBA parameters are used by AMF network elements to generate KAMF.
  • the key set identifier (ngKSI, key set identifier in 5G) can be used to create a local security context after successful authentication, and the Anti-Bidding down Between Architectures (ABBA) parameter is used to distinguish the security feature set indicated for different releases and avoid confusion.
  • PINE accesses the first type of network through PEGC. Therefore, SEAF can no longer determine the ngKSI and ABBA parameters and no longer transmit them, thereby reducing the load on core network equipment.
  • this exemplary embodiment provides an authentication method that can be executed by the private IoT gateway PEGC of the cellular mobile communication system, including:
  • Step 701 Transmit authentication information during the identity authentication process of PINE by the core network equipment of the first type network, wherein the PINE accesses the first type network through the PEGC, wherein the PINE and the PEGC Connect via a type 2 network.
  • the first type of network includes: the Third Generation Partnership Project 3GPP standard network;
  • the second type of network includes: non-3GPP standard network.
  • the first type of network may be a cellular mobile communication network that complies with 3GPP standards, such as a 5GS network, etc.
  • the second type of network may be a non-3GPP standard network, and the second type of network includes but is not limited to at least one of the following: Wi-Fi network, Bluetooth network, ZigBee, etc.
  • PINE can be communication devices in the Internet of Things that cannot directly access the first type of network (such as 5GS and other cellular mobile communication networks).
  • PINE can be wearable devices, smart home appliances, smart office equipment, etc.
  • the PEGC may be a communication device that can directly access a first-type network (such as a cellular mobile communication network).
  • PEGC can have access capabilities to both Type 1 and Type 2 networks.
  • PEGC can provide gateway services for accessing Category 1 networks (such as cellular mobile communication networks) for communication devices that cannot directly access Category 1 networks (such as PINE).
  • PEGC and communication equipment that cannot directly access the first type of network can be connected through the second type of network.
  • the PEGC includes user equipment UE.
  • the PEGC may be a UE with access capabilities to both the first type of network and the second type of network.
  • PEGC can be a terminal device such as a mobile phone.
  • PINE can access 5GS through PEGC, and 5GS needs to recognize PINE for enhanced management. For example, 5GS needs to determine service quality for different PINEs. Therefore, the identity authentication of PINE can be performed by the core network equipment.
  • the identity authentication of PINE can be performed by the core network equipment.
  • PINE and core network equipment can mutually transmit authentication information that needs to be transmitted during the authentication process through PEGC.
  • the authentication information here can include: PINE identifier, root key (Root Key), etc.
  • After the core network equipment authenticates the PINE, it can implement management that complies with 3GPP requirements for the PINE. For example, corresponding QoS, security policies, etc. can be adopted for PINE data transmission.
  • the identity authentication of PINE by the core network equipment can enable PINE to directly access the cellular mobile communication network.
  • the communication of PINE in the first type network can be managed by the core network equipment, which satisfies the management needs of the core network equipment for devices accessing the first type network, meets PINE's data transmission needs and improves data transmission reliability.
  • the information transmitted during the identity authentication process of PINE by the core network equipment of the first type network includes:
  • the expected authentication parameter can be represented by XRES*
  • the authentication parameter can be represented by RES*
  • the hash expected authentication parameter can be represented by HXRES*
  • the hash authentication parameter can be represented by HRES*.
  • the PINE credentials configured for PINE by the first network may include: a first credential stored in the core network device and a second credential stored in PINE.
  • the first credential is equal to the second credential.
  • PINE credentials can be used as the root key (Root Key) for PINE identity authentication.
  • the first network may be configured for PINE.
  • Different PINE credentials can correspond to different PINEs.
  • the first credential is stored in the core network device.
  • the first credential is stored in UDM.
  • the first credential is determined by the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • the first credential may correspond to the PINE identifier of PINE.
  • the PINE identification may include a protected PINE identification, or a clear PINE identification.
  • the protected PINE identifier may include one of the following: an anonymized PINE identifier; an encrypted PINE identifier.
  • the first credential may correspond to the PINE identifier of PINE and/or the PEGC identifier of PINE's PEGC.
  • the PINE identifier can uniquely identify PINE.
  • the PEGC identifier can uniquely identify PEGC.
  • the core network device may determine the first credential corresponding to the PINE based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • the PINE identifier may be carried by trigger information that triggers the core network device to perform PINE authentication.
  • the trigger information can be Nudm_UEAuthentication_Get Request, etc.
  • the core network device may determine XRES* based on at least the first credential and the calculation parameters.
  • the calculation parameter may be at least one parameter used in the calculation of XRES*.
  • the calculation method used by the core network equipment to determine XRES* can be the same as the calculation method used by PINE to determine RES*.
  • the first credential is determined by the UDM in the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • Trigger information that triggers authentication of PINE can be sent to UDM.
  • the UDM may determine the first credential of the PINE based on the PINE identity and/or the PEGC identity of the PEGC.
  • the first credential can be stored in UDM, and XRES* can be determined by UDM, thereby initiating identity authentication for PINE.
  • XRES* can be compared with the RES* calculated by PINE to confirm whether the second credential of PINE is the same as the first credential in UDM, thereby determining the identity of PINE and completing the identity authentication of the PINE.
  • UDM can include Authentication Credential Storage and Processing Function (ARPF).
  • UDM/ARPF should create a 5G HE AV for PINE based on the locally stored PINE credential, that is, the first credential. UDM/ARPF achieves this by generating AVs with the Authentication Management Field (AMF) separation bit set to "1". UDM/ARPF can then calculate XRES*. UDM/ARPF can create a 5G HE AV, and the 5G HE AV can include: RAND, authentication token AUTN, and XRES*.
  • UDM can also determine whether PEGC is a legal gateway of PINE: First, UDM can determine whether PEGC is a legal gateway in the first type of network based on the judgment information. For example, UDM can make judgments based on PEGC identification. Then UDM can determine whether PEGC is a legal gateway of PINE. For example, it can determine whether PEGC is allowed to connect PINE to the first type network. The UDM may make a determination based on the PEGC identifier, the PINE identifier of the PINE, and the PEGC subscription information. For example, when the PEGC subscription information identified by the PEGC identifier has the PINE identifier of PINE, the PEGC is determined to be the legal gateway of PINE.
  • the judgment information includes at least one of the following: the PEGC identification of the PEGC; the PINE identification of the PINE; and the subscription information of the PEGC.
  • PEGC identification may include: Subscription Concealed Identifier (SUCI) and/or Subscription Permanent Identifier (SUPI).
  • the calculation parameters include at least a random number RAND.
  • the calculation parameters can be random numbers used to calculate XRES*.
  • the information transmitted during the identity authentication process of PINE by the core network device of the first type network includes:
  • Step 801 Send the calculation parameters to the PINE through the second type network
  • Step 802 Receive authentication parameters sent by the PINE through the second type of network, wherein the authentication parameters are determined by the PINE based on at least the second certificate and the calculation parameters;
  • Step 803 Send the authentication parameters to the core network device via the base station through the first type network, where the authentication parameters are used by the core network device to perform identity authentication of the PINE based on at least the expected authentication parameters.
  • the core network equipment can send calculation parameters to PINE's PEGC through the second type network.
  • the calculation parameters can be sent by PEGC to PINE, and PINE determines RES* based on the second credential, calculation parameters, etc.
  • the second credential may be determined by the first network, for example, by a core network device of the first network, and sent by the first network to PINE via PEGC.
  • the core network equipment can determine whether the PINE identity authentication is successful based on the comparison results of RES* and XRES*.
  • if the RES* and XRES* determined from the same calculation parameters are the same, the PINE identity authentication succeeds.
  • if the RES* and XRES* determined from the same calculation parameters are different, the PINE identity authentication fails.
  • performing identity authentication on the PINE based on the RES* and the XRES* may also include:
  • the PINE is authenticated based on the HRES* determined from RES* and the HXRES* determined from XRES*.
  • the calculation parameters sent by the receiving core network device to the PEGC via the base station through the first type network include:
  • the sending of the calculation parameters to the PINE through the second type of network includes:
  • the receiving the authentication parameters sent by the PINE through the second type network includes:
  • the sending of the authentication parameters to the core network device via the base station through the first type network includes:
  • UDM can carry calculation parameters (such as RAND) in the UDM response and send it to AUSF.
  • the UDM response can be Nudm_UEAuthentication_Get Response.
  • UDM can return 5G HE AV to AUSF in Nudm_UEAuthentication_Get Response.
  • 5G HE AV can include: RAND, AUTN and XRES*.
  • the UDM response may carry a PINE authentication indicator indicating identity authentication of the PINE.
  • AUSF may determine the UDM response for authentication to PINE based on the PINE authentication indicator.
  • UDM will include the PINE identifier and PEGC's SUPI in Nudm_UEAuthentication_Get Response after SIDF de-conceals the SUCI.
  • AUSF can store XRES*, the PINE identifier and SUPI. AUSF can then calculate HXRES* from XRES*. AUSF can generate a 5G AV based on the 5G HE AV received from UDM/ARPF by replacing XRES* with HXRES*. The 5G AV can include: RAND, AUTN, HXRES*.
  • AUSF can return 5G SE AV (RAND, AUTN, HXRES*), PINE authentication indicator, PEGC's SUPI, and PINE identification to SEAF in the AUSF response (such as Nausf_UEAuthentication_Authenticate Response).
  • SEAF can store received HXRES*.
  • SEAF can send the PINE authentication indicator, RAND, AUTN, and PINE identification to PEGC in the authentication request (such as NAS message).
  • the authentication request can be an Authentication Request.
  • the PINE authentication request also carries the service network identification (SN-Name).
  • PEGC may forward the SN-name, RAND, AUTN and PINE authentication indicators received in the authentication request to PINE through the secure non-3GPP second network.
  • PEGC may carry calculation parameters and/or the SN-Name in the PINE authentication request.
  • After PINE receives the RAND, AUTN and SN-Name carried in the PINE authentication request, PINE can determine whether it can accept the PINE authentication request by checking the AUTN. For example, PINE can verify the freshness of the received AUTN. If PINE determines that the PINE authentication request is acceptable, then PINE may calculate RES*. For example, PINE can first calculate RES, CK, and IK. The PINE ME can then calculate RES* from RES.
  • After PINE determines RES*, it can send RES* to the core network device.
  • PINE can return a PINE authentication response to PEGC through the secure non-3GPP second type network.
  • the PINE authentication response can include: RES*, PINE identifier and PINE authentication indicator.
  • the PINE authentication response can be PINE Authentication Response.
  • PEGC may send an authentication response to SEAF in a NAS message, where the authentication response may include: RES*, PINE identifier and PINE authentication indicator.
  • the authentication response can be: Authentication Response.
  • SEAF can send RES*, PINE identification, PINE authentication indicator and PEGC's SUPI to AUSF in the AUSF authentication request (Nausf_UEAuthentication_Authenticate Request).
  • the expected authentication parameters are determined by the core network device based on at least the first credential, the calculation parameters and the service network identifier;
  • the authentication parameters are determined by the PINE based on at least the second credential, the calculation parameters and the service network identification.
  • the core network device may determine XRES* based on a predetermined calculation method and at least one of the following:
  • the core network device can send the calculation parameters and/or SN-Name to PINE, and PINE determines RES* in combination with the stored second credential.
  • PINE can determine RES* based on the above-mentioned similar method, which will not be described again here.
  • SEAF can calculate HRES* through RES*, and SEAF can compare HRES* and HXRES*. For example, SEAF may locate PINE's HXRES* based on the PINE identity and/or PEGC's SUPI. If they are consistent, SEAF will consider the authentication successful from the service network's perspective. If not, SEAF can determine that authentication was not successful. If the SEAF never receives the RES*, the SEAF shall consider the authentication to have failed and indicate to the AUSF that the PINE identity authentication failed.
  • When AUSF receives the AUSF authentication request (Nausf_UEAuthentication_Authenticate Request message) including RES* as the authentication confirmation, it can verify whether the 5G AV has expired. If the 5G AV has expired, AUSF may consider the PINE identity authentication unsuccessful. AUSF shall compare the received RES* with the stored XRES*. If RES* and XRES* are equal, the AUSF shall consider the authentication successful from the perspective of the home network. AUSF shall notify UDM of the authentication result.
  • the AUSF can indicate to the SEAF whether the PINE identity authentication is successful from the perspective of the home network in the AUSF authentication response (Nausf_UEAuthentication_Authenticate Response).
  • SEAF can determine HRES* based on RES*
  • AUSF can determine HXRES* based on XRES*
  • SEAF and AUSF can use the SHA-256 hash algorithm to determine HRES* and HXRES* respectively.
  • Parameters used by the SHA-256 hashing algorithm include but are not limited to:
  • HRES* and HXRES* are identified by the 128 least significant bits output by the SHA-256 function.
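The exchange described above (UDM/ARPF building the 5G HE AV from the first credential, the UDM check that the PEGC is a legal gateway of the PINE, AUSF deriving HXRES* and keeping XRES*, SEAF comparing HRES* with HXRES*, and AUSF comparing RES* with XRES*) as an added Python simulation. It is not code from the patent or from 3GPP; the same flow is described again below from the PINE side (step 901 onwards), and this one example covers both. RES*/XRES* and HRES*/HXRES* follow the constructions of 3GPP TS 33.501 Annex A.4 and A.5 (a KDF over CK||IK with FC 0x6B, and the 128 least significant bits of SHA-256(RAND || RES*)); the f1..f4 functions, the subscription records, the PINE identifier, the SUPI and the serving network name are stand-ins constructed for the example and are assumptions, not values from the page.

```python
"""Simulation of the PINE identity authentication flow: UDM/ARPF -> AUSF -> SEAF
-> PEGC -> PINE and back.  Added example, not the patent's or 3GPP's code; the
MILENAGE stand-in, the subscription records and the identifiers are assumptions."""
import hashlib
import hmac
import os

# Constructed home-network data (assumption): the first credential of each
# PINE, and for each PEGC SUPI the PINE identifiers it is subscribed to serve.
PINE_CREDENTIALS = {b"pine-0001": bytes.fromhex("00" * 16)}      # first credential
PEGC_SUBSCRIPTIONS = {"imsi-001010000000001": {b"pine-0001"}}    # PEGC SUPI -> PINEs
SN_NAME = "5G:mnc001.mcc001.3gppnetwork.org"                     # serving network name


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """KDF in the style of TS 33.501 Annex A.1: HMAC-SHA-256(key, FC || P_i || L_i)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def f1_f2_f3_f4(credential: bytes, rand: bytes, sqn_amf: bytes):
    """Stand-in for the MILENAGE functions (ASSUMPTION, not the real f1..f4): keyed
    HMAC-SHA-256 with domain tags, so UDM and PINE derive the same MAC, RES, CK, IK."""
    def f(tag: bytes) -> bytes:
        return hmac.new(credential, tag + rand + sqn_amf, hashlib.sha256).digest()
    return f(b"MAC")[:8], f(b"RES")[:8], f(b"CK")[:16], f(b"IK")[:16]


def res_star(ck: bytes, ik: bytes, sn_name: str, rand: bytes, res: bytes) -> bytes:
    """RES* / XRES* (TS 33.501 A.4): 128 LSB of KDF(CK||IK, 0x6B, SN name, RAND, RES)."""
    return kdf(ck + ik, 0x6B, sn_name.encode(), rand, res)[16:]


def hres_star(rand: bytes, res: bytes) -> bytes:
    """HRES* / HXRES* (TS 33.501 A.5): 128 LSB of SHA-256(RAND || RES*)."""
    return hashlib.sha256(rand + res).digest()[16:]


def udm_generate_he_av(pegc_supi: str, pine_id: bytes, sqn: int = 1):
    """UDM/ARPF: check that the PEGC is a legal gateway of this PINE, then build
    the 5G HE AV (RAND, AUTN, XRES*) with the AMF separation bit set to 1."""
    if pine_id not in PEGC_SUBSCRIPTIONS.get(pegc_supi, set()):
        return None                                  # PEGC may not connect this PINE
    rand = os.urandom(16)
    sqn_amf = sqn.to_bytes(6, "big") + b"\x80\x00"   # SQN || AMF, separation bit = MSB
    mac, res, ck, ik = f1_f2_f3_f4(PINE_CREDENTIALS[pine_id], rand, sqn_amf)
    autn = sqn_amf + mac                             # real AKA also masks SQN with AK
    return {"pine_id": pine_id, "supi": pegc_supi, "rand": rand, "autn": autn,
            "xres*": res_star(ck, ik, SN_NAME, rand, res)}


class AUSF:
    """Home-network side: keeps XRES*, forwards a 5G SE AV carrying HXRES* instead."""
    def __init__(self):
        self.stored = {}                             # (PINE id, PEGC SUPI) -> XRES*

    def on_udm_response(self, he_av: dict) -> dict:
        self.stored[(he_av["pine_id"], he_av["supi"])] = he_av["xres*"]
        se_av = dict(he_av)
        se_av["hxres*"] = hres_star(he_av["rand"], se_av.pop("xres*"))
        return se_av

    def confirm(self, pine_id: bytes, supi: str, res: bytes) -> bool:
        xres = self.stored.pop((pine_id, supi), None)
        return xres is not None and hmac.compare_digest(xres, res)


class SEAF:
    """Serving-network side: keeps HXRES* and RAND, indexed by PINE id and PEGC SUPI."""
    def __init__(self):
        self.stored = {}

    def on_ausf_response(self, se_av: dict) -> dict:
        self.stored[(se_av["pine_id"], se_av["supi"])] = (se_av["hxres*"], se_av["rand"])
        # Authentication Request towards PEGC, which forwards it to the PINE
        return {"pine_id": se_av["pine_id"], "rand": se_av["rand"], "autn": se_av["autn"]}

    def verify(self, pine_id: bytes, supi: str, res: bytes) -> bool:
        entry = self.stored.pop((pine_id, supi), None)
        if entry is None:
            return False                             # nothing expected, or RES* never arrived
        hxres, rand = entry
        return hmac.compare_digest(hxres, hres_star(rand, res))


class PINE:
    """Holds the second credential; checks AUTN (MAC and SQN freshness), returns RES*."""
    def __init__(self, second_credential: bytes):
        self.cred, self.last_sqn = second_credential, 0

    def on_auth_request(self, rand: bytes, autn: bytes, sn_name: str):
        sqn_amf, mac = autn[:8], autn[8:]
        exp_mac, res, ck, ik = f1_f2_f3_f4(self.cred, rand, sqn_amf)
        sqn = int.from_bytes(sqn_amf[:6], "big")
        if not hmac.compare_digest(mac, exp_mac) or sqn <= self.last_sqn:
            return None                              # reject: bad MAC or replayed SQN
        self.last_sqn = sqn
        return res_star(ck, ik, sn_name, rand, res)


def run_authentication(pegc_supi: str, pine_id: bytes, second_credential: bytes):
    """One full run; returns (SEAF verdict, AUSF verdict), or None if UDM rejects the PEGC."""
    ausf, seaf, pine = AUSF(), SEAF(), PINE(second_credential)
    he_av = udm_generate_he_av(pegc_supi, pine_id)
    if he_av is None:
        return None
    request = seaf.on_ausf_response(ausf.on_udm_response(he_av))
    res = pine.on_auth_request(request["rand"], request["autn"], SN_NAME)
    if res is None:
        return (False, False)
    return (seaf.verify(pine_id, pegc_supi, res),     # HRES* vs HXRES* (serving network)
            ausf.confirm(pine_id, pegc_supi, res))    # RES* vs XRES* (home network)
```

A run with matching first and second credentials yields a positive verdict from both SEAF and AUSF; a PINE holding a different credential fails already at the AUTN check, and a PEGC whose subscription does not list the PINE is refused by UDM before any vector is generated. Both stored values are popped on use, so a second response for the same PINE cannot be replayed against the same vector.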
  • the authentication parameters, the expected authentication parameters, the hash authentication parameters and the hash expected authentication parameters are identified by at least one of the following:
  • when the core network equipment stores RES* or XRES*, the stored value can be identified by the PINE identifier; for example, SEAF can use the PINE identifier when storing XRES* and HXRES*.
  • the PINE identifier and/or PEGC identifier carried in the transmission message can be used for identification.
  • the transmission message may include at least one of the following: UDM response, the AUSF response, the authentication request, the authentication response, the PINE authentication request, the PINE authentication response, and the AUSF authentication request.
  • At least one of the authentication request, the authentication response, the PINE authentication request and the PINE authentication response carries at least one of the following:
  • PINE authentication indicator used to indicate identity authentication of the PINE
  • the PINE authentication indicator can indicate to core network equipment (such as UDM, AUSF, SEAF), PEGC, and PINE that the received message is used for identity authentication of PINE.
  • SUPI can indicate to the core network equipment (such as UDM, AUSF, SEAF), PEGC, and PINE the PEGC connected to the PINE for identity authentication.
  • the core network equipment and/or PINE may send corresponding information to the PEGC indicated by SUPI.
  • At least one of the authentication request, the PINE authentication request, the PINE authentication response, and the authentication response carries a PINE identifier indicating the PINE.
  • the PINE authentication indicator can indicate the PINE for identity authentication to the core network equipment and PEGC.
  • the PINE identity is a security-protected PINE identity.
  • Security-protected PINE identifiers may include encrypted PINE identifiers, anonymous PINE identifiers, etc.
  • at least one of the UDM response, the AUSF response, the authentication request, the PINE authentication request, the PINE authentication response, the authentication response and the AUSF authentication request carries the security-protected PINE identifier.
  • the PINE identity is a security-protected PINE identity.
  • when a core network network element (such as UDM) receives the PINE identifier as a protected PINE identifier, it needs to convert the protected PINE identifier into a plain-text PINE identifier through deanonymization, decryption, etc.
  • the PINE identifier in plain text state can be used.
  • at least one of the authentication request, the PINE authentication request, the PINE authentication response, and the authentication response carries the security-protected PINE identity.
  • the protected PINE identifier can be used. That is, a protected PINE identifier is used in the communications among SEAF, PEGC and PINE; for example, at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries the security-protected PINE identifier.
  • the PINE identifier received by UDM is unprotected information (that is, the PINE identifier in plain text state).
  • at least one of the authentication request, the PINE authentication request, the PINE authentication response, and the authentication response carries a PINE identifier in plain text.
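The two arrangements described above (a protected PINE identifier on the SEAF-PEGC-PINE leg, with UDM converting it back to plain text before looking up the first credential, or a plain-text identifier throughout) as an added Python example that is not part of the patent. The keyed HMAC pseudonym standing in for the "anonymized PINE identifier", the home-network key, the identifiers and the credentials are assumptions constructed for the example.

```python
"""Protected PINE identifier between SEAF, PEGC and PINE; plain-text identifier
inside the home network (UDM).  Added example, not the patent's code; the keyed
pseudonym scheme, the key and the subscriber records are assumptions."""
import hashlib
import hmac

HOME_ANON_KEY = bytes.fromhex("11" * 32)                      # constructed UDM-side key
PINE_CREDENTIALS = {"pine-0001": bytes.fromhex("00" * 16),    # constructed first credentials
                    "pine-0002": bytes.fromhex("22" * 16)}


def anonymize_pine_id(plain_id: str) -> str:
    """Anonymized PINE identifier: keyed HMAC pseudonym (assumption for this example)."""
    digest = hmac.new(HOME_ANON_KEY, plain_id.encode(), hashlib.sha256).hexdigest()
    return "anon-" + digest[:16]


def is_protected(pine_id: str) -> bool:
    return pine_id.startswith("anon-")


def udm_deanonymize(protected_id: str):
    """UDM recovers the plain-text identifier by matching the pseudonym against
    its own subscriber list (a real deployment would keep a reverse index)."""
    for plain_id in PINE_CREDENTIALS:
        if hmac.compare_digest(anonymize_pine_id(plain_id), protected_id):
            return plain_id
    return None


def udm_first_credential(pine_id: str):
    """UDM lookup: accepts either form and converts a protected identifier first."""
    plain_id = udm_deanonymize(pine_id) if is_protected(pine_id) else pine_id
    return None if plain_id is None else PINE_CREDENTIALS.get(plain_id)


def build_pine_authentication_request(rand_hex: str, autn_hex: str, plain_id: str) -> dict:
    """The message PEGC forwards to PINE over the non-3GPP leg: protected identifier only."""
    return {"pine_id": anonymize_pine_id(plain_id), "rand": rand_hex,
            "autn": autn_hex, "pine_auth_indicator": True}


def leaks_plain_id(message: dict, plain_id: str) -> bool:
    """Check for the non-3GPP leg: the clear PINE identifier must not appear in the message."""
    return any(plain_id in str(value) for value in message.values())
```

The lookup in `udm_first_credential` is the point where the home network needs the plain-text identifier; every message on the PEGC and PINE side carries only the pseudonym, and `leaks_plain_id` is the check to run on those messages.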
  • UDM needs to determine the Kausf during the identity authentication process.
  • the UDM can determine the Kausf and no longer transmit the Kausf, thereby reducing the load on the core network equipment.
  • the authentication server function key Kausf is used to generate the security anchor function key Kseaf.
  • AUSF needs to determine Kseaf during the identity authentication process.
  • AUSF can determine Kseaf and no longer transmit Kseaf, thereby reducing the load on core network equipment.
  • the key set identifier ngKSI is the identifier of the key set used by the UE in the first type network, and is used to indicate that the first type network uses the same key set as the UE.
  • ABBA parameters are used by AMF network elements to generate KAMF.
  • the key set identifier (ngKSI, key set identifier in 5G) can be used to create a local security context after successful authentication, and the anti-bidding down between architectures (ABBA) parameter can be used to differentiate security feature indication parameters between versions to prevent confusion.
  • PINE accesses the first type of network through PEGC. Therefore, SEAF can no longer determine the ngKSI and ABBA parameters and no longer transmit them, thereby reducing the load on the core network equipment.
  • this exemplary embodiment provides an authentication method that can be executed by PINE, including:
  • Step 901 Transmit authentication information during the identity authentication process of the PINE by the core network equipment of the first type network, wherein the PINE accesses the first type network through the private Internet of Things gateway PEGC, and the PINE is connected to the PEGC via a second type network.
  • the first type of network includes: the Third Generation Partnership Project 3GPP standard network;
  • the second type of network includes: non-3GPP standard network.
  • the first type of network may be a cellular mobile communication network that complies with 3GPP standards, such as a 5GS network, etc.
  • the second type of network may be a non-3GPP standard network, and the second type of network includes but is not limited to at least one of the following: Wi-Fi network, Bluetooth network, ZigBee, etc.
  • PINE can be communication devices in the Internet of Things that cannot directly access the first type of network (such as 5GS and other cellular mobile communication networks).
  • PINE can be wearable devices, smart home appliances, smart office equipment, etc.
  • the PEGC may be a communication device that can directly access a first-type network (such as a cellular mobile communication network).
  • PEGC can have access capabilities to both the first type network and the second type network.
  • PEGC can provide gateway services for accessing the first type network (such as cellular mobile communication networks) to communication devices that cannot directly access the first type network (such as PINE).
  • PEGC and communication equipment that cannot directly access the first type of network can be connected through the second type of network.
  • the PEGC includes user equipment UE.
  • the PEGC may be a UE with access capabilities to both the first type of network and the second type of network.
  • PEGC can be a terminal device such as a mobile phone.
  • PINE can access 5GS through PEGC, and 5GS needs to recognize PINE for enhanced management. For example, 5GS needs to determine service quality for different PINEs. Therefore, the identity authentication of PINE can be performed by the core network equipment.
  • the identity authentication of PINE can be performed by the core network equipment.
  • PINE and core network equipment can mutually transmit authentication information that needs to be transmitted during the authentication process through PEGC.
  • the authentication information here can include: PINE identifier, root key (Root Key), etc.
  • After the core network equipment authenticates the PINE, it can implement management that complies with 3GPP requirements for the PINE. For example, corresponding QoS, security policies, etc. can be adopted for PINE data transmission.
  • the identity authentication of PINE by the core network equipment can enable PINE to directly access the cellular mobile communication network.
  • the communication of PINE in the first type network can be managed by the core network equipment, which satisfies the management needs of the core network equipment for devices accessing the first type network, meets PINE's data transmission needs and improves data transmission reliability.
  • the authentication information transmitted during the identity authentication process of the PINE by the core network equipment of the first type network includes:
  • the calculation parameters sent by the PEGC are received through the second type of network, where the calculation parameters are sent by the core network equipment to the PEGC via the base station through the first type network, where the calculation parameters are used by The core network device determines expected authentication parameters in combination with at least the first credential, where the expected authentication parameters are used for the core network device to perform identity authentication on the PINE.
  • the expected authentication parameter can be represented by XRES*
  • the authentication parameter can be represented by RES*
  • the hash expected authentication parameter can be represented by HXRES*
  • the hash authentication parameter can be represented by HRES*.
  • the PINE credentials configured for PINE by the first network may include: a first credential stored in the core network device and a second credential stored in PINE.
  • the first credential is equal to the second credential.
  • PINE credentials can be used as the root key (Root Key) for PINE identity authentication.
  • the first network may be configured for PINE.
  • Different PINE credentials can correspond to different PINEs.
  • the first credential is stored in the core network device.
  • the first credential is stored in UDM.
  • the first credential is determined by the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • the first credential may correspond to the PINE identifier of PINE.
  • the PINE identification may include a protected PINE identification, or a clear PINE identification.
  • the protected PINE identifier may include one of the following: an anonymized PINE identifier; an encrypted PINE identifier.
  • the first credential may correspond to the PINE identifier of PINE and/or the PEGC identifier of PINE's PEGC.
  • the PINE identifier can uniquely identify PINE.
  • the PEGC identifier can uniquely identify PEGC.
  • the core network device may determine the first credential corresponding to the PINE based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • the PINE identifier may be carried by trigger information that triggers the core network device to perform PINE authentication.
  • the trigger information can be Nudm_UEAuthentication_Get Request, etc.
  • the core network device may determine XRES* based on at least the first credential and the calculation parameters.
  • the calculation parameter may be at least one parameter used in the calculation of XRES*.
  • the calculation method used by the core network equipment to determine XRES* can be the same as the calculation method used by PINE to determine RES*.
  • the first credential is determined by the UDM in the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • Trigger information that triggers authentication of PINE can be sent to UDM.
  • the UDM may determine the first credential of the PINE based on the PINE identity and/or the PEGC identity of the PEGC.
  • the first credential can be stored in UDM, and XRES* can be determined by UDM, thereby initiating identity authentication for PINE.
  • XRES* can be compared with the RES* calculated by PINE to confirm whether the second credential of PINE is the same as the first credential in UDM, thereby determining the identity of PINE and completing the identity authentication of the PINE.
  • UDM can include Authentication Credential Storage and Processing Function (ARPF).
  • UDM/ARPF should create a 5G HE AV for PINE based on the locally stored PINE credential, that is, the first credential. UDM/ARPF achieves this by generating AVs with the Authentication Management Field (AMF) separation bit set to "1". UDM/ARPF can then calculate XRES*. UDM/ARPF can create a 5G HE AV, and the 5G HE AV can include: RAND, authentication token AUTN, and XRES*.
  • UDM can also determine whether PEGC is a legal gateway of PINE: First, UDM can determine whether PEGC is a legal gateway in the first type of network based on the judgment information. For example, UDM can make judgments based on PEGC identification. Then UDM can determine whether PEGC is a legal gateway of PINE. For example, it can determine whether PEGC is allowed to connect PINE to the first type network. The UDM may make a determination based on the PEGC identifier, the PINE identifier of the PINE, and the PEGC subscription information. For example, when the PEGC subscription information identified by the PEGC identifier has the PINE identifier of PINE, the PEGC is determined to be the legal gateway of PINE.
  • the judgment information includes at least one of the following: the PEGC identification of the PEGC; the PINE identification of the PINE; and the subscription information of the PEGC.
  • PEGC identification may include: Subscription Concealed Identifier (SUCI) and/or Subscription Permanent Identifier (SUPI).
  • the calculation parameters include at least a random number RAND.
  • the calculation parameters can be random numbers used to calculate XRES*.
  • the method further includes: determining authentication parameters based on at least the second credential and the calculation parameters;
  • the authentication information transmitted during the identity authentication process of the PINE by the core network equipment of the first type network includes:
  • the RES* is sent to the PEGC through the second type network, and the RES* is used to be sent by the PEGC to the core network device via the base station through the first type network.
  • the core network device performs identity authentication of the PINE based on at least the RES* and the expected authentication parameters.
  • the core network equipment can send calculation parameters to PINE's PEGC through the second type network.
  • the calculation parameters can be sent by PEGC to PINE, and PINE determines RES* based on the second credential, calculation parameters, etc.
  • the second credential may be determined by the first network, for example, by a core network device of the first network, and sent by the first network to PINE via PEGC.
  • the core network equipment can determine whether the PINE identity authentication is successful based on the comparison results of RES* and XRES*.
  • if the RES* and XRES* determined from the same calculation parameters are the same, the PINE identity authentication succeeds.
  • if the RES* and XRES* determined from the same calculation parameters are different, the PINE identity authentication fails.
  • performing identity authentication on the PINE based on the RES* and the XRES* may also include:
  • the PINE is authenticated based on the HRES* determined from RES* and the HXRES* determined from XRES*.
  • receiving the calculation parameters sent by the PEGC through the second type of network includes:
  • the sending of the authentication parameters to the PEGC through the second type network includes:
  • a PINE authentication response carrying the authentication parameters is sent to the PEGC through the second type network.
  • UDM can carry calculation parameters (such as RAND) in the UDM response and send it to AUSF.
  • the UDM response can be Nudm_UEAuthentication_Get Response.
  • UDM can return 5G HE AV to AUSF in Nudm_UEAuthentication_Get Response.
  • 5G HE AV can include: RAND, AUTN and XRES*.
  • the UDM response may carry a PINE authentication indicator indicating identity authentication of the PINE.
  • AUSF may determine the UDM response for authentication to PINE based on the PINE authentication indicator.
  • UDM will include the PINE identifier and PEGC's SUPI in Nudm_UEAuthentication_Get Response after SIDF de-conceals the SUCI.
  • AUSF can store XRES*, the PINE identifier and SUPI. AUSF can then calculate HXRES* from XRES*. AUSF can generate a 5G AV based on the 5G HE AV received from UDM/ARPF by replacing XRES* with HXRES*. The 5G AV can include: RAND, AUTN, HXRES*.
  • AUSF can return 5G SE AV (RAND, AUTN, HXRES*), PINE authentication indicator, PEGC's SUPI, and PINE identification to SEAF in the AUSF response (such as Nausf_UEAuthentication_Authenticate Response).
  • SEAF can store received HXRES*.
  • SEAF can send the PINE authentication indicator, RAND, AUTN, and PINE identification to PEGC in the authentication request (such as NAS message).
  • the authentication request can be an Authentication Request.
  • the PINE authentication request also carries the service network identification (SN-Name).
  • PEGC may forward the SN-name, RAND, AUTN and PINE authentication indicators received in the authentication request to PINE through the secure non-3GPP second network.
  • PEGC may carry calculation parameters and/or the SN-Name in the PINE authentication request.
  • After PINE receives the RAND, AUTN and SN-Name carried in the PINE authentication request, PINE can determine whether it can accept the PINE authentication request by checking the AUTN. For example, PINE can verify the freshness of the received AUTN. If PINE determines that the PINE authentication request is acceptable, then PINE may calculate RES*. For example, PINE can first calculate RES, CK, and IK. The PINE ME can then calculate RES* from RES.
  • After PINE determines RES*, it can send RES* to the core network device.
  • PINE can return a PINE authentication response to PEGC through the secure non-3GPP second type network.
  • the PINE authentication response can include: RES*, PINE identifier and PINE authentication indicator.
  • the PINE authentication response can be PINE Authentication Response.
  • PEGC may send an authentication response to SEAF in a NAS message, where the authentication response may include: RES*, PINE identifier and PINE authentication indicator.
  • the authentication response can be: Authentication Response.
• SEAF can send RES*, the PINE identifier, the PINE authentication indicator and the PEGC's SUPI to AUSF in the AUSF authentication request (Nausf_UEAuthentication_Authenticate Request).
  • the expected authentication parameters are determined based on at least the first credential, the calculation parameters and a service network identification;
  • Determining authentication parameters based on at least the second credential and the calculation parameters includes:
  • the authentication parameters are determined based on at least the second credential, the calculation parameters and a service network identification.
  • the core network device may determine XRES* based on a predetermined calculation method and at least one of the following:
• the core network device can send the calculation parameters and/or SN-Name to PINE, and PINE determines RES* from them together with the stored second credential.
  • PINE can determine RES* based on the above-mentioned similar method, which will not be described again here.
• SEAF can calculate HRES* from RES* and compare HRES* with HXRES*. For example, SEAF may locate the PINE's HXRES* based on the PINE identifier and/or the PEGC's SUPI. If they match, SEAF considers the authentication successful from the serving network's perspective; if not, SEAF determines that authentication was not successful. If the SEAF never receives the RES*, the SEAF shall consider the authentication to have failed and indicate to the AUSF that the PINE identity authentication failed.
• When AUSF receives the AUSF authentication request (Nausf_UEAuthentication_Authenticate Request message) including RES* as the authentication confirmation, it can verify whether the 5G AV has expired. If the 5G AV has expired, AUSF may consider the PINE identity authentication unsuccessful. AUSF shall compare the received RES* with the stored XRES*. If RES* and XRES* are equal, the AUSF shall consider the authentication successful from the perspective of the home network. AUSF shall notify UDM of the authentication result.
  • the AUSF can indicate to the SEAF whether the PINE identity authentication is successful from the perspective of the home network in the AUSF authentication response (Nausf_UEAuthentication_Authenticate Response).
  • SEAF can determine HRES* based on RES*
  • AUSF can determine HXRES* based on XRES*
  • SEAF and AUSF can use the SHA-256 hash algorithm to determine HRES* and HXRES* respectively.
  • Parameters used by the SHA-256 hashing algorithm include but are not limited to:
  • HRES* and HXRES* are identified by the 128 least significant bits output by the SHA-256 function.
  • the authentication parameters, the expected authentication parameters, the hash authentication parameters and the hash expected authentication parameters are identified by at least one of the following:
• When the core network equipment stores XRES* and HXRES*, it can index them by the PINE identifier; for example, the AUSF can key the stored XRES*, and the SEAF the stored HXRES*, on the PINE identifier.
• the PINE identifier and/or PEGC identifier carried in the transmission message can be used for this identification.
  • the transmission message may include at least one of the following: UDM response, the AUSF response, the authentication request, the authentication response, the PINE authentication request, the PINE authentication response, and the AUSF authentication request.
  • the PINE authentication request and/or the PINE authentication response carries at least one of the following:
  • PINE authentication indicator used to indicate identity authentication of the PINE
  • the PINE authentication indicator can indicate to core network equipment (such as UDM, AUSF, SEAF), PEGC, and PINE that the received message is used for identity authentication of PINE.
• the SUPI indicates to the core network equipment (such as UDM, AUSF, SEAF), the PEGC and the PINE which PEGC the PINE under authentication is connected through.
  • the core network equipment and/or PINE may send corresponding information to the PEGC indicated by SUPI.
  • the PINE authentication request and/or the PINE authentication response carries a PINE identifier indicating the PINE.
• the PINE identifier indicates to the core network equipment and the PEGC which PINE is being authenticated.
  • the PINE identity is a security-protected PINE identity.
  • Security-protected PINE identifiers may include encrypted PINE identifiers, anonymous PINE identifiers, etc.
• At least one of the UDM response, the AUSF response, the authentication request, the PINE authentication request, the PINE authentication response, the authentication response and the AUSF authentication request carries the security-protected PINE identifier.
• When a core network element (such as the UDM) receives a protected PINE identifier, it must first recover the plaintext PINE identifier from it by de-anonymization, decryption, etc.
• Within the core network, the plaintext PINE identifier can then be used.
  • at least one of the authentication request, the PINE authentication request, the PINE authentication response, and the authentication response carries the security-protected PINE identity.
• Alternatively, the protected PINE identifier can be used throughout. That is, in the three-party SEAF-PEGC-PINE exchange the protected PINE identifier is used: at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries the security-protected PINE identifier.
• the PINE identifier received by UDM is unprotected information (that is, the PINE identifier in plaintext state).
  • at least one of the authentication request, the PINE authentication request, the PINE authentication response, and the authentication response carries a PINE identifier in plain text.
• In ordinary 5G AKA the UDM derives KAUSF during the identity authentication process.
• Here the UDM can omit deriving KAUSF and no longer transmit it, which reduces the load on core network equipment.
• In ordinary 5G AKA the AUSF derives the security anchor function key KSEAF from the authentication service function key KAUSF during the identity authentication process.
• Here the AUSF can omit deriving KSEAF and no longer transmit it, which reduces the load on core network equipment.
• the key set identifier ngKSI identifies the key set used by the UE in the first type network and indicates that the first type network uses the same key set as the UE.
• the ABBA parameter is used by the AMF network element to generate KAMF.
• The key set identifier (ngKSI, key set identifier in 5G) is used to create a local security context after successful authentication, and the Anti-Bidding down Between Architectures (ABBA) parameter distinguishes the security features of different architecture versions so that they cannot be confused (bidding down).
• PINE accesses the first type network only through the PEGC. Therefore the SEAF can omit determining the ngKSI and ABBA parameters and no longer transmit them, which reduces the load on core network equipment.
• PINE authentication is shown in Figure 10. Here it is assumed that the PINE identifier is encrypted; the UDM can call a function to decrypt the encrypted PINE identifier.
• the UDM can identify the PINE's credential based on the decrypted PINE identifier or the PINE identifier. It is also assumed that PINE connects to PEGC via secure non-3GPP access.
  • PINE identity authentication specifically includes
• Step 1001 Generate the 5G HE AV. It is assumed that the UDM can identify the PINE credential based on the decrypted PINE identifier or the PINE identifier. It is also assumed that PINE connects to PEGC via secure non-3GPP access. For each Nudm_Authenticate_Get request shown in Figure 3, UDM/ARPF creates a 5G HE AV based on the locally stored PINE credential. UDM/ARPF does this by generating an AV with the Authentication Management Field (AMF) "separation bit" set to "1", as defined in TS 33.102 [9]. UDM/ARPF then calculates XRES* (according to Annex A.4 of TS 33.501).
  • UDM/ARPF can create a 5G HE AV from RAND, AUTN and XRES*.
• Step 1002 If the PINE identifier is a protected PINE identifier (such as an anonymous PINE identifier or an encrypted PINE identifier), the UDM first de-conceals and/or decrypts it. The UDM then returns the 5G HE AV and the PINE authentication indicator to the AUSF in the Nudm_UEAuthentication_Get response, together with the indication that the 5G HE AV is to be used for 5G AKA.
  • UDM will include the PINE identifier and PEGC's SUPI in the Nudm_UEAuthentication_Get response after SIDF deconceals the SUCI.
  • Step 1003 The AUSF may temporarily store the XRES* together with the received PINE identifier and the SUPI of the PEGC.
  • Step 1004 The AUSF may generate 5G AV from the 5G HE AV received from UDM/ARPF by calculating HXRES* from XRES* (according to Annex A.5 of 33.501[1]) and replacing XRES* with HXRES*.
• Step 1005 AUSF can return the 5G SE AV (RAND, AUTN, HXRES*), the PINE authentication indicator, the PEGC's SUPI and the PINE identifier to SEAF in the Nausf_UEAuthentication_Authenticate response.
• Step 1006 SEAF can send the PINE authentication indicator, RAND, AUTN and the PINE identifier to PEGC in the NAS message Authentication Request. If the PINE identifier that the PEGC sent to the SEAF was a protected PINE identifier, the SEAF sends the protected PINE identifier back to the PEGC here.
  • Step 1007 PEGC may forward the SN-Name, RAND, AUTN and PINE authentication indicator received in the NAS message Authentication Request to PINE through the PINE Authentication Request over a secure non-3GPP connection.
• Step 1008 Upon receiving RAND, AUTN and SN-Name, PINE verifies the freshness of the received values by checking whether the AUTN is acceptable, as described in TS 33.102 [9]. If so, PINE calculates RES, CK and IK, and then derives the authentication response RES* from RES according to Annex A.4 of TS 33.501.
• Step 1009 PINE returns RES*, the PINE identifier and the PINE authentication indicator to PEGC via secure non-3GPP access.
• Step 1010 PEGC sends RES*, the PINE identifier, the PEGC identifier and the PINE authentication indicator to SEAF in the NAS message Authentication Response.
• Step 1011 SEAF then calculates HRES* from RES* in accordance with Annex A.5 of TS 33.501 and compares HRES* with HXRES*. To do so, SEAF locates the HXRES* stored for the specific PINE based on the PINE identifier and the PEGC's SUPI. If they match, SEAF considers the authentication successful from the serving network's perspective. If not, SEAF proceeds in accordance with subclause 6.1.3.2.2 of TS 33.501. If the PINE is not reached and SEAF never receives a RES*, SEAF treats the authentication as a failure and indicates the failure to AUSF.
• Step 1012 SEAF sends RES*, the PEGC's SUPI, the PINE identifier and the PINE authentication indicator to AUSF in the Nausf_UEAuthentication_Authenticate Request message.
• Step 1013 When AUSF receives the Nausf_UEAuthentication_Authenticate Request message including RES* as the authentication confirmation, it verifies whether the 5G AV has expired. If the 5G AV has expired, the AUSF considers the authentication unsuccessful from the home network perspective. AUSF compares the received RES* with the stored XRES*; if RES* and XRES* are equal, the AUSF considers the authentication successful from the perspective of the home network. AUSF notifies UDM of the authentication result.
• Step 1014 The AUSF indicates to the SEAF in the Nausf_UEAuthentication_Authenticate Response whether the authentication is successful from the home network perspective.
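The following is an added example, not code from the patent, that runs the summary bullets above (UDM response through AUSF confirmation) and Steps 1001-1014 of Figure 10 end to end. The derivations it uses are the standard ones the text cites: (X)RES* from TS 33.501 Annex A.4 (KDF of TS 33.220, FC = 0x6B, key CK || IK, inputs SN-Name, RAND, RES, 128 least significant bits kept) and H(X)RES* from Annex A.5 (128 least significant bits of SHA-256 over RAND || (X)RES*). Everything else is an assumption of the example: the f1-f4 functions are a hypothetical HMAC stand-in for MILENAGE, SQN travels in AUTN unmasked, the message carriage (NAS, Nudm_*, Nausf_*) is replaced by direct calls, and the names UDM, PINE, run_flow, the PINE identifier pine-1 and the SUPI value are the example's own.

```python
"""PINE authentication through a PEGC, modelled on 5G AKA (TS 33.501 clause 6.1.3.2).

Added example, not the patent's own code. Message transport (NAS, Nudm_*, Nausf_*)
is replaced by direct function calls; f1-f4 are a hypothetical HMAC stand-in for
MILENAGE; SQN travels in the clear (no AK masking) for brevity.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# AMF with the separation bit (bit 0, the most significant bit) set to 1,
# as the text requires for 5G authentication vectors.
AMF_SEPARATION_BIT = b"\x80\x00"


def kdf_33220(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF of TS 33.220 Annex B.2: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # Li = 2-octet big-endian length of Pi
    return hmac.new(key, s, hashlib.sha256).digest()


def res_star(ck: bytes, ik: bytes, sn_name: bytes, rand: bytes, res: bytes) -> bytes:
    """(X)RES* per TS 33.501 Annex A.4: FC = 0x6B, key = CK || IK, P0 = SN-Name, P1 = RAND,
    P2 = RES; the result is the 128 least significant bits of the KDF output."""
    return kdf_33220(ck + ik, 0x6B, sn_name, rand, res)[16:]


def hres_star(rand: bytes, res_s: bytes) -> bytes:
    """H(X)RES* per TS 33.501 Annex A.5: 128 least significant bits of SHA-256(RAND || (X)RES*)."""
    return hashlib.sha256(rand + res_s).digest()[16:]


def f1_f4(k: bytes, rand: bytes, sqn: bytes, amf: bytes) -> tuple[bytes, bytes, bytes, bytes]:
    """Hypothetical stand-in for MILENAGE f1..f4; returns (MAC, RES, CK, IK). Not a 3GPP algorithm."""
    def prf(tag: bytes, data: bytes) -> bytes:
        return hmac.new(k, tag + data, hashlib.sha256).digest()
    return (prf(b"f1", sqn + rand + amf)[:8], prf(b"f2", rand)[:8],
            prf(b"f3", rand)[:16], prf(b"f4", rand)[:16])


class UDM:
    """Home network side: holds the first credential (K) and an SQN counter per PINE identifier."""

    def __init__(self, credentials: dict[bytes, bytes]) -> None:
        self.k = dict(credentials)
        self.sqn = {pid: 0 for pid in credentials}

    def generate_he_av(self, pine_id: bytes, sn_name: bytes, rand: bytes | None = None) -> dict:
        """Step 1001: 5G HE AV = (RAND, AUTN, XRES*) from the credential located by the PINE identifier."""
        k = self.k[pine_id]  # KeyError: no credential for this (deconcealed) PINE identifier
        self.sqn[pine_id] += 1
        sqn = self.sqn[pine_id].to_bytes(6, "big")
        rand = rand if rand is not None else secrets.token_bytes(16)
        mac, res, ck, ik = f1_f4(k, rand, sqn, AMF_SEPARATION_BIT)
        autn = sqn + AMF_SEPARATION_BIT + mac
        return {"rand": rand, "autn": autn, "xres_star": res_star(ck, ik, sn_name, rand, res)}


class PINE:
    """Device side: holds the second credential (K) and the highest SQN it has accepted."""

    def __init__(self, k: bytes) -> None:
        self.k = k
        self.last_sqn = 0

    def respond(self, rand: bytes, autn: bytes, sn_name: bytes) -> bytes | None:
        """Step 1008: accept AUTN only if its MAC verifies and SQN is fresh, then return RES*."""
        sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
        exp_mac, res, ck, ik = f1_f4(self.k, rand, sqn, amf)
        if not hmac.compare_digest(mac, exp_mac) or int.from_bytes(sqn, "big") <= self.last_sqn:
            return None  # rejected: no RES* is sent, so the SEAF will never receive one
        self.last_sqn = int.from_bytes(sqn, "big")
        return res_star(ck, ik, sn_name, rand, res)


def run_flow(udm: UDM, pine: PINE, pine_id: bytes, pegc_supi: str, sn_name: bytes,
             rand: bytes | None = None, av_expired: bool = False) -> tuple[bool, bool]:
    """Steps 1001-1014 end to end; returns (SEAF verdict, AUSF verdict)."""
    he_av = udm.generate_he_av(pine_id, sn_name, rand)                 # 1001-1002: UDM -> AUSF
    ausf_store = {(pine_id, pegc_supi): he_av["xres_star"]}            # 1003: AUSF keeps XRES*
    hxres = hres_star(he_av["rand"], he_av["xres_star"])                # 1004: 5G SE AV carries HXRES*
    seaf_store = {(pine_id, pegc_supi): hxres}                         # 1005: SEAF keeps HXRES*
    # 1006-1007: SEAF -> PEGC (NAS Authentication Request) -> PINE (PINE Authentication Request);
    # the PEGC only forwards RAND, AUTN and SN-Name and never holds K.
    res_s = pine.respond(he_av["rand"], he_av["autn"], sn_name)         # 1008
    if res_s is None:                                                  # 1011: RES* never arrives
        return False, False
    # 1009-1011: PINE -> PEGC -> SEAF; HXRES* is looked up by (PINE identifier, PEGC SUPI)
    seaf_ok = hmac.compare_digest(hres_star(he_av["rand"], res_s), seaf_store[(pine_id, pegc_supi)])
    # 1012-1014: SEAF -> AUSF; the AUSF rejects an expired AV, then compares RES* with XRES*
    ausf_ok = (not av_expired) and hmac.compare_digest(res_s, ausf_store[(pine_id, pegc_supi)])
    return seaf_ok, ausf_ok


if __name__ == "__main__":
    K = bytes(range(32))  # constructed shared long-term credential
    udm, pine = UDM({b"pine-1": K}), PINE(K)
    print(run_flow(udm, pine, b"pine-1", "imsi-001010000000001", b"5G:mnc001.mcc001.3gppnetwork.org"))
```

Two behaviours worth noticing when running it: a captured (RAND, AUTN) pair replayed to the PINE is refused by the SQN check, so the PEGC has nothing to forward and the SEAF's "never received RES*" branch fires; and an expired AV is caught only at the AUSF, so the serving network verdict can be positive while the home network verdict is negative, which is why both results are returned separately. Both comparisons use hmac.compare_digest rather than ==, so the check does not leak through timing.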
• this exemplary embodiment provides an authentication device 100, which can be implemented in the core network equipment of the cellular mobile communication system and includes:
  • the processing module 110 is configured to perform identity authentication on PINE, wherein the PINE accesses the first type of network through a private Internet of Things gateway PEGC, and wherein the PINE and the PEGC are connected through a second type of network.
  • processing module 110 is specifically configured as:
  • identity authentication is performed on the PINE.
  • the first credential is stored in the core network device.
• the first credential is determined by the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • the device 100 further includes:
  • the transceiver module 120 is configured to send the calculation parameters to the PEGC via the base station through the first type network, wherein the calculation parameters are sent by the PEGC to the PINE through the second type network;
• the transceiver module 120 is further configured to receive, via the base station through the first type network, authentication parameters sent by the PEGC, where the authentication parameters are determined by the PINE based on at least the second credential and the calculation parameters and sent to the PEGC through the second type network;
  • the processing module 110 is specifically configured to perform identity authentication on the PINE based on the authentication parameters and the expected authentication parameters.
  • the transceiver module 120 is specifically configured as:
  • the unified data management UDM in the core network device sends a UDM response carrying the calculation parameters to the authentication service function AUSF in the core network device;
  • the AUSF sends an AUSF response carrying the calculation parameters to the security anchor function SEAF in the core network device;
  • the SEAF sends an authentication request carrying the calculation parameters to the PEGC via the base station through the first type network.
  • the transceiver module 120 is specifically configured to be at least one of the following:
• the SEAF receives, through the first type network and the base station, an authentication response carrying the authentication parameters sent by the PEGC, where the authentication parameters are carried by the PINE in the PINE authentication response and sent to the PEGC through the second type network;
  • the AUSF receives the AUSF authentication request carrying the authentication parameters sent by the SEAF.
  • the processing module 110 is specifically configured to be at least one of the following:
• the SEAF determines a hash authentication parameter from the authentication parameter and performs identity authentication on the PINE based on the hash authentication parameter and a hash expected authentication parameter, where the hash expected authentication parameter is determined by the AUSF from the expected authentication parameter and sent to the SEAF;
  • the AUSF performs identity authentication on the PINE based on the authentication parameters and the expected authentication parameters.
  • the authentication parameters, the expected authentication parameters, the hash authentication parameters and the hash expected authentication parameters are identified by at least one of the following:
• At least one of the UDM response, the AUSF response, the authentication request, the authentication response, the PINE authentication request, the PINE authentication response and the AUSF authentication request carries at least one of the following:
  • PINE authentication indicator used to indicate identity authentication of the PINE
  • the PINE authentication indicator is used to indicate that the core network device does not perform at least one of the following:
• At least one of the UDM response, the AUSF response, the authentication request, the PINE authentication request, the PINE authentication response, the authentication response and the AUSF authentication request carries the PINE identifier indicating the PINE.
  • the PINE identity is a security-protected PINE identity.
  • the processing module 110 is further configured to, in response to the PINE identification being a security-protected PINE identification, restore the security-protected PINE identification to a plaintext PINE identification;
  • At least one of the UDM response, the AUSF response and the AUSF authentication request carries the PINE identifier in the clear text state
  • At least one of the authentication request, the PINE authentication request, the PINE authentication response, and the authentication response carries the security-protected PINE identification.
• the processing module 110 is further configured to determine, based on judgment information, whether the PEGC is a legal gateway through which the PINE accesses the first type network, where the judgment information includes at least one of the following:
• the subscription information of the PEGC.
• Determining the expected authentication parameters based on at least the first credential of the PINE and the calculation parameters includes:
• the expected authentication parameters are determined based on the first credential of the PINE and the calculation parameters.
  • the processing module 110 is specifically configured to: determine the expected authentication parameters based on at least the first credential, the calculation parameter and the service network identifier;
• the authentication parameter is determined by the PINE based on at least the second credential, the calculation parameter and the service network identifier.
  • the calculation parameters and/or the service network identifier are sent by the PEGC to the PINE through the second type network.
  • the calculation parameters include at least a random number RAND.
• the first credential is determined by the UDM in the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
• the first type of network includes: a 3rd Generation Partnership Project (3GPP) standard network;
  • the second type of network includes: non-3GPP standard network.
• this exemplary embodiment provides an authentication device 200, which can be implemented in the private IoT gateway PEGC of the cellular mobile communication system and includes:
• the transceiver module 210 is configured to transmit authentication information during the identity authentication of the PINE by the core network equipment of the first type network, where the PINE accesses the first type network through the PEGC, and where the PINE and the PEGC are connected via the second type network.
  • the transceiver module 210 is specifically configured as:
• the first credential is determined by the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • the transceiver module 210 is specifically configured as:
• the authentication parameters are sent to the core network device via the base station through the first type network, where the authentication parameters are used by the core network device to perform identity authentication on the PINE based on at least the expected authentication parameters.
  • the transceiver module 210 is specifically configured to be at least one of the following:
  • the PINE authentication request also carries the service network identifier.
  • the expected authentication parameters are determined by the core network device based on at least the first credential, the calculation parameters and the service network identifier.
• the authentication parameters are determined by the PINE based on at least the second credential, the calculation parameters and the service network identifier.
  • At least one of the authentication request, the authentication response, the PINE authentication request and the PINE authentication response carries at least one of the following:
  • PINE authentication indicator used to indicate identity authentication of the PINE
  • At least one of the authentication request, the PINE authentication request, the PINE authentication response, and the authentication response carries a PINE identifier indicating the PINE.
  • the PINE identity is a security-protected PINE identity.
  • the calculation parameters include at least a random number RAND.
• the first credential is determined by the UDM in the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
• the PEGC comprises a user equipment (UE).
• the first type of network includes: a 3rd Generation Partnership Project (3GPP) standard network;
  • the second type of network includes: non-3GPP standard network.
• this exemplary embodiment provides an authentication device that can be implemented in a PINE, including:
  • the transceiver module 310 is configured to transmit authentication information during the identity authentication process of the PINE by the core network equipment of the first type network, wherein the PINE accesses the first type network through the private Internet of Things gateway PEGC, where, The PINE and the PEGC are connected through a second type network.
  • the transceiver module 310 is specifically configured as:
• the calculation parameters sent by the PEGC are received through the second type network, where the calculation parameters are sent by the core network equipment to the PEGC via the base station through the first type network, and where the core network device uses the calculation parameters together with at least the first credential to determine expected authentication parameters, which the core network device then uses to perform identity authentication on the PINE.
• the first credential is determined by the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  • the apparatus further includes: a processing module 320 configured to determine authentication parameters based on at least the second credential and the calculation parameters;
• the transceiver module 310 is specifically configured to send the authentication parameters to the PEGC through the second type network; the PEGC sends them via the base station through the first type network to the core network device, which performs identity authentication of the PINE based on at least the authentication parameters and the expected authentication parameters.
• the transceiver module 310 is specifically configured to be at least one of the following:
• a PINE authentication response carrying the authentication parameters is sent to the PEGC through the second type network.
  • the PINE authentication request also carries the service network identifier.
  • the desired authentication parameters are determined based on at least the first credential, the calculation parameters and a service network identification.
  • the specific configuration of the processing module is:
  • the authentication parameters are determined based on at least the second credential, the calculation parameters and a service network identification.
  • the PINE authentication request and/or the PINE authentication response carries at least one of the following:
  • PINE authentication indicator used to indicate identity authentication of the PINE
  • the PINE authentication request and/or the PINE authentication response carries a PINE identifier indicating the PINE.
  • the PINE identity is a security-protected PINE identity.
  • the calculation parameters include at least a random number RAND.
• the first credential is determined by the UDM in the core network device based on the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
• the first type of network includes: a 3rd Generation Partnership Project (3GPP) standard network;
  • the second type of network includes: non-3GPP standard network.
• the processing module 110, the transceiver module 120, the transceiver module 210, the transceiver module 310, the processing module 320, etc. may be implemented by one or more central processing units (CPUs), graphics processing units (GPUs), baseband processors (BPs), application specific integrated circuits (ASICs), digital signal processors (DSPs), programmable logic devices (PLDs), complex programmable logic devices (CPLDs), field-programmable gate arrays (FPGAs), general-purpose processors, controllers, microcontroller units (MCUs), microprocessors or other electronic components, used to execute the aforementioned methods.
  • FIG. 14 is a block diagram of an apparatus 3000 for authentication according to an exemplary embodiment.
  • the device 3000 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a medical device, a fitness device, a personal digital assistant, or the like.
  • device 3000 may include one or more of the following components: processing component 3002, memory 3004, power supply component 3006, multimedia component 3008, audio component 3010, input/output (I/O) interface 3012, sensor component 3014, and Communication Component 3016.
  • Processing component 3002 generally controls the overall operations of device 3000, such as operations associated with display, phone calls, data communications, camera operations, and recording operations.
  • the processing component 3002 may include one or more processors 3020 to execute instructions to complete all or part of the steps of the above method.
  • processing component 3002 may include one or more modules that facilitate interaction between processing component 3002 and other components.
  • processing component 3002 may include a multimedia module to facilitate interaction between multimedia component 3008 and processing component 3002.
  • Memory 3004 is configured to store various types of data to support operations at device 3000. Examples of such data include instructions for any application or method operating on device 3000, contact data, phonebook data, messages, pictures, videos, etc.
• Memory 3004 may be implemented by any type of volatile or non-volatile storage device, or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, or a magnetic or optical disk.
  • Power supply component 3006 provides power to the various components of device 3000.
  • Power supply components 3006 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power to device 3000 .
  • Multimedia component 3008 includes a screen that provides an output interface between device 3000 and the user.
  • the screen may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from the user.
  • the touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. A touch sensor can not only sense the boundaries of a touch or swipe action, but also detect the duration and pressure associated with the touch or swipe action.
  • multimedia component 3008 includes a front-facing camera and/or a rear-facing camera.
  • the front camera and/or the rear camera may receive external multimedia data.
  • Each front-facing camera and rear-facing camera can be a fixed optical lens system or have a focal length and optical zoom capabilities.
  • Audio component 3010 is configured to output and/or input audio signals.
  • audio component 3010 includes a microphone (MIC) configured to receive external audio signals when device 3000 is in operating modes, such as call mode, recording mode, and speech recognition mode. The received audio signals may be further stored in memory 3004 or sent via communications component 3016 .
  • audio component 3010 also includes a speaker for outputting audio signals.
  • the I/O interface 3012 provides an interface between the processing component 3002 and a peripheral interface module.
  • the peripheral interface module may be a keyboard, a click wheel, a button, etc. These buttons may include, but are not limited to: Home button, Volume buttons, Start button, and Lock button.
  • Sensor component 3014 includes one or more sensors for providing various aspects of status assessment for device 3000 .
  • the sensor component 3014 can detect the open/closed state of the device 3000, the relative positioning of components, such as the display and keypad of the device 3000, the sensor component 3014 can also detect the position change of the device 3000 or a component of the device 3000, the user The presence or absence of contact with device 3000, device 3000 orientation or acceleration/deceleration, and temperature changes of device 3000.
  • Sensor assembly 3014 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact.
  • Sensor assembly 3014 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications.
  • the sensor component 3014 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
  • the communication component 3016 is configured to facilitate wired or wireless communication between the apparatus 3000 and other devices.
  • Device 3000 may access a wireless network based on a communication standard, such as Wi-Fi, 2G or 3G, or a combination thereof.
  • the communication component 3016 receives broadcast signals or broadcast related information from an external broadcast management system via a broadcast channel.
  • communications component 3016 also includes a near field communications (NFC) module to facilitate short-range communications.
  • the NFC module can be implemented based on radio frequency identification (RFID) technology, infrared data association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
  • the apparatus 3000 may be implemented by one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), controllers, microcontrollers, microprocessors or other electronic components, for executing the above method.
  • a non-transitory computer-readable storage medium including instructions, such as the memory 3004 including instructions, is also provided; the instructions can be executed by the processor 3020 of the device 3000 to complete the above method.
  • the non-transitory computer-readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, etc.


Abstract

Embodiments of this disclosure relate to an authentication method, apparatus, communication device and storage medium. A core network device of a first-type network authenticates the identity of a personal IoT element (PINE), where the PINE accesses the first-type network through a PIN element with gateway capability (PEGC), and the PINE and the PEGC are connected through a second-type network.

Description

Authentication method, apparatus, communication device and storage medium
Technical field
This application relates to, but is not limited to, the field of wireless communication technology, and in particular to an authentication method, apparatus, communication device and storage medium.
Background
A Personal IoT Network (PIN) is an Internet-of-Things network built around personal and home scenarios. A PIN contains three kinds of devices (a.k.a. PIN Elements): devices with gateway capability, such as a PIN Element with Gateway Capability (PEGC); devices with management capability (PIN Element with Management Capability, PEMC); and devices with neither gateway nor management functions, i.e. PIN Elements (PINEs). The PEGC and the PEMC are user equipment (UE) that can access the 5th Generation System (5GS) directly. A PEMC can also access the 5GS through a PEGC. A PINE cannot access the 5GS directly.
Summary
In view of this, embodiments of this disclosure provide an authentication method, apparatus, communication device and storage medium.
According to a first aspect of the embodiments of this disclosure, an authentication method is provided, performed by a core network device of a first-type network, and comprising:
authenticating the identity of a PIN element (PINE), where the PINE accesses the first-type network through a PIN element with gateway capability (PEGC), and the PINE and the PEGC are connected through a second-type network.
In one embodiment, authenticating the identity of the PINE comprises:
determining an expected authentication parameter based at least on a first credential of the PINE and a computation parameter;
authenticating the identity of the PINE based on the expected authentication parameter.
In one embodiment, the first credential is stored in the core network device.
In one embodiment, the first credential is determined by the core network device according to the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment, authenticating the identity of the PINE based on the expected authentication parameter comprises:
sending the computation parameter to the PEGC over the first-type network via a base station, where the PEGC sends the computation parameter to the PINE over the second-type network;
receiving an authentication parameter sent by the PEGC over the first-type network via the base station, where the authentication parameter is determined by the PINE based at least on a second credential and the computation parameter and is sent to the PEGC over the second-type network;
authenticating the identity of the PINE based on the authentication parameter and the expected authentication parameter.
In one embodiment, sending the computation parameter to the PEGC over the first-type network via the base station comprises:
the Unified Data Management (UDM) in the core network device sending a UDM response carrying the computation parameter to the Authentication Server Function (AUSF) in the core network device;
the AUSF sending an AUSF response carrying the computation parameter to the Security Anchor Function (SEAF) in the core network device;
the SEAF sending an authentication request carrying the computation parameter to the PEGC over the first-type network via the base station.
In one embodiment, receiving the authentication parameter sent by the PEGC over the first-type network via the base station comprises at least one of:
the SEAF receiving an authentication response carrying the authentication parameter, sent by the PEGC over the first-type network via the base station, where the PINE carried the authentication parameter in a PINE authentication response sent to the PEGC over the second-type network;
the AUSF receiving an AUSF authentication request carrying the authentication parameter from the SEAF.
In one embodiment, authenticating the identity of the PINE based on the authentication parameter and the expected authentication parameter comprises at least one of:
the SEAF determining a hashed authentication parameter from the authentication parameter and authenticating the identity of the PINE based on the hashed authentication parameter and a hashed expected authentication parameter, where the hashed expected authentication parameter is determined by the AUSF from the expected authentication parameter and sent to the SEAF;
the AUSF authenticating the identity of the PINE based on the authentication parameter and the expected authentication parameter.
In one embodiment, the authentication parameter, the expected authentication parameter, the hashed authentication parameter and the hashed expected authentication parameter are labelled with at least one of:
the PINE identifier of the PINE;
the PEGC identifier of the PEGC.
In one embodiment, at least one of the UDM response, the AUSF response, the authentication request, the authentication response, the PINE authentication request, the PINE authentication response and the AUSF authentication request carries at least one of:
a PINE authentication indicator, indicating that the PINE is being authenticated;
a Subscription Permanent Identifier (SUPI), indicating the PEGC.
In one embodiment, the PINE authentication indicator instructs the core network device not to perform at least one of:
generating the authentication server function key Kausf;
generating the security anchor function key Kseaf;
sending the key set identifier ngKSI to the PEGC;
sending the anti-bidding-down between architectures (ABBA) parameter to the PEGC.
In one embodiment, at least one of the UDM response, the AUSF response, the authentication request, the PINE authentication request, the PINE authentication response, the authentication response and the AUSF authentication request carries the PINE identifier indicating the PINE.
In one embodiment, the PINE identifier is a security-protected PINE identifier.
In one embodiment, the method further comprises: in response to the PINE identifier being a security-protected PINE identifier, restoring the security-protected PINE identifier to a plaintext PINE identifier;
at least one of the UDM response, the AUSF response and the AUSF authentication request carries the plaintext PINE identifier;
at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries the security-protected PINE identifier.
In one embodiment, the method further comprises: determining, based on decision information, whether the PEGC is a legitimate gateway for access to the first-type network, where the decision information comprises at least one of:
the PEGC identifier of the PEGC;
the PINE identifier of the PINE;
the subscription information of the PEGC;
and determining the expected authentication parameter based at least on the first credential of the PINE and the computation parameter comprises:
determining that the PEGC is the legitimate gateway;
determining the expected authentication parameter based on the first credential of the PINE and the computation parameter.
In one embodiment, determining the expected authentication parameter based at least on the first credential of the PINE and the computation parameter comprises:
determining the expected authentication parameter based at least on the first credential, the computation parameter and a serving network name (SN-Name);
and the authentication parameter is determined by the PINE based at least on the second credential, the computation parameter and the serving network name.
In one embodiment, the computation parameter and/or the serving network name are sent by the PEGC to the PINE over the second-type network.
In one embodiment, the computation parameter comprises at least a random number RAND.
In one embodiment, the first credential is determined by the UDM in the core network device according to the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment, the first-type network comprises a 3rd Generation Partnership Project (3GPP) standard network;
and the second-type network comprises a non-3GPP standard network.
According to a second aspect of the embodiments of this disclosure, an authentication method is provided, performed by a PIN element with gateway capability (PEGC), and comprising:
transmitting authentication information during identity authentication of a PINE by a core network device of a first-type network, where the PINE accesses the first-type network through the PEGC, and the PINE and the PEGC are connected through a second-type network.
In one embodiment, transmitting information during identity authentication of the PINE by the core network device of the first-type network comprises:
receiving a computation parameter sent by the core network device to the PEGC over the first-type network via a base station, where the computation parameter is used by the core network device, together with at least a first credential, to determine an expected authentication parameter, and the expected authentication parameter is used by the core network device to authenticate the identity of the PINE.
In one embodiment, the first credential is determined by the core network device according to the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment, transmitting information during identity authentication of the PINE by the core network device of the first-type network comprises:
sending the computation parameter to the PINE over the second-type network;
receiving an authentication parameter sent by the PINE over the second-type network, where the authentication parameter is determined by the PINE based at least on a second credential and the computation parameter;
sending the authentication parameter to the core network device over the first-type network via the base station, where the authentication parameter is used by the core network device to authenticate the identity of the PINE based at least on the expected authentication parameter.
In one embodiment, receiving the computation parameter sent by the core network device to the PEGC over the first-type network via the base station comprises:
receiving an authentication request carrying the computation parameter, sent by the SEAF in the core network device over the first-type network via the base station;
sending the computation parameter to the PINE over the second-type network comprises:
sending a PINE authentication request carrying the computation parameter to the PINE over the second-type network;
receiving the authentication parameter sent by the PINE over the second-type network comprises:
receiving a PINE authentication response carrying the authentication parameter, sent by the PINE over the second-type network;
and sending the authentication parameter to the core network device over the first-type network via the base station comprises:
sending an authentication response carrying the authentication parameter to the SEAF over the first-type network via the base station.
In one embodiment, the PINE authentication request further carries a serving network name.
In one embodiment, the expected authentication parameter is determined by the core network device based at least on the first credential, the computation parameter and the serving network name;
and the authentication parameter is determined by the PINE based at least on the second credential, the computation parameter and the serving network name.
In one embodiment, at least one of the authentication request, the authentication response, the PINE authentication request and the PINE authentication response carries at least one of:
a PINE authentication indicator, indicating that the PINE is being authenticated;
a Subscription Permanent Identifier (SUPI), indicating the PEGC.
In one embodiment, at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries a PINE identifier indicating the PINE.
In one embodiment, the PINE identifier is a security-protected PINE identifier.
In one embodiment, the computation parameter comprises at least a random number RAND.
In one embodiment, the first credential is determined by the UDM in the core network device according to the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment, the PEGC comprises a user equipment (UE).
In one embodiment, the first-type network comprises a 3rd Generation Partnership Project (3GPP) standard network;
and the second-type network comprises a non-3GPP standard network.
According to a third aspect of the embodiments of this disclosure, an authentication method is provided, performed by a PINE, and comprising:
transmitting authentication information during identity authentication of the PINE by a core network device of a first-type network, where the PINE accesses the first-type network through a PIN element with gateway capability (PEGC), and the PINE and the PEGC are connected through a second-type network.
In one embodiment, transmitting authentication information during identity authentication of the PINE by the core network device of the first-type network comprises:
receiving, over the second-type network, a computation parameter sent by the PEGC, where the computation parameter was sent by the core network device to the PEGC over the first-type network via a base station, the computation parameter is used by the core network device, together with at least a first credential, to determine an expected authentication parameter, and the expected authentication parameter is used by the core network device to authenticate the identity of the PINE.
In one embodiment, the first credential is determined by the core network device according to the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment, the method further comprises: determining an authentication parameter based at least on a second credential and the computation parameter;
and transmitting authentication information during identity authentication of the PINE by the core network device of the first-type network comprises:
sending the authentication parameter to the PEGC over the second-type network, where the authentication parameter is to be sent by the PEGC to the core network device over the first-type network via the base station, and the core network device authenticates the identity of the PINE based at least on the authentication parameter and the expected authentication parameter.
In one embodiment, receiving the computation parameter sent by the PEGC over the second-type network comprises:
receiving, over the second-type network, a PINE authentication request carrying the computation parameter sent by the PEGC;
and sending the authentication parameter to the PEGC over the second-type network comprises:
sending a PINE authentication response carrying the authentication parameter to the PEGC over the second-type network.
In one embodiment, the PINE authentication request further carries a serving network name.
In one embodiment, the expected authentication parameter is determined based at least on the first credential, the computation parameter and a serving network name;
and determining the authentication parameter based at least on the second credential and the computation parameter comprises:
determining the authentication parameter based at least on the second credential, the computation parameter and the serving network name.
In one embodiment, the PINE authentication request and/or the PINE authentication response carries at least one of:
a PINE authentication indicator, indicating that the PINE is being authenticated;
a Subscription Permanent Identifier (SUPI), indicating the PEGC.
In one embodiment, the PINE authentication request and/or the PINE authentication response carries a PINE identifier indicating the PINE.
In one embodiment, the PINE identifier is a security-protected PINE identifier.
In one embodiment, the computation parameter comprises at least a random number RAND.
In one embodiment, the first credential is determined by the UDM in the core network device according to the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment, the first-type network comprises a 3rd Generation Partnership Project (3GPP) standard network;
and the second-type network comprises a non-3GPP standard network.
According to a fourth aspect of the embodiments of this disclosure, an authentication apparatus is provided, applied to a core network device of a first-type network, and comprising:
a processing module configured to authenticate the identity of a PINE, where the PINE accesses the first-type network through a PIN element with gateway capability (PEGC), and the PINE and the PEGC are connected through a second-type network.
In one embodiment, the processing module is specifically configured to:
determine an expected authentication parameter based at least on a first credential of the PINE and a computation parameter;
authenticate the identity of the PINE based on the expected authentication parameter.
In one embodiment, the first credential is stored in the core network device.
In one embodiment, the first credential is determined by the core network device according to the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment, the apparatus further comprises:
a transceiver module configured to send the computation parameter to the PEGC over the first-type network via a base station, where the PEGC sends the computation parameter to the PINE over the second-type network;
the transceiver module is further configured to receive an authentication parameter sent by the PEGC over the first-type network via the base station, where the authentication parameter is determined by the PINE based at least on a second credential and the computation parameter and is sent to the PEGC over the second-type network;
and the processing module is specifically configured to authenticate the identity of the PINE based on the authentication parameter and the expected authentication parameter.
In one embodiment, the transceiver module is specifically configured such that:
the UDM in the core network device sends a UDM response carrying the computation parameter to the AUSF in the core network device;
the AUSF sends an AUSF response carrying the computation parameter to the SEAF in the core network device;
the SEAF sends an authentication request carrying the computation parameter to the PEGC over the first-type network via the base station.
In one embodiment, the transceiver module is specifically configured for at least one of:
the SEAF receiving an authentication response carrying the authentication parameter, sent by the PEGC over the first-type network via the base station, where the PINE carried the authentication parameter in a PINE authentication response sent to the PEGC over the second-type network;
the AUSF receiving an AUSF authentication request carrying the authentication parameter from the SEAF.
In one embodiment, the processing module is specifically configured for at least one of:
the SEAF determining a hashed authentication parameter from the authentication parameter and authenticating the identity of the PINE based on the hashed authentication parameter and a hashed expected authentication parameter, where the hashed expected authentication parameter is determined by the AUSF from the expected authentication parameter and sent to the SEAF;
the AUSF authenticating the identity of the PINE based on the authentication parameter and the expected authentication parameter.
In one embodiment, the authentication parameter, the expected authentication parameter, the hashed authentication parameter and the hashed expected authentication parameter are labelled with at least one of:
the PINE identifier of the PINE;
the PEGC identifier of the PEGC.
In one embodiment, at least one of the UDM response, the AUSF response, the authentication request, the authentication response, the PINE authentication request, the PINE authentication response and the AUSF authentication request carries at least one of:
a PINE authentication indicator, indicating that the PINE is being authenticated;
a Subscription Permanent Identifier (SUPI), indicating the PEGC.
In one embodiment, the PINE authentication indicator instructs the core network device not to perform at least one of:
generating the authentication server function key Kausf;
generating the security anchor function key Kseaf;
sending the key set identifier ngKSI to the PEGC;
sending the anti-bidding-down between architectures (ABBA) parameter to the PEGC.
In one embodiment, at least one of the UDM response, the AUSF response, the authentication request, the PINE authentication request, the PINE authentication response, the authentication response and the AUSF authentication request carries the PINE identifier indicating the PINE.
In one embodiment, the PINE identifier is a security-protected PINE identifier.
In one embodiment, the processing module is further configured to, in response to the PINE identifier being a security-protected PINE identifier, restore the security-protected PINE identifier to a plaintext PINE identifier;
at least one of the UDM response, the AUSF response and the AUSF authentication request carries the plaintext PINE identifier;
at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries the security-protected PINE identifier.
In one embodiment, the processing module is further configured to determine, based on decision information, whether the PEGC is a legitimate gateway for access to the first-type network, where the decision information comprises at least one of:
the PEGC identifier of the PEGC;
the PINE identifier of the PINE;
the subscription information of the PEGC;
and determining the expected authentication parameter based at least on the first credential of the PINE and the computation parameter comprises:
determining that the PEGC is the legitimate gateway;
determining the expected authentication parameter based on the first credential of the PINE and the computation parameter.
In one embodiment, the processing module is specifically configured to determine the expected authentication parameter based at least on the first credential, the computation parameter and a serving network name;
and the authentication parameter is determined by the PINE based at least on the second credential, the computation parameter and the serving network name.
In one embodiment, the computation parameter and/or the serving network name are sent by the PEGC to the PINE over the second-type network.
In one embodiment, the computation parameter comprises at least a random number RAND.
In one embodiment, the first credential is determined by the UDM in the core network device according to the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment, the first-type network comprises a 3rd Generation Partnership Project (3GPP) standard network;
and the second-type network comprises a non-3GPP standard network.
According to a fifth aspect of the embodiments of this disclosure, an authentication apparatus is provided, applied to a PIN element with gateway capability (PEGC), and comprising:
a transceiver module configured to transmit authentication information during identity authentication of a PINE by a core network device of a first-type network, where the PINE accesses the first-type network through the PEGC, and the PINE and the PEGC are connected through a second-type network.
In one embodiment, the transceiver module is specifically configured to:
receive a computation parameter sent by the core network device to the PEGC over the first-type network via a base station, where the computation parameter is used by the core network device, together with at least a first credential, to determine an expected authentication parameter, and the expected authentication parameter is used by the core network device to authenticate the identity of the PINE.
In one embodiment, the first credential is determined by the core network device according to the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment, the transceiver module is specifically configured to:
send the computation parameter to the PINE over the second-type network;
receive an authentication parameter sent by the PINE over the second-type network, where the authentication parameter is determined by the PINE based at least on a second credential and the computation parameter;
send the authentication parameter to the core network device over the first-type network via the base station, where the authentication parameter is used by the core network device to authenticate the identity of the PINE based at least on the expected authentication parameter.
In one embodiment, the transceiver module is specifically configured for at least one of:
receiving an authentication request carrying the computation parameter, sent by the SEAF in the core network device over the first-type network via the base station;
sending a PINE authentication request carrying the computation parameter to the PINE over the second-type network;
receiving a PINE authentication response carrying the authentication parameter, sent by the PINE over the second-type network;
sending an authentication response carrying the authentication parameter to the SEAF over the first-type network via the base station.
In one embodiment, the PINE authentication request further carries a serving network name.
In one embodiment, the expected authentication parameter is determined by the core network device based at least on the first credential, the computation parameter and the serving network name;
and the authentication parameter is determined by the PINE based at least on the second credential, the computation parameter and the serving network name.
In one embodiment, at least one of the authentication request, the authentication response, the PINE authentication request and the PINE authentication response carries at least one of:
a PINE authentication indicator, indicating that the PINE is being authenticated;
a Subscription Permanent Identifier (SUPI), indicating the PEGC.
In one embodiment, at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries a PINE identifier indicating the PINE.
In one embodiment, the PINE identifier is a security-protected PINE identifier.
In one embodiment, the computation parameter comprises at least a random number RAND.
In one embodiment, the first credential is determined by the UDM in the core network device according to the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment, the PEGC comprises a user equipment (UE).
According to a sixth aspect of the embodiments of this disclosure, an authentication apparatus is provided, applied to a PINE, and comprising:
a transceiver module configured to transmit authentication information during identity authentication of the PINE by a core network device of a first-type network, where the PINE accesses the first-type network through a PIN element with gateway capability (PEGC), and the PINE and the PEGC are connected through a second-type network.
In one embodiment, the transceiver module is specifically configured to:
receive, over the second-type network, a computation parameter sent by the PEGC, where the computation parameter was sent by the core network device to the PEGC over the first-type network via a base station, the computation parameter is used by the core network device, together with at least a first credential, to determine an expected authentication parameter, and the expected authentication parameter is used by the core network device to authenticate the identity of the PINE.
In one embodiment, the first credential is determined by the core network device according to the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment, the apparatus further comprises a processing module configured to determine an authentication parameter based at least on a second credential and the computation parameter;
and the transceiver module is specifically configured to send the authentication parameter to the PEGC over the second-type network, where the authentication parameter is to be sent by the PEGC to the core network device over the first-type network via the base station, and the core network device authenticates the identity of the PINE based at least on the authentication parameter and the expected authentication parameter.
In one embodiment, the transceiver module is specifically configured for at least one of:
receiving, over the second-type network, a PINE authentication request carrying the computation parameter sent by the PEGC;
sending a PINE authentication response carrying the authentication parameter to the PEGC over the second-type network.
In one embodiment, the PINE authentication request further carries a serving network name.
In one embodiment, the expected authentication parameter is determined based at least on the first credential, the computation parameter and a serving network name;
and the processing module is specifically configured to:
determine the authentication parameter based at least on the second credential, the computation parameter and the serving network name.
In one embodiment, the PINE authentication request and/or the PINE authentication response carries at least one of:
a PINE authentication indicator, indicating that the PINE is being authenticated;
a Subscription Permanent Identifier (SUPI), indicating the PEGC.
In one embodiment, the PINE authentication request and/or the PINE authentication response carries a PINE identifier indicating the PINE.
In one embodiment, the PINE identifier is a security-protected PINE identifier.
In one embodiment, the computation parameter comprises at least a random number RAND.
In one embodiment, the first credential is determined by the UDM in the core network device according to the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment, the first-type network comprises a 3rd Generation Partnership Project (3GPP) standard network;
and the second-type network comprises a non-3GPP standard network.
According to a seventh aspect of the embodiments of this disclosure, a communication device is provided, comprising a processor, a memory, and an executable program stored in the memory and runnable by the processor, where the processor, when running the executable program, performs the steps of the authentication method according to the first, second or third aspect.
According to an eighth aspect of the embodiments of this disclosure, a storage medium is provided, storing an executable program, where the executable program, when executed by a processor, implements the steps of the authentication method according to the first, second or third aspect.
In the authentication method, apparatus, communication device and storage medium provided by the embodiments of this disclosure, a core network device authenticates the identity of a PINE, where the PINE accesses the first-type network through a PEGC, and the PINE and the PEGC are connected through a second-type network. Because the core network device authenticates the PINE, the PINE can access the cellular mobile communication network directly, the PINE's communication within the first-type network can be managed by the core network device, the core network device's requirement to manage the devices accessing the first-type network is met, the PINE's data transmission needs are met, and data transmission reliability is improved.
It should be understood that the above general description and the following detailed description are exemplary and explanatory only and do not limit the embodiments of this disclosure.
Brief description of the drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and, together with the description, serve to explain the principles of the embodiments of the invention.
Fig. 1 is a schematic structural diagram of a wireless communication system according to an exemplary embodiment;
Fig. 2 is a schematic flowchart of an authentication method according to an exemplary embodiment;
Fig. 3 is a schematic flowchart of a method for triggering a core network device to perform authentication according to an exemplary embodiment;
Fig. 4 is a schematic flowchart of an authentication method according to an exemplary embodiment;
Fig. 5 is a schematic flowchart of an authentication method according to an exemplary embodiment;
Fig. 6 is a schematic flowchart of an authentication method according to an exemplary embodiment;
Fig. 7 is a schematic flowchart of an authentication method according to an exemplary embodiment;
Fig. 8 is a schematic flowchart of an authentication method according to an exemplary embodiment;
Fig. 9 is a schematic flowchart of an authentication method according to an exemplary embodiment;
Fig. 10 is a schematic diagram of an authentication interaction according to an exemplary embodiment;
Fig. 11 is a block diagram of an authentication apparatus according to an exemplary embodiment;
Fig. 12 is a block diagram of an authentication apparatus according to an exemplary embodiment;
Fig. 13 is a block diagram of an authentication apparatus according to an exemplary embodiment;
Fig. 14 is a block diagram of an apparatus for authentication according to an exemplary embodiment.
Detailed description
Exemplary embodiments will be described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless indicated otherwise. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the embodiments of the invention; rather, they are merely examples of apparatus and methods consistent with some aspects of the embodiments of the invention as detailed in the appended claims.
The terms used in the embodiments of this disclosure are for the purpose of describing particular embodiments only and are not intended to limit the embodiments. The singular forms "a", "the" and "said" used in the embodiments and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that, although the terms first, second, third, etc. may be used in the embodiments of this disclosure to describe various kinds of information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the embodiments, first information may also be called second information and, similarly, second information may also be called first information. Depending on context, the word "if" as used here may be interpreted as "when", "upon" or "in response to determining".
Referring to Fig. 1, it shows a schematic structural diagram of a wireless communication system provided by an embodiment of this disclosure. As shown in Fig. 1, the wireless communication system is a communication system based on cellular mobile communication technology and may comprise several terminals 11 and several base stations 12.
The terminal 11 may be a device that provides voice and/or data connectivity to a user. The terminal 11 may communicate with one or more core network devices via a Radio Access Network (RAN). The terminal 11 may be an IoT terminal such as a sensor device, a mobile phone (or "cellular" phone) or a computer with an IoT terminal, for example a fixed, portable, pocket-sized, handheld, computer-built-in or vehicle-mounted apparatus, such as a station (STA), subscriber unit, subscriber station, mobile station, mobile, remote station, access point, remote terminal, access terminal, user terminal, user agent, user device or user equipment (UE). Alternatively, the terminal 11 may be a device of an unmanned aerial vehicle. Alternatively, the terminal 11 may be an in-vehicle device, for example a trip computer with wireless communication capability, or a wireless communication device connected to an external trip computer. Alternatively, the terminal 11 may be a roadside device, for example a street lamp, a signal light or another roadside device with wireless communication capability.
The base station 12 may be a network-side device in the wireless communication system. The wireless communication system may be a 4th generation mobile communication (4G) system, also called a Long Term Evolution (LTE) system; or it may be a 5G system, also called a New Radio (NR) system or 5G NR system; or it may be the next generation after the 5G system. The access network in the 5G system may be called NG-RAN (New Generation Radio Access Network). Alternatively, the system may be an MTC system.
The base station 12 may be an evolved base station (eNB) used in a 4G system. Alternatively, the base station 12 may be a base station (gNB) with a centralized-distributed architecture used in a 5G system. When the base station 12 adopts the centralized-distributed architecture, it usually comprises a central unit (CU) and at least two distributed units (DUs). The central unit holds the protocol stack of the Packet Data Convergence Protocol (PDCP) layer, the Radio Link Control (RLC) layer and the Media Access Control (MAC) layer; the distributed unit holds the physical (PHY) layer protocol stack. The embodiments of this disclosure do not limit the specific implementation of the base station 12.
A wireless connection may be established between the base station 12 and the terminal 11 over a wireless air interface. In different implementations, the wireless air interface is based on the 4G standard; or it is based on the 5G standard, for example the New Radio; or it may be based on a next-generation mobile communication network technology standard beyond 5G.
In some embodiments, an end-to-end (E2E) connection may also be established between terminals 11, for example in vehicle-to-everything (V2X) communication scenarios such as vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I) and vehicle-to-pedestrian (V2P) communication.
In some embodiments, the above wireless communication system may further comprise a network management device 13.
The several base stations 12 are each connected to the network management device 13. The network management device 13 may be a core network device in the wireless communication system, for example a Mobility Management Entity (MME) in the Evolved Packet Core (EPC). Alternatively, the network management device may be another core network device, such as a Serving Gateway (SGW), a Public Data Network Gateway (PGW), a Policy and Charging Rules Function (PCRF) or a Home Subscriber Server (HSS). The embodiments of this disclosure do not limit the implementation form of the network management device 13.
A PINE cannot access a cellular mobile communication network, such as a 5GS network, directly. How to let a PINE access a cellular mobile communication network directly is a problem that needs to be solved.
As shown in Fig. 2, this exemplary embodiment provides an authentication method that may be performed by a core network device of a cellular mobile communication system, comprising:
Step 201: authenticating the identity of a PINE, where the PINE accesses the first-type network through a PEGC, and the PINE and the PEGC are connected through a second-type network.
In one embodiment, the first-type network comprises a 3rd Generation Partnership Project (3GPP) standard network;
and the second-type network comprises a non-3GPP standard network.
Here, the first-type network may be a cellular mobile communication network conforming to the 3GPP standard, such as a 5GS network. The second-type network may be a non-3GPP network, including but not limited to at least one of: a Wi-Fi network, a Bluetooth network, ZigBee, etc.
Here, a PINE may be an IoT communication device that cannot access the first-type network (e.g. a cellular mobile communication network such as 5GS) directly; for example, a PINE may be a wearable device, a smart home appliance or a smart office device. A PEGC may be a communication device that can access the first-type network (e.g. a cellular mobile communication network) directly. A PEGC may have access capability for both the first-type and the second-type network. A PEGC can provide gateway service to the first-type network (e.g. a cellular mobile communication network) for communication devices (such as PINEs) that cannot access it directly. The PEGC and such devices may be connected through the second-type network.
In one embodiment, the PEGC comprises a user equipment (UE).
A PEGC may be a UE with access capability for both the first-type and the second-type network. For example, a PEGC may be a terminal device such as a mobile phone.
A PINE can access the 5GS through a PEGC, and the 5GS needs to identify the PINE for enhanced management; for example, the 5GS needs to determine Quality of Service (QoS) per PINE. Therefore, the core network device may authenticate the identity of the PINE.
Here, the core network device may authenticate the identity of the PINE. The PINE and the core network device may exchange the authentication information needed during the authentication process through the PEGC. The authentication information may include the PINE identifier, a root key, etc.
After the core network device has authenticated the PINE, it can manage the PINE in accordance with 3GPP requirements; for example, the corresponding QoS and security policy can be applied to the PINE's data transmission.
Because the core network device authenticates the PINE, the PINE can access the cellular mobile communication network directly, the PINE's communication within the first-type network can be managed by the core network device, the core network device's requirement to manage the devices accessing the first-type network is met, the PINE's data transmission needs are met, and data transmission reliability is improved.
In one possible implementation, the cellular mobile communication network needs to provision a credential for the PINE. Using the credential, the cellular mobile communication network can verify and identify the PINE connected to the PEGC.
In one possible implementation, identity authentication of the PINE may be triggered by the PINE, the PEGC and/or the core network device. As shown in Fig. 3, the method for triggering identity authentication of the PINE may comprise:
Step 301: the PINE sends its PINE identifier (i.e. the PINE's device identifier) to the PEGC over the non-3GPP connection (second-type network), together with the authentication method and a PINE authentication indicator. The non-3GPP connection (second-type network) established between the PINE and the PEGC may be a secure connection; how the secure non-3GPP link is established is not limited here.
Step 302: the PEGC sends the PINE authentication indicator, the PINE identifier, the authentication method, and the PEGC's SUCI or 5G-GUTI to the AMF/SEAF network function in the core network device in a NAS message.
Step 303: whenever the AMF wishes to initiate authentication of the PINE, it may invoke the Nausf_UEAuthentication service by sending a Nausf_UEAuthentication_Authenticate Request message to the AUSF. The Nausf_UEAuthentication_Authenticate Request message may contain the PINE authentication indicator, the PINE identifier, the authentication method and the serving network name (SN-Name).
Step 304: on receiving the Nausf_UEAuthentication_Authenticate Request message, the AUSF may check whether the requesting AMF in the serving network is entitled to use the serving network name in the request by comparing it with the expected serving network name. The AUSF temporarily stores the received serving network name. If the serving network is not authorized to use the serving network name, the AUSF responds with "serving network not authorized" in the Nausf_UEAuthentication_Authenticate Response. If the serving network is authorized, the AUSF sends a Nudm_UEAuthentication_Get Request message to the UDM, which may include the PINE authentication indicator, the PINE identifier, the PEGC's SUPI or SUCI, the authentication method and the serving network name.
Step 305: on receiving the Nudm_UEAuthentication_Get Request, if a SUCI was received, the UDM invokes the Subscription Identifier De-concealing Function (SIDF) to decrypt the SUCI and obtain the SUPI.
Step 306: based on the PEGC's SUPI and the device identifier, the UDM/ARPF verifies against the PEGC's subscription that the PEGC is allowed to perform the PINE authentication procedure, and then selects the authentication method for the PINE based on the PINE identifier and the authentication method sent by the PINE.
In the above method, the PINE may locally store a credential provided by the PEGC's home network, i.e. the second-type network, and the PINE's PINE identifier may be associated with the PEGC's subscription information. The PEGC may be a gateway already registered in the 5GC, and the connection between the PEGC and the AMF is protected by NAS security. The AMF is co-located with the SEAF.
In one embodiment, authenticating the identity of the PINE comprises:
determining an expected authentication parameter based at least on a first credential of the PINE and a computation parameter;
authenticating the identity of the PINE based on the expected authentication parameter.
In this embodiment, the expected authentication parameter may be denoted XRES*, the authentication parameter RES*, the hashed expected authentication parameter HXRES*, and the hashed authentication parameter HRES*.
The PINE credential configured by the first network for the PINE may include a first credential stored in the core network device and a second credential stored in the PINE. For the same PINE, the first credential and the second credential are identical. The PINE credential may serve as the root key for PINE identity authentication.
In one possible implementation, the PINE credential may be configured by the first network for the PINE. Different PINE credentials may correspond to different PINEs.
In one embodiment, the first credential is stored in the core network device.
In one possible implementation, the first credential is stored in the UDM.
In one embodiment, the first credential is determined by the core network device according to the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one possible implementation, the first credential may correspond to the PINE identifier of the PINE. Here, the PINE identifier may be a protected PINE identifier or a plaintext PINE identifier. A protected PINE identifier may be one of: an anonymized PINE identifier; an encrypted PINE identifier.
In one possible implementation, the first credential may correspond to the PINE identifier of the PINE and/or the PEGC identifier of the PINE's PEGC. The PINE identifier uniquely identifies the PINE, and the PEGC identifier uniquely identifies the PEGC.
The core network device may determine the first credential corresponding to the PINE based on the PINE identifier and/or the PEGC identifier. The PINE identifier may be carried in the trigger information that triggers the core network device to perform PINE authentication, for example a Nudm_UEAuthentication_Get Request.
The core network device may determine XRES* based at least on the first credential and the computation parameter.
The computation parameter may be at least one of the parameters used in computing XRES*. The computation the core network device uses to determine XRES* may be the same as the computation the PINE uses to determine RES*.
In one embodiment, the computation parameter comprises at least a random number RAND.
The computation parameter may be the random number used to compute XRES*.
In one embodiment, determining the expected authentication parameter based at least on the first credential of the PINE and the computation parameter comprises:
determining the expected authentication parameter based at least on the first credential, the computation parameter and a serving network name;
and the RES* is determined by the PINE based at least on the second credential, the computation parameter and the serving network name.
By way of example, the core network device may determine XRES* based on a predetermined computation and at least one of the following:
- FC = 0x6B.
- P0 = SN-Name (the serving network name).
- L0 = length of the serving network name.
- P1 = the computation parameter, i.e. RAND.
- L1 = length of RAND (e.g. 0x00 0x10).
- P2 = XRES.
- L2 = length of XRES (variable length, e.g. 0x00 0x04 and 0x00 0x10).
The core network device may send the computation parameter and/or the SN-Name to the PINE, which determines RES* together with its stored second credential. The PINE may determine RES* in a similar way to the above, which is not repeated here.
In one embodiment, the first credential is determined by the UDM in the core network device according to the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
The trigger information that triggers PINE authentication may be sent to the UDM. The UDM may determine the PINE's first credential based on the PINE identifier and/or the PEGC identifier of the PEGC.
The first credential may be stored in the UDM, and the UDM may determine XRES* and thereby start the identity authentication of the PINE.
XRES* can be compared with the RES* computed by the PINE to confirm whether the PINE's second credential etc. match the first credential etc. held in the UDM, thereby establishing the PINE's identity and completing its authentication. The UDM may include the Authentication credential Repository and Processing Function (ARPF).
By way of example, for each Nudm_Authenticate_Get Request shown in Fig. 3, the UDM/ARPF creates a 5G HE AV for the PINE based on the locally stored PINE credential, i.e. the first credential. The UDM/ARPF does this by generating an AV with the Authentication Management Field (AMF) "separation bit" set to "1". The UDM/ARPF may then compute XRES*. The 5G HE AV created by the UDM/ARPF may include RAND, the authentication token AUTN and XRES*.
In one embodiment, the method further comprises: determining, based on decision information, whether the PEGC is a legitimate gateway for access to the first-type network, where the decision information comprises at least one of:
the PEGC identifier of the PEGC;
the PINE identifier of the PINE;
the subscription information of the PEGC;
and determining the expected authentication parameter based at least on the first credential of the PINE and the computation parameter comprises:
determining that the PEGC is the legitimate gateway;
determining the expected authentication parameter based on the first credential of the PINE and the computation parameter.
Before the UDM determines XRES*, it may also determine whether the PEGC is a legitimate gateway for the PINE: first, the UDM may determine, based on the decision information, whether the PEGC is a legitimate gateway in the first-type network, for example based on the PEGC identifier. Then the UDM may determine whether the PEGC is a legitimate gateway for the PINE, for example whether the PEGC is allowed to bring the PINE into the first-type network; the UDM may decide this based on the PEGC identifier, the PINE identifier and the PEGC's subscription information. For example, when the subscription information of the PEGC identified by the PEGC identifier contains the PINE's PINE identifier, the PEGC is determined to be a legitimate gateway for the PINE.
The PEGC identifier may include a Subscription Concealed Identifier (SUCI) and/or a Subscription Permanent Identifier (SUPI).
In one embodiment, authenticating the identity of the PINE based on the expected authentication parameter may, as shown in Fig. 4, comprise:
Step 401: sending the computation parameter to the PEGC over the first-type network via a base station, where the PEGC sends the computation parameter to the PINE over the second-type network;
Step 402: receiving an authentication parameter sent by the PEGC over the first-type network via the base station, where the authentication parameter is determined by the PINE based at least on a second credential and the computation parameter and is sent to the PEGC over the second-type network;
Step 403: authenticating the identity of the PINE based on the authentication parameter and the expected authentication parameter.
After determining XRES*, the core network device may send the computation parameter to the PINE's PEGC through the second-type network. The PEGC may send the computation parameter to the PINE, and the PINE determines RES* based on the second credential, the computation parameter, etc. The second credential may be determined by the first network, for example by a core network device of the first network, and may be sent by the first network to the PINE through the PEGC.
The core network device may determine whether the PINE identity authentication succeeds based on the comparison of RES* and XRES*.
If the first credential and the second credential are the same, then RES* and XRES* determined from the same computation parameter are also the same, and the PINE identity authentication succeeds.
If the first credential and the second credential differ, then RES* and XRES* determined from the same computation parameter also differ, and the PINE identity authentication fails.
In one possible implementation, authenticating the PINE based on RES* and the expected authentication parameter may further comprise:
authenticating the PINE based on the HRES* determined from RES* and the HXRES* determined from the expected authentication parameter.
In one embodiment, step 401 may, as shown in Fig. 5, comprise:
Step 501: the UDM in the core network device sending a UDM response carrying the computation parameter to the AUSF in the core network device;
Step 502: the AUSF sending an AUSF response carrying the computation parameter to the SEAF in the core network device;
Step 503: the SEAF sending an authentication request carrying the computation parameter to the PEGC over the first-type network via the base station.
The UDM may carry the computation parameter (e.g. RAND) in a UDM response sent to the AUSF. The UDM response may be a Nudm_UEAuthentication_Get Response; for example, the UDM may return the 5G HE AV to the AUSF in the Nudm_UEAuthentication_Get Response. The 5G HE AV may include RAND, AUTN and XRES*. The UDM response may carry a PINE authentication indicator indicating that the PINE is being authenticated, from which the AUSF can determine that the UDM response is for PINE identity authentication.
If the PINE identifier and the PEGC's SUCI were included in the Nudm_UEAuthentication_Get Request, the UDM includes the PINE identifier and the PEGC's SUPI in the Nudm_UEAuthentication_Get Response after the SIDF has de-concealed the SUCI.
The AUSF may store XRES*, the PINE identifier and the SUPI. The AUSF may then compute HXRES* from XRES*. The AUSF may generate a 5G AV from the 5G HE AV received from the UDM/ARPF by replacing XRES* with HXRES*; the resulting 5G AV may include RAND, AUTN and HXRES*.
The AUSF may return, in an AUSF response (e.g. Nausf_UEAuthentication_Authenticate Response), the 5G SE AV (RAND, AUTN, HXRES*), the PINE authentication indicator, the PEGC's SUPI and the PINE identifier to the SEAF. The SEAF may store the received HXRES*.
The SEAF may send the PINE authentication indicator, RAND, AUTN and the PINE identifier to the PEGC in an authentication request (e.g. a NAS message). The authentication request may be an Authentication Request.
In one embodiment, the computation parameter and/or the serving network name are sent by the PEGC to the PINE over the second-type network.
The PEGC may forward the SN-Name, RAND, AUTN and PINE authentication indicator received in the authentication request to the PINE over the secure non-3GPP second-type network. The PEGC may carry the computation parameter and/or the SN-Name in the PINE authentication request.
On receiving the RAND, AUTN and SN-Name carried in the PINE authentication request, the PINE may check the AUTN to decide whether the PINE authentication request is acceptable; for example, the PINE may verify the freshness of the received AUTN. If the PINE decides that the PINE authentication request is acceptable, it may compute RES*: for example, the PINE first computes RES, CK and IK, and then the PINE ME computes RES* from RES.
In one embodiment, step 402 may, as shown in Fig. 6, comprise:
Step 601: the SEAF receiving an authentication response carrying the authentication parameter, sent by the PEGC over the first-type network via the base station, where the PINE carried the authentication parameter in a PINE authentication response sent to the PEGC over the second-type network;
Step 602: the AUSF receiving an AUSF authentication request carrying the authentication parameter from the SEAF.
After determining RES*, the PINE may send RES* to the core network device.
The PINE may return a PINE authentication response to the PEGC over the secure non-3GPP second-type network; the PINE authentication response may include RES*, the PINE identifier and the PINE authentication indicator, and may be a PINE Authentication Response.
The PEGC may send an authentication response to the SEAF in a NAS message; the authentication response may include RES*, the PINE identifier and the PINE authentication indicator, and may be an Authentication Response.
The SEAF may send RES*, the PINE identifier, the PINE authentication indicator and the PEGC's SUPI to the AUSF in an AUSF authentication request (Nausf_UEAuthentication_Authenticate Request).
In one embodiment, authenticating the identity of the PINE based on the authentication parameter and the expected authentication parameter comprises at least one of:
the SEAF determining a hashed authentication parameter from the authentication parameter and authenticating the identity of the PINE based on the hashed authentication parameter and a hashed expected authentication parameter, where the hashed expected authentication parameter is determined by the AUSF from the expected authentication parameter and sent to the SEAF;
the AUSF authenticating the identity of the PINE based on the authentication parameter and the expected authentication parameter.
The SEAF may compute HRES* from RES* and compare HRES* with HXRES*. For example, the SEAF may locate the PINE's HXRES* using the PINE identifier and/or the PEGC's SUPI. If they match, the SEAF considers the authentication successful from the serving network's point of view; if not, the SEAF may determine that the authentication was unsuccessful. If the SEAF never receives RES*, it treats the authentication as failed and indicates PINE authentication failure to the AUSF.
When the AUSF receives the AUSF authentication request (Nausf_UEAuthentication_Authenticate Request message) including RES* as authentication confirmation, it may verify whether the 5G AV has expired; if it has, the AUSF may consider the PINE authentication unsuccessful. The AUSF compares the received RES* with the stored XRES*. If RES* and XRES* are equal, the AUSF considers the authentication successful from the home network's point of view. The AUSF informs the UDM of the authentication result.
In one possible implementation, the AUSF may indicate to the SEAF, in an AUSF authentication response (Nausf_UEAuthentication_Authenticate Response), whether the PINE authentication succeeded from the home network's point of view.
In one possible implementation, the SEAF determines HRES* from RES* and the AUSF determines HXRES* from XRES*. The SEAF and the AUSF may use the SHA-256 hash algorithm to determine HRES* and HXRES* respectively. The parameters used with SHA-256 include but are not limited to:
- P0 = the computation parameter (e.g. RAND);
- P1 = RES* or XRES*;
The input S is the concatenation of P0 and P1: P0 || P1. HRES* and HXRES* are identified with the 128 least significant bits of the SHA-256 output.
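As an added illustration, not code from the patent or from any 3GPP implementation, the following Python models the pieces of the procedure described above for one PINE behind one PEGC: the UDM's gateway check before it creates an authentication vector, the XRES*/RES* derivation with the parameter list FC = 0x6B, P0 = SN-Name, P1 = RAND, P2 = RES (the 3GPP generic KDF is HMAC-SHA-256 over FC||P0||L0||P1||L1||P2||L2 keyed with CK||IK, and RES* is its 128 least significant bits), the HXRES*/HRES* hashing as the 128 least significant bits of SHA-256(RAND || RES*), and the SEAF and AUSF comparisons. Everything the page leaves unspecified is an assumption constructed for the example: how RES, CK and IK come out of the PINE credential (a keyed-hash stand-in, not MILENAGE), the form and check of AUTN (no sequence-number freshness logic), the subscription store, and all identifier and key values.

```python
import hashlib
import hmac
import os

# Constructed sample values (assumptions, not taken from the patent text).
SN_NAME = b"5G:mnc001.mcc460.3gppnetwork.org"
PINE_ID = "pine-0001"
PEGC_SUPI = "imsi-460001234567890"
PINE_CREDENTIAL = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Assumed UDM subscription store: the PEGC's subscription lists the PINEs it may
# bring into the first-type network, and the first credential is kept per PINE.
UDM_SUBSCRIPTIONS = {PEGC_SUPI: {"pines": {PINE_ID: PINE_CREDENTIAL}}}


def kdf(key, fc, *params):
    """3GPP generic KDF (TS 33.220 Annex B): HMAC-SHA-256 over FC||P0||L0||P1||L1||..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # each Li is a 2-octet length of Pi
    return hmac.new(key, s, hashlib.sha256).digest()


def response_functions(credential, rand):
    """Assumed stand-in for f2/f3/f4 and AUTN: RES, CK||IK and AUTN from credential and RAND."""
    res = hmac.new(credential, b"f2" + rand, hashlib.sha256).digest()[:8]
    ck = hmac.new(credential, b"f3" + rand, hashlib.sha256).digest()[:16]
    ik = hmac.new(credential, b"f4" + rand, hashlib.sha256).digest()[:16]
    autn = hmac.new(credential, b"autn" + rand, hashlib.sha256).digest()[:16]
    return res, ck + ik, autn


def res_star(ck_ik, sn_name, rand, res):
    """RES*/XRES* with the page's parameter list (FC=0x6B, P0=SN-Name, P1=RAND, P2=RES);
    the value is the 128 least significant bits of the KDF output."""
    return kdf(ck_ik, 0x6B, sn_name, rand, res)[16:]


def hres_star(rand, rs):
    """HRES*/HXRES*: 128 least significant bits of SHA-256(P0 || P1) with P0=RAND, P1=RES*."""
    return hashlib.sha256(rand + rs).digest()[16:]


def udm_authorize_pegc(pegc_supi, pine_id):
    """UDM gateway check: is the PEGC a known gateway, and does its subscription
    contain this PINE? Returns the PINE's first credential, or None if not allowed."""
    subscription = UDM_SUBSCRIPTIONS.get(pegc_supi)
    if subscription is None:
        return None  # PEGC is not a legitimate gateway of the first-type network
    return subscription["pines"].get(pine_id)  # None: PINE not in PEGC's subscription


def udm_create_he_av(pegc_supi, pine_id, sn_name):
    """Nudm_UEAuthentication_Get handling: 5G HE AV (RAND, AUTN, XRES*) or None."""
    credential = udm_authorize_pegc(pegc_supi, pine_id)
    if credential is None:
        return None
    rand = os.urandom(16)
    xres, ck_ik, autn = response_functions(credential, rand)
    return {"rand": rand, "autn": autn, "xres_star": res_star(ck_ik, sn_name, rand, xres)}


def pine_respond(device_credential, sn_name, rand, autn):
    """PINE side: accept the PINE authentication request only if AUTN checks out,
    then RES -> RES*. Returns None when the request is rejected."""
    res, ck_ik, expected_autn = response_functions(device_credential, rand)
    if not hmac.compare_digest(autn, expected_autn):
        return None
    return res_star(ck_ik, sn_name, rand, res)


def run_pine_authentication(device_credential, pegc_supi=PEGC_SUPI, pine_id=PINE_ID):
    """Drives the whole exchange in-process and returns the serving-network (SEAF)
    and home-network (AUSF) verdicts, or 'unauthorized' when the UDM refuses the PEGC."""
    he_av = udm_create_he_av(pegc_supi, pine_id, SN_NAME)
    if he_av is None:
        return "unauthorized"
    ausf_xres_star = he_av["xres_star"]                   # AUSF keeps XRES*
    seaf_hxres_star = hres_star(he_av["rand"], ausf_xres_star)  # SEAF gets HXRES* only
    # SEAF -> PEGC (NAS) -> PINE (non-3GPP): RAND, AUTN, SN-Name.
    rs = pine_respond(device_credential, SN_NAME, he_av["rand"], he_av["autn"])
    if rs is None:
        return {"seaf_ok": False, "ausf_ok": False}       # SEAF never receives RES*
    # PINE -> PEGC -> SEAF: RES*. SEAF compares HRES* with HXRES*, AUSF RES* with XRES*.
    seaf_ok = hmac.compare_digest(hres_star(he_av["rand"], rs), seaf_hxres_star)
    ausf_ok = hmac.compare_digest(rs, ausf_xres_star)
    return {"seaf_ok": seaf_ok, "ausf_ok": ausf_ok}


if __name__ == "__main__":
    print(run_pine_authentication(PINE_CREDENTIAL))                  # both verdicts True
    print(run_pine_authentication(bytes(16)))                        # wrong second credential
    print(run_pine_authentication(PINE_CREDENTIAL, pine_id="pine-9"))  # PINE not subscribed
```

Two points the split check makes visible: the SEAF can reject a bad RES* without ever holding XRES*, because it only stores the hashed value, and a mismatched second credential fails already at the AUTN check on the PINE, so the SEAF sees no RES* at all and treats the authentication as failed.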
In one embodiment, the authentication parameter, the expected authentication parameter, the hashed authentication parameter and the hashed expected authentication parameter are labelled with at least one of:
the PINE identifier of the PINE;
the PEGC identifier of the PEGC.
In one possible implementation, RES*, XRES*, HRES* and HXRES* may each be labelled with the PINE identifier of the corresponding PINE and/or the PEGC identifier of the corresponding PEGC. When the core network device stores RES*, XRES*, HRES* and/or HXRES*, it may label them with the PINE identifier and/or the PEGC identifier; for example, the SEAF may label the stored XRES* and HXRES* with the PINE identifier.
In one possible implementation, while RES*, XRES*, HRES* and/or HXRES* are being transmitted, they may be labelled with the PINE identifier and/or PEGC identifier carried in the transport message. The transport message may be at least one of: the UDM response, the AUSF response, the authentication request, the authentication response, the PINE authentication request, the PINE authentication response and the AUSF authentication request.
In one embodiment, at least one of the UDM response, the AUSF response, the authentication request, the authentication response, the PINE authentication request, the PINE authentication response and the AUSF authentication request carries at least one of:
a PINE authentication indicator, indicating that the PINE is being authenticated;
a Subscription Permanent Identifier (SUPI), indicating the PEGC.
Here, the PINE authentication indicator may indicate to the core network device (e.g. UDM, AUSF, SEAF), the PEGC and the PINE that the received message is for PINE identity authentication.
The SUPI may indicate to the core network device (e.g. UDM, AUSF, SEAF), the PEGC and the PINE which PEGC the PINE being authenticated is connected to. The core network device and/or the PINE may send the corresponding information to the PEGC indicated by the SUPI.
In one embodiment, at least one of the UDM response, the AUSF response, the authentication request, the PINE authentication request, the PINE authentication response, the authentication response and the AUSF authentication request carries the PINE identifier indicating the PINE.
Here, the PINE identifier may indicate to the core network device and the PEGC which PINE is being authenticated.
In one embodiment, the PINE identifier is a security-protected PINE identifier.
A security-protected PINE identifier may be an encrypted PINE identifier, an anonymized PINE identifier, etc.
In one possible implementation, at least one of the UDM response, the AUSF response, the authentication request, the PINE authentication request, the PINE authentication response, the authentication response and the AUSF authentication request carries the security-protected PINE identifier.
In one embodiment, the method further comprises: in response to the PINE identifier being a security-protected PINE identifier, restoring the security-protected PINE identifier to a plaintext PINE identifier;
at least one of the UDM response, the AUSF response and the AUSF authentication request carries the plaintext PINE identifier;
at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries the security-protected PINE identifier.
When the PINE identifier received by a core network function (e.g. the UDM) is a protected PINE identifier, that function needs to convert the protected PINE identifier into a plaintext PINE identifier by de-anonymization, decryption or similar means.
When the PINE identifier is transmitted inside the core network device, the plaintext PINE identifier may be used; for example, at least one of the UDM response, the AUSF response and the AUSF authentication request carries the plaintext PINE identifier.
When the PINE identifier is transmitted outside the core network device, the protected PINE identifier may be used, i.e. the protected PINE identifier is used in the communication among the SEAF, the PEGC and the PINE; for example, at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries the security-protected PINE identifier.
In one possible implementation, if the PINE identifier received by the UDM is unprotected (i.e. a plaintext PINE identifier), the unprotected information (the plaintext PINE identifier) is used in the communication among the SEAF, the PEGC and the PINE; for example, at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries the plaintext PINE identifier.
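As an added example (not the patent's own code) of the identifier-handling rule just described: the UDM restores a protected PINE identifier to plaintext, the messages that stay inside the core network carry the plaintext form, and the messages on the SEAF-PEGC-PINE leg carry whichever form the UDM received. The patent only says the protected identifier is anonymized or encrypted and names no scheme, so the keyed-hash pseudonym used here, the anonymization key, the provisioned identifiers and the message names are all assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed values (assumptions): the home network's anonymization key and the
# PINE identifiers it has provisioned. The protected identifier is modelled as a
# truncated HMAC-SHA-256 pseudonym that only the UDM, holding the key, can map back.
HN_ANON_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
PROVISIONED_PINE_IDS = ("pine-0001", "pine-0002")

# Messages transported inside the core network carry the plaintext identifier;
# messages on the SEAF-PEGC-PINE leg carry the form the UDM received.
CORE_INTERNAL_MESSAGES = (
    "Nudm_UEAuthentication_Get Response",           # UDM response
    "Nausf_UEAuthentication_Authenticate Response",  # AUSF response
    "Nausf_UEAuthentication_Authenticate Request",   # AUSF authentication request
)
EXTERNAL_MESSAGES = (
    "Authentication Request",
    "PINE Authentication Request",
    "PINE Authentication Response",
    "Authentication Response",
)


def protect_pine_id(plain_id, key=HN_ANON_KEY):
    """Anonymized PINE identifier (assumed scheme: keyed-hash pseudonym)."""
    tag = hmac.new(key, plain_id.encode(), hashlib.sha256).hexdigest()[:32]
    return "anon-" + tag


def is_protected(pine_id):
    return pine_id.startswith("anon-")


class Udm:
    """Holds the reverse map from protected identifiers to plaintext ones."""

    def __init__(self, key=HN_ANON_KEY, provisioned=PROVISIONED_PINE_IDS):
        self._plain_by_protected = {protect_pine_id(p, key): p for p in provisioned}

    def restore(self, received_id):
        """Plaintext PINE identifier; unchanged when it already arrived in plaintext."""
        if not is_protected(received_id):
            return received_id
        plain = self._plain_by_protected.get(received_id)
        if plain is None:
            raise ValueError("unknown protected PINE identifier")
        return plain


def identifier_per_message(received_id, udm):
    """Which form of the PINE identifier each message of the procedure carries."""
    plain = udm.restore(received_id)
    forms = {name: plain for name in CORE_INTERNAL_MESSAGES}
    forms.update({name: received_id for name in EXTERNAL_MESSAGES})
    return forms


if __name__ == "__main__":
    udm = Udm()
    for name, form in identifier_per_message(protect_pine_id("pine-0001"), udm).items():
        print(f"{name}: {form}")
```

The reverse map is what makes the "protected outside, plaintext inside" split work without ever putting the plaintext identifier on the NAS or non-3GPP leg: the SEAF and the PEGC only ever see and relay the pseudonym, while the UDM, AUSF and SEAF-to-AUSF messages use the plaintext identifier to look up the first credential and the stored XRES*.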
In one embodiment, the PINE authentication indicator instructs the core network device not to perform at least one of:
generating the authentication server function key Kausf;
generating the security anchor function key Kseaf;
sending the key set identifier ngKSI to the PEGC;
sending the anti-bidding-down between architectures (ABBA) parameter to the PEGC.
In the related art, the UDM needs to determine Kausf during identity authentication. Here, during PINE identity authentication, the UDM may neither determine Kausf nor transmit it, which reduces the load on the core network device. (The authentication server function key Kausf is the key from which the security anchor function key Kseaf is generated.)
In the related art, the AUSF needs to determine Kseaf during identity authentication. Here, during PINE identity authentication, the AUSF may neither determine Kseaf nor transmit it, which reduces the load on the core network device. The key set identifier ngKSI identifies the key set used by a UE in the first-type network and indicates that the first-type network and that UE use the same key set. The ABBA parameter is used by the AMF to generate KAMF. The key set identifier (ngKSI, key set identifier in 5G) may be used to create the local security context after successful authentication, and the anti-bidding down between architectures (ABBA) parameter is a security-feature indication parameter that distinguishes versions to prevent bidding-down confusion.
Because the PINE accesses the first-type network through the PEGC, the SEAF may no longer determine or transmit ngKSI and the ABBA parameter, which reduces the load on the core network device.
As shown in Fig. 7, this exemplary embodiment provides an authentication method that may be performed by a PEGC of a cellular mobile communication system, comprising:
Step 701: transmitting authentication information during identity authentication of a PINE by a core network device of a first-type network, where the PINE accesses the first-type network through the PEGC, and the PINE and the PEGC are connected through a second-type network.
In one embodiment, the first-type network comprises a 3rd Generation Partnership Project (3GPP) standard network;
and the second-type network comprises a non-3GPP standard network.
Here, the first-type network may be a cellular mobile communication network conforming to the 3GPP standard, such as a 5GS network. The second-type network may be a non-3GPP network, including but not limited to at least one of: a Wi-Fi network, a Bluetooth network, ZigBee, etc.
Here, a PINE may be an IoT communication device that cannot access the first-type network (e.g. a cellular mobile communication network such as 5GS) directly; for example, a PINE may be a wearable device, a smart home appliance or a smart office device. A PEGC may be a communication device that can access the first-type network (e.g. a cellular mobile communication network) directly. A PEGC may have access capability for both the first-type and the second-type network. A PEGC can provide gateway service to the first-type network (e.g. a cellular mobile communication network) for communication devices (such as PINEs) that cannot access it directly. The PEGC and such devices may be connected through the second-type network.
In one embodiment, the PEGC comprises a user equipment (UE).
A PEGC may be a UE with access capability for both the first-type and the second-type network. For example, a PEGC may be a terminal device such as a mobile phone.
A PINE can access the 5GS through a PEGC, and the 5GS needs to identify the PINE for enhanced management; for example, the 5GS needs to determine the quality of service per PINE. Therefore, the core network device may authenticate the identity of the PINE.
Here, the core network device may authenticate the identity of the PINE. The PINE and the core network device may exchange the authentication information needed during the authentication process through the PEGC. The authentication information may include the PINE identifier, a root key, etc.
After the core network device has authenticated the PINE, it can manage the PINE in accordance with 3GPP requirements; for example, the corresponding QoS and security policy can be applied to the PINE's data transmission.
Because the core network device authenticates the PINE, the PINE can access the cellular mobile communication network directly, the PINE's communication within the first-type network can be managed by the core network device, the core network device's requirement to manage the devices accessing the first-type network is met, the PINE's data transmission needs are met, and data transmission reliability is improved.
In one embodiment, transmitting information during identity authentication of the PINE by the core network device of the first-type network comprises:
receiving a computation parameter sent by the core network device to the PEGC over the first-type network via a base station, where the computation parameter is used by the core network device, together with at least a first credential, to determine an expected authentication parameter, and the expected authentication parameter is used by the core network device to authenticate the identity of the PINE.
In this embodiment, the expected authentication parameter may be denoted XRES*, the authentication parameter RES*, the hashed expected authentication parameter HXRES*, and the hashed authentication parameter HRES*.
The PINE credential configured by the first network for the PINE may include a first credential stored in the core network device and a second credential stored in the PINE. For the same PINE, the first credential and the second credential are identical. The PINE credential may serve as the root key for PINE identity authentication.
In one possible implementation, the PINE credential may be configured by the first network for the PINE. Different PINE credentials may correspond to different PINEs.
In one embodiment, the first credential is stored in the core network device.
In one possible implementation, the first credential is stored in the UDM. In one embodiment, the first credential is determined by the core network device according to the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one possible implementation, the first credential may correspond to the PINE identifier of the PINE. Here, the PINE identifier may be a protected PINE identifier or a plaintext PINE identifier. A protected PINE identifier may be one of: an anonymized PINE identifier; an encrypted PINE identifier.
In one possible implementation, the first credential may correspond to the PINE identifier of the PINE and/or the PEGC identifier of the PINE's PEGC. The PINE identifier uniquely identifies the PINE, and the PEGC identifier uniquely identifies the PEGC.
The core network device may determine the first credential corresponding to the PINE based on the PINE identifier and/or the PEGC identifier. The PINE identifier may be carried in the trigger information that triggers the core network device to perform PINE authentication, for example a Nudm_UEAuthentication_Get Request.
The core network device may determine XRES* based at least on the first credential and the computation parameter.
The computation parameter may be at least one of the parameters used in computing XRES*. The computation the core network device uses to determine XRES* may be the same as the computation the PINE uses to determine RES*.
In one embodiment, the first credential is determined by the UDM in the core network device according to the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
The trigger information that triggers PINE authentication may be sent to the UDM. The UDM may determine the PINE's first credential based on the PINE identifier and/or the PEGC identifier of the PEGC.
The first credential may be stored in the UDM, and the UDM may determine XRES* and thereby start the identity authentication of the PINE.
XRES* can be compared with the RES* computed by the PINE to confirm whether the PINE's second credential etc. match the first credential etc. held in the UDM, thereby establishing the PINE's identity and completing its authentication. The UDM may include the Authentication credential Repository and Processing Function (ARPF).
By way of example, for each Nudm_Authenticate_Get Request shown in Fig. 3, the UDM/ARPF creates a 5G HE AV for the PINE based on the locally stored PINE credential, i.e. the first credential. The UDM/ARPF does this by generating an AV with the Authentication Management Field (AMF) "separation bit" set to "1". The UDM/ARPF may then compute XRES*. The 5G HE AV created by the UDM/ARPF may include RAND, the authentication token AUTN and XRES*.
Before the UDM determines XRES*, it may also determine whether the PEGC is a legitimate gateway for the PINE: first, the UDM may determine, based on the decision information, whether the PEGC is a legitimate gateway in the first-type network, for example based on the PEGC identifier. Then the UDM may determine whether the PEGC is a legitimate gateway for the PINE, for example whether the PEGC is allowed to bring the PINE into the first-type network; the UDM may decide this based on the PEGC identifier, the PINE identifier and the PEGC's subscription information. For example, when the subscription information of the PEGC identified by the PEGC identifier contains the PINE's PINE identifier, the PEGC is determined to be a legitimate gateway for the PINE.
The decision information comprises at least one of: the PEGC identifier of the PEGC; the PINE identifier of the PINE; the subscription information of the PEGC. The PEGC identifier may include a Subscription Concealed Identifier (SUCI) and/or a Subscription Permanent Identifier (SUPI).
In one embodiment, the computation parameter comprises at least a random number RAND.
The computation parameter may be the random number used to compute XRES*.
In one embodiment, as shown in Fig. 8, transmitting information during identity authentication of the PINE by the core network device of the first-type network comprises:
Step 801: sending the computation parameter to the PINE over the second-type network;
Step 802: receiving an authentication parameter sent by the PINE over the second-type network, where the authentication parameter is determined by the PINE based at least on a second credential and the computation parameter;
Step 803: sending the authentication parameter to the core network device over the first-type network via the base station, where the authentication parameter is used by the core network device to authenticate the identity of the PINE based at least on the expected authentication parameter.
After determining XRES*, the core network device may send the computation parameter to the PINE's PEGC through the second-type network. The PEGC may send the computation parameter to the PINE, and the PINE determines RES* based on the second credential, the computation parameter, etc. The second credential may be determined by the first network, for example by a core network device of the first network, and may be sent by the first network to the PINE through the PEGC.
The core network device may determine whether the PINE identity authentication succeeds based on the comparison of RES* and XRES*.
If the first credential and the second credential are the same, then RES* and XRES* determined from the same computation parameter are also the same, and the PINE identity authentication succeeds.
If the first credential and the second credential differ, then RES* and XRES* determined from the same computation parameter also differ, and the PINE identity authentication fails.
In one possible implementation, authenticating the PINE based on RES* and XRES* may further comprise:
authenticating the PINE based on the HRES* determined from RES* and the HXRES* determined from XRES*.
In one embodiment, receiving the computation parameter sent by the core network device to the PEGC over the first-type network via the base station comprises:
receiving an authentication request carrying the computation parameter, sent by the SEAF in the core network device over the first-type network via the base station;
sending the computation parameter to the PINE over the second-type network comprises:
sending a PINE authentication request carrying the computation parameter to the PINE over the second-type network;
receiving the authentication parameter sent by the PINE over the second-type network comprises:
receiving a PINE authentication response carrying the authentication parameter, sent by the PINE over the second-type network;
and sending the authentication parameter to the core network device over the first-type network via the base station comprises:
sending an authentication response carrying the authentication parameter to the SEAF over the first-type network via the base station.
The UDM may carry the computation parameter (e.g. RAND) in a UDM response sent to the AUSF. The UDM response may be a Nudm_UEAuthentication_Get Response; for example, the UDM may return the 5G HE AV to the AUSF in the Nudm_UEAuthentication_Get Response. The 5G HE AV may include RAND, AUTN and XRES*. The UDM response may carry a PINE authentication indicator indicating that the PINE is being authenticated, from which the AUSF can determine that the UDM response is for PINE identity authentication.
If the PINE identifier and the PEGC's SUCI were included in the Nudm_UEAuthentication_Get Request, the UDM includes the PINE identifier and the PEGC's SUPI in the Nudm_UEAuthentication_Get Response after the SIDF has de-concealed the SUCI.
The AUSF may store XRES*, the PINE identifier and the SUPI. The AUSF may then compute HXRES* from XRES*. The AUSF may generate a 5G AV from the 5G HE AV received from the UDM/ARPF by replacing XRES* with HXRES*; the resulting 5G AV may include RAND, AUTN and HXRES*.
The AUSF may return, in an AUSF response (e.g. Nausf_UEAuthentication_Authenticate Response), the 5G SE AV (RAND, AUTN, HXRES*), the PINE authentication indicator, the PEGC's SUPI and the PINE identifier to the SEAF. The SEAF may store the received HXRES*.
The SEAF may send the PINE authentication indicator, RAND, AUTN and the PINE identifier to the PEGC in an authentication request (e.g. a NAS message). The authentication request may be an Authentication Request.
In one embodiment, the PINE authentication request further carries a serving network name.
The PEGC may forward the SN-Name, RAND, AUTN and PINE authentication indicator received in the authentication request to the PINE over the secure non-3GPP second-type network. The PEGC may carry the computation parameter and/or the SN-Name in the PINE authentication request.
On receiving the RAND, AUTN and SN-Name carried in the PINE authentication request, the PINE may check the AUTN to decide whether the PINE authentication request is acceptable; for example, the PINE may verify the freshness of the received AUTN. If the PINE decides that the PINE authentication request is acceptable, it may compute RES*: for example, the PINE first computes RES, CK and IK, and then the PINE ME computes RES* from RES.
After determining RES*, the PINE may send RES* to the core network device.
The PINE may return a PINE authentication response to the PEGC over the secure non-3GPP second-type network; the PINE authentication response may include RES*, the PINE identifier and the PINE authentication indicator, and may be a PINE Authentication Response.
The PEGC may send an authentication response to the SEAF in a NAS message; the authentication response may include RES*, the PINE identifier and the PINE authentication indicator, and may be an Authentication Response.
The SEAF may send RES*, the PINE identifier, the PINE authentication indicator and the PEGC's SUPI to the AUSF in an AUSF authentication request (Nausf_UEAuthentication_Authenticate Request).
In one embodiment, the expected authentication parameter is determined by the core network device based at least on the first credential, the computation parameter and the serving network name;
and the authentication parameter is determined by the PINE based at least on the second credential, the computation parameter and the serving network name.
By way of example, the core network device may determine XRES* based on a predetermined computation and at least one of the following:
- FC = 0x6B.
- P0 = SN-Name (the serving network name).
- L0 = length of the serving network name.
- P1 = the computation parameter, i.e. RAND.
- L1 = length of RAND (e.g. 0x00 0x10).
- P2 = XRES.
- L2 = length of XRES (variable length, e.g. 0x00 0x04 and 0x00 0x10).
The core network device may send the computation parameter and/or the SN-Name to the PINE, which determines RES* together with its stored second credential. The PINE may determine RES* in a similar way to the above, which is not repeated here.
The SEAF may compute HRES* from RES* and compare HRES* with HXRES*. For example, the SEAF may locate the PINE's HXRES* using the PINE identifier and/or the PEGC's SUPI. If they match, the SEAF considers the authentication successful from the serving network's point of view; if not, the SEAF may determine that the authentication was unsuccessful. If the SEAF never receives RES*, it treats the authentication as failed and indicates PINE authentication failure to the AUSF.
When the AUSF receives the AUSF authentication request (Nausf_UEAuthentication_Authenticate Request message) including RES* as authentication confirmation, it may verify whether the 5G AV has expired; if it has, the AUSF may consider the PINE authentication unsuccessful. The AUSF compares the received RES* with the stored XRES*. If RES* and XRES* are equal, the AUSF considers the authentication successful from the home network's point of view. The AUSF informs the UDM of the authentication result.
In one possible implementation, the AUSF may indicate to the SEAF, in an AUSF authentication response (Nausf_UEAuthentication_Authenticate Response), whether the PINE authentication succeeded from the home network's point of view.
In one possible implementation, the SEAF determines HRES* from RES* and the AUSF determines HXRES* from XRES*. The SEAF and the AUSF may use the SHA-256 hash algorithm to determine HRES* and HXRES* respectively. The parameters used with SHA-256 include but are not limited to:
- P0 = the computation parameter (e.g. RAND);
- P1 = RES* or XRES*;
The input S is the concatenation of P0 and P1: P0 || P1. HRES* and HXRES* are identified with the 128 least significant bits of the SHA-256 output.
在一个实施例中,所述认证参数、所述期望认证参数、所述哈希认证参数和所述哈希期望认证参数是采用以下至少之一标识的:
所述所述PINE的PINE标识;
所述PEGC的PEFC标识。
在一个可能的实现方式中,RES*、XRES*、HRES*和HXRES*可以具有单独用于分别指示对应PINE的PINE标识,和/或指示对应PEGC的PEGC标识。核心网设备在存储RES*、XRES*、HRES*和/或述HXRES*时,可以采用PINE标识和/或PEFC标识进行标识。例如,SEAD在存储XRES*和HXRES*可以采用PINE标识。
在一个可能的实现方式中,在RES*、XRES*、HRES*和/或HXRES*传输过程中,可以采用传输消息所携带的PINE标识和/或PEFC标识进行标识。传输消息可以包括至少以下之一:UDM响应、所述AUSF响应、所述认证请求、所述认证响应、所述PINE认证请求、所述PINE认证响应、所述AUSF认证请求。
In one embodiment, at least one of the authentication request, the authentication response, the PINE authentication request and the PINE authentication response carries at least one of:
a PINE authentication indicator, indicating that the PINE is being authenticated;
a subscription permanent identifier SUPI, indicating the PEGC.
Here the PINE authentication indicator tells the core network device (e.g. UDM, AUSF, SEAF), the PEGC and the PINE that the received message is for authenticating a PINE.
The SUPI tells the core network device (e.g. UDM, AUSF, SEAF), the PEGC and the PINE which PEGC the PINE being authenticated is connected to; the core network device and/or the PINE can then send the corresponding information to the PEGC indicated by the SUPI.
In one embodiment, at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries a PINE identifier indicating the PINE.
Here the PINE identifier tells the core network device and the PEGC which PINE is being authenticated.
In one embodiment, the PINE identifier is a security-protected PINE identifier.
A security-protected PINE identifier may be an encrypted PINE identifier, an anonymised PINE identifier, or similar.
In one possible implementation, at least one of the UDM response, the AUSF response, the authentication request, the PINE authentication request, the PINE authentication response, the authentication response and the AUSF authentication request carries the security-protected PINE identifier.
When a core network element (e.g. the UDM) receives a protected PINE identifier, it must convert it back to the plaintext PINE identifier by de-anonymisation, decryption or similar means.
For transmission inside the core network the plaintext PINE identifier can be used; for example, at least one of the UDM response, the AUSF response and the AUSF authentication request carries the plaintext PINE identifier.
When the PINE identifier is transmitted outside the core network, i.e. on the SEAF-PEGC-PINE legs, the protected PINE identifier is used; for example, at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries the security-protected PINE identifier.
In one possible implementation, if the PINE identifier received by the UDM is unprotected (a plaintext PINE identifier), the unprotected plaintext PINE identifier is also used on the SEAF-PEGC-PINE legs; for example, at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries the plaintext PINE identifier.
In the related art the UDM derives Kausf during authentication. In PINE authentication the UDM need not derive or transmit Kausf, which reduces the load on the core network device. (Kausf, the authentication server function key, is the key from which the security anchor function key Kseaf is derived.)
Likewise, in the related art the AUSF derives Kseaf during authentication; in PINE authentication the AUSF need not derive or transmit Kseaf, again reducing core network load. The key set identifier ngKSI (key set identifier in 5G) identifies the key set a UE uses in the first-type network, so that the network and the UE use the same key set and a local security context can be created after successful authentication; the ABBA (anti-bidding down between architectures) parameter is used by the AMF to derive KAMF and indicates the set of security features so that versions cannot be confused.
Because the PINE accesses the first-type network through the PEGC, the SEAF need not determine or transmit ngKSI and the ABBA parameter either, which further reduces the load on the core network device.
As shown in Fig. 9, this exemplary embodiment provides an authentication method, executable by a PINE, comprising:
Step 901: transmitting authentication information while a core network device of a first-type network authenticates the PINE, wherein the PINE accesses the first-type network through a personal IoT gateway PEGC, and the PINE and the PEGC are connected over a second-type network.
In one embodiment, the first-type network comprises a 3rd Generation Partnership Project (3GPP) network;
and the second-type network comprises a non-3GPP network.
Here the first-type network may be a cellular mobile communication network conforming to 3GPP standards, such as a 5GS network. The second-type network may be a non-3GPP network including, but not limited to, at least one of a Wi-Fi network, a Bluetooth network and ZigBee.
A PINE is an IoT communication device that cannot access the first-type network (e.g. a cellular network such as 5GS) directly, such as a wearable, a smart home appliance or a smart office device. A PEGC is a communication device that can access the first-type network (e.g. a cellular network) directly and has access capability for both the first-type and the second-type network. The PEGC provides devices that cannot access the first-type network directly (such as PINEs) with gateway service into the first-type network, and connects to such devices over the second-type network.
In one embodiment, the PEGC comprises a user equipment UE.
The PEGC may be a UE with both first-type and second-type network access, for example a terminal such as a mobile phone.
The PINE accesses the 5GS through the PEGC, and the 5GS needs to identify the PINE for better management, e.g. to determine quality of service per PINE. The core network device therefore authenticates the PINE.
Here the PINE and the core network device exchange the authentication information needed during the authentication through the PEGC; the authentication information may include the PINE identifier, a root key, and so on.
After authenticating the PINE, the core network device can manage it in accordance with 3GPP requirements, e.g. apply the corresponding QoS and security policies to the PINE's data transmission.
In this way, authenticating the PINE at the core network device allows the PINE to use the cellular mobile communication network, lets the core network device manage the PINE's communication within the first-type network, and meets the core network's management requirements for devices accessing the first-type network, while satisfying the PINE's data transmission needs and improving transmission reliability.
In one embodiment, transmitting authentication information while the core network device of the first-type network authenticates the PINE comprises:
receiving, over the second-type network, a computation parameter sent by the PEGC, wherein the computation parameter was sent to the PEGC by the core network device over the first-type network via a base station, and wherein the computation parameter is used by the core network device together with at least a first credential to determine an expected authentication parameter, which the core network device uses to authenticate the PINE.
In this embodiment the expected authentication parameter is denoted XRES*, the authentication parameter RES*, the hashed expected authentication parameter HXRES* and the hashed authentication parameter HRES*.
The PINE credential configured by the first network for the PINE comprises a first credential stored in the core network device and a second credential stored in the PINE; for the same PINE the first credential and the second credential are identical. The PINE credential serves as the root key for PINE authentication.
In one possible implementation, the PINE credential is configured by the first network, and different PINE credentials correspond to different PINEs.
In one embodiment, the first credential is stored in the core network device.
In one possible implementation, the first credential is stored in the UDM.
In one embodiment, the first credential is determined by the core network device from the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one possible implementation, the first credential corresponds to the PINE identifier of the PINE. The PINE identifier may be a protected PINE identifier or a plaintext PINE identifier; a protected PINE identifier may be an anonymised PINE identifier or an encrypted PINE identifier.
In one possible implementation, the first credential corresponds to the PINE identifier of the PINE and/or the PEGC identifier of the PINE's PEGC, where the PINE identifier uniquely identifies the PINE and the PEGC identifier uniquely identifies the PEGC.
The core network device determines the first credential corresponding to the PINE from the PINE identifier and/or the PEGC identifier. The PINE identifier may be carried in the trigger information that triggers the core network device to perform PINE authentication, e.g. a Nudm_UEAuthentication_Get Request.
The core network device determines XRES* from at least the first credential and the computation parameter.
The computation parameter is at least one parameter used in computing XRES*. The computation the core network device uses to determine XRES* may be the same as the computation the PINE uses to determine RES*.
In one embodiment, the first credential is determined by the UDM in the core network device from the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
The trigger information for PINE authentication is sent to the UDM, which determines the PINE's first credential from the PINE identifier and/or the PEGC identifier of the PEGC.
The first credential may be stored in the UDM, which determines XRES* and thereby starts the PINE authentication.
XRES* is compared with the RES* computed by the PINE to confirm whether the PINE's second credential matches the first credential held by the UDM, thereby establishing the PINE's identity and completing the PINE authentication. The UDM may include the authentication credential repository and processing function (ARPF).
By way of example, for each Nudm_UEAuthentication_Get Request shown in Fig. 3, the UDM/ARPF creates a 5G HE AV for the PINE from the locally stored PINE credential, i.e. the first credential. It does so by generating an AV with the authentication management field (AMF) separation bit set to 1, then computes XRES*. The resulting 5G HE AV comprises RAND, the authentication token AUTN and XRES*.
Before determining XRES*, the UDM can also check whether the PEGC is a legal gateway for the PINE. It first checks, from the decision information (e.g. the PEGC identifier), whether the PEGC is a legal gateway in the first-type network; it then checks whether the PEGC is a legal gateway for this PINE, i.e. whether the PEGC is allowed to bring the PINE into the first-type network, from the PEGC identifier, the PINE identifier and the PEGC's subscription information. For example, if the subscription information of the PEGC identified by the PEGC identifier lists the PINE's PINE identifier, the PEGC is a legal gateway for that PINE.
The decision information comprises at least one of: the PEGC identifier of the PEGC; the PINE identifier of the PINE; the subscription information of the PEGC. The PEGC identifier may comprise a subscription concealed identifier (SUCI) and/or a subscription permanent identifier (SUPI).
In one embodiment, the computation parameter comprises at least a random number RAND.
The computation parameter may be the random number used to compute XRES*.
In one embodiment, the method further comprises: determining an authentication parameter from at least a second credential and the computation parameter;
and transmitting authentication information while the core network device of the first-type network authenticates the PINE comprises:
sending RES* to the PEGC over the second-type network, wherein the PEGC sends RES* to the core network device over the first-type network via the base station, and the core network device authenticates the PINE from at least RES* and the expected authentication parameter.
After determining XRES*, the core network device sends the computation parameter to the PINE's PEGC, which forwards it to the PINE over the second-type network; the PINE determines RES* from the second credential, the computation parameter and so on. The second credential may be determined by the first network, e.g. by the core network device of the first network, and delivered to the PINE by the first network through the PEGC.
The core network device determines whether the PINE authentication succeeded from the comparison of RES* and XRES*.
If the first credential and the second credential are identical, the RES* and XRES* computed from the same computation parameter are also identical, and the PINE authentication succeeds.
If the first credential and the second credential differ, the RES* and XRES* computed from the same computation parameter also differ, and the PINE authentication fails.
In one possible implementation, authenticating the PINE from RES* and XRES* further comprises:
authenticating the PINE from HRES* determined from RES* and HXRES* determined from XRES*.
In one embodiment, receiving the computation parameter sent by the PEGC over the second-type network comprises:
receiving, over the second-type network, a PINE authentication request sent by the PEGC carrying the computation parameter;
and sending the authentication parameter to the PEGC over the second-type network comprises:
sending, over the second-type network, a PINE authentication response carrying the authentication parameter to the PEGC.
The UDM carries the computation parameter (e.g. RAND) in a UDM response sent to the AUSF; the UDM response may be a Nudm_UEAuthentication_Get Response. For example, the UDM returns the 5G HE AV, comprising RAND, AUTN and XRES*, to the AUSF in the Nudm_UEAuthentication_Get Response. The UDM response may carry a PINE authentication indicator indicating that the PINE is being authenticated, from which the AUSF determines that the UDM response is for PINE authentication.
If the PINE identifier and the PEGC's SUCI were included in the Nudm_UEAuthentication_Get Request, the UDM includes the PINE identifier and the PEGC's SUPI in the Nudm_UEAuthentication_Get Response after the SIDF has de-concealed the SUCI.
The AUSF stores XRES*, the PINE identifier and the SUPI, then computes HXRES* from XRES*. The AUSF generates a 5G AV from the 5G HE AV received from the UDM/ARPF by replacing XRES* with HXRES*; the 5G AV comprises RAND, AUTN and HXRES*.
The AUSF returns the 5G SE AV (RAND, AUTN, HXRES*), the PINE authentication indicator, the PEGC's SUPI and the PINE identifier to the SEAF in an AUSF response (e.g. Nausf_UEAuthentication_Authenticate Response). The SEAF stores the received HXRES*.
The SEAF sends the PINE authentication indicator, RAND, AUTN and the PINE identifier to the PEGC in an authentication request (e.g. a NAS message). The authentication request may be an Authentication Request.
In one embodiment, the PINE authentication request also carries the serving network identifier.
The PEGC forwards the SN-Name, RAND, AUTN and PINE authentication indicator received in the authentication request to the PINE over the secure non-3GPP second network. The PEGC may carry the computation parameter and/or the SN-Name in the PINE authentication request.
On receiving the RAND, AUTN and SN-Name carried in the PINE authentication request, the PINE checks the AUTN to decide whether the request is acceptable; for example, it verifies the freshness of the received AUTN. If the request is acceptable, the PINE computes RES*: it first computes RES, CK and IK, then derives RES* from RES.
Having determined RES*, the PINE sends RES* to the core network device.
The PINE returns a PINE authentication response to the PEGC over the secure non-3GPP second-type network; the response may carry RES*, the PINE identifier and the PINE authentication indicator. The PINE authentication response may be a PINE Authentication Response.
The PEGC sends an authentication response to the SEAF in a NAS message; the authentication response may carry RES*, the PINE identifier and the PINE authentication indicator. The authentication response may be an Authentication Response.
The SEAF sends RES*, the PINE identifier, the PINE authentication indicator and the PEGC's SUPI to the AUSF in an AUSF authentication request (Nausf_UEAuthentication_Authenticate Request).
In one embodiment, the expected authentication parameter is determined from at least the first credential, the computation parameter and a serving network identifier;
and determining the authentication parameter from at least the second credential and the computation parameter comprises:
determining the authentication parameter from at least the second credential, the computation parameter and the serving network identifier.
By way of example, the core network device determines XRES* using a predefined computation and at least one of the following inputs:
- FC = 0x6B;
- P0 = SN-Name (the serving network identifier);
- L0 = length of the serving network identifier;
- P1 = the computation parameter, i.e. RAND;
- L1 = length of RAND (e.g. 0x00 0x10);
- P2 = XRES;
- L2 = length of XRES (variable, e.g. from 0x00 0x04 to 0x00 0x10).
The core network device sends the computation parameter and/or SN-Name to the PINE, which combines them with its stored second credential to determine RES*. The PINE determines RES* in the same way as above, which is not repeated here.
The SEAF computes HRES* from RES* and compares HRES* with HXRES*; for example, it locates the PINE's HXRES* from the PINE identifier and/or the PEGC's SUPI. If they match, the SEAF considers the authentication successful from the serving network's point of view; otherwise it determines that the authentication did not succeed. If the SEAF never receives RES*, it shall treat the authentication as failed and indicate the PINE authentication failure to the AUSF.
When the AUSF receives an AUSF authentication request (Nausf_UEAuthentication_Authenticate Request) carrying RES* as authentication confirmation, it can verify whether the 5G AV has expired; if it has, the AUSF may consider the PINE authentication unsuccessful. The AUSF shall compare the received RES* with the stored XRES*; if they are equal, the AUSF shall consider the authentication successful from the home network's point of view. The AUSF shall notify the UDM of the authentication result.
In one possible implementation, the AUSF indicates to the SEAF in the AUSF authentication response (Nausf_UEAuthentication_Authenticate Response) whether the PINE authentication succeeded from the home network's point of view.
In one possible implementation, the SEAF determines HRES* from RES* and the AUSF determines HXRES* from XRES*, both using the SHA-256 hash. The inputs to SHA-256 include, but are not limited to:
- P0 = the computation parameter (e.g. RAND);
- P1 = RES* or XRES*.
The input S is the concatenation P0 || P1. HRES* and HXRES* are identified with the 128 least significant bits of the SHA-256 output.
In one embodiment, the authentication parameter, the expected authentication parameter, the hashed authentication parameter and the hashed expected authentication parameter are identified by at least one of:
the PINE identifier of the PINE;
the PEGC identifier of the PEGC.
In one possible implementation, RES*, XRES*, HRES* and HXRES* each carry a PINE identifier indicating the corresponding PINE and/or a PEGC identifier indicating the corresponding PEGC. When the core network device stores RES*, XRES*, HRES* and/or HXRES*, it can index them by PINE identifier and/or PEGC identifier; for example, XRES* at the AUSF and HXRES* at the SEAF can be stored indexed by PINE identifier.
In one possible implementation, while RES*, XRES*, HRES* and/or HXRES* are in transit they are identified by the PINE identifier and/or PEGC identifier carried in the transport message, which may be at least one of: the UDM response, the AUSF response, the authentication request, the authentication response, the PINE authentication request, the PINE authentication response and the AUSF authentication request.
In one embodiment, the PINE authentication request and/or the PINE authentication response carries at least one of:
a PINE authentication indicator, indicating that the PINE is being authenticated;
a subscription permanent identifier SUPI, indicating the PEGC.
Here the PINE authentication indicator tells the core network device (e.g. UDM, AUSF, SEAF), the PEGC and the PINE that the received message is for authenticating a PINE.
The SUPI tells the core network device (e.g. UDM, AUSF, SEAF), the PEGC and the PINE which PEGC the PINE being authenticated is connected to; the core network device and/or the PINE can then send the corresponding information to the PEGC indicated by the SUPI.
In one embodiment, the PINE authentication request and/or the PINE authentication response carries a PINE identifier indicating the PINE.
Here the PINE identifier tells the core network device and the PEGC which PINE is being authenticated.
In one embodiment, the PINE identifier is a security-protected PINE identifier.
A security-protected PINE identifier may be an encrypted PINE identifier, an anonymised PINE identifier, or similar.
In one possible implementation, at least one of the UDM response, the AUSF response, the authentication request, the PINE authentication request, the PINE authentication response, the authentication response and the AUSF authentication request carries the security-protected PINE identifier.
When a core network element (e.g. the UDM) receives a protected PINE identifier, it must convert it back to the plaintext PINE identifier by de-anonymisation, decryption or similar means.
For transmission inside the core network the plaintext PINE identifier can be used; for example, at least one of the UDM response, the AUSF response and the AUSF authentication request carries the plaintext PINE identifier.
When the PINE identifier is transmitted outside the core network, i.e. on the SEAF-PEGC-PINE legs, the protected PINE identifier is used; for example, at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries the security-protected PINE identifier.
In one possible implementation, if the PINE identifier received by the UDM is unprotected (a plaintext PINE identifier), the unprotected plaintext PINE identifier is also used on the SEAF-PEGC-PINE legs; for example, at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries the plaintext PINE identifier.
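The two forms of the PINE identifier described above, as an added example that is not part of the patent or of any 3GPP code (Python, standard library only). It models a protected identifier that only the key-holding function on the UDM/SIDF side can open, and the routing rule that the plaintext form stays on core-internal messages while the SEAF-PEGC-PINE legs echo the protected form exactly as the PEGC sent it. The concealment scheme (an HMAC-SHA-256 keystream with an HMAC tag over a fresh nonce), the assumption that the home network issued the protected identifier to the PINE when its credential was provisioned, and the message-to-form policy table are assumptions standing in for whatever encryption or anonymisation a deployment uses.

```python
"""Added example (not from the patent): protected vs. plaintext PINE identifier handling."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 12, 16

# Assumed policy: messages that stay inside the core may carry the plaintext identifier;
# messages on the SEAF-PEGC-PINE legs must carry the protected form unchanged.
CORE_INTERNAL = {"Nudm_UEAuthentication_Get Response",
                 "Nausf_UEAuthentication_Authenticate Response",
                 "Nausf_UEAuthentication_Authenticate Request"}
EXTERNAL = {"Authentication Request", "PINE Authentication Request",
            "PINE Authentication Response", "Authentication Response"}


class PineIdProtector:
    """Encrypt-then-MAC with keys derived from a master key held only on the UDM/SIDF side."""

    def __init__(self, master_key):
        self.k_enc = hmac.new(master_key, b"pine-id-enc", hashlib.sha256).digest()
        self.k_mac = hmac.new(master_key, b"pine-id-mac", hashlib.sha256).digest()

    def _keystream(self, nonce, length):
        blocks = b"".join(
            hmac.new(self.k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
            for i in range((length + 31) // 32))
        return blocks[:length]

    def conceal(self, pine_id):
        """Issue a protected identifier; a fresh nonce makes repeated issues unlinkable."""
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = bytes(a ^ b for a, b in zip(pine_id, self._keystream(nonce, len(pine_id))))
        tag = hmac.new(self.k_mac, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        return nonce + ct + tag

    def reveal(self, protected):
        """Recover the plaintext identifier; reject anything whose tag does not verify."""
        if len(protected) < NONCE_LEN + TAG_LEN:
            raise ValueError("protected PINE identifier too short")
        nonce, ct, tag = protected[:NONCE_LEN], protected[NONCE_LEN:-TAG_LEN], protected[-TAG_LEN:]
        expected = hmac.new(self.k_mac, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("protected PINE identifier failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


def identifier_for(message, received_protected, protector):
    """Return the identifier form a given message may carry.

    Core-internal messages get the plaintext opened by the UDM side; external messages
    echo the protected form as received, so the SEAF never re-encrypts or exposes it.
    """
    if message in CORE_INTERNAL:
        return protector.reveal(received_protected)
    if message in EXTERNAL:
        return received_protected
    raise KeyError(f"no identifier policy for message {message!r}")
```

`identifier_for` raising on an unknown message name is deliberate: a message type that has no entry in the policy should fail closed rather than default to the plaintext form.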
In the related art the UDM derives Kausf during authentication. In PINE authentication the UDM need not derive or transmit Kausf, which reduces the load on the core network device. (Kausf, the authentication server function key, is the key from which the security anchor function key Kseaf is derived.)
Likewise, in the related art the AUSF derives Kseaf during authentication; in PINE authentication the AUSF need not derive or transmit Kseaf, again reducing core network load. The key set identifier ngKSI (key set identifier in 5G) identifies the key set a UE uses in the first-type network, so that the network and the UE use the same key set and a local security context can be created after successful authentication; the ABBA (anti-bidding down between architectures) parameter is used by the AMF to derive KAMF and indicates the set of security features so that versions cannot be confused.
Because the PINE accesses the first-type network through the PEGC, the SEAF need not determine or transmit ngKSI and the ABBA parameter either, which further reduces the load on the core network device.
A specific example combining any of the embodiments above follows.
PINE authentication is shown in Fig. 10. Here it is assumed that the PINE identifier is encrypted and that the UDM can call a function to decrypt the encrypted PINE identifier.
It is further assumed that the UDM can identify the PINE's credential from the encrypted PINE identifier or the PINE identifier, and that the PINE is connected to the PEGC over secure non-3GPP access.
The PINE authentication comprises:
Step 1001: generate the 5G HE AV. It is assumed that the UDM can identify the PINE credential from the decrypted PINE identifier or the PINE identifier, and that the PINE is connected to the PEGC over secure non-3GPP access. For each Nudm_UEAuthentication_Get Request shown in Fig. 3, the UDM/ARPF creates a 5G HE AV from the locally stored PINE credential. It does so by generating an AV with the authentication management field (AMF) separation bit set to 1, as defined in TS 33.102 [9]; it then computes XRES* (per Annex A.4) and finally creates the 5G HE AV from RAND, AUTN and XRES*. If the PINE identifier is a protected PINE identifier (anonymised or encrypted), the UDM first de-conceals and/or decrypts it.
Step 1002: the UDM returns the 5G HE AV and the PINE authentication indicator, together with an indication that the 5G HE AV is to be used for 5G AKA, to the AUSF in the Nudm_UEAuthentication_Get Response.
If the PINE identifier and the PEGC's SUCI were included in the Nudm_UEAuthentication_Get Request, the UDM includes the PINE identifier and the PEGC's SUPI in the Nudm_UEAuthentication_Get Response after the SIDF has de-concealed the SUCI.
Step 1003: the AUSF temporarily stores XRES* together with the received PINE identifier and the PEGC's SUPI.
Step 1004: the AUSF generates the 5G AV from the 5G HE AV received from the UDM/ARPF by computing HXRES* from XRES* (per Annex A.5 of TS 33.501 [1]) and replacing XRES* with HXRES*.
Step 1005: the AUSF returns the 5G SE AV (RAND, AUTN, HXRES*), the PINE authentication indicator, the PEGC's SUPI and the PINE identifier to the SEAF in the Nausf_UEAuthentication_Authenticate Response.
Step 1006: the SEAF sends the PINE authentication indicator, RAND, AUTN and the PINE identifier to the PEGC in the NAS message Authentication Request. If the PINE identifier the PEGC sent to the SEAF was a protected PINE identifier, the SEAF sends the protected PINE identifier back to the PEGC.
Step 1007: the PEGC forwards the SN-Name, RAND, AUTN and PINE authentication indicator received in the NAS Authentication Request to the PINE in a PINE Authentication Request over the secure non-3GPP connection.
Step 1008: on receiving RAND, AUTN and SN-Name, the PINE checks whether the AUTN is acceptable, as described in TS 33.102 [9], to verify the freshness of the received values. If so, the PINE computes RES, CK and IK, then computes the authentication response RES* from RES per Annex A.4 of TS 33.501.
Step 1009: the PINE returns RES*, the PINE identifier and the PINE authentication indicator to the PEGC over the secure non-3GPP access.
Step 1010: the PEGC sends RES*, the PINE identifier, the PEGC identifier and the PINE authentication indicator to the SEAF in the NAS message Authentication Response.
Step 1011: the SEAF computes HRES* from RES* per Annex A.5 of TS 33.501 and compares HRES* with HXRES*; it locates the HXRES* of the specific PINE from the PINE identifier and the PEGC's SUPI. If they match, the SEAF considers the authentication successful from the serving network's point of view; if not, the SEAF proceeds per clause 6.1.3.2.2 of TS 33.501. If the PINE is not reached and the SEAF never receives RES*, the SEAF treats the authentication as failed and indicates the failure to the AUSF.
Step 1012: the SEAF sends RES*, the PEGC's SUPI, the PINE identifier and the PINE authentication indicator to the AUSF in the Nausf_UEAuthentication_Authenticate Request.
Step 1013: when the AUSF receives the Nausf_UEAuthentication_Authenticate Request carrying RES* as authentication confirmation, it verifies whether the 5G AV has expired; if it has, the AUSF may consider the authentication unsuccessful from the home network's point of view. The AUSF compares the received RES* with the stored XRES*; if they are equal, the AUSF considers the authentication successful from the home network's point of view and notifies the UDM of the result.
Step 1014: the AUSF indicates to the SEAF in the Nausf_UEAuthentication_Authenticate Response whether the authentication succeeded from the home network's point of view.
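The run of steps 1001 to 1014, as an added example that is not part of the patent or of any 3GPP code (Python, standard library only). It also serves the XRES*/RES* and HXRES*/HRES* parameter lists given earlier: the KDF input is FC = 0x6B, P0 = SN name, P1 = RAND, P2 = (X)RES with two-byte lengths and CK || IK as key, and (X)RES* is the 128 least significant bits of the output (TS 33.501 Annex A.4); H(X)RES* is the 128 least significant bits of SHA-256(RAND || (X)RES*) (Annex A.5). The model carries the UDM's legal-gateway check against the PEGC subscription, the AUSF's AV-expiry check, the SEAF's treatment of a missing RES* as failure, and the PINE's AUTN check before it derives RES*. The f1-f4 stand-ins, the AUTN layout (SQN sent unmasked, no AK), the serving network name, the AV lifetime and the subscription data are assumptions, and the PEGC is reduced to a relay that adds its own SUPI.

```python
"""Added example (not the patent's or 3GPP's code): stdlib model of the PINE run of steps
1001-1014; f1-f4, AUTN layout, SN name, AV lifetime and subscriptions are assumed."""
import hashlib, hmac, secrets, time
SN_NAME = b"5G:mnc012.mcc345.3gppnetwork.org"  # assumed serving network name
AMF_SEP = b"\x80\x00"                           # AMF with the separation bit set to 1
AV_LIFETIME_S = 60.0                            # assumed 5G AV validity window at the AUSF

def toy_f1_f2_f3_f4(k, rand, sqn, amf):
    """Assumed stand-in for MILENAGE f1-f4: HMAC outputs truncated to MAC, RES, CK, IK."""
    tag = lambda label, data: hmac.new(k, label + data, hashlib.sha256).digest()
    return tag(b"f1", sqn + rand + amf)[:8], tag(b"f2", rand)[:8], tag(b"f3", rand)[:16], tag(b"f4", rand)[:16]

def kdf(key, fc, *params):
    """TS 33.220 KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 || ...), each Li two bytes."""
    s = bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()

def res_star(ck, ik, sn_name, rand, res):
    """Annex A.4: (X)RES* = 128 LSBs of KDF(CK || IK, 0x6B, SN name, RAND, (X)RES)."""
    return kdf(ck + ik, 0x6B, sn_name, rand, res)[16:]

def hres_star(rand, res_star_value):
    """Annex A.5: H(X)RES* = 128 LSBs of SHA-256(RAND || (X)RES*)."""
    return hashlib.sha256(rand + res_star_value).digest()[16:]

class UDM:
    def __init__(self, pine_credentials, pegc_subscriptions):
        self.creds, self.subs, self.sqn = pine_credentials, pegc_subscriptions, 1  # constructed data

    def authenticate_get(self, pine_id, pegc_supi):
        # Step 1001: build no AV unless the PEGC is a legal gateway for this PINE.
        if pine_id not in self.subs.get(pegc_supi, ()):
            raise PermissionError("PEGC is not an authorised gateway for this PINE")
        rand, sqn = secrets.token_bytes(16), self.sqn.to_bytes(6, "big")
        self.sqn += 1
        mac, xres, ck, ik = toy_f1_f2_f3_f4(self.creds[pine_id], rand, sqn, AMF_SEP)
        # Step 1002: 5G HE AV with the PINE authentication indicator; no Kausf is derived.
        return {"rand": rand, "autn": sqn + AMF_SEP + mac, "pine_id": pine_id, "supi": pegc_supi,
                "xres_star": res_star(ck, ik, SN_NAME, rand, xres), "pine_auth_ind": True}

class AUSF:
    def __init__(self):
        self.pending = {}  # (pine_id, supi) -> (XRES*, issued_at)

    def authenticate(self, he_av):
        # Steps 1003-1005: keep XRES* per (PINE id, SUPI); the SEAF only gets HXRES*.
        self.pending[(he_av["pine_id"], he_av["supi"])] = (he_av["xres_star"], time.monotonic())
        se_av = {k: v for k, v in he_av.items() if k != "xres_star"}
        se_av["hxres_star"] = hres_star(he_av["rand"], he_av["xres_star"])
        return se_av

    def confirm(self, pine_id, supi, res_star_value, now=None):
        # Step 1013: an expired AV or a mismatching RES* is a home-network failure.
        xres, issued = self.pending.pop((pine_id, supi), (None, 0.0))
        now = time.monotonic() if now is None else now
        if xres is None or now - issued > AV_LIFETIME_S:
            return False
        return hmac.compare_digest(xres, res_star_value)

class SEAF:
    def __init__(self, ausf):
        self.ausf, self.pending = ausf, {}  # (pine_id, supi) -> (HXRES*, RAND)

    def start(self, se_av):
        # Step 1006: store HXRES*; RAND, AUTN, SN name, indicator and PINE id go to the PEGC.
        self.pending[(se_av["pine_id"], se_av["supi"])] = (se_av["hxres_star"], se_av["rand"])
        return {"rand": se_av["rand"], "autn": se_av["autn"], "sn_name": SN_NAME,
                "pine_id": se_av["pine_id"], "pine_auth_ind": True}

    def finish(self, resp):
        # Steps 1011-1014: no RES* means failure; otherwise compare HRES* with stored HXRES*.
        entry = self.pending.pop((resp["pine_id"], resp["supi"]), None)
        if entry is None or resp.get("res_star") is None:
            return False, False
        hxres, rand = entry
        serving_ok = hmac.compare_digest(hres_star(rand, resp["res_star"]), hxres)
        home_ok = self.ausf.confirm(resp["pine_id"], resp["supi"], resp["res_star"])
        return serving_ok, home_ok

class PINE:
    def __init__(self, pine_id, second_credential):
        self.pine_id, self.k, self.last_sqn = pine_id, second_credential, 0

    def authenticate(self, req):
        # Step 1008: accept AUTN only if its MAC verifies and SQN is fresh, then derive RES*.
        sqn, amf, mac = req["autn"][:6], req["autn"][6:8], req["autn"][8:]
        exp_mac, res, ck, ik = toy_f1_f2_f3_f4(self.k, req["rand"], sqn, amf)
        if not (hmac.compare_digest(mac, exp_mac) and int.from_bytes(sqn, "big") > self.last_sqn):
            return {"pine_id": self.pine_id, "res_star": None, "pine_auth_ind": True}
        self.last_sqn = int.from_bytes(sqn, "big")
        return {"pine_id": self.pine_id, "pine_auth_ind": True,
                "res_star": res_star(ck, ik, req["sn_name"], req["rand"], res)}

def run_pine_authentication(udm, ausf, seaf, pegc_supi, pine):
    """One complete run; the PEGC only relays (steps 1007 and 1010) and adds its own SUPI."""
    pine_resp = pine.authenticate(seaf.start(ausf.authenticate(udm.authenticate_get(pine.pine_id, pegc_supi))))
    pine_resp["supi"] = pegc_supi
    return seaf.finish(pine_resp)
```

Calling `run_pine_authentication` with a PINE whose second credential matches the UDM's first credential yields `(True, True)` (serving and home network both accept); a PINE holding a different key fails the AUTN MAC check, returns no RES*, and the SEAF reports `(False, False)` without involving the AUSF; a PEGC whose subscription does not list the PINE is refused at the UDM before any AV is built. Replaying a captured request to the PINE is rejected by the SQN check, and the AUSF refuses to confirm once the AV lifetime has elapsed.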
As shown in Fig. 11, this exemplary embodiment provides an authentication apparatus 100, executable by a core network device of a cellular mobile communication system, comprising:
a processing module 110 configured to authenticate a PINE, wherein the PINE accesses the first-type network through a personal IoT gateway PEGC, and the PINE and the PEGC are connected over a second-type network.
In one embodiment, the processing module 110 is specifically configured to:
determine an expected authentication parameter from at least a first credential of the PINE and a computation parameter;
authenticate the PINE from the expected authentication parameter.
In one embodiment, the first credential is stored in the core network device.
In one embodiment, the first credential is determined by the core network device from the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment, the apparatus 100 further comprises:
a transceiver module 120 configured to send the computation parameter to the PEGC over the first-type network via a base station, wherein the PEGC sends the computation parameter to the PINE over the second-type network;
the transceiver module 120 is further configured to receive an authentication parameter sent by the PEGC over the first-type network via the base station, wherein the authentication parameter is determined by the PINE from at least a second credential and the computation parameter and sent to the PEGC over the second-type network;
and the processing module 110 is specifically configured to authenticate the PINE from the authentication parameter and the expected authentication parameter.
In one embodiment, the transceiver module 120 is specifically configured such that:
the unified data management UDM in the core network device sends a UDM response carrying the computation parameter to the authentication server function AUSF in the core network device;
the AUSF sends an AUSF response carrying the computation parameter to the security anchor function SEAF in the core network device;
the SEAF sends an authentication request carrying the computation parameter to the PEGC over the first-type network via the base station.
In one embodiment, the transceiver module 120 is specifically configured for at least one of:
the SEAF receiving an authentication response carrying the authentication parameter sent by the PEGC over the first-type network via the base station, wherein the authentication parameter is carried by the PINE in a PINE authentication response sent to the PEGC over the second-type network;
the AUSF receiving an AUSF authentication request carrying the authentication parameter from the SEAF.
In one embodiment, the processing module 110 is specifically configured for at least one of:
the SEAF determining a hashed authentication parameter from the authentication parameter and authenticating the PINE from the hashed authentication parameter and a hashed expected authentication parameter, wherein the hashed expected authentication parameter is determined by the AUSF from the expected authentication parameter and sent to the SEAF;
the AUSF authenticating the PINE from the authentication parameter and the expected authentication parameter.
In one embodiment, the authentication parameter, the expected authentication parameter, the hashed authentication parameter and the hashed expected authentication parameter are identified by at least one of:
the PINE identifier of the PINE;
the PEGC identifier of the PEGC.
In one embodiment, at least one of the UDM response, the AUSF response, the authentication request, the authentication response, the PINE authentication request, the PINE authentication response and the AUSF authentication request carries at least one of:
a PINE authentication indicator, indicating that the PINE is being authenticated;
a subscription permanent identifier SUPI, indicating the PEGC.
In one embodiment, the PINE authentication indicator instructs the core network device not to perform at least one of:
generating the authentication server function key Kausf;
generating the security anchor function key Kseaf;
sending the key set identifier ngKSI to the PEGC;
sending the anti-bidding down between architectures ABBA parameter to the PEGC.
In one embodiment, at least one of the UDM response, the AUSF response, the authentication request, the PINE authentication request, the PINE authentication response, the authentication response and the AUSF authentication request carries the PINE identifier indicating the PINE.
In one embodiment, the PINE identifier is a security-protected PINE identifier.
In one embodiment, the processing module 110 is further configured to, in response to the PINE identifier being a security-protected PINE identifier, recover the plaintext PINE identifier from the security-protected PINE identifier;
at least one of the UDM response, the AUSF response and the AUSF authentication request carries the plaintext PINE identifier;
and at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries the security-protected PINE identifier.
In one embodiment, the processing module 110 is further configured to determine, from decision information, whether the PEGC is a legal gateway for the PINE to access the first-type network, wherein the decision information comprises at least one of:
the PEGC identifier of the PEGC;
the PINE identifier of the PINE;
the subscription information of the PEGC;
and determining the expected authentication parameter from at least the first credential of the PINE and the computation parameter comprises:
determining that the PEGC is the legal gateway;
determining the expected authentication parameter from the first credential of the PINE and the computation parameter.
In one embodiment, the processing module 110 is specifically configured to determine the expected authentication parameter from at least the first credential, the computation parameter and a serving network identifier;
and the authentication parameter is determined by the PINE from at least a second credential, the computation parameter and the serving network identifier.
In one embodiment, the computation parameter and/or the serving network identifier are sent to the PINE by the PEGC over the second-type network.
In one embodiment, the computation parameter comprises at least a random number RAND.
In one embodiment, the first credential is determined by the UDM in the core network device from the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment,
the first-type network comprises a 3rd Generation Partnership Project (3GPP) network;
and the second-type network comprises a non-3GPP network.
As shown in Fig. 12, this exemplary embodiment provides an authentication apparatus 200, executable by a personal IoT gateway PEGC of a cellular mobile communication system, comprising:
a transceiver module 210 configured to transmit authentication information while a core network device of a first-type network authenticates a PINE, wherein the PINE accesses the first-type network through the PEGC, and the PINE and the PEGC are connected over a second-type network.
In one embodiment, the transceiver module 210 is specifically configured to:
receive a computation parameter sent to the PEGC by the core network device over the first-type network via a base station, wherein the computation parameter is used by the core network device together with at least a first credential to determine an expected authentication parameter, which the core network device uses to authenticate the PINE.
In one embodiment, the first credential is determined by the core network device from the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment, the transceiver module 210 is specifically configured to:
send the computation parameter to the PINE over the second-type network;
receive an authentication parameter sent by the PINE over the second-type network, wherein the authentication parameter is determined by the PINE from at least a second credential and the computation parameter;
send the authentication parameter to the core network device over the first-type network via the base station, wherein the authentication parameter is used by the core network device to authenticate the PINE from at least the expected authentication parameter.
In one embodiment, the transceiver module 210 is specifically configured for at least one of:
receiving an authentication request carrying the computation parameter sent by the SEAF in the core network device over the first-type network via the base station;
sending a PINE authentication request carrying the computation parameter to the PINE over the second-type network;
receiving a PINE authentication response carrying the authentication parameter sent by the PINE over the second-type network;
sending an authentication response carrying the authentication parameter to the SEAF over the first-type network via the base station.
In one embodiment, the PINE authentication request further carries a serving network identifier.
In one embodiment, the expected authentication parameter is determined by the core network device from at least the first credential, the computation parameter and a serving network identifier;
and the authentication parameter is determined by the PINE from at least the second credential, the computation parameter and the serving network identifier.
In one embodiment, at least one of the authentication request, the authentication response, the PINE authentication request and the PINE authentication response carries at least one of:
a PINE authentication indicator, indicating that the PINE is being authenticated;
a subscription permanent identifier SUPI, indicating the PEGC.
In one embodiment, at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries a PINE identifier indicating the PINE.
In one embodiment, the PINE identifier is a security-protected PINE identifier.
In one embodiment, the computation parameter comprises at least a random number RAND.
In one embodiment, the first credential is determined by the UDM in the core network device from the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment, the PEGC comprises a user equipment UE.
In one embodiment,
the first-type network comprises a 3rd Generation Partnership Project (3GPP) network;
and the second-type network comprises a non-3GPP network.
As shown in Fig. 13, this exemplary embodiment provides an authentication apparatus, executable by a PINE, comprising:
a transceiver module 310 configured to transmit authentication information while a core network device of a first-type network authenticates the PINE, wherein the PINE accesses the first-type network through a personal IoT gateway PEGC, and the PINE and the PEGC are connected over a second-type network.
In one embodiment, the transceiver module 310 is specifically configured to:
receive, over the second-type network, a computation parameter sent by the PEGC, wherein the computation parameter is sent to the PEGC by the core network device over the first-type network via a base station, and wherein the computation parameter is used by the core network device together with at least a first credential to determine an expected authentication parameter, which the core network device uses to authenticate the PINE.
In one embodiment, the first credential is determined by the core network device from the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment, the apparatus further comprises a processing module 320 configured to determine an authentication parameter from at least a second credential and the computation parameter;
and the transceiver module 310 is specifically configured to send the authentication parameter to the PEGC over the second-type network, wherein the PEGC sends the authentication parameter to the core network device over the first-type network via the base station, and the core network device authenticates the PINE from at least the authentication parameter and the expected authentication parameter.
In one embodiment, the transceiver module 310 is specifically configured for at least one of:
receiving, over the second-type network, a PINE authentication request carrying the computation parameter sent by the PEGC;
sending, over the second-type network, a PINE authentication response carrying the authentication parameter to the PEGC.
In one embodiment, the PINE authentication request further carries a serving network identifier.
In one embodiment, the expected authentication parameter is determined from at least the first credential, the computation parameter and a serving network identifier;
and the processing module is specifically configured to:
determine the authentication parameter from at least the second credential, the computation parameter and the serving network identifier.
In one embodiment, the PINE authentication request and/or the PINE authentication response carries at least one of:
a PINE authentication indicator, indicating that the PINE is being authenticated;
a subscription permanent identifier SUPI, indicating the PEGC.
In one embodiment, the PINE authentication request and/or the PINE authentication response carries a PINE identifier indicating the PINE.
In one embodiment, the PINE identifier is a security-protected PINE identifier.
In one embodiment, the computation parameter comprises at least a random number RAND.
In one embodiment, the first credential is determined by the UDM in the core network device from the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
In one embodiment,
the first-type network comprises a 3rd Generation Partnership Project (3GPP) network;
and the second-type network comprises a non-3GPP network.
In exemplary embodiments, the processing module 110, transceiver module 120, transceiver module 210, transceiver module 310, processing module 320 and the like may be implemented by one or more central processing units (CPU), graphics processing units (GPU), baseband processors (BP), application-specific integrated circuits (ASIC), DSPs, programmable logic devices (PLD), complex programmable logic devices (CPLD), field-programmable gate arrays (FPGA), general-purpose processors, controllers, microcontrollers (MCU), microprocessors or other electronic components, for performing the methods described above.
Fig. 14 is a block diagram of an apparatus 3000 for authentication according to an exemplary embodiment. The apparatus 3000 may be, for example, a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet, a medical device, fitness equipment or a personal digital assistant.
Referring to Fig. 14, the apparatus 3000 may comprise one or more of the following components: a processing component 3002, a memory 3004, a power component 3006, a multimedia component 3008, an audio component 3010, an input/output (I/O) interface 3012, a sensor component 3014 and a communication component 3016.
The processing component 3002 generally controls the overall operation of the apparatus 3000, such as operations associated with display, telephone calls, data communication, camera operation and recording. The processing component 3002 may comprise one or more processors 3020 that execute instructions to complete all or part of the steps of the methods above. The processing component 3002 may also comprise one or more modules that facilitate interaction between the processing component 3002 and other components; for example, it may comprise a multimedia module to facilitate interaction between the multimedia component 3008 and the processing component 3002.
The memory 3004 is configured to store various types of data to support operation of the apparatus 3000, for example instructions for any application or method operating on the apparatus 3000, contact data, phonebook data, messages, pictures and video. The memory 3004 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disc.
The power component 3006 supplies power to the various components of the apparatus 3000. It may comprise a power management system, one or more power supplies and other components associated with generating, managing and distributing power for the apparatus 3000.
The multimedia component 3008 comprises a screen that provides an output interface between the apparatus 3000 and the user. In some embodiments the screen may comprise a liquid crystal display (LCD) and a touch panel (TP). If the screen comprises a touch panel, it may be implemented as a touch screen that receives input signals from the user. The touch panel comprises one or more touch sensors that sense touches, swipes and gestures on the panel; the touch sensors may sense not only the boundary of a touch or swipe but also its duration and pressure. In some embodiments the multimedia component 3008 comprises a front camera and/or a rear camera which, when the apparatus 3000 is in an operating mode such as shooting or video mode, can receive external multimedia data. Each front and rear camera may be a fixed optical lens system or have focal length and optical zoom capability.
The audio component 3010 is configured to output and/or input audio signals. For example, it comprises a microphone (MIC) configured to receive external audio signals when the apparatus 3000 is in an operating mode such as call mode, recording mode or speech recognition mode; the received audio signals may be stored in the memory 3004 or sent via the communication component 3016. In some embodiments the audio component 3010 also comprises a speaker for outputting audio signals.
The I/O interface 3012 provides an interface between the processing component 3002 and peripheral interface modules such as a keyboard, a click wheel or buttons; the buttons may include, but are not limited to, a home button, volume buttons, a start button and a lock button.
The sensor component 3014 comprises one or more sensors that provide status assessments of various aspects of the apparatus 3000. For example, it may detect the open/closed state of the apparatus 3000 and the relative positioning of components such as its display and keypad, a change in position of the apparatus 3000 or one of its components, the presence or absence of user contact with the apparatus 3000, the orientation or acceleration/deceleration of the apparatus 3000, and changes in its temperature. The sensor component 3014 may comprise a proximity sensor configured to detect nearby objects without physical contact, and a light sensor such as a CMOS or CCD image sensor for imaging applications. In some embodiments it may also comprise an acceleration sensor, a gyroscope, a magnetic sensor, a pressure sensor or a temperature sensor.
The communication component 3016 is configured to facilitate wired or wireless communication between the apparatus 3000 and other devices. The apparatus 3000 can access a wireless network based on a communication standard such as Wi-Fi, 2G or 3G, or a combination thereof. In one exemplary embodiment the communication component 3016 receives broadcast signals or broadcast-related information from an external broadcast management system over a broadcast channel. In one exemplary embodiment it further comprises a near field communication (NFC) module to facilitate short-range communication; the NFC module may be implemented based on radio frequency identification (RFID), infrared data association (IrDA), ultra-wideband (UWB), Bluetooth (BT) or other technologies.
In exemplary embodiments, the apparatus 3000 may be implemented by one or more application-specific integrated circuits (ASIC), digital signal processors (DSP), digital signal processing devices (DSPD), programmable logic devices (PLD), field-programmable gate arrays (FPGA), controllers, microcontrollers, microprocessors or other electronic components, for performing the methods above.
In exemplary embodiments, a non-transitory computer-readable storage medium comprising instructions is also provided, for example the memory 3004 comprising instructions executable by the processor 3020 of the apparatus 3000 to complete the methods above. The non-transitory computer-readable storage medium may be, for example, a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk or an optical data storage device.
Other implementations of the embodiments of the invention will readily occur to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of the embodiments that follow their general principles and include such departures from the present disclosure as come within known or customary practice in the art. The specification and examples are to be regarded as exemplary only, with the true scope and spirit of the embodiments being indicated by the following claims.
It is to be understood that the embodiments of the invention are not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from their scope. The scope of the embodiments is limited only by the appended claims.

Claims (40)

  1. An authentication method, executed by a core network device of a first-type network, comprising:
    authenticating a personal IoT element PINE, wherein the PINE accesses the first-type network through a personal IoT gateway PEGC, and the PINE and the PEGC are connected over a second-type network.
  2. The method of claim 1, wherein authenticating the personal IoT element PINE comprises:
    determining an expected authentication parameter from at least a first credential of the PINE and a computation parameter;
    authenticating the PINE from the expected authentication parameter.
  3. The method of claim 2, wherein the first credential is stored in the core network device.
  4. The method of claim 3, wherein the first credential is determined by the core network device from a PINE identifier of the PINE and/or a PEGC identifier of the PEGC.
  5. The method of claim 2, wherein authenticating the PINE from the expected authentication parameter comprises:
    sending the computation parameter to the PEGC over the first-type network via a base station, wherein the PEGC sends the computation parameter to the PINE over the second-type network;
    receiving an authentication parameter sent by the PEGC over the first-type network via the base station, wherein the authentication parameter is determined by the PINE from at least a second credential and the computation parameter and sent to the PEGC over the second-type network;
    authenticating the PINE from the authentication parameter and the expected authentication parameter.
  6. The method of claim 5, wherein sending the computation parameter to the PEGC over the first-type network via the base station comprises:
    the unified data management UDM in the core network device sending a UDM response carrying the computation parameter to the authentication server function AUSF in the core network device;
    the AUSF sending an AUSF response carrying the computation parameter to the security anchor function SEAF in the core network device;
    the SEAF sending an authentication request carrying the computation parameter to the PEGC over the first-type network via the base station.
  7. The method of claim 6, wherein receiving the authentication parameter sent by the PEGC over the first-type network via the base station comprises at least one of:
    the SEAF receiving an authentication response carrying the authentication parameter sent by the PEGC over the first-type network via the base station, wherein the authentication parameter is carried by the PINE in a PINE authentication response sent to the PEGC over the second-type network;
    the AUSF receiving an AUSF authentication request carrying the authentication parameter from the SEAF.
  8. The method of claim 7, wherein authenticating the PINE from the authentication parameter and the expected authentication parameter comprises at least one of:
    the SEAF determining a hashed authentication parameter from the authentication parameter and authenticating the PINE from the hashed authentication parameter and a hashed expected authentication parameter, wherein the hashed expected authentication parameter is determined by the AUSF from the expected authentication parameter and sent to the SEAF;
    the AUSF authenticating the PINE from the authentication parameter and the expected authentication parameter.
  9. The method of claim 8, wherein the authentication parameter, the expected authentication parameter, the hashed authentication parameter and the hashed expected authentication parameter are identified by at least one of:
    the PINE identifier of the PINE;
    the PEGC identifier of the PEGC.
  10. The method of claim 7, wherein at least one of the UDM response, the AUSF response, the authentication request, the authentication response, the PINE authentication request, the PINE authentication response and the AUSF authentication request carries at least one of:
    a PINE authentication indicator, indicating that the PINE is being authenticated;
    a subscription permanent identifier SUPI, indicating the PEGC.
  11. The method of claim 7, wherein at least one of the UDM response, the AUSF response, the authentication request, the PINE authentication request, the PINE authentication response, the authentication response and the AUSF authentication request carries the PINE identifier indicating the PINE.
  12. The method of claim 11, further comprising: in response to the PINE identifier being a security-protected PINE identifier, recovering the plaintext PINE identifier from the security-protected PINE identifier;
    wherein at least one of the UDM response, the AUSF response and the AUSF authentication request carries the plaintext PINE identifier;
    and at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries the security-protected PINE identifier.
  13. The method of claim 2, further comprising: determining, from decision information, whether the PEGC is a legal gateway for the PINE to access the first-type network, wherein the decision information comprises at least one of:
    the PEGC identifier of the PEGC;
    the PINE identifier of the PINE;
    subscription information of the PEGC;
    wherein determining the expected authentication parameter from at least the first credential of the PINE and the computation parameter comprises:
    determining that the PEGC is the legal gateway;
    determining the expected authentication parameter from the first credential of the PINE and the computation parameter.
  14. The method of claim 2, wherein determining the expected authentication parameter from at least the first credential of the PINE and the computation parameter comprises:
    determining the expected authentication parameter from the first credential, the computation parameter and a serving network identifier;
    wherein the authentication parameter is determined by the PINE from at least a second credential, the computation parameter and the serving network identifier.
  15. The method of claim 14, wherein the computation parameter and/or the serving network identifier are sent to the PINE by the PEGC over the second-type network.
  16. The method of any one of claims 2 to 15, wherein the first credential is determined by the UDM in the core network device from the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  17. The method of any one of claims 1 to 15, wherein
    the first-type network comprises a 3rd Generation Partnership Project (3GPP) network;
    and the second-type network comprises a non-3GPP network.
  18. An authentication method, executed by a personal IoT gateway PEGC, comprising:
    transmitting authentication information while a core network device of a first-type network authenticates a personal IoT element PINE, wherein the PINE accesses the first-type network through the PEGC, and the PINE and the PEGC are connected over a second-type network.
  19. The method of claim 18, wherein transmitting information while the core network device of the first-type network authenticates the PINE comprises:
    receiving a computation parameter sent to the PEGC by the core network device over the first-type network via a base station, wherein the computation parameter is used by the core network device together with at least a first credential to determine an expected authentication parameter, which is used by the core network device to authenticate the PINE.
  20. The method of claim 19, wherein the first credential is determined by the core network device from the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  21. The method of claim 19, wherein transmitting information while the core network device of the first-type network authenticates the PINE comprises:
    sending the computation parameter to the PINE over the second-type network;
    receiving an authentication parameter sent by the PINE over the second-type network, wherein the authentication parameter is determined by the PINE from at least a second credential and the computation parameter;
    sending the authentication parameter to the core network device over the first-type network via the base station, wherein the authentication parameter is used by the core network device to authenticate the PINE from at least the expected authentication parameter.
  22. The method of claim 21, wherein receiving the computation parameter sent to the PEGC by the core network device over the first-type network via the base station comprises:
    receiving an authentication request carrying the computation parameter sent by the SEAF in the core network device over the first-type network via the base station;
    sending the computation parameter to the PINE over the second-type network comprises:
    sending a PINE authentication request carrying the computation parameter to the PINE over the second-type network;
    receiving the authentication parameter sent by the PINE over the second-type network comprises:
    receiving a PINE authentication response carrying the authentication parameter sent by the PINE over the second-type network;
    and sending the authentication parameter to the core network device over the first-type network via the base station comprises:
    sending an authentication response carrying the authentication parameter to the SEAF over the first-type network via the base station.
  23. The method of claim 22, wherein the PINE authentication request further carries a serving network identifier.
  24. The method of claim 21, wherein
    the expected authentication parameter is determined by the core network device from at least the first credential, the computation parameter and a serving network identifier;
    and the authentication parameter is determined by the PINE from at least the second credential, the computation parameter and the serving network identifier.
  25. The method of claim 21, wherein at least one of the authentication request, the authentication response, the PINE authentication request and the PINE authentication response carries at least one of:
    a PINE authentication indicator, indicating that the PINE is being authenticated;
    a subscription permanent identifier SUPI, indicating the PEGC.
  26. The method of claim 21, wherein at least one of the authentication request, the PINE authentication request, the PINE authentication response and the authentication response carries a PINE identifier indicating the PINE.
  27. An authentication method, executed by a personal IoT element PINE, comprising:
    transmitting authentication information while a core network device of a first-type network authenticates the PINE, wherein the PINE accesses the first-type network through a personal IoT gateway PEGC, and the PINE and the PEGC are connected over a second-type network.
  28. The method of claim 27, wherein transmitting authentication information while the core network device of the first-type network authenticates the PINE comprises:
    receiving, over the second-type network, a computation parameter sent by the PEGC, wherein the computation parameter is sent to the PEGC by the core network device over the first-type network via a base station, and wherein the computation parameter is used by the core network device together with at least a first credential to determine an expected authentication parameter, which is used by the core network device to authenticate the PINE.
  29. The method of claim 28, wherein the first credential is determined by the core network device from the PINE identifier of the PINE and/or the PEGC identifier of the PEGC.
  30. The method of claim 28, further comprising: determining an authentication parameter from at least a second credential and the computation parameter;
    wherein transmitting authentication information while the core network device of the first-type network authenticates the PINE comprises:
    sending the authentication parameter to the PEGC over the second-type network, wherein the PEGC sends the authentication parameter to the core network device over the first-type network via the base station, and the core network device authenticates the PINE from at least the authentication parameter and the expected authentication parameter.
  31. The method of claim 30, wherein
    receiving the computation parameter sent by the PEGC over the second-type network comprises:
    receiving, over the second-type network, a PINE authentication request carrying the computation parameter sent by the PEGC;
    and sending the authentication parameter to the PEGC over the second-type network comprises:
    sending, over the second-type network, a PINE authentication response carrying the authentication parameter to the PEGC.
  32. The method of claim 30, wherein the PINE authentication request further carries a serving network identifier.
  33. The method of claim 30, wherein
    the expected authentication parameter is determined from at least the first credential, the computation parameter and a serving network identifier;
    and determining the authentication parameter from at least the second credential and the computation parameter comprises:
    determining the authentication parameter from at least the second credential, the computation parameter and the serving network identifier.
  34. The method of claim 30, wherein the PINE authentication request and/or the PINE authentication response carries at least one of:
    a PINE authentication indicator, indicating that the PINE is being authenticated;
    a subscription permanent identifier SUPI, indicating the PEGC.
  35. The method of claim 30, wherein the PINE authentication request and/or the PINE authentication response carries a PINE identifier indicating the PINE.
  36. An authentication apparatus, comprising:
    a processing module configured to authenticate a personal IoT element PINE, wherein the PINE accesses a first-type network through a personal IoT gateway PEGC, and the PINE and the PEGC are connected over a second-type network.
  37. An authentication apparatus, comprising:
    a transceiver module configured to transmit authentication information while a core network device of a first-type network authenticates a personal IoT element PINE, wherein the PINE accesses the first-type network through a personal IoT gateway PEGC, and the PINE and the PEGC are connected over a second-type network.
  38. An authentication apparatus, comprising:
    a transceiver module configured to transmit authentication information while a core network device of a first-type network authenticates a personal IoT element PINE, wherein the PINE accesses the first-type network through a personal IoT gateway PEGC, and the PINE and the PEGC are connected over a second-type network.
  39. A communication device, comprising a processor, a memory and an executable program stored in the memory and runnable by the processor, wherein the processor, when running the executable program, performs the steps of the authentication method of any one of claims 1 to 17, 18 to 26 or 27 to 35.
  40. A storage medium storing an executable program which, when executed by a processor, implements the steps of the authentication method of any one of claims 1 to 17, 18 to 26 or 27 to 35.
PCT/CN2022/096480 2022-05-31 2022-05-31 Authentication method, apparatus, communication device and storage medium WO2023230924A1 (zh)

Priority Applications (2)

Application Number | Priority Date | Filing Date | Title
PCT/CN2022/096480 (WO2023230924A1, zh) | 2022-05-31 | 2022-05-31 | Authentication method, apparatus, communication device and storage medium
CN202280001898.7A (CN117597961A, zh) | 2022-05-31 | 2022-05-31 | Authentication method, apparatus, communication device and storage medium

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
PCT/CN2022/096480 (WO2023230924A1, zh) | 2022-05-31 | 2022-05-31 | Authentication method, apparatus, communication device and storage medium

Publications (1)

Publication Number | Publication Date
WO2023230924A1 | 2023-12-07

Family ID: 89026717

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2022/096480 (WO2023230924A1, zh) | Authentication method, apparatus, communication device and storage medium | 2022-05-31 | 2022-05-31

Country Status (2)

Country | Link
CN | CN117597961A (zh)
WO | WO2023230924A1 (zh)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN104469765A * | 2014-07-28 | 2015-03-25 | 北京佰才邦技术有限公司 | Terminal authentication method and apparatus in a mobile communication system
US20210368341A1 * | 2020-08-10 | 2021-11-25 | Ching-Yu LIAO | Secure access for 5G IoT devices and services


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
NOKIA, NOKIA SHANGHAI BELL: "23.700-88: Solution for KI#3; PIN Management by 5GS", 3GPP draft S2-2202460, SA WG2 e-meeting 2022-04-06 to 2022-04-12, 29 March 2022, XP052133297 *
VIVO: "New Solution: Communication of PIN", 3GPP draft S2-2202480, SA WG2 e-meeting 2022-04-06 to 2022-04-12, 29 March 2022, XP052133317 *

Also Published As

Publication number Publication date
CN117597961A (zh) 2024-02-23


Legal Events

Code | Title | Description
WWE | WIPO information: entry into national phase | Ref document number: 202280001898.7; Country of ref document: CN
121 | EP: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 22944260; Country of ref document: EP; Kind code of ref document: A1