CN109104726A - The authentication method and related device, system and medium of network slice - Google Patents


Publication number
CN109104726A
Authority
CN
China
Prior art keywords
network
user
user terminal
network slice
identification information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201710469951.7A
Other languages
Chinese (zh)
Inventor
余万涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
Shanghai Zhongxing Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Zhongxing Software Co Ltd
Priority to CN201710469951.7A (CN109104726A)
Priority to PCT/CN2018/101337 (WO2018233726A1)
Publication of CN109104726A
Legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Abstract

The invention discloses an authentication method for network slices and a related device, system and medium, to solve the problem of authenticating a UE's access to a network slice in a mobile communication network. The method includes: obtaining, from a network authentication entity, a network slice authentication vector corresponding to the user network slice identity information of a user terminal; and authenticating with the user terminal according to the network slice authentication vector. With the authentication method for network slices and the related device, system and medium of the present invention, when network slices are introduced into a mobile communication system and a UE, after attaching to the mobile communication network, further accesses a network slice to receive services provided on the basis of that slice, the dynamic deployment characteristic of network slices is effectively accommodated, so that the attach procedure meets the authentication requirements for a UE accessing a network slice.

Description

Authentication method for network slices, and related device, system and medium
Technical field
The present invention relates to the field of mobile communications, and in particular to an authentication method for network slices and a related device, system and medium.
Background
The 5G (fifth-generation mobile communication technology) network architecture introduces new IT technologies such as network function virtualization (NFV). In 3G/4G networks, the protection of functional network elements relies largely on the security isolation of physical equipment. In 5G networks, because NFV is deployed, some functional network elements are deployed on cloud infrastructure as virtual functional network elements. A virtual core network built according to network service requirements is called a network slice; one network slice constitutes one virtual core network and provides mobile network access services for a specific group of user terminals (UEs). A typical network slice includes a group of virtualized core network functions: a slice control plane unit, mainly responsible for slice mobility, session management and authentication-related functions; a slice user plane unit, which mainly provides the user with the slice's user resources; a slice policy control unit, responsible for user policy functions; and a slice charging unit, responsible for user charging functions. The functions of a network slice are determined by the operator according to demand and operator policy. For example, some network slices may include a dedicated forwarding plane in addition to control plane functions, while others may include only some basic control plane functions and share the other core network functions with other network slices. Network slices may be created, modified or deleted on demand. A UE may also receive services from different network slices at the same time.
In existing 3G/4G mobile communication systems, the UE is authenticated by AKA (Authentication and Key Agreement, the authentication and key agreement protocol of the mobile communication network) and, after accessing the network, directly uses the services provided by the core network.
In the 5G system, because the concept of network slices is introduced, a UE that has attached to the network needs to further access a network slice in order to receive the services provided on the basis of that slice. Because network slices are deployed dynamically, the AKA authentication of the attach procedure cannot meet the authentication requirements for a UE accessing a network slice. How to meet those requirements is a problem that needs to be solved.
Summary of the invention
To overcome the above drawbacks, the technical problem to be solved by the present invention is to provide an authentication method for network slices and a related device, system and medium, so as to solve the problem of authenticating a UE's access to a network slice in a mobile communication network.
To solve the above technical problem, an authentication method for network slices in the present invention comprises:
obtaining, from a network authentication entity, a network slice authentication vector corresponding to the user network slice identity information of a user terminal;
authenticating with the user terminal according to the network slice authentication vector.
To solve the above technical problem, an authentication method for network slices in the present invention comprises:
obtaining attach request information of a user terminal;
generating, according to the attach request information, a network slice authentication vector corresponding to the user network slice identity information of the user terminal;
sending the network slice authentication vector to a network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.
To solve the above technical problem, a network slice function entity device in the present invention comprises a first memory and a first processor; the first memory stores a computer program for network slice authentication for the device; the computer program is executed by the first processor to perform the following steps:
obtaining, from a network authentication entity, a network slice authentication vector corresponding to the user network slice identity information of a user terminal;
authenticating with the user terminal according to the network slice authentication vector.
To solve the above technical problem, a network authentication entity device in the present invention comprises a second memory and a second processor; the second memory stores a computer program for network slice authentication for the device; the computer program is executed by the second processor to perform the following steps:
obtaining attach request information of a user terminal;
generating, according to the attach request information, a network slice authentication vector corresponding to the user network slice identity information of the user terminal;
sending the network slice authentication vector to a network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.
To solve the above technical problem, an authentication system for network slices in the present invention comprises any network slice function entity device as described above, any network authentication entity device as described above, and a mobile communication network entity;
the mobile communication network entity, on receiving the attach request information of the user terminal, forwards the attach request information to the network authentication entity device and, on receiving the mobile network authentication vector, authenticates with the user terminal according to the mobile network authentication vector.
To solve the above technical problem, a computer-readable storage medium in the present invention stores a first computer program for network slice authentication for a network slice function entity device, and/or stores a second computer program for network slice authentication for a network authentication entity device;
when the first computer program is executed by at least one processor, it implements the steps of any of the above methods for the network slice function entity device;
when the second computer program is executed by at least one processor, it implements the steps of any of the above methods for the network authentication entity device.
The beneficial effects of the present invention are as follows:
With the authentication method for network slices and the related device, system and medium of the present invention, when network slices are introduced into a mobile communication system and a UE, after attaching to the mobile communication network, further accesses a network slice to receive services provided on the basis of that slice, the dynamic deployment characteristic of network slices is effectively accommodated, so that the attach procedure meets the authentication requirements for a UE accessing a network slice.
Brief description of the drawings
Fig. 1 is a flow chart of an authentication method for network slices in an embodiment of the present invention;
Fig. 2 is an interaction diagram of one optional way for a UE to attach to the network and to a network slice in an embodiment of the present invention;
Fig. 3 is an interaction diagram of another optional way for a UE to attach to the network and to a network slice in an embodiment of the present invention;
Fig. 4 is an interaction diagram of a UE attaching to a network slice according to a selection in an embodiment of the present invention;
Fig. 5 is an interaction diagram of a UE registering with a network slice in an embodiment of the present invention;
Fig. 6 is a flow chart of an authentication method for network slices in an embodiment of the present invention;
Fig. 7 is a structural schematic diagram of a network slice function entity device in an embodiment of the present invention;
Fig. 8 is a structural schematic diagram of a network authentication entity device in an embodiment of the present invention.
Detailed description
To solve the problems in the prior art, the present invention provides an authentication method for network slices and a related device, system and medium. The present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the present invention and do not limit it.
Embodiment one
As shown in Fig. 1, an embodiment of the present invention provides an authentication method for network slices. The method includes:
S101, obtaining, from a network authentication entity, a network slice authentication vector corresponding to the user network slice identity information SID (Slice Identification) of a user terminal UE;
S102, authenticating with the user terminal according to the network slice authentication vector.
The network authentication entity may be a Home Subscriber Server (HSS).
The method in this embodiment is used by a network slice function entity.
In this embodiment, a network slice authentication vector corresponding to the user network slice identity information of the user terminal UE is obtained from the network authentication entity, and authentication with the user terminal is then performed according to that vector. In a mobile communication system (such as 5G) into which network slices have been introduced, when a UE that has attached to the mobile communication network further accesses a network slice to receive services provided on the basis of that slice, the dynamic deployment characteristic of network slices is thereby accommodated, so that the attach procedure meets the authentication requirements for a UE accessing a network slice.
Variants of the above embodiment are further proposed on this basis. It should be noted that, to keep the description brief, each variant describes only its differences from the above embodiment.
In the embodiments of the present invention, the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
the authentication is AKA (the authentication and key agreement protocol of the mobile communication network) authentication;
the network slice authentication vector is generated by the network authentication entity either from the first attach request information of the user terminal, forwarded by a mobile communication network entity (such as a base station), or from the second attach request information sent by the user terminal.
It should be noted that the prefixes "first" and "second" before "attach request information" in the embodiments are used only to facilitate the description of the invention and have no specific meaning in themselves.
Optionally, before the network slice authentication vector corresponding to the user network slice identity information of the user terminal is obtained from the network authentication entity, the method may further include:
receiving the second attach request information of the user terminal;
sending the second attach request information to the network authentication entity, so that the network authentication entity generates the network slice authentication vector.
The first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
This variant embodiment is illustrated below.
Taking the first attach request information as an example, as shown in Fig. 2, after the UE completes network slice registration, it can attach to the network slice at the same time as it re-attaches to the network. Specifically, the process in which the UE re-attaches to the network and further attaches to the network slice includes:
Step 201, the UE sends the first attach request information to the mobile communication network entity. The first attach request information includes the user subscription identity information and the user network slice identity information;
Step 202, the mobile communication network entity forwards the UE's first attach request information to the HSS;
Step 203, the HSS generates the corresponding authentication vectors according to the UE's user subscription identity information IMSI and user network slice identity information.
For example, it generates the mobile network authentication vector (1) corresponding to the user subscription identity information IMSI. This vector may consist of the existing AKA authentication vector parameters: RAND (a random number generated by the rand() function), XRES (Expected Response), KASME and AUTN (Authentication Token).
It also generates the network slice authentication vector (2) corresponding to the network slice user identity SID. This vector consists of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token).
Furthermore, when the attach information contains two items of network slice user identity information, SID1 and SID2, the generated authentication vectors include the AKA authentication vector corresponding to the IMSI (i.e. the mobile network authentication vector) and two network slice authentication vectors corresponding to SID1 and SID2 respectively.
When the attach information contains multiple items of network slice user identity information, the generated authentication vectors include the existing AKA authentication vector corresponding to the IMSI and a different authentication vector for each of the network slice user identities.
Step 204, the HSS sends the authentication vector (1) corresponding to the IMSI to the mobile communication network entity, and sends the authentication vector (2) corresponding to the SID to the network slice function entity;
Step 205, after receiving the authentication vector, the mobile communication network entity performs AKA authentication with the UE based on the authentication vector corresponding to the IMSI;
Step 206, the network slice function entity performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity.
Again taking the first attach request information as an example, as shown in Fig. 3, the UE can also, according to the user's configuration, attach to the network slices preconfigured by the user at the same time as it re-attaches to the network. Specifically, this process may include:
Step 301, the user configures on the UE the network slice information to be accessed;
Step 302, the UE sends the first attach request information to the mobile communication network entity. The first attach request information includes the user subscription identity information and the preconfigured user network slice identity information;
Step 303, the mobile communication network entity forwards the UE's attach request information to the HSS;
Step 304, the HSS generates the corresponding authentication vectors according to the UE's user subscription identity information IMSI and user network slice identity information.
The generated authentication vector corresponding to the user subscription identity information IMSI may consist of the existing AKA authentication vector parameters: RAND, XRES (Expected Response), KASME and AUTN (Authentication Token).
The generated authentication vector corresponding to the network slice user identity SID consists of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token).
Furthermore, when the attach information contains two items of preconfigured network slice user identity information, SID1 and SID2, the generated authentication vectors include the AKA authentication vector corresponding to the IMSI and two authentication vectors corresponding to SID1 and SID2 respectively. When the attach information contains multiple items of preconfigured network slice user identity information, the generated authentication vectors include the existing AKA authentication vector corresponding to the IMSI and a different authentication vector for each of the network slice user identities.
Step 305, the HSS sends the authentication vector (1) corresponding to the IMSI to the mobile communication network entity, and sends the authentication vector (2) corresponding to the SID to the network slice function entity;
Step 306, after receiving the authentication vector, the mobile communication network entity performs AKA authentication with the UE based on the authentication vector corresponding to the IMSI;
Step 307, the network slice function entity performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity.
Taking the second attach request information as an example, as shown in Fig. 4, the UE can also, after attaching to the mobile communication network (which may be referred to simply as the network in the present invention), attach to a network slice according to the user's selection. Specifically, the process in which the UE attaches to the network slice includes:
Step 401, the UE sends the second attach request information to the selected network slice function entity. The second attach request information includes the user network slice identity information;
Step 402, the network slice function entity forwards the UE's attach request information to the HSS;
Step 403, the HSS generates the corresponding authentication vector according to the UE's user network slice identity information.
The generated authentication vector corresponding to the network slice user identity SID consists of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token).
Furthermore, when the attach information contains two items of network slice user identity information, SID1 and SID2, the generated authentication vectors are two authentication vectors corresponding to SID1 and SID2 respectively. When the attach information contains multiple items of network slice user identity information, the generated authentication vectors include a different authentication vector for each of the network slice user identities.
Step 404, the HSS sends the network slice authentication vector generated according to the authentication request information to the network slice function entity corresponding to the user network slice identity SID.
Step 405, after receiving the network slice authentication vector, the network slice function entity performs AKA authentication with the UE based on the received network slice authentication vector.
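The vector generation and routing of Fig. 2 (steps 203 to 206) and Fig. 4 (steps 403 to 405) can be traced in a short simulation; this is an added example, not code from the patent. It assumes HMAC-SHA256 in place of the operator's AKA functions, an AUTN without a sequence number, a Kslice derived from the subscriber key K, RAND and the SID, and an SID-to-IMSI table held by the HSS; the patent specifies none of these, and all names and sample values are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def prf(k: bytes, label: str, ident: str, rand: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the operator's AKA functions.
    msg = label.encode() + b"|" + ident.encode() + b"|" + rand
    return hmac.new(k, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class AuthVector:
    ident: str   # IMSI for vector (1), SID for vector (2)
    rand: bytes  # RAND
    xres: bytes  # XRES, compared with the UE's RES
    key: bytes   # KASME for the IMSI vector, Kslice for a SID vector
    autn: bytes  # AUTN, lets the UE check the network side (simplified: no SQN)


def make_vector(k: bytes, ident: str, key_label: str) -> AuthVector:
    rand = os.urandom(16)
    return AuthVector(ident, rand,
                      xres=prf(k, "res", ident, rand)[:8],
                      key=prf(k, key_label, ident, rand),
                      autn=prf(k, "autn", ident, rand)[:16])


class HSS:
    """Network authentication entity."""

    def __init__(self, subscriber_keys: dict, sid_owner: dict):
        self.subscriber_keys = subscriber_keys  # IMSI -> long-term key K
        self.sid_owner = sid_owner              # SID -> IMSI (assumed known to the HSS)

    def _slice_vectors(self, sids, imsi=None):
        vectors = {}
        for sid in sids:
            owner = self.sid_owner.get(sid)
            # Refuse an SID that is unknown or bound to a different subscriber.
            if owner is None or (imsi is not None and owner != imsi):
                raise PermissionError(f"{sid} is not registered to this subscriber")
            vectors[sid] = make_vector(self.subscriber_keys[owner], sid, "kslice")
        return vectors

    def first_attach(self, imsi: str, sids: list):
        """Fig. 2, step 203: vector (1) for the IMSI and one vector (2) per SID."""
        slice_avs = self._slice_vectors(sids, imsi)
        return make_vector(self.subscriber_keys[imsi], imsi, "kasme"), slice_avs

    def second_attach(self, sids: list):
        """Fig. 4, step 403: slice vectors only; the request carries no IMSI."""
        return self._slice_vectors(sids)


class UE:
    def __init__(self, k: bytes):
        self.k = k

    def respond(self, ident, rand, autn, key_label):
        """Check AUTN, then return (RES, derived key); None if AUTN is wrong."""
        if not hmac.compare_digest(prf(self.k, "autn", ident, rand)[:16], autn):
            return None
        return prf(self.k, "res", ident, rand)[:8], prf(self.k, key_label, ident, rand)


def run_aka(av: AuthVector, ue: UE, key_label: str):
    """Steps 205/206 and 405: the entity holding `av` challenges the UE.
    Returns the key the UE derived, or None if either side's check fails."""
    answer = ue.respond(av.ident, av.rand, av.autn, key_label)
    if answer is None:
        return None
    res, ue_key = answer
    return ue_key if hmac.compare_digest(res, av.xres) else None


def demo() -> dict:
    k = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    imsi = "001010000000001"                                # constructed IMSI
    hss = HSS({imsi: k}, {"SID1": imsi, "SID2": imsi})
    ue = UE(k)
    network_av, slice_avs = hss.first_attach(imsi, ["SID1", "SID2"])
    # Vector (1) goes to the mobile network entity, each vector (2) to its slice entity.
    results = {"network": run_aka(network_av, ue, "kasme") == network_av.key}
    for sid, av in slice_avs.items():
        results[sid] = run_aka(av, ue, "kslice") == av.key
    later = hss.second_attach(["SID2"])["SID2"]
    results["SID2-later"] = run_aka(later, ue, "kslice") == later.key
    return results


if __name__ == "__main__":
    print(demo())
```

Because each slice entity receives only the vector for its own SID, the key it ends up sharing with the UE differs from KASME and from every other slice's Kslice.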
Optionally, before the network slice authentication vector corresponding to the user network slice identity information of the user terminal is obtained from the network authentication entity, the method further includes:
receiving the registration request information of the user terminal;
generating the user network slice identity information according to the registration request information;
sending the user network slice identity information to the user terminal.
The registration request information carries the user subscription identity information of the user terminal and the network slice identity information.
For example, as shown in Fig. 5, the process in which the UE registers with a network slice in this embodiment may include:
Step 501, after attaching to the mobile communication network (such as a 5G network), the UE sends a registration request to the network slice. The registration request information includes the UE's user subscription identity information IMSI and the network slice identity information;
Step 102, the network slice function entity generates, for the UE's user subscription identity information IMSI, the UE's network slice user identity information SID (Slice Identification); the network slice identity information can be derived from the network slice user identity information SID;
Step 103, the network slice function entity sends the generated network slice user identity information SID of the UE to the UE, so that the UE carries this identity information when sending attach request information.
In the embodiments of the present invention, the terminal device UE first registers with the network slice. After registration is complete, the UE can further attach to the network slice while re-attaching to the network. The UE can also attach directly to a network slice according to the user's configuration, or, while re-attaching to the network, attach to the corresponding network slice according to the user's configuration. The UE can of course also, after attaching to the network, attach to the corresponding network slice according to the user's selection. The terminal device UE can thus attach at any time to a dynamically deployed network slice, which solves the problem of authenticating the terminal device UE's access to network slices.
Embodiment two
As shown in Fig. 6, an embodiment of the present invention provides an authentication method for network slices, the method comprising:
S601, obtaining attach request information of a user terminal;
S602, generating, according to the attach request information, a network slice authentication vector corresponding to the user network slice identity information of the user terminal;
S603, sending the network slice authentication vector to a network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.
The method in this embodiment is used by a network authentication entity, such as an HSS.
In this embodiment, the attach request information of the user terminal is obtained; a network slice authentication vector corresponding to the user network slice identity information of the user terminal is generated according to the attach request information; and the network slice authentication vector is sent to the network slice function entity, so that the network slice function entity authenticates with the user terminal according to that vector. In a mobile communication system (such as 5G) into which network slices have been introduced, when a UE that has attached to the mobile communication network further accesses a network slice to receive services provided on the basis of that slice, the dynamic deployment characteristic of network slices is thereby accommodated, so that the attach procedure meets the authentication requirements for a UE accessing a network slice.
Optionally, the method further includes:
also generating, according to the attach request information, a mobile network authentication vector corresponding to the user subscription identity information of the user terminal;
sending the mobile network authentication vector to the mobile communication network entity, so that the mobile communication network entity authenticates with the user terminal according to the mobile network authentication vector.
The network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
the attach request information includes the first attach request information and the second attach request information.
Specifically, obtaining the attach request information of the user terminal may include:
receiving the first attach request information forwarded by the mobile communication network entity; or
receiving the second attach request information sent by the user terminal.
The first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
Specifically, the user network slice identity information of the user terminal includes user network slice identity information preconfigured in the user terminal, and includes user network slice identity information generated by the network slice function entity according to the registration request information of the user terminal.
The user terminal has one or more items of user network slice identity information.
The embodiment of the present invention is illustrated below.
For example, after the UE completes network slice registration, it can attach to the network slice at the same time as it re-attaches to the network. The specific attach and authentication process includes:
Step 701, the UE sends the first attach request information to the mobile communication network entity. The first attach request information includes the user subscription identity information and the user network slice identity information;
Step 702, the mobile communication network entity forwards the UE's attach request information to the HSS;
Step 703, the HSS generates the corresponding authentication vectors according to the UE's user subscription identity information IMSI and user network slice identity information. The generated authentication vector corresponding to the user subscription identity information IMSI consists of the existing AKA authentication vector parameters: RAND, XRES (Expected Response), KASME and AUTN (Authentication Token). The generated authentication vector corresponding to the network slice user identity SID consists of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token). When the attach information contains two items of network slice user identity information, SID1 and SID2, the generated authentication vectors include the AKA authentication vector corresponding to the IMSI and two authentication vectors corresponding to SID1 and SID2 respectively. When the attach information contains multiple items of network slice user identity information, the generated authentication vectors include the existing AKA authentication vector corresponding to the IMSI and a different authentication vector for each of the network slice user identities.
Step 704, the HSS sends the authentication vector corresponding to the IMSI to the mobile communication network entity, and sends the authentication vector corresponding to the SID to the network slice function entity.
Step 705, after receiving the authentication vector, the mobile communication network entity performs AKA authentication with the UE based on the authentication vector corresponding to the IMSI.
Step 706, the network slice function entity performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity.
As another example, the UE can also, according to the user's configuration, attach to the network slices preconfigured by the user at the same time as it re-attaches to the network. The detailed process includes:
Step 801, the user configures on the UE the network slice information to be accessed.
Step 802, the UE sends the first attach request information to the mobile communication network entity. The first attach request information includes the user subscription identity information and the preconfigured user network slice identity information;
Step 803, the mobile communication network entity forwards the UE's attach request information to the HSS;
Step 804, the HSS generates the corresponding authentication vectors according to the UE's user subscription identity information IMSI and user network slice identity information. The generated authentication vector corresponding to the user subscription identity information IMSI consists of the existing AKA authentication vector parameters: RAND, XRES (Expected Response), KASME and AUTN (Authentication Token). The generated authentication vector corresponding to the network slice user identity SID consists of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token). When the attach information contains two items of preconfigured network slice user identity information, SID1 and SID2, the generated authentication vectors include the AKA authentication vector corresponding to the IMSI and two authentication vectors corresponding to SID1 and SID2 respectively. When the attach information contains multiple items of preconfigured network slice user identity information, the generated authentication vectors include the existing AKA authentication vector corresponding to the IMSI and a different authentication vector for each of the network slice user identities.
Step 805, the HSS sends the authentication vector corresponding to the IMSI to the mobile communication network entity, and sends the authentication vector corresponding to the SID to the network slice function entity.
Step 806, after receiving the authentication vector, the mobile communication network entity performs AKA authentication with the UE based on the authentication vector corresponding to the IMSI.
Step 807, the network slice function entity performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity.
As another example, after it has attached to the network, the UE can also attach to a network slice according to the user's selection. The detailed process includes:
Step 901, the UE sends attach request information to the selected network slice functional entity. The attach request information includes the user network slice identity information;
Step 902, the network slice functional entity forwards the UE's attach request information to the HSS;
Step 903, the HSS generates the corresponding authentication vector according to the UE's user network slice identity information. The generated authentication vector corresponding to a network slice user identity SID consists of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token). When the attach information contains two network slice user identities, SID1 and SID2, two authentication vectors are generated, corresponding to SID1 and SID2 respectively. When the attach information contains multiple network slice user identities, the generated authentication vectors include a different authentication vector for each of the network slice user identities.
Step 904, the HSS sends the authentication vector generated according to the authentication request information to the network slice functional entity corresponding to the user network slice identity SID.
Step 905, after receiving the authentication vector, the network slice functional entity performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity.
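The two attach procedures above (steps 801-807 and steps 901-905), as an added example that is not code from the patent: the HSS issues one vector for the IMSI and a separate vector per SID, and each network-side entity runs the challenge-response against the UE. Assumptions: HMAC-SHA256 stands in for the AKA functions, AUTN is reduced to a MAC with no sequence number, and the SID-to-IMSI binding held at the HSS, the key labels and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


def prf(key: bytes, label: bytes, identity: str, rand: bytes) -> bytes:
    """HMAC-SHA256 stand-in for the AKA f-functions and KDF (assumption)."""
    ident = identity.encode()
    msg = label + b"\x00" + len(ident).to_bytes(2, "big") + ident + rand
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class AuthVector:
    identity: str  # IMSI for the mobile vector, SID for a slice vector
    rand: bytes
    xres: bytes
    key: bytes     # KASME (IMSI vector) or Kslice (SID vector)
    autn: bytes    # simplified: MAC only, no SQN/AMF fields


def make_vector(k: bytes, identity: str, key_label: bytes) -> AuthVector:
    rand = os.urandom(16)  # fresh RAND per vector: each SID gets its own challenge
    return AuthVector(identity, rand,
                      xres=prf(k, b"RES", identity, rand)[:8],
                      key=prf(k, key_label, identity, rand),
                      autn=prf(k, b"AUTN", identity, rand)[:16])


class HSS:
    """Network authentication entity: long-term K per IMSI, SID -> IMSI binding."""

    def __init__(self, keys: Dict[str, bytes], sid_owner: Dict[str, str]):
        self._keys, self._sid_owner = keys, sid_owner

    def handle_attach(self, imsi: Optional[str], sids: Iterable[str]
                      ) -> Tuple[Optional[AuthVector], Dict[str, AuthVector]]:
        """First attach request carries IMSI + SIDs (step 804); second carries SIDs only (step 903)."""
        mobile_av = make_vector(self._keys[imsi], imsi, b"KASME") if imsi else None
        slice_avs = {}
        for sid in sids:
            owner = self._sid_owner.get(sid)
            # Added check (assumption): refuse a SID that is unknown or bound to another IMSI.
            if owner is None or (imsi is not None and owner != imsi):
                raise PermissionError(f"SID {sid!r} is not bound to this subscriber")
            slice_avs[sid] = make_vector(self._keys[owner], sid, b"KSLICE")
        return mobile_av, slice_avs


class UE:
    def __init__(self, imsi: str, k: bytes):
        self._imsi, self._k = imsi, k
        self.session_keys: Dict[str, bytes] = {}

    def respond(self, identity: str, rand: bytes, autn: bytes) -> Optional[bytes]:
        """Verify AUTN (authenticates the network) before releasing RES."""
        expected = prf(self._k, b"AUTN", identity, rand)[:16]
        if not hmac.compare_digest(expected, autn):
            return None
        label = b"KASME" if identity == self._imsi else b"KSLICE"
        self.session_keys[identity] = prf(self._k, label, identity, rand)
        return prf(self._k, b"RES", identity, rand)[:8]


def run_aka(av: AuthVector, ue: UE) -> bool:
    """Run by the mobile network entity (IMSI vector) or a slice functional entity (SID vector)."""
    res = ue.respond(av.identity, av.rand, av.autn)
    return res is not None and hmac.compare_digest(res, av.xres)


def demo() -> dict:
    imsi, k = "001010000000001", bytes(range(16))  # constructed test values
    hss = HSS({imsi: k}, {"SID1": imsi, "SID2": imsi})
    ue = UE(imsi, k)
    mobile_av, slice_avs = hss.handle_attach(imsi, ["SID1", "SID2"])  # steps 802-804
    results = {"mobile": run_aka(mobile_av, ue)}                        # step 806
    results.update({sid: run_aka(av, ue) for sid, av in slice_avs.items()})  # step 807
    # A vector issued for SID1 must not authenticate under the SID2 identity.
    av1 = slice_avs["SID1"]
    relabelled = AuthVector("SID2", av1.rand, av1.xres, av1.key, av1.autn)
    results["sid1_vector_as_sid2"] = run_aka(relabelled, ue)
    results["distinct_slice_keys"] = av1.key != slice_avs["SID2"].key
    return results


if __name__ == "__main__":
    print(demo())
```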
Embodiment three
As shown in Fig. 7, an embodiment of the present invention provides a network slice functional entity device. The device includes a first memory 70 and a first processor 72; the first memory 70 stores a computer program for network slice authentication for the device; the computer program is executed by the first processor 72 to perform the following steps:
Obtain, from the network authentication entity, the network slice authentication vector corresponding to the user network slice identity information of the user terminal;
Authenticate with the user terminal according to the network slice authentication vector.
Optionally, the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
The authentication is Authentication and Key Agreement (AKA) authentication of the mobile communication network;
The network slice authentication vector is generated by the network authentication entity according to the first attach request information of the user terminal forwarded by the mobile communication network entity, or according to the second attach request information sent by the user terminal.
Specifically, before the network slice authentication vector corresponding to the user network slice identity information of the user terminal is obtained from the network authentication entity, the steps further include:
Receive the second attach request information of the user terminal;
Send the second attach request information to the network authentication entity, so that the network authentication entity generates the network slice authentication vector.
Specifically, the first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
Optionally, before the network slice authentication vector corresponding to the user network slice identity information of the user terminal is obtained from the network authentication entity, the steps further include:
Receive the registration request information of the user terminal;
Generate user network slice identity information according to the registration request information;
Send the user network slice identity information to the user terminal.
The registration request information carries the user subscription identity information of the user terminal and network slice identification information.
Of course, the embodiments of the present invention can also be implemented in the form of software modules. Specifically:
An embodiment of the present invention provides a network slice functional entity device (which may be referred to in the present invention as a network slice functional entity). The network slice functional entity device includes:
Receiving module, for receiving the network slice authentication vector sent by the network authentication functional entity. The network slice authentication vector includes the parameters RAND, XRES (Expected Response), network slice key Kslice and AUTN (Authentication Token).
Authentication module, for authenticating with the UE;
Of course, the receiving module can also be used to:
Receive the registration request message sent by the UE; the registration request information includes the UE's user subscription identity information IMSI and network slice identification information;
Further, the network slice functional entity device can also include:
Generation module, for generating user network slice identity information;
Sending module, for sending the user network slice identity information to the UE.
For the specific implementation of this embodiment, refer to embodiment one; details are not repeated here.
Embodiment four
As shown in Fig. 8, an embodiment of the present invention provides a network authentication entity device. The device includes a second memory 80 and a second processor 82; the second memory 80 stores a computer program for network slice authentication for the device; the computer program is executed by the second processor 82 to perform the following steps:
Obtain the attach request information of the user terminal;
Generate, according to the attach request information, the network slice authentication vector corresponding to the user network slice identity information of the user terminal;
Send the network slice authentication vector to the network slice functional entity, so that the network slice functional entity authenticates with the user terminal according to the network slice authentication vector.
Optionally, the computer program is executed by the second processor to further perform the following steps:
Also generate, according to the attach request information, the mobile communication authentication vector corresponding to the user subscription identity information of the user terminal;
Send the mobile communication authentication vector to the mobile communication network entity, so that the mobile communication network entity authenticates with the user terminal according to the mobile communication authentication vector.
The network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
The attach request information includes first attach request information and second attach request information;
Specifically, obtaining the attach request information of the user terminal includes:
Receiving the first attach request information forwarded by the mobile communication network entity; or
Receiving the second attach request information sent by the user terminal.
The first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
The user network slice identity information of the user terminal includes user network slice identity information preconfigured in the user terminal, and includes user network slice identity information generated by the network slice functional entity according to the registration request information of the user terminal.
The user terminal has one or more items of user network slice identity information.
Of course, the embodiments of the present invention can also be implemented in the form of software modules. Specifically:
An embodiment of the present invention provides a network authentication functional entity device (which may be referred to in the embodiments of the present invention as a network authentication functional entity). The network authentication functional entity includes:
Receiving module, for receiving the attach request information sent by the mobile communication network entity. The attach request information includes user subscription identity information and user network slice identity information, or only user network slice identity information.
Generation module, for generating the corresponding authentication vector information based on the user subscription identity information and the user network slice identity information;
Sending module, for sending the authentication vectors to the mobile communication network entity and the network slice functional entity.
For the specific implementation of this embodiment, refer to embodiment one; details are not repeated here.
Embodiment five
An embodiment of the present invention provides a network slice authentication system. The system includes the network slice functional entity device according to any one of embodiment 3, the network authentication entity device according to any one of embodiment 4, and a mobile communication network entity;
The network entity, upon receiving the attach request information of the user terminal, forwards the attach request information to the network authentication entity device; and, upon receiving the mobile communication authentication vector, authenticates with the user terminal according to the mobile communication authentication vector.
Embodiment six
An embodiment of the present invention provides a computer-readable storage medium. The medium stores a first computer program for network slice authentication for the network slice functional entity device, and/or stores a second computer program for network slice authentication for the network authentication entity device;
When the first computer program is executed by at least one processor, it implements the steps of the method according to any one of embodiment one;
When the second computer program is executed by at least one processor, it implements the steps of the method according to any one of embodiment 2.
The computer-readable storage medium in the embodiments of the present invention can be RAM, flash memory, ROM, EPROM, EEPROM, a register, a hard disk, a removable hard disk, a CD-ROM or any other form of storage medium known in the art. A storage medium can be coupled to the processor so that the processor can read information from, and write information to, the storage medium; or the storage medium can be an integral part of the processor. The processor and the storage medium can be located in an application-specific integrated circuit.
Although this application describes particular examples of the invention, those skilled in the art can design variants of the invention without departing from the concept of the invention. Inspired by the technical concept of the invention, and without departing from the content of the invention, those skilled in the art can also make various improvements to the invention, which still fall within the scope and spirit of the invention.

Claims (26)

1. A network slice authentication method, characterized in that the method comprises:
obtaining, from a network authentication entity, a network slice authentication vector corresponding to user network slice identity information of a user terminal;
authenticating with the user terminal according to the network slice authentication vector.
2. The method according to claim 1, characterized in that the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
the authentication is Authentication and Key Agreement (AKA) authentication of the mobile communication network;
the network slice authentication vector is generated by the network authentication entity according to first attach request information of the user terminal forwarded by a mobile communication network entity, or according to second attach request information sent by the user terminal.
3. The method according to claim 2, characterized in that, before the obtaining, from the network authentication entity, of the network slice authentication vector corresponding to the user network slice identity information of the user terminal, the method further comprises:
receiving the second attach request information of the user terminal;
sending the second attach request information to the network authentication entity, so that the network authentication entity generates the network slice authentication vector.
4. The method according to claim 2, characterized in that the first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
5. The method according to any one of claims 1-4, characterized in that, before the obtaining, from the network authentication entity, of the network slice authentication vector corresponding to the user network slice identity information of the user terminal, the method further comprises:
receiving registration request information of the user terminal;
generating user network slice identity information according to the registration request information;
sending the user network slice identity information to the user terminal.
6. The method according to claim 5, characterized in that the registration request information carries the user subscription identity information of the user terminal and network slice identification information.
7. A network slice authentication method, characterized in that the method comprises:
obtaining attach request information of a user terminal;
generating, according to the attach request information, a network slice authentication vector corresponding to user network slice identity information of the user terminal;
sending the network slice authentication vector to a network slice functional entity, so that the network slice functional entity authenticates with the user terminal according to the network slice authentication vector.
8. The method according to claim 7, characterized in that the method further comprises:
also generating, according to the attach request information, a mobile communication authentication vector corresponding to user subscription identity information of the user terminal;
sending the mobile communication authentication vector to a mobile communication network entity, so that the mobile communication network entity authenticates with the user terminal according to the mobile communication authentication vector.
9. The method according to claim 8, characterized in that the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
the attach request information includes first attach request information and second attach request information; the obtaining of the attach request information of the user terminal comprises:
receiving the first attach request information forwarded by the mobile communication network entity; or
receiving the second attach request information sent by the user terminal.
10. The method according to claim 9, characterized in that the first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
11. The method according to claim 10, characterized in that the user network slice identity information of the user terminal includes user network slice identity information preconfigured in the user terminal, and includes user network slice identity information generated by the network slice functional entity according to registration request information of the user terminal.
12. The method according to claim 10, characterized in that the user terminal has one or more items of user network slice identity information.
13. A network slice functional entity device, characterized in that the device includes a first memory and a first processor; the first memory stores a computer program for network slice authentication for the device; the computer program is executed by the first processor to perform the following steps:
obtaining, from a network authentication entity, a network slice authentication vector corresponding to user network slice identity information of a user terminal;
authenticating with the user terminal according to the network slice authentication vector.
14. The device according to claim 13, characterized in that the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
the authentication is Authentication and Key Agreement (AKA) authentication of the mobile communication network;
the network slice authentication vector is generated by the network authentication entity according to first attach request information of the user terminal forwarded by a mobile communication network entity, or according to second attach request information sent by the user terminal.
15. The device according to claim 14, characterized in that, before the obtaining, from the network authentication entity, of the network slice authentication vector corresponding to the user network slice identity information of the user terminal, the steps further comprise:
receiving the second attach request information of the user terminal;
sending the second attach request information to the network authentication entity, so that the network authentication entity generates the network slice authentication vector.
16. The device according to claim 14, characterized in that the first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
17. The device according to any one of claims 13-16, characterized in that, before the obtaining, from the network authentication entity, of the network slice authentication vector corresponding to the user network slice identity information of the user terminal, the steps further comprise:
receiving registration request information of the user terminal;
generating user network slice identity information according to the registration request information;
sending the user network slice identity information to the user terminal.
18. The device according to claim 17, characterized in that the registration request information carries the user subscription identity information of the user terminal and network slice identification information.
19. A network authentication entity device, characterized in that the device includes a second memory and a second processor; the second memory stores a computer program for network slice authentication for the device; the computer program is executed by the second processor to perform the following steps:
obtaining attach request information of a user terminal;
generating, according to the attach request information, a network slice authentication vector corresponding to user network slice identity information of the user terminal;
sending the network slice authentication vector to a network slice functional entity, so that the network slice functional entity authenticates with the user terminal according to the network slice authentication vector.
20. The device according to claim 19, characterized in that the computer program is executed by the second processor to further perform the following steps:
also generating, according to the attach request information, a mobile communication authentication vector corresponding to user subscription identity information of the user terminal;
sending the mobile communication authentication vector to a mobile communication network entity, so that the mobile communication network entity authenticates with the user terminal according to the mobile communication authentication vector.
21. The device according to claim 20, characterized in that the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
the attach request information includes first attach request information and second attach request information; the obtaining of the attach request information of the user terminal comprises:
receiving the first attach request information forwarded by the mobile communication network entity; or
receiving the second attach request information sent by the user terminal.
22. The device according to claim 21, characterized in that the first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
23. The device according to claim 22, characterized in that the user network slice identity information of the user terminal includes user network slice identity information preconfigured in the user terminal, and includes user network slice identity information generated by the network slice functional entity according to registration request information of the user terminal.
24. The device according to claim 22, characterized in that the user terminal has one or more items of user network slice identity information.
25. A network slice authentication system, the system comprising the network slice functional entity device according to any one of claims 13-18, the network authentication entity device according to any one of claims 19-24, and a mobile communication network entity;
the network entity, upon receiving attach request information of a user terminal, forwards the attach request information to the network authentication entity device; and, upon receiving a mobile communication authentication vector, authenticates with the user terminal according to the mobile communication authentication vector.
26. A computer-readable storage medium, characterized in that the medium stores a first computer program for network slice authentication for a network slice functional entity device, and/or stores a second computer program for network slice authentication for a network authentication entity device;
when the first computer program is executed by at least one processor, it implements the steps of the method according to any one of claims 1-6;
when the second computer program is executed by at least one processor, it implements the steps of the method according to any one of claims 7-12.
CN201710469951.7A 2017-06-20 2017-06-20 The authentication method and related device, system and medium of network slice Withdrawn CN109104726A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201710469951.7A CN109104726A (en) 2017-06-20 2017-06-20 The authentication method and related device, system and medium of network slice
PCT/CN2018/101337 WO2018233726A1 (en) 2017-06-20 2018-08-20 Network slice authentication method, corresponding apparatus and system, and medium


Publications (1)

Publication Number Publication Date
CN109104726A true CN109104726A (en) 2018-12-28



Also Published As

Publication number Publication date
WO2018233726A1 (en) 2018-12-27


Legal Events

Date Code Title Description
PB01 Publication
TA01 Transfer of patent application right

Effective date of registration: 20191204

Address after: 518057 Nanshan District science and technology, Guangdong Province, South Road, No. 55, No.

Applicant after: ZTE Communications Co., Ltd.

Address before: 201203 No. 889 Bibo Road, Shanghai Pudong New Area Free Trade Pilot Area

Applicant before: Shanghai Zhongxing Software Co., Ltd.

SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20181228
