CN109104726A - Authentication method for network slices and related device, system and medium - Google Patents
- Publication number
- CN109104726A (application number CN201710469951.7A)
- Authority
- CN
- China
- Prior art keywords
- network
- user
- user terminal
- network slice
- identification information
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Abstract
The invention discloses an authentication method for network slices and a related device, system and medium, to solve the problem of authenticating a UE's access to a network slice in a mobile communication network. The method comprises: obtaining, from a network authentication entity, a network slice authentication vector corresponding to the user network slice identification information of a user terminal; and authenticating with the user terminal according to the network slice authentication vector. Where network slices are introduced into a mobile communication system and a UE, after attaching to the mobile communication network, further accesses a network slice to receive the services provided by that slice, the method, device, system and medium of the invention accommodate the dynamic deployment of network slices, so that the attach procedure meets the authentication requirements of UE access to network slices.
Description
Technical field
The present invention relates to the field of mobile communications, and in particular to an authentication method for network slices and a related device, system and medium.
Background
The 5G (fifth-generation mobile communication technology) network architecture will introduce new IT technologies such as network function virtualization (NFV). In 3G/4G networks, the protection of functional network elements depends largely on the security isolation of physical equipment. In 5G networks, with NFV deployed, some functional network elements are deployed on cloud infrastructure as virtual network elements. A virtual core network built according to network service requirements is called a network slice; one network slice constitutes one virtual core network and provides mobile network access service to a specific group of user terminals (UEs).
A typical network slice includes a set of virtualized core network functions: a slice control plane unit, mainly responsible for slice mobility, session management and authentication-related functions; a slice user plane unit, which mainly provides the slice's user resources to the user; a slice policy control unit, responsible for user policy functions; and a slice charging unit, responsible for user charging. The functions of a network slice are determined by the operator according to demand and operator policy. For example, some network slices may include a dedicated forwarding plane in addition to control plane functions, while others may include only some basic control plane functions and share the other core network functions with other network slices. Network slices may be created, modified or deleted on demand. A UE may also receive services from different network slices at the same time.
In existing 3G/4G mobile communication systems, the UE is authenticated through AKA (Authentication and Key Agreement, the authentication and key agreement protocol of mobile communication networks), and after accessing the network it directly uses the services provided by the core network.
In a 5G system, because the network slice concept is introduced, the UE needs to further access a network slice after attaching to the network in order to receive the services provided by that slice. Because network slices are deployed dynamically, the AKA authentication of the attach procedure cannot meet the authentication requirements of UE access to a network slice. How to meet those requirements is the problem to be solved.
Summary of the invention
To overcome the above drawback, the technical problem to be solved by the present invention is to provide an authentication method for network slices and a related device, system and medium, to solve the problem of authenticating a UE's access to a network slice in a mobile communication network.
To solve the above technical problem, an authentication method for network slices in the present invention comprises:
obtaining, from a network authentication entity, a network slice authentication vector corresponding to the user network slice identification information of a user terminal;
authenticating with the user terminal according to the network slice authentication vector.
To solve the above technical problem, an authentication method for network slices in the present invention comprises:
obtaining the attach request information of a user terminal;
generating, according to the attach request information, a network slice authentication vector corresponding to the user network slice identification information of the user terminal;
sending the network slice authentication vector to a network slice functional entity, so that the network slice functional entity authenticates with the user terminal according to the network slice authentication vector.
To solve the above technical problem, a network slice functional entity device in the present invention comprises a first memory and a first processor; the first memory stores a computer program for network slice authentication for the device; the computer program is executed by the first processor to perform the following steps:
obtaining, from a network authentication entity, a network slice authentication vector corresponding to the user network slice identification information of a user terminal;
authenticating with the user terminal according to the network slice authentication vector.
To solve the above technical problem, a network authentication entity device in the present invention comprises a second memory and a second processor; the second memory stores a computer program for network slice authentication for the device; the computer program is executed by the second processor to perform the following steps:
obtaining the attach request information of a user terminal;
generating, according to the attach request information, a network slice authentication vector corresponding to the user network slice identification information of the user terminal;
sending the network slice authentication vector to a network slice functional entity, so that the network slice functional entity authenticates with the user terminal according to the network slice authentication vector.
To solve the above technical problem, an authentication system for network slices in the present invention comprises any network slice functional entity device as described above, any network authentication entity device as described above, and a mobile communication network entity;
on receiving the attach request information of a user terminal, the mobile communication network entity forwards the attach request information to the network authentication entity device; on receiving a mobile authentication vector, it authenticates with the user terminal according to the mobile authentication vector.
To solve the above technical problem, a computer-readable storage medium in the present invention stores a first computer program for network slice authentication for the network slice functional entity device, and/or a second computer program for network slice authentication for the network authentication entity device;
when the first computer program is executed by at least one processor, it implements the steps of any of the methods described above for the network slice functional entity device;
when the second computer program is executed by at least one processor, it implements the steps of any of the methods described above for the network authentication entity device.
The beneficial effects of the present invention are as follows:
Where network slices are introduced into a mobile communication system and a UE, after attaching to the mobile communication network, further accesses a network slice to receive the services provided by that slice, the authentication method for network slices and the related device, system and medium of the present invention accommodate the dynamic deployment of network slices, so that the attach procedure meets the authentication requirements of UE access to network slices.
Description of the drawings
Fig. 1 is a flowchart of an authentication method for network slices in an embodiment of the present invention;
Fig. 2 is an interaction diagram of one optional way in which the UE attaches to the network and to a network slice in an embodiment of the present invention;
Fig. 3 is an interaction diagram of another optional way in which the UE attaches to the network and to a network slice in an embodiment of the present invention;
Fig. 4 is an interaction diagram of the UE attaching to a network slice according to a selection in an embodiment of the present invention;
Fig. 5 is an interaction diagram of the UE registering with a network slice in an embodiment of the present invention;
Fig. 6 is a flowchart of an authentication method for network slices in an embodiment of the present invention;
Fig. 7 is a structural schematic diagram of a network slice functional entity device in an embodiment of the present invention;
Fig. 8 is a structural schematic diagram of a network authentication entity device in an embodiment of the present invention.
Detailed description of embodiments
To solve the problem in the prior art, the present invention provides an authentication method for network slices and a related device, system and medium. The present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and do not limit it.
Embodiment one
As shown in Fig. 1, an embodiment of the present invention provides an authentication method for network slices, the method comprising:
S101: obtaining, from a network authentication entity, a network slice authentication vector corresponding to the user network slice identification information SID (Slice Identification) of a user terminal UE;
S102: authenticating with the user terminal according to the network slice authentication vector.
The network authentication entity can be a Home Subscriber Server (HSS).
The method in this embodiment is used by the network slice functional entity.
In this embodiment, a network slice authentication vector corresponding to the user network slice identification information of the user terminal UE is obtained from the network authentication entity, and authentication with the user terminal is then performed according to that vector. Thus, in a mobile communication system (such as 5G) into which network slices have been introduced, when the UE, after attaching to the mobile communication network, further accesses a network slice to receive the services provided by that slice, the dynamic deployment of network slices is accommodated, so that the attach procedure meets the authentication requirements of UE access to network slices.
Variants of the above embodiment are further proposed on its basis. To keep the description brief, each variant describes only its differences from the above embodiment.
In the embodiments of the present invention, the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
the authentication is authentication by AKA, the authentication and key agreement protocol of mobile communication networks;
the network slice authentication vector is generated by the network authentication entity according to first attach request information of the user terminal forwarded by a mobile communication network entity (such as a base station), or according to second attach request information sent by the user terminal.
It should be noted that the ordinals ("first", "second") placed before "attach request information" in the embodiments of the present invention serve only to aid the description and have no specific meaning in themselves.
Optionally, before the obtaining, from the network authentication entity, of the network slice authentication vector corresponding to the user network slice identification information of the user terminal, the method can also include:
receiving the second attach request information of the user terminal;
sending the second attach request information to the network authentication entity, so that the network authentication entity generates the network slice authentication vector.
The first attach request information carries the user subscription identification information of the user terminal and the user network slice identification information of the user terminal; the second attach request information carries the user network slice identification information of the user terminal.
This variant embodiment is illustrated below.
Taking the first attach request information as an example, as shown in Fig. 2, after the UE has completed registration with a network slice, it can attach to the network slice at the same time as it re-attaches to the network. Specifically, the process in which the UE re-attaches to the network and further attaches to the network slice includes:
Step 201: the UE sends the first attach request information to the mobile communication network entity. The first attach request information includes the user subscription identification information and the user network slice identification information;
Step 202: the mobile communication network entity forwards the UE's first attach request information to the HSS;
Step 203: the HSS generates the corresponding authentication vectors according to the UE's user subscription identification information IMSI and user network slice identification information.
For example, a mobile authentication vector (1) corresponding to the user subscription identification information IMSI is generated. This vector can be composed of the existing AKA authentication vector parameters: RAND (a random number generated by the rand() function), XRES (Expected Response), KASME and AUTN (Authentication Token).
A network slice authentication vector (2) corresponding to the network slice user identity SID is also generated. This vector is composed of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token).
Further, when the attach information contains 2 network slice user identities SID1 and SID2, the generated authentication vectors comprise the AKA authentication vector corresponding to the IMSI (i.e. the mobile authentication vector) and 2 network slice authentication vectors corresponding to SID1 and SID2 respectively.
When the attach information contains multiple network slice user identities, the generated authentication vectors comprise the existing AKA authentication vector corresponding to the IMSI and a different authentication vector for each of the network slice user identities.
Step 204: the HSS sends the authentication vector (1) corresponding to the IMSI to the mobile communication network entity, and sends the authentication vector (2) corresponding to the SID to the network slice functional entity;
Step 205: after receiving the authentication vector, the mobile communication network entity performs AKA authentication with the UE based on the authentication vector corresponding to the IMSI;
Step 206: the network slice functional entity performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity.
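Steps 201 to 206 can be walked through in code. The following is an added example, not part of the patent: it assumes HMAC-SHA256 in place of the AKA key-generation functions, reduces AUTN to a MAC without a sequence number (so it gives no replay protection), and binds each vector to its IMSI or SID by mixing the identity into every derivation. The patent does not specify how Kslice is derived; the HSS-side table of SIDs per IMSI and all sample values are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _prf(key, label, ident, rand, n=32):
    # Assumption: HMAC-SHA256 stands in for the AKA f-functions.
    msg = label + b"|" + ident.encode() + b"|" + rand
    return hmac.new(key, msg, hashlib.sha256).digest()[:n]


def derive(k, ident, rand, key_label):
    """Return (RES, session key, AUTN), all bound to one identity (IMSI or SID)."""
    return (_prf(k, b"RES", ident, rand, 8),
            _prf(k, key_label, ident, rand),
            _prf(k, b"AUTN", ident, rand, 16))


@dataclass(frozen=True)
class AuthVector:
    ident: str    # IMSI or SID this vector was generated for
    rand: bytes   # RAND
    xres: bytes   # XRES
    key: bytes    # KASME (IMSI vector) or Kslice (SID vector)
    autn: bytes   # AUTN


class HSS:
    """Network authentication entity: holds K per IMSI and the SIDs of each IMSI."""

    def __init__(self, keys, sids_by_imsi):
        self._keys = keys
        self._sids = sids_by_imsi   # assumption: the HSS knows which SIDs an IMSI owns

    def _vector(self, k, ident, key_label):
        rand = os.urandom(16)       # CSPRNG here; the page only says rand()
        xres, key, autn = derive(k, ident, rand, key_label)
        return AuthVector(ident, rand, xres, key, autn)

    def handle_attach(self, imsi, sids):
        """Step 203: vector (1) for the IMSI plus one vector (2) per SID."""
        k = self._keys[imsi]
        unknown = [s for s in sids if s not in self._sids.get(imsi, ())]
        if unknown:
            raise ValueError(f"SID not registered for subscriber: {unknown}")
        mobile_av = self._vector(k, imsi, b"KASME")
        slice_avs = {sid: self._vector(k, sid, b"Kslice") for sid in sids}
        # Step 204: mobile_av goes to the mobile network entity, each slice
        # vector only to its slice functional entity, so Kslice stays per slice.
        return mobile_av, slice_avs


class UE:
    def __init__(self, imsi, k):
        self.imsi, self._k = imsi, k

    def respond(self, ident, rand, autn):
        """Check AUTN (network authenticity), then answer with RES and the key."""
        label = b"KASME" if ident == self.imsi else b"Kslice"
        res, key, expected_autn = derive(self._k, ident, rand, label)
        if not hmac.compare_digest(autn, expected_autn):
            return None
        return res, key


def authenticate(av, ue, claimed_ident=None):
    """Steps 205/206: the entity holding `av` challenges the UE and checks RES."""
    reply = ue.respond(claimed_ident or av.ident, av.rand, av.autn)
    return reply is not None and hmac.compare_digest(reply[0], av.xres)


def demo():
    # Constructed sample subscriber; not taken from the patent.
    imsi, k = "001010000000001", bytes(range(16))
    hss = HSS({imsi: k}, {imsi: {"SID1", "SID2"}})
    ue = UE(imsi, k)
    mobile_av, slice_avs = hss.handle_attach(imsi, ["SID1", "SID2"])
    keys = {mobile_av.key, *(av.key for av in slice_avs.values())}
    return {
        "mobile_ok": authenticate(mobile_av, ue),
        "slices_ok": all(authenticate(av, ue) for av in slice_avs.values()),
        "keys_distinct": len(keys) == 3,
        # A vector issued for SID1 must not authenticate a session for SID2.
        "cross_slice_rejected": not authenticate(slice_avs["SID1"], ue, "SID2"),
        "wrong_key_rejected": not authenticate(slice_avs["SID1"], UE(imsi, b"\x00" * 16)),
    }


if __name__ == "__main__":
    print(demo())
```

A production design would use the standardized AKA functions and keep the sequence number in AUTN; the point here is the split of one attach request into separately routed, identity-bound vectors.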
Again taking the first attach request information as an example, as shown in Fig. 3, the UE can also, according to the user's configuration, attach to the network slices preconfigured by the user at the same time as it re-attaches to the network. Specifically, this process can include:
Step 301: the user configures on the UE the network slice information to be accessed;
Step 302: the UE sends the first attach request information to the mobile communication network entity. The first attach request information includes the user subscription identification information and the preconfigured user network slice identification information;
Step 303: the mobile communication network entity forwards the UE's attach request information to the HSS;
Step 304: the HSS generates the corresponding authentication vectors according to the UE's user subscription identification information IMSI and user network slice identification information.
The generated authentication vector corresponding to the user subscription identification information IMSI can be composed of the existing AKA authentication vector parameters: RAND, XRES (Expected Response), KASME and AUTN (Authentication Token).
The generated authentication vector corresponding to the network slice user identity SID is composed of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token).
Further, when the attach information contains 2 preconfigured network slice user identities SID1 and SID2, the generated authentication vectors comprise the AKA authentication vector corresponding to the IMSI and 2 authentication vectors corresponding to SID1 and SID2 respectively. When the attach information contains multiple preconfigured network slice user identities, the generated authentication vectors comprise the existing AKA authentication vector corresponding to the IMSI and a different authentication vector for each of the network slice user identities.
Step 305: the HSS sends the authentication vector (1) corresponding to the IMSI to the mobile communication network entity, and sends the authentication vector (2) corresponding to the SID to the network slice functional entity;
Step 306: after receiving the authentication vector, the mobile communication network entity performs AKA authentication with the UE based on the authentication vector corresponding to the IMSI;
Step 307: the network slice functional entity performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity.
Taking the second attach request information as an example, as shown in Fig. 4, the UE can also attach to a network slice according to the user's selection after it has attached to the mobile communication network (which may be referred to simply as the network in the present invention). Specifically, the process in which the UE attaches to the network slice includes:
Step 401: the UE sends the second attach request information to the selected network slice functional entity. The second attach request information includes the user network slice identification information;
Step 402: the network slice functional entity forwards the UE's attach request information to the HSS;
Step 403: the HSS generates the corresponding authentication vector according to the UE's user network slice identification information.
The generated authentication vector corresponding to the network slice user identity SID is composed of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token).
Further, when the attach information contains 2 network slice user identities SID1 and SID2, the generated authentication vectors are 2 authentication vectors corresponding to SID1 and SID2 respectively. When the attach information contains multiple network slice user identities, the generated authentication vectors comprise a different authentication vector for each of the network slice user identities.
Step 404: the HSS sends the network slice authentication vector generated according to the authentication request information to the network slice functional entity corresponding to the user network slice identity SID.
Step 405: after receiving the network slice authentication vector, the network slice functional entity performs AKA authentication with the UE based on the received network slice authentication vector.
Optionally, before the obtaining, from the network authentication entity, of the network slice authentication vector corresponding to the user network slice identification information of the user terminal, the method further includes:
receiving the registration request information of the user terminal;
generating the user network slice identification information according to the registration request information;
sending the user network slice identification information to the user terminal.
The registration request information carries the user subscription identification information of the user terminal and the network slice identification information.
For example, as shown in Fig. 5, the process provided in this embodiment in which the UE registers with a network slice can include:
Step 501: after attaching to the mobile communication network (such as a 5G network), the UE sends a registration request to the network slice. The registration request information includes the UE's user subscription identification information IMSI and the network slice identification information;
Step 102: the network slice functional entity generates, for the UE's user subscription identification information IMSI, the UE's network slice user identity information SID (Slice Identification); the network slice identification information can be derived from the network slice user identity information SID;
Step 103: the network slice functional entity sends the generated network slice user identity information SID of the UE to the UE, so that the UE carries this identity information when sending attach request information.
In the embodiments of the present invention, the terminal device UE first registers with the network slice. After registration is complete, the UE can further attach to the network slice at the same time as it re-attaches to the network. The UE can also attach directly to a network slice according to user configuration, or attach to the corresponding network slice according to user configuration while re-attaching to the network. The UE can of course also attach to the corresponding network slice according to the user's selection after it has attached to the network. The terminal device UE can therefore attach at any time to a dynamically deployed network slice, which solves the problem of authenticating the terminal device UE's access to network slices.
Embodiment two
As shown in Fig. 6, an embodiment of the present invention provides an authentication method for network slices, the method comprising:
S601: obtaining the attach request information of a user terminal;
S602: generating, according to the attach request information, a network slice authentication vector corresponding to the user network slice identification information of the user terminal;
S603: sending the network slice authentication vector to a network slice functional entity, so that the network slice functional entity authenticates with the user terminal according to the network slice authentication vector.
The method in this embodiment is used by the network authentication entity, such as an HSS.
In this embodiment, the attach request information of the user terminal is obtained; a network slice authentication vector corresponding to the user network slice identification information of the user terminal is generated according to the attach request information; and the network slice authentication vector is sent to the network slice functional entity, so that the network slice functional entity authenticates with the user terminal according to it. Thus, in a mobile communication system (such as 5G) into which network slices have been introduced, when the UE, after attaching to the mobile communication network, further accesses a network slice to receive the services provided by that slice, the dynamic deployment of network slices is accommodated, so that the attach procedure meets the authentication requirements of UE access to network slices.
Optionally, the method also includes:
generating, according to the attach request information, a mobile authentication vector corresponding to the user subscription identification information of the user terminal;
sending the mobile authentication vector to the mobile communication network entity, so that the mobile communication network entity authenticates with the user terminal according to the mobile authentication vector.
The network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
the attach request information includes first attach request information and second attach request information.
Specifically, the obtaining of the attach request information of the user terminal may include:
receiving the first attach request information forwarded by the mobile communication network entity; or
receiving the second attach request information sent by the user terminal.
The first attach request information carries the user subscription identification information of the user terminal and the user network slice identification information of the user terminal; the second attach request information carries the user network slice identification information of the user terminal.
Specifically, the user network slice identification information of the user terminal includes user network slice identification information preconfigured in the user terminal, and user network slice identification information generated by the network slice functional entity according to the registration request information of the user terminal.
The user terminal has one or more items of user network slice identification information.
This embodiment of the present invention is illustrated below.
For example, after the UE has completed registration with a network slice, it can attach to the network slice at the same time as it re-attaches to the network. The specific attach and authentication process includes:
Step 701: the UE sends the first attach request information to the mobile communication network entity. The first attach request information includes the user subscription identification information and the user network slice identification information;
Step 702: the mobile communication network entity forwards the UE's attach request information to the HSS;
Step 703: the HSS generates the corresponding authentication vectors according to the UE's user subscription identification information IMSI and user network slice identification information. The generated authentication vector corresponding to the user subscription identification information IMSI is composed of the existing AKA authentication vector parameters: RAND, XRES (Expected Response), KASME and AUTN (Authentication Token). The generated authentication vector corresponding to the network slice user identity SID is composed of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token). When the attach information contains 2 network slice user identities SID1 and SID2, the generated authentication vectors comprise the AKA authentication vector corresponding to the IMSI and 2 authentication vectors corresponding to SID1 and SID2 respectively. When the attach information contains multiple network slice user identities, the generated authentication vectors comprise the existing AKA authentication vector corresponding to the IMSI and a different authentication vector for each of the network slice user identities.
Step 704: the HSS sends the authentication vector corresponding to the IMSI to the mobile communication network entity, and sends the authentication vector corresponding to the SID to the network slice functional entity.
Step 705: after receiving the authentication vector, the mobile communication network entity performs AKA authentication with the UE based on the authentication vector corresponding to the IMSI.
Step 706: the network slice functional entity performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity.
As another example, the UE can also, according to the user's configuration, attach to the network slices preconfigured by the user at the same time as it re-attaches to the network. The specific process includes:
Step 801: the user configures on the UE the network slice information to be accessed.
Step 802: the UE sends the first attach request information to the mobile communication network entity. The first attach request information includes the user subscription identification information and the preconfigured user network slice identification information;
Step 803: the mobile communication network entity forwards the UE's attach request information to the HSS;
Step 804: the HSS generates the corresponding authentication vectors according to the UE's user subscription identification information IMSI and user network slice identification information. The generated authentication vector corresponding to the user subscription identification information IMSI is composed of the existing AKA authentication vector parameters: RAND, XRES (Expected Response), KASME and AUTN (Authentication Token). The generated authentication vector corresponding to the network slice user identity SID is composed of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token). When the attach information contains 2 preconfigured network slice user identities SID1 and SID2, the generated authentication vectors comprise the AKA authentication vector corresponding to the IMSI and 2 authentication vectors corresponding to SID1 and SID2 respectively. When the attach information contains multiple preconfigured network slice user identities, the generated authentication vectors comprise the existing AKA authentication vector corresponding to the IMSI and a different authentication vector for each of the network slice user identities.
Step 805: the HSS sends the authentication vector corresponding to the IMSI to the mobile communication network entity, and sends the authentication vector corresponding to the SID to the network slice functional entity.
Step 806: after receiving the authentication vector, the mobile communication network entity performs AKA authentication with the UE based on the authentication vector corresponding to the IMSI.
Step 807: the network slice functional entity performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity.
As another example, after the UE has attached to the network, it can also attach to a network slice according to the user's selection. The detailed process includes:
Step 901, the UE sends attach request information to the selected network slice functional entity. The attach request information includes the user network slice identity information;
Step 902, the network slice functional entity forwards the UE's attach request information to the HSS;
Step 903, the HSS generates the corresponding authentication vector according to the UE's user network slice identity information. The authentication vector generated for a network slice user identity SID consists of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token). When the attach information contains 2 network slice user identities, SID1 and SID2, 2 authentication vectors are generated, corresponding to SID1 and SID2 respectively. When the attach information contains multiple network slice user identities, the generated authentication vectors include a different authentication vector for each of the network slice user identities.
Step 904, the HSS sends the authentication vector generated according to the authentication request information to the network slice functional entity corresponding to the user network slice identity SID.
Step 905, after the network slice functional entity receives the authentication vector, it performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity.
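Both procedures above (steps 801-807 and steps 901-905) rest on the same mechanism: the HSS builds one authentication vector per identity and routes each vector to the entity that runs AKA with the UE. The following Python example is added here and is not code from the patent; HMAC-SHA256 stands in for the AKA f-functions, AUTN is reduced to a MAC without SQN, and the class names, the SID-to-IMSI table and the sample IMSI are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _prf(k: bytes, label: bytes, rand: bytes, identity: str) -> bytes:
    # Assumption: HMAC-SHA256 replaces the AKA f-functions (this is not MILENAGE).
    # The identity (IMSI or SID) is mixed in so each vector is bound to it.
    ident = identity.encode()
    msg = label + b"|" + rand + len(ident).to_bytes(2, "big") + ident
    return hmac.new(k, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class AuthVector:
    identity: str  # IMSI, or a network slice user identity (SID)
    rand: bytes    # RAND
    xres: bytes    # XRES, expected response
    key: bytes     # KASME for the IMSI vector, Kslice for a SID vector
    autn: bytes    # AUTN, simplified to a MAC (real AKA also carries SQN/AMF)


def make_vector(k: bytes, identity: str) -> AuthVector:
    rand = secrets.token_bytes(16)
    return AuthVector(identity, rand,
                      xres=_prf(k, b"res", rand, identity)[:8],
                      key=_prf(k, b"key", rand, identity),
                      autn=_prf(k, b"autn", rand, identity)[:16])


class HSS:
    def __init__(self, keys: Dict[str, bytes], sid_owner: Dict[str, str]):
        self.keys = keys            # IMSI -> long-term key K
        self.sid_owner = sid_owner  # SID -> IMSI (hypothetical lookup table)

    def handle_attach(self, imsi: Optional[str], sids: List[str]) -> dict:
        """First attach request: IMSI plus SIDs. Second: SIDs only (imsi=None).

        Returns the routing of steps 805/904: the IMSI vector goes to the
        mobile communication network entity, each SID vector to the slice
        functional entity.
        """
        if imsi is not None and imsi not in self.keys:
            raise ValueError("unknown IMSI")
        for sid in sids:
            owner = self.sid_owner.get(sid)
            # Added check (assumption): a SID must be known and must belong
            # to the IMSI presented in the same request.
            if owner is None or (imsi is not None and owner != imsi):
                raise ValueError(f"SID {sid} not valid for this subscriber")
        routed = {"mobile": None, "slice": {}}
        if imsi is not None:
            routed["mobile"] = make_vector(self.keys[imsi], imsi)
        for sid in sids:
            routed["slice"][sid] = make_vector(self.keys[self.sid_owner[sid]], sid)
        return routed


class UE:
    def __init__(self, k: bytes):
        self.k = k

    def respond(self, identity: str, rand: bytes,
                autn: bytes) -> Optional[Tuple[bytes, bytes]]:
        # The UE authenticates the network first: AUTN must verify under K.
        expected = _prf(self.k, b"autn", rand, identity)[:16]
        if not hmac.compare_digest(autn, expected):
            return None
        res = _prf(self.k, b"res", rand, identity)[:8]
        return res, _prf(self.k, b"key", rand, identity)


def authenticate(vector: AuthVector, ue: UE) -> Optional[bytes]:
    """Run by the mobile network entity (step 806) or slice entity (807/905).

    Returns the agreed key (KASME or Kslice) on success, None on failure.
    """
    answer = ue.respond(vector.identity, vector.rand, vector.autn)
    if answer is None:
        return None
    res, _ue_key = answer
    if not hmac.compare_digest(res, vector.xres):
        return None
    return vector.key


if __name__ == "__main__":
    K = bytes(range(16))                       # constructed test key
    IMSI = "001010000000001"                   # constructed test IMSI
    hss = HSS({IMSI: K}, {"SID1": IMSI, "SID2": IMSI})
    routed = hss.handle_attach(IMSI, ["SID1", "SID2"])
    ue = UE(K)
    print("network AKA ok:", authenticate(routed["mobile"], ue) is not None)
    for sid, vec in routed["slice"].items():
        print(sid, "slice AKA ok:", authenticate(vec, ue) is not None)
```

Because the identity is part of every derivation, a vector issued for SID1 does not verify when presented under SID2, and each slice ends up with its own Kslice.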
Embodiment three
As shown in Fig. 7, this embodiment of the invention provides a network slice functional entity device. The device includes a first memory 70 and a first processor 72; the first memory 70 stores a computer program for network slice authentication for the device; the computer program is executed by the first processor 72 to perform the following steps:
Obtaining, from a network authentication entity, the network slice authentication vector corresponding to the user network slice identity information of the user terminal;
Authenticating with the user terminal according to the network slice authentication vector.
Optionally, the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
The authentication is Authentication and Key Agreement (AKA) authentication of the mobile communication network;
The network slice authentication vector is generated by the network authentication entity according to the first attach request information of the user terminal forwarded by the mobile communication network entity, or according to the second attach request information sent by the user terminal.
Specifically, before obtaining from the network authentication entity the network slice authentication vector corresponding to the user network slice identity information of the user terminal, the steps further include:
Receiving the second attach request information of the user terminal;
Sending the second attach request information to the network authentication entity, so that the network authentication entity generates the network slice authentication vector.
Specifically, the first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
Optionally, before obtaining from the network authentication entity the network slice authentication vector corresponding to the user network slice identity information of the user terminal, the steps further include:
Receiving the registration request information of the user terminal;
Generating user network slice identity information according to the registration request information;
Sending the user network slice identity information to the user terminal.
The registration request information carries the user subscription identity information of the user terminal and the network slice identity information.
Of course, this embodiment of the invention can also be implemented in the form of software modules. Specifically:
This embodiment of the invention provides a network slice functional entity device (which may be referred to in the invention as a network slice functional entity). The network slice functional entity device includes:
A receiving module, for receiving the network slice authentication vector sent by the network authentication function entity. The network slice authentication vector includes the parameters RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token).
An authentication module, for authenticating with the UE;
Of course, the receiving module can also be used to:
Receive the registration request message sent by the UE; the registration request information includes the UE's user subscription identity information IMSI and network slice identity information;
Further, the network slice functional entity device can also include:
A generation module, for generating user network slice identity information;
A sending module, for sending the user network slice identity information to the UE.
For the specific implementation of this embodiment of the invention, refer to embodiment one; details are not repeated here.
Embodiment four
As shown in Fig. 8, this embodiment of the invention provides a network authentication entity device. The device includes a second memory 80 and a second processor 82; the second memory 80 stores a computer program for network slice authentication for the device; the computer program is executed by the second processor 82 to perform the following steps:
Obtaining the attach request information of a user terminal;
Generating, according to the attach request information, the network slice authentication vector corresponding to the user network slice identity information of the user terminal;
Sending the network slice authentication vector to the network slice functional entity, so that the network slice functional entity authenticates with the user terminal according to the network slice authentication vector.
Optionally, the computer program is executed by the second processor to further perform the following steps:
Also generating, according to the attach request information, the mobile communication authentication vector corresponding to the user subscription identity information of the user terminal;
Sending the mobile communication authentication vector to the mobile communication network entity, so that the mobile communication network entity authenticates with the user terminal according to the mobile communication authentication vector.
The network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
The attach request information includes first attach request information and second attach request information;
Specifically, obtaining the attach request information of the user terminal comprises:
Receiving the first attach request information forwarded by the mobile communication network entity; or
Receiving the second attach request information sent by the user terminal.
The first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
The user network slice identity information of the user terminal includes user network slice identity information preconfigured in the user terminal, and includes user network slice identity information generated by the network slice functional entity according to the registration request information of the user terminal.
There are one or more items of user network slice identity information of the user terminal.
Of course, this embodiment of the invention can also be implemented in the form of software modules. Specifically:
This embodiment of the invention provides a network authentication function entity device (which may be referred to in this embodiment as a network authentication function entity). The network authentication function entity includes:
A receiving module, for receiving the attach request information sent by the mobile communication network entity. The attach request information includes the user subscription identity information and the user network slice identity information, or only the user network slice identity information.
A generation module, for generating the corresponding authentication vector information based on the user subscription identity information and the user network slice identity information;
A sending module, for sending authentication vectors to the mobile communication network entity and the network slice functional entity.
For the specific implementation of this embodiment of the invention, refer to embodiment one; details are not repeated here.
Embodiment five
This embodiment of the invention provides a network slice authentication system. The system comprises the network slice functional entity device according to any one of the implementations of embodiment 3, the network authentication entity device according to any one of the implementations of embodiment 4, and a mobile communication network entity;
The network entity, when it receives the attach request information of the user terminal, forwards the attach request information to the network authentication entity device; when it receives a mobile communication authentication vector, it authenticates with the user terminal according to the mobile communication authentication vector.
Embodiment six
This embodiment of the invention provides a computer-readable storage medium, characterized in that the medium stores a first computer program for network slice authentication for the network slice functional entity device, and/or stores a second computer program for network slice authentication for the network authentication entity device;
When the first computer program is executed by at least one processor, it implements the steps of the method according to any one of the implementations of embodiment one;
When the second computer program is executed by at least one processor, it implements the steps of the method according to any one of the implementations of embodiment 2.
The computer-readable storage medium in this embodiment of the invention can be RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, a register, a hard disk, a removable hard disk, a CD-ROM or any other form of storage medium known in the art. A storage medium can be coupled to the processor, so that the processor can read information from the storage medium and write information to the storage medium; or the storage medium can be a component of the processor. The processor and the storage medium can be located in an application-specific integrated circuit.
Although this application describes particular examples of the invention, those skilled in the art can design variants of the invention without departing from its general concept. Inspired by the technical concept of the invention, those skilled in the art can also make various improvements to the invention without departing from its content, and these still fall within the scope and spirit of the invention.
Claims (26)
1. A network slice authentication method, characterized in that the method comprises:
Obtaining, from a network authentication entity, the network slice authentication vector corresponding to the user network slice identity information of a user terminal;
Authenticating with the user terminal according to the network slice authentication vector.
2. The method according to claim 1, characterized in that the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
The authentication is Authentication and Key Agreement (AKA) authentication of the mobile communication network;
The network slice authentication vector is generated by the network authentication entity according to the first attach request information of the user terminal forwarded by a mobile communication network entity, or according to the second attach request information sent by the user terminal.
3. The method according to claim 2, characterized in that, before obtaining from the network authentication entity the network slice authentication vector corresponding to the user network slice identity information of the user terminal, the method further comprises:
Receiving the second attach request information of the user terminal;
Sending the second attach request information to the network authentication entity, so that the network authentication entity generates the network slice authentication vector.
4. The method according to claim 2, characterized in that the first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
5. The method according to any one of claims 1-4, characterized in that, before obtaining from the network authentication entity the network slice authentication vector corresponding to the user network slice identity information of the user terminal, the method further comprises:
Receiving the registration request information of the user terminal;
Generating user network slice identity information according to the registration request information;
Sending the user network slice identity information to the user terminal.
6. The method according to claim 5, characterized in that the registration request information carries the user subscription identity information of the user terminal and network slice identity information.
7. A network slice authentication method, characterized in that the method comprises:
Obtaining the attach request information of a user terminal;
Generating, according to the attach request information, the network slice authentication vector corresponding to the user network slice identity information of the user terminal;
Sending the network slice authentication vector to a network slice functional entity, so that the network slice functional entity authenticates with the user terminal according to the network slice authentication vector.
8. The method according to claim 7, characterized in that the method further comprises:
Also generating, according to the attach request information, the mobile communication authentication vector corresponding to the user subscription identity information of the user terminal;
Sending the mobile communication authentication vector to a mobile communication network entity, so that the mobile communication network entity authenticates with the user terminal according to the mobile communication authentication vector.
9. The method according to claim 8, characterized in that the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
The attach request information includes first attach request information and second attach request information; obtaining the attach request information of the user terminal comprises:
Receiving the first attach request information forwarded by the mobile communication network entity; or
Receiving the second attach request information sent by the user terminal.
10. The method according to claim 9, characterized in that the first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
11. The method according to claim 10, characterized in that the user network slice identity information of the user terminal includes user network slice identity information preconfigured in the user terminal, and includes user network slice identity information generated by the network slice functional entity according to the registration request information of the user terminal.
12. The method according to claim 10, characterized in that there are one or more items of user network slice identity information of the user terminal.
13. A network slice functional entity device, characterized in that the device includes a first memory and a first processor; the first memory stores a computer program for network slice authentication for the device; the computer program is executed by the first processor to perform the following steps:
Obtaining, from a network authentication entity, the network slice authentication vector corresponding to the user network slice identity information of a user terminal;
Authenticating with the user terminal according to the network slice authentication vector.
14. The device according to claim 13, characterized in that the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
The authentication is Authentication and Key Agreement (AKA) authentication of the mobile communication network;
The network slice authentication vector is generated by the network authentication entity according to the first attach request information of the user terminal forwarded by a mobile communication network entity, or according to the second attach request information sent by the user terminal.
15. The device according to claim 14, characterized in that, before obtaining from the network authentication entity the network slice authentication vector corresponding to the user network slice identity information of the user terminal, the steps further comprise:
Receiving the second attach request information of the user terminal;
Sending the second attach request information to the network authentication entity, so that the network authentication entity generates the network slice authentication vector.
16. The device according to claim 14, characterized in that the first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
17. The device according to any one of claims 13-16, characterized in that, before obtaining from the network authentication entity the network slice authentication vector corresponding to the user network slice identity information of the user terminal, the steps further comprise:
Receiving the registration request information of the user terminal;
Generating user network slice identity information according to the registration request information;
Sending the user network slice identity information to the user terminal.
18. The device according to claim 17, characterized in that the registration request information carries the user subscription identity information of the user terminal and network slice identity information.
19. A network authentication entity device, characterized in that the device includes a second memory and a second processor; the second memory stores a computer program for network slice authentication for the device; the computer program is executed by the second processor to perform the following steps:
Obtaining the attach request information of a user terminal;
Generating, according to the attach request information, the network slice authentication vector corresponding to the user network slice identity information of the user terminal;
Sending the network slice authentication vector to a network slice functional entity, so that the network slice functional entity authenticates with the user terminal according to the network slice authentication vector.
20. The device according to claim 19, characterized in that the computer program is executed by the second processor to further perform the following steps:
Also generating, according to the attach request information, the mobile communication authentication vector corresponding to the user subscription identity information of the user terminal;
Sending the mobile communication authentication vector to a mobile communication network entity, so that the mobile communication network entity authenticates with the user terminal according to the mobile communication authentication vector.
21. The device according to claim 20, characterized in that the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
The attach request information includes first attach request information and second attach request information; obtaining the attach request information of the user terminal comprises:
Receiving the first attach request information forwarded by the mobile communication network entity; or
Receiving the second attach request information sent by the user terminal.
22. The device according to claim 21, characterized in that the first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
23. The device according to claim 22, characterized in that the user network slice identity information of the user terminal includes user network slice identity information preconfigured in the user terminal, and includes user network slice identity information generated by the network slice functional entity according to the registration request information of the user terminal.
24. The device according to claim 22, characterized in that there are one or more items of user network slice identity information of the user terminal.
25. A network slice authentication system, the system comprising the network slice functional entity device according to any one of claims 13-18, the network authentication entity device according to any one of claims 19-24, and a mobile communication network entity;
The network entity, when it receives the attach request information of the user terminal, forwards the attach request information to the network authentication entity device; when it receives a mobile communication authentication vector, it authenticates with the user terminal according to the mobile communication authentication vector.
26. A computer-readable storage medium, characterized in that the medium stores a first computer program for network slice authentication for a network slice functional entity device, and/or stores a second computer program for network slice authentication for a network authentication entity device;
When the first computer program is executed by at least one processor, it implements the steps of the method according to any one of claims 1-6;
When the second computer program is executed by at least one processor, it implements the steps of the method according to any one of claims 7-12.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710469951.7A CN109104726A (en) | 2017-06-20 | 2017-06-20 | The authentication method and related device, system and medium of network slice |
PCT/CN2018/101337 WO2018233726A1 (en) | 2017-06-20 | 2018-08-20 | Network slice authentication method, corresponding apparatus and system, and medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710469951.7A CN109104726A (en) | 2017-06-20 | 2017-06-20 | The authentication method and related device, system and medium of network slice |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109104726A (en) | 2018-12-28 |
Family
ID=64735511
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710469951.7A Withdrawn CN109104726A (en) | 2017-06-20 | 2017-06-20 | The authentication method and related device, system and medium of network slice |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN109104726A (en) |
WO (1) | WO2018233726A1 (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101951590A (en) * | 2010-09-03 | 2011-01-19 | 中兴通讯股份有限公司 | Authentication method, device and system |
CN106375987A (en) * | 2015-07-22 | 2017-02-01 | 中兴通讯股份有限公司 | Method and system for selecting network slice |
CN106550410A (en) * | 2015-09-17 | 2017-03-29 | 华为技术有限公司 | A kind of communication control method and controller, user equipment, function example |
CN106572517A (en) * | 2015-10-09 | 2017-04-19 | ***通信集团公司 | Network slice processing method, access network selecting method and apparatus |
CN106713406A (en) * | 2015-11-18 | 2017-05-24 | ***通信集团公司 | Method and system for accessing to slice network |
CN106210042A (en) * | 2016-07-11 | 2016-12-07 | 清华大学 | A kind of user based on end to end network section services request selection method |
Non-Patent Citations (1)
Title |
---|
TECHNICAL SPECIFICATION GROUP SERVICES AND SYSTEM ASPECTS: ""Study on the security aspects of the next generation system"", 《3GPP TR 33.899 V0.4.1 RELEASE 14》 * |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112105015A (en) * | 2019-06-17 | 2020-12-18 | 华为技术有限公司 | Secondary authentication method and device |
CN112291784B (en) * | 2019-07-09 | 2022-04-05 | 华为技术有限公司 | Communication method and network element |
WO2021004444A1 (en) * | 2019-07-09 | 2021-01-14 | 华为技术有限公司 | Communication method and network element |
CN112291784A (en) * | 2019-07-09 | 2021-01-29 | 华为技术有限公司 | Communication method and network element |
WO2021026927A1 (en) * | 2019-08-15 | 2021-02-18 | 华为技术有限公司 | Communication method and related devices |
CN110768836B (en) * | 2019-10-28 | 2022-02-08 | 中国联合网络通信集团有限公司 | Network slice management method and device |
CN110768836A (en) * | 2019-10-28 | 2020-02-07 | 中国联合网络通信集团有限公司 | Network slice management method and device |
WO2021082558A1 (en) * | 2019-10-31 | 2021-05-06 | 华为技术有限公司 | Access control method for network slice, apparatus, and storage medium |
CN113596831A (en) * | 2020-04-14 | 2021-11-02 | 华为技术有限公司 | Communication method and communication equipment for identifying user equipment in slice authentication |
CN113596831B (en) * | 2020-04-14 | 2022-12-30 | 华为技术有限公司 | Communication method and communication equipment for identifying user equipment in slice authentication |
CN113784351A (en) * | 2020-06-10 | 2021-12-10 | 华为技术有限公司 | Slicing service verification method and device |
WO2021249325A1 (en) * | 2020-06-10 | 2021-12-16 | 华为技术有限公司 | Slice service verification method and apparatus |
CN113784351B (en) * | 2020-06-10 | 2024-03-01 | 华为技术有限公司 | Slice service verification method, entity and equipment |
Also Published As
Publication number | Publication date |
---|---|
WO2018233726A1 (en) | 2018-12-27 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
TA01 | Transfer of patent application right | Effective date of registration: 20191204. Address after: 518057 Nanshan District science and technology, Guangdong Province, South Road, No. 55, No. Applicant after: ZTE Communications Co., Ltd. Address before: 201203 No. 889 Bibo Road, Shanghai Pudong New Area Free Trade Pilot Area. Applicant before: Shanghai Zhongxing Software Co., Ltd. |
SE01 | Entry into force of request for substantive examination | ||
WW01 | Invention patent application withdrawn after publication | Application publication date: 20181228 |