CN117479158A - Equipment authorization method and device and network equipment - Google Patents


Info

Publication number
CN117479158A
Authority
CN
China
Prior art keywords
information
matching
authentication
network function
authorization
Prior art date
Legal status
Pending
Application number
CN202210868562.2A
Other languages
Chinese (zh)
Inventor
谢振华
Current Assignee
Vivo Mobile Communication Co Ltd
Original Assignee
Vivo Mobile Communication Co Ltd
Application filed by Vivo Mobile Communication Co Ltd
Priority to CN202210868562.2A
Priority to PCT/CN2023/107674 (published as WO2024017181A1)
Publication of CN117479158A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Abstract

The application discloses a device authorization method, an apparatus and a network-side device, which belong to the field of mobile communication. The device authorization method in the embodiment of the application comprises the following steps: the first device receives first information from a first network function; the first device initiates a first authentication procedure between a second network function and a second device in response to the first information, the first authentication procedure including authentication of the second device by the second network function.

Description

Equipment authorization method and device and network equipment
Technical Field
The application belongs to the technical field of mobile communication, and particularly relates to a device authorization method, a device and network side equipment.
Background
When an access device accesses the mobile network through a gateway device, the access device does not support non-access stratum (Non Access Stratum, NAS) signaling, so authentication of the access device is not accurate enough and other devices cannot be prevented from impersonating the access device to obtain some of its communication rights, which creates potential security hazards.
Disclosure of Invention
The embodiment of the application provides a device authorization method, a device and network side equipment, which can solve the problem that authentication of access equipment is not accurate enough.
In a first aspect, a device authorization method is provided, applied to a first device, and the method includes:
the first device receives first information from a first network function;
the first device initiates a first authentication procedure between a second network function and a second device in response to the first information, the first authentication procedure including authentication of the second device by the second network function.
In a second aspect, there is provided a device authorization apparatus comprising:
a transceiver module for receiving first information from a first network function;
an authentication module for initiating a first authentication procedure between a second network function and a second device in response to the first information, the first authentication procedure comprising authentication of the second device by the second network function.
In a third aspect, a device authorization method is provided, applied to a first device, and the method includes:
the first device receives first information from a first network function, the first information including first matching information;
the first device receives second information from a second network function, the second information being obtained based on a first authentication procedure for the second device, the second information comprising second matching information;
The first device performs at least one of:
matching the first matching information and the second matching information;
transmitting third information to the first network function;
wherein the third information is used to indicate at least one of:
authentication result information for the second device;
and matching result information of the first matching information and the second information.
In a fourth aspect, there is provided a device authorization apparatus comprising:
a transceiver module for receiving first information from a first network function, the first information comprising first matching information;
the transceiver module is further configured to receive second information from a second network function, where the second information is obtained based on a first authentication procedure for a second device, and the second information includes second matching information;
an authentication module for performing at least one of:
matching the first matching information and the second matching information;
transmitting third information to the first network function;
wherein the third information is used to indicate at least one of:
authentication result information for the second device;
and matching result information of the first matching information and the second information.
In a fifth aspect, a device authorization method is provided, applied to a first network function, the method comprising:
The first network function sends first information to the first device, the first information being used to indicate at least one of:
performing a first authentication procedure of the second network function with the second device;
matching the first information and the second information;
transmitting third information to the first network function;
wherein the second information is sent by the second network function based on a first authentication procedure for the second device, and the third information is used to indicate at least one of:
authentication result information for the second device;
and matching result information of the first information and the second information.
In a sixth aspect, there is provided a device authorization apparatus comprising:
the acquisition module is used for acquiring the first information;
a transmission module, configured to send the first information to a first device, where the first information is used to indicate at least one of:
performing a first authentication procedure of the second network function with the second device;
matching the first information and the second information;
transmitting third information to the device authorization apparatus;
wherein the second information is sent by the second network function based on a first authentication procedure for the second device, and the third information is used to indicate at least one of:
Authentication result information for the second device;
and matching result information of the first information and the second information.
In a seventh aspect, a device authorization method is provided, applied to a second network function, the method including:
the second network function performs a first authentication procedure with the second device;
the second network function sends second information to the first device according to the first authentication process;
wherein the second information includes at least one of:
an authentication success indication or an authentication failure indication;
and second matching information for matching the first matching information transmitted by the first device.
In an eighth aspect, there is provided a device authorization apparatus comprising:
an execution module for executing a first authentication procedure with a second device;
the sending module is used for sending second information to the first equipment according to the first authentication process;
wherein the second information includes at least one of:
an authentication success indication or an authentication failure indication;
and second matching information for matching the first matching information transmitted by the first device.
In a ninth aspect, a network side device is provided, the network side device comprising a processor and a memory storing a program or instructions executable on the processor, the program or instructions implementing the method according to the first aspect, or implementing the method according to the third aspect, or implementing the method according to the fifth aspect, or implementing the steps of the method according to the seventh aspect.
In a tenth aspect, there is provided a device authorization system comprising: a first device operable to perform the steps of the device authorisation method as described in the first or third aspect, a first network function operable to perform the steps of the device authorisation method as described in the fifth aspect, and a second network function operable to perform the steps of the device authorisation method as described in the seventh aspect.
In an eleventh aspect, there is provided a readable storage medium having stored thereon a program or instructions which when executed by a processor, performs the steps of the method according to the first aspect, or performs the steps of the method according to the third aspect, or performs the steps of the method according to the fifth aspect, or performs the steps of the method according to the seventh aspect.
In a twelfth aspect, there is provided a chip comprising a processor and a communication interface, the communication interface and the processor being coupled, the processor being configured to execute a program or instructions to implement the method according to the first aspect, or to implement the method according to the third aspect, or to implement the method according to the fifth aspect, or to implement the steps of the method according to the seventh aspect.
In a thirteenth aspect, there is provided a computer program/program product stored in a storage medium, the computer program/program product being executable by at least one processor to implement the device authorization method according to the first aspect, or to implement the device authorization method according to the third aspect, or to implement the device authorization method according to the fifth aspect, or to implement the steps of the device authorization method according to the seventh aspect.
In the embodiment of the application, first information is received from the first network function, and a first authentication procedure between the second network function and the second device is initiated in response to the first information, where the first authentication procedure comprises authentication of the second device by the second network function. That is, the first authentication procedure is triggered by the first device in response to the first information, so that authorization of the second device when it accesses the mobile network is realized.
Drawings
Fig. 1 is a schematic structural diagram of a wireless communication system to which embodiments of the present application are applicable;
fig. 2 is a schematic structural diagram of a device authorization system according to an embodiment of the present application;
fig. 3 is a schematic flow chart of a device authorization method according to an embodiment of the present application;
Fig. 4 is a schematic flow chart of another device authorization method provided in an embodiment of the present application;
fig. 5 is a signaling flow diagram of a device authorization method according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an apparatus authorization device according to an embodiment of the present application;
fig. 7 is a schematic flow chart of another device authorization method provided in an embodiment of the present application;
fig. 8 is a schematic structural diagram of another device authorization apparatus provided in an embodiment of the present application;
fig. 9 is a schematic flow chart of another device authorization method provided in an embodiment of the present application;
fig. 10 is a schematic structural diagram of another device authorization apparatus provided in an embodiment of the present application;
FIG. 11 is a flowchart of another method for device authorization according to an embodiment of the present application;
fig. 12 is a schematic structural diagram of another device authorization apparatus provided in an embodiment of the present application;
fig. 13 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 14 is a schematic structural diagram of a network side device for implementing an embodiment of the present application.
Detailed Description
Technical solutions in the embodiments of the present application will be clearly described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application are within the scope of the protection of the present application.
The terms first, second and the like in the description and in the claims, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the terms so used are interchangeable under appropriate circumstances such that the embodiments of the application are capable of operation in sequences other than those illustrated or otherwise described herein, and that the terms "first" and "second" are generally intended to be used in a generic sense and not to limit the number of objects, for example, the first object may be one or more. Furthermore, in the description and claims, "and/or" means at least one of the connected objects, and the character "/" generally means a relationship in which the associated object is an "or" before and after.
It is noted that the techniques described in embodiments of the present application are not limited to long term evolution (Long Term Evolution, LTE)/LTE evolution (LTE-Advanced, LTE-A) systems, but may also be used in other wireless communication systems, such as code division multiple access (Code Division Multiple Access, CDMA), time division multiple access (Time Division Multiple Access, TDMA), frequency division multiple access (Frequency Division Multiple Access, FDMA), orthogonal frequency division multiple access (Orthogonal Frequency Division Multiple Access, OFDMA), single carrier frequency division multiple access (Single-carrier Frequency Division Multiple Access, SC-FDMA), and other systems. The terms "system" and "network" in embodiments of the present application are often used interchangeably, and the techniques described may be used for both the above-mentioned systems and radio technologies, as well as other systems and radio technologies. The following description describes a New Radio (NR) system for purposes of example and uses NR terminology in much of the description that follows, but these techniques are also applicable to applications other than NR system applications, such as a 6th generation (6G) communication system.
Fig. 1 shows a block diagram of a wireless communication system to which embodiments of the present application are applicable. The wireless communication system includes a terminal (also referred to as User Equipment (UE)) 11 and a network-side device 12. The terminal 11 may be a mobile phone, a tablet (Tablet Personal Computer), a laptop (Laptop Computer, also called a notebook), a personal digital assistant (Personal Digital Assistant, PDA), a palmtop, a netbook, an ultra-mobile personal computer (Ultra-Mobile Personal Computer, UMPC), a mobile internet device (Mobile Internet Device, MID), an augmented reality (Augmented Reality, AR)/virtual reality (Virtual Reality, VR) device, a robot, a wearable device (Wearable Device), a vehicle-mounted device (VUE), a pedestrian terminal (PUE), a smart home device (a home device with a wireless communication function, such as a refrigerator, a television, a washing machine, or furniture), a game machine, a personal computer (Personal Computer, PC), a teller machine, or a self-service machine. The wearable device includes: a smart watch, smart bracelet, smart earphones, smart glasses, smart jewelry (smart bracelet, smart ring, smart necklace, smart anklet, smart foot chain, etc.), smart wristband, smart clothing, etc. Note that the specific type of the terminal 11 is not limited in the embodiment of the present application. The network-side device 12 may comprise an access network device or a core network device, where the access network device 12 may also be referred to as a radio access network device, a radio access network (Radio Access Network, RAN), a radio access network function or a radio access network element.
Access network device 12 may include a base station, a WLAN access point, a WiFi node, or the like, which may be referred to as a node B, an evolved node B (eNB), an access point, a base transceiver station (Base Transceiver Station, BTS), a radio base station, a radio transceiver, a basic service set (Basic Service Set, BSS), an extended service set (Extended Service Set, ESS), a home node B, a home evolved node B, a transmitting/receiving point (Transmitting Receiving Point, TRP), or some other suitable terminology in the art. The base station is not limited to a particular technical vocabulary so long as the same technical effect is achieved; in the embodiments of the present application, only a base station in an NR system is described as an example, and the specific type of the base station is not limited. The core network device may include, but is not limited to, at least one of: a core network node, a core network function, a mobility management entity (Mobility Management Entity, MME), an access and mobility management function (Access and Mobility Management Function, AMF), a session management function (Session Management Function, SMF), a user plane function (User Plane Function, UPF), a policy control function (Policy Control Function, PCF), a policy and charging rules function (Policy and Charging Rules Function, PCRF), an edge application server discovery function (Edge Application Server Discovery Function, EASDF), unified data management (Unified Data Management, UDM), a unified data repository (Unified Data Repository, UDR), a home subscriber server (Home Subscriber Server, HSS), a centralized network configuration (Centralized Network Configuration, CNC), a network repository function (Network Repository Function, NRF), a network exposure function (Network Exposure Function, NEF), a local NEF (Local NEF, or L-NEF), a binding support function (Binding Support Function, BSF), an application function (Application Function, AF), and the like. In the embodiment of the present application, only the core network device in the NR system is described as an example, and the specific type of the core network device is not limited.
The device authorization method, device and network side device provided in the embodiments of the present application are described in detail below with reference to the accompanying drawings through some embodiments and application scenarios thereof.
As shown in fig. 2 and 3, the embodiment of the present application provides a device authorization method, where the execution subject of the method is a first device, in other words, the method may be executed by software or hardware installed in the first device. The method further comprises the following steps.
S310, the first device receives first information from a first network function.
Authentication of a personal IoT element (PIN Element, PINE) 201 in a personal IoT network (Personal IoT Network, PIN) is realized through the mobile network. As shown in fig. 2, the PIN further comprises a PIN element with management capability (PIN Element with Management Capability, PEMC) 202 and a PIN element with gateway capability (PIN Element with Gateway Capability, PEGC) 203. The mobile network may include: a PIN management function (PIN Management Function, PINMF) 211 connected to the network where the access device is located, a session management function (Session Management Function, SMF) 212 in the mobile network, a network exposure function (Network Exposure Function, NEF), a policy control function (Policy Control Function, PCF) and a unified data management function (Unified Data Management, UDM) 213, or a third-party authentication function such as authentication, authorization and accounting (Authentication Authorization Accounting, AAA).
The first device may be a terminal, a network device or a network function; as shown in fig. 2, it may be the PEMC or the SMF. For simplicity, the first device is exemplified as the SMF in the following embodiments. Accordingly, in the following embodiments, the second device may be a PINE, the third device may be a PEMC, the fourth device may be a PEGC, the first network function may be a PINMF, NEF or PCF, and the second network function may be a UDM or AAA.
The first network function will send the first information to the first device after receiving a request message such as data forwarding or authentication of the second device from the third device and/or the fourth device.
The first information may include authentication indication information for indicating to perform a first authentication procedure of a second network function with the second device.
S320, the first device initiates a first authentication procedure between a second network function and a second device in response to the first information, the first authentication procedure including authentication of the second device by the second network function.
The first authentication procedure may be one-way or two-way. One-way authentication is authentication of the second device by the second network function; two-way authentication further includes authentication of the second network function by the second device. For simplicity, the following embodiments take one-way authentication as the example.
Optionally, as shown in fig. 4, after step S320, the method further includes:
s330, the first device receives second information from the second network function, the second information being obtained based on a first authentication procedure for a second device.
The second network function may send second information to the first device after completing the first authentication procedure for the second device, where the second information may include the authentication result of the first authentication procedure, specifically an authentication success indication or an authentication failure indication. Alternatively, the second network function may send second information including an authentication success indication to the first device only when the authentication result of the first authentication procedure is success, and send no second information when the result is failure; accordingly, the first device may determine that authentication of the second device has failed when no second information is received within a preset period of time.
S340, the first device performs at least one of the following:
matching the first information with the second information, and determining whether the second information and the first information correspond to the same device or not according to a matching result, namely, whether the first authentication process execution object is a second device or not;
Transmitting third information to the first network function;
wherein the third information is used to indicate at least one of:
the authentication result information of the second device may include, for example, an authentication success indication or an authentication failure indication;
and matching result information of the first information and the second information.
In one embodiment, after matching the first information with the second information, the first device sends third information to the first network function according to the matching result. If the matching result is that the first information and the second information match, that is, they correspond to the same device, the third information includes a matching success indication or an authentication success indication; accordingly, the first network function determines from the received third information that authorization of the second device has succeeded, and sends a response message indicating successful authentication or successful access to the second device through the third device and/or the fourth device. If the matching result is that the first information and the second information do not match, that is, they correspond to different devices, no third information is sent to the first network function; accordingly, the first network function may also determine that authorization of the second device has failed when no third information is received within a preset period of time.
The manner in which the first device matches the first information with the second information may vary, and in one embodiment, the first information includes first matching information, the second information includes second matching information, and matching the first information and the second information includes:
and matching the first matching information with the second matching information.
The first matching information and the second matching information may be set according to actual needs, and in one embodiment, the first matching information and the second matching information include at least one of the following information:
a media access control (Medium Access Control, MAC) address;
number information;
identification information, such as a device identification, PINEID, or UEID;
internet protocol (Internet Protocol, IP) address information;
other matching information such as tokens (token), preset matching strings, etc.
The first network function determines whether to realize the authorization of the second device according to the received third information, sends the authorization result to the third device and the fourth device through feedback information, and then sends the authorization result to the second device through the third device and the fourth device.
Based on the above embodiments, as shown in fig. 5, a specific signaling flow diagram is provided in the embodiment of the present application, and the device authorization method mainly includes the following steps.
A1. The PINE sends a relay request (pinerelay request) message to the pinem through PEGC and PEMC, where the relay request message may include a personal internet of things identifier (PINID) of the network where the PINE is located, a personal internet of things device identifier (PINEID) of the second device, a data filtering rule (Packet filters), a data network related identifier (DataNetworkspecific Identifier, DN-specific ID), and the like.
A2-a3.Pinmf sends first information to the SMF through the NEF and PCF, the first information may be carried by a Relay activation or deactivation request (Relay activation/Deactivate Request) message, the first information may include first matching information and authentication indication information, wherein the first matching information may be represented as authentication auxiliary information (Authentication Assistance Info), and in addition, the first information may further include: optional subscriber permanent identity (Subscription Permanent Identifier, SUPI) or general public subscriber identity (Generic Public Subscription Identifier, GPSI), terminal address (UE address), optional data network name (Data Network Name, DNN) or slice related information (such as single network slice selection assistance information (Single Network Slice Selection Assistance Information, S-NSSAI), network slice identity (Network Slicing Identifier, NSI)), PIN ID, inter-device Routing information (Device to Device Routing Information, D2D Routing Info), inter-device and inter-device Routing information (Device to Network Routing Information, D2N Routing Info), inter-device Routing information (Network to Network Routing Information, N2N Routing Info), downstream data process rules (Downlink Packet Filters, DL Packet filters), upstream data filtering rules (Uplink Packet filter, UL Packet filters), frame Routing information (Framed Route Info), quality of service reference (Quality of Service reference, qoS reference etc. The authentication assistance information may include: at least one of MAC address, number information, identification information, IP address, and other matching information.
A4. the SMF initiates a first authentication procedure between the UDM and the PINE or between the AAA and the PINE, e.g. the SMF performs authentication and authorization based on the EAP framework by sending an extensible authentication protocol request message (Extensible Authentication Protocol, EAP Identity Request) to the PINE. In case the authentication is successful, the AAA or UDM will send a second information to the SMF, which may include an authentication success indication and second matching information, which may include: at least one of MAC address, number information, identification information, IP address, and other matching information. The SMF matches the first matching information and the second matching information.
The A5-A6.SMF sends third information to the PINMF through PCF and NEF, wherein the third information comprises matching result information of the first matching information and the second matching information and is used for indicating whether the matching is successful or not. The third information may further include relay auxiliary information (Relay Assistance Info), specifically including information about the PINE, for example, a translated IPv6 address, a translated IPv4 address, and a PI port (port) range of the PINE.
A7-A8. The PINMF sends feedback information to the PEMC, PEGC and PINE indicating the request result.
As can be seen from the foregoing embodiments, in the embodiments of the present application, the first device receives first information from a first network function and, in response to the first information, initiates a first authentication procedure between a second network function and a second device, where the first authentication procedure includes authentication of the second device by the second network function, thereby implementing authorization of the second device when it accesses the mobile network.
The device authorization method provided by the embodiments of the present application may be executed by a device authorization apparatus. The device authorization apparatus provided in the embodiments of the present application is described below, taking as an example a device authorization apparatus that executes the device authorization method.
As shown in fig. 6, the apparatus authorization device includes: a transceiver module 601 and an authentication module 602.
The transceiver module 601 is configured to receive first information from a first network function; the authentication module 602 is configured to initiate a first authentication procedure between a second network function and a second device in response to the first information, where the first authentication procedure includes authentication of the second device by the second network function.
Optionally, the transceiver module 601 is further configured to receive second information from the second network function, where the second information is obtained based on a first authentication procedure for a second device;
the authentication module 602 is further configured to perform at least one of:
matching the first information and the second information;
transmitting third information to the first network function;
wherein the third information is used to indicate at least one of:
authentication result information for the second device;
and matching result information of the first information and the second information.
Optionally, the first information includes first matching information, the second information includes second matching information, and the authentication module 602 is configured to match the first matching information and the second matching information.
Optionally, the first information includes at least one of:
first matching information;
authentication indication information for indicating to perform a first authentication procedure of a second network function with the second device.
Optionally, the second information includes at least one of:
an authentication success indication or an authentication failure indication;
and second matching information.
Optionally, the first matching information and the second matching information include at least one of the following information:
a media access control address;
number information;
identification information;
internet protocol address information;
other matching information.
Optionally, the second network function is one of:
unified data management functions;
and a third party authentication function.
As can be seen from the foregoing embodiments, in the embodiments of the present application, the apparatus receives first information from a first network function and, in response to the first information, initiates a first authentication procedure between a second network function and a second device, where the first authentication procedure includes authentication of the second device by the second network function, thereby implementing authorization of the second device when it accesses the mobile network.
The device authorization apparatus in the embodiments of the present application may be an electronic device, for example an electronic device with an operating system, or may be a component in an electronic device, for example an integrated circuit or a chip. The electronic device may be a terminal or a device other than a terminal. By way of example, the terminal may include, but is not limited to, the types of terminal 11 listed above, and the other device may be a server, network attached storage (Network Attached Storage, NAS), etc.; the embodiments of the application are not specifically limited in this respect.
The device authorization apparatus provided in the embodiment of the present application can implement each process implemented by the embodiments of the methods of fig. 3 to 5, and achieve the same technical effects, so that repetition is avoided, and no further description is provided herein.
As shown in fig. 7, the embodiment of the present application provides a device authorization method whose execution subject is a first device; in other words, the method may be executed by software or hardware installed on the first device. The method includes the following steps.
S710, the first device receiving first information from a first network function, the first information comprising first matching information;
S720, the first device receives second information from a second network function, wherein the second information is obtained based on a first authentication procedure for the second device, and the second information comprises second matching information;
S730, the first device performs at least one of:
matching the first matching information and the second matching information;
transmitting third information to the first network function;
wherein the third information is used to indicate at least one of:
authentication result information for the second device;
and matching result information of the first matching information and the second information.
Optionally, the first information further includes authentication indication information for indicating to perform a first authentication procedure of a second network function with the second device.
Optionally, the second information further includes:
an authentication success indication or an authentication failure indication.
Optionally, the first matching information and the second matching information include at least one of the following information:
a media access control address;
number information;
identification information;
internet protocol address information;
other matching information.
Optionally, the second network function is one of:
a unified data management entity;
and a third party authentication function.
Steps S710 to S730 may implement the method embodiment of steps S330 to S340 shown in fig. 4 and obtain the same technical effects; the repeated description is omitted here.
As can be seen from the foregoing embodiments, in the embodiments of the present application, first information including first matching information is received from a first network function; second information including second matching information is received from a second network function; the first matching information and the second matching information are matched; and third information is sent to the first network function, so that authentication and authorization of the second device are realized when the second device accesses the mobile network.
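The SMF-side logic of steps A4 to A6 above, and equivalently steps S710 to S730 of fig. 7, can be illustrated end to end: the first device runs the first authentication procedure with the second network function, receives second information, binds the PINMF's request to the identity that actually authenticated by matching the two sets of matching information, and reports the authentication and matching results in third information. The following is an added example written for this page, not code from the patent or from any vendor implementation. The class and field names, the `SimulatedAAA` stand-in for the UDM/AAA, and all identities, MAC addresses, IP addresses and credentials are constructed assumptions; the EAP exchange is abstracted to a single credential check.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Kinds of matching information the text lists for first/second matching information.
MATCH_KEYS = ("mac", "number", "identifier", "ip")


@dataclass
class FirstInformation:
    """Carried by the PINMF (first network function) to the SMF (first device)."""
    pin_id: str
    matching: Dict[str, str]           # Authentication Assistance Info (first matching information)
    auth_required: bool = True         # authentication indication information
    supi: Optional[str] = None         # optional; not used by the matching step itself


@dataclass
class SecondInformation:
    """Returned by UDM/AAA (second network function) after the first authentication procedure."""
    auth_success: bool
    matching: Dict[str, str] = field(default_factory=dict)   # second matching information


@dataclass
class ThirdInformation:
    """Returned by the SMF to the PINMF: authentication result plus matching result."""
    auth_result: str                   # "success", "failure" or "skipped"
    match_result: str                  # "match", "mismatch" or "not_performed"
    mismatched_keys: Tuple[str, ...] = ()


class SimulatedAAA:
    """Hypothetical stand-in for the AAA/UDM. Maps the identity a PINE presents in EAP
    to its credential and to the attributes the AAA is authoritative for (constructed data)."""

    def __init__(self, registered: Dict[str, Dict[str, str]]):
        self.registered = registered

    def authenticate(self, eap_identity: str, credential: str) -> SecondInformation:
        entry = self.registered.get(eap_identity)
        if entry is None or entry["credential"] != credential:
            return SecondInformation(auth_success=False)
        return SecondInformation(True, {k: v for k, v in entry.items() if k in MATCH_KEYS})


def _canon(key: str, value: str) -> str:
    """Normalise before comparing so formatting differences (MAC separators, case)
    do not produce false mismatches."""
    v = value.strip().lower()
    return v.replace(":", "").replace("-", "") if key == "mac" else v


def match(first: Dict[str, str], second: Dict[str, str]) -> Tuple[str, Tuple[str, ...]]:
    """Compare every matching-information kind that both sides supplied.
    Design choice (assumption): if the two sides share no comparable kind, report a
    mismatch, so an authorisation is never granted on an empty comparison."""
    common = [k for k in MATCH_KEYS if k in first and k in second]
    if not common:
        return "mismatch", ()
    bad = tuple(k for k in common if _canon(k, first[k]) != _canon(k, second[k]))
    return ("match" if not bad else "mismatch"), bad


def smf_authorize(first: FirstInformation, aaa: SimulatedAAA,
                  eap_identity: str, credential: str) -> ThirdInformation:
    """SMF logic for steps A4-A6 / S710-S730: run the first authentication procedure,
    then bind the PINMF's request to the identity that actually authenticated."""
    if not first.auth_required:
        return ThirdInformation("skipped", "not_performed")
    second = aaa.authenticate(eap_identity, credential)
    if not second.auth_success:
        return ThirdInformation("failure", "not_performed")
    result, bad = match(first.matching, second.matching)
    return ThirdInformation("success", result, bad)


def run_scenarios() -> Dict[str, ThirdInformation]:
    """Three constructed cases: the expected PINE, an authenticated PINE that is not
    the one the PINMF asked about, and a PINE that fails authentication."""
    aaa = SimulatedAAA({
        "pine-01@pin.example": {"credential": "secret-01", "mac": "AA:BB:CC:00:11:22", "ip": "10.0.0.7"},
        "pine-02@pin.example": {"credential": "secret-02", "mac": "AA:BB:CC:00:11:23", "ip": "10.0.0.8"},
    })
    request = FirstInformation("pin-A", {"mac": "aa-bb-cc-00-11-22", "identifier": "pine-01"})
    return {
        "expected_device": smf_authorize(request, aaa, "pine-01@pin.example", "secret-01"),
        "wrong_device": smf_authorize(request, aaa, "pine-02@pin.example", "secret-02"),
        "bad_credential": smf_authorize(request, aaa, "pine-01@pin.example", "wrong"),
    }


if __name__ == "__main__":
    for name, third in run_scenarios().items():
        print(f"{name:16s} auth={third.auth_result:8s} match={third.match_result} {third.mismatched_keys}")
```

The second scenario is the one the matching step exists for: a device that holds valid credentials still receives a mismatch result because the attributes the AAA vouches for do not agree with the authentication assistance information the PINMF supplied, so a successful authentication alone does not authorize it. Only kinds of matching information present on both sides are compared (the `identifier` in the request is not checked here because the simulated AAA does not return one), which is why a deployment should ensure at least one kind is reliably available from both the PINMF and the AAA.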
The device authorization method provided by the embodiments of the present application may be executed by a device authorization apparatus. The device authorization apparatus provided in the embodiments of the present application is described below, taking as an example a device authorization apparatus that executes the device authorization method.
As shown in fig. 8, the apparatus authorizing device includes: a transceiver module 801 and an authentication module 802.
The transceiver module 801 is configured to receive first information from a first network function, where the first information includes first matching information; the transceiver module 801 is further configured to receive second information from a second network function, where the second information is obtained based on a first authentication procedure for a second device, and the second information includes second matching information; the authentication module 802 is configured to perform at least one of:
matching the first matching information and the second matching information;
transmitting third information to the first network function;
wherein the third information is used to indicate at least one of:
authentication result information for the second device;
and matching result information of the first matching information and the second information.
Optionally, the first information further includes authentication indication information for indicating to perform a first authentication procedure of a second network function with the second device.
Optionally, the second information further includes:
an authentication success indication or an authentication failure indication.
Optionally, the first matching information and the second matching information include at least one of the following information:
a media access control address;
number information;
identification information;
internet protocol address information;
other matching information.
Optionally, the second network function is one of:
a unified data management entity;
and a third party authentication function.
As can be seen from the foregoing embodiments, in the embodiments of the present application, first information including first matching information is received from a first network function; second information including second matching information is received from a second network function; the first matching information and the second matching information are matched; and third information is sent to the first network function, so that authentication and authorization of the second device are realized when the second device accesses the mobile network.
The device authorization apparatus in the embodiments of the present application may be an electronic device, for example an electronic device with an operating system, or may be a component in an electronic device, for example an integrated circuit or a chip. The electronic device may be a terminal or a device other than a terminal. By way of example, the terminal may include, but is not limited to, the types of terminal 11 listed above, and the other device may be a server, network attached storage (Network Attached Storage, NAS), etc.; the embodiments of the application are not specifically limited in this respect.
The device authorization apparatus provided in the embodiment of the present application can implement each process implemented by the method embodiment of fig. 7, and achieve the same technical effects, so that repetition is avoided, and details are not repeated here.
As shown in fig. 9, the embodiment of the present application provides a device authorization method whose execution subject is a first network function; in other words, the method may be executed by software or hardware installed in the first network function. The method includes the following steps.
S910, the first network function sends first information to the first device, where the first information is used to indicate at least one of the following:
performing a first authentication procedure of the second network function with the second device;
matching the first information and the second information;
transmitting third information to the first network function;
wherein the second information is sent by the second network function based on a first authentication procedure for the second device, and the third information is used to indicate at least one of:
authentication result information for the second device;
and matching result information of the first information and the second information.
Optionally, the first information includes at least one of:
first matching information;
Authentication indication information for indicating to perform a first authentication procedure of a second network function with the second device.
Optionally, the first matching information includes at least one of the following information:
a media access control address;
number information;
identification information;
internet protocol address information;
other matching information.
Optionally, the second network function is one of:
a unified data management entity;
and a third party authentication function.
Step S910 may implement the method embodiments shown in fig. 3 and fig. 4 and obtain the same technical effects; the repeated description is omitted here.
As can be seen from the technical solutions of the foregoing embodiments, in embodiments of the present application, first information is sent to a first device, where the first information is used to indicate at least one of the following: performing a first authentication procedure of the second network function with the second device; matching the first information and the second information; and sending third information to the first network function so as to realize authentication and authorization of the second device when the second device accesses the mobile network.
The device authorization method provided by the embodiments of the present application may be executed by a device authorization apparatus. The device authorization apparatus provided in the embodiments of the present application is described below, taking as an example a device authorization apparatus that executes the device authorization method.
As shown in fig. 10, the apparatus authorization device includes: an acquisition module 1001 and a transmission module 1002.
The acquiring module 1001 is configured to acquire first information; the transmission module 1002 is configured to send the first information to a first device, where the first information is used to indicate at least one of:
performing a first authentication procedure of the second network function with the second device;
matching the first information and the second information;
transmitting third information to the device authorization apparatus;
wherein the second information is sent by the second network function based on a first authentication procedure for the second device, and the third information is used to indicate at least one of:
authentication result information for the second device;
and matching result information of the first information and the second information.
Optionally, the first information includes at least one of:
first matching information;
authentication indication information for indicating to perform a first authentication procedure of a second network function with the second device.
Optionally, the first matching information includes at least one of the following information:
a media access control address;
number information;
identification information;
internet protocol address information;
other matching information.
Optionally, the second network function is one of:
a unified data management entity;
and a third party authentication function.
As can be seen from the technical solutions of the foregoing embodiments, in embodiments of the present application, first information is sent to a first device, where the first information is used to indicate at least one of the following: performing a first authentication procedure of the second network function with the second device; matching the first information and the second information; and sending third information to the first network function so as to realize authentication and authorization of the second device when the second device accesses the mobile network.
The device authorization apparatus in the embodiments of the present application may be an electronic device, for example an electronic device with an operating system, or may be a component in an electronic device, for example an integrated circuit or a chip. The electronic device may be a terminal or a device other than a terminal. By way of example, the terminal may include, but is not limited to, the types of terminal 11 listed above, and the other device may be a server, network attached storage (Network Attached Storage, NAS), etc.; the embodiments of the application are not specifically limited in this respect.
The device authorization apparatus provided in this embodiment of the present application can implement each process implemented by the method embodiment of fig. 9, and achieve the same technical effects, so that repetition is avoided, and details are not repeated here.
As shown in fig. 11, the embodiment of the present application provides a device authorization method whose execution subject is the second network function; in other words, the method may be executed by software or hardware installed in the second network function. The method includes the following steps.
S1110, the second network function performs a first authentication procedure with the second device;
S1120, the second network function sends second information to the first device according to the first authentication procedure;
wherein the second information includes at least one of:
an authentication success indication or an authentication failure indication;
and second matching information for matching the first matching information transmitted by the first device.
Optionally, the first authentication procedure is initiated by the first device.
Optionally, the first matching information and the second matching information include at least one of the following information:
a media access control address;
number information;
identification information;
internet protocol address information;
other matching information.
Optionally, the second network function is one of:
a unified data management entity;
and a third party authentication function.
Steps S1110 to S1120 may implement the method embodiment shown in fig. 3 or fig. 4 and obtain the same technical effects; the repeated description is omitted here.
As can be seen from the foregoing embodiments, in the embodiments of the present application, a first authentication procedure is performed with a second device, and second information is sent to the first device according to the first authentication procedure; the second information includes at least one of: an authentication success indication or an authentication failure indication; and second matching information for matching the first matching information sent by the first device, so that authentication and authorization of the second device are realized when the second device accesses the mobile network.
The device authorization method provided by the embodiments of the present application may be executed by a device authorization apparatus. The device authorization apparatus provided in the embodiments of the present application is described below, taking as an example a device authorization apparatus that executes the device authorization method.
As shown in fig. 12, the apparatus authorizing device includes: an execution module 1201 and a transmission module 1202.
The execution module 1201 is configured to perform a first authentication procedure with a second device; the sending module 1202 is configured to send second information to a first device according to the first authentication procedure;
wherein the second information includes at least one of:
an authentication success indication or an authentication failure indication;
and second matching information for matching the first matching information transmitted by the first device.
Optionally, the first authentication procedure is initiated by the first device.
Optionally, the first matching information and the second matching information include at least one of the following information:
a media access control address;
number information;
identification information;
internet protocol address information;
other matching information.
Optionally, the second network function is one of:
a unified data management entity;
and a third party authentication function.
As can be seen from the foregoing embodiments, in the embodiments of the present application, a first authentication procedure is performed with a second device, and second information is sent to the first device according to the first authentication procedure; the second information includes at least one of: an authentication success indication or an authentication failure indication; and second matching information for matching the first matching information sent by the first device, so that authentication and authorization of the second device are realized when the second device accesses the mobile network.
The device authorization apparatus in the embodiments of the present application may be an electronic device, for example an electronic device with an operating system, or may be a component in an electronic device, for example an integrated circuit or a chip. The electronic device may be a terminal or a device other than a terminal. By way of example, the terminal may include, but is not limited to, the types of terminal 11 listed above, and the other device may be a server, network attached storage (Network Attached Storage, NAS), etc.; the embodiments of the application are not specifically limited in this respect.
The device authorization apparatus provided in this embodiment of the present application can implement each process implemented by the method embodiment of fig. 11, and achieve the same technical effects, so that repetition is avoided, and details are not repeated here.
Optionally, as shown in fig. 13, the embodiment of the present application further provides a communication device 1300 including a processor 1301 and a memory 1302, where the memory 1302 stores a program or instructions executable on the processor 1301. For example, when the communication device 1300 is a terminal, the program or instructions, when executed by the processor 1301, implement the steps of the device authorization method embodiment described above and achieve the same technical effects. When the communication device 1300 is a network side device, the program or instructions, when executed by the processor 1301, likewise implement the steps of the above device authorization method embodiment and achieve the same technical effects; the repeated description is omitted here.
Specifically, the embodiment of the application also provides network side equipment. As shown in fig. 14, the network side device 1400 includes: a processor 1401, a network interface 1402 and a memory 1403. The network interface 1402 is, for example, a common public radio interface (common public radio interface, CPRI).
Specifically, the network side device 1400 of the embodiment of the present application further includes instructions or a program stored in the memory 1403 and executable on the processor 1401; the processor 1401 invokes the instructions or program in the memory 1403 to perform the methods performed by the modules shown in fig. 6, 8, 10 or 12 and achieve the same technical effects; the repeated description is omitted here.
The embodiment of the present application further provides a readable storage medium, where the readable storage medium may be non-transient or non-volatile, and a program or an instruction is stored on the readable storage medium, where the program or the instruction implements each process of the above device authorization method embodiment when executed by a processor, and the process may achieve the same technical effect, so that repetition is avoided and no further description is given here.
The processor is the processor in the terminal described in the above embodiment. The readable storage medium includes a computer readable storage medium such as a computer read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, etc.
The embodiment of the application further provides a chip, the chip includes a processor and a communication interface, the communication interface is coupled with the processor, the processor is used for running a program or an instruction, implementing each process of the above device authorization method embodiment, and achieving the same technical effect, so as to avoid repetition, and no redundant description is provided herein.
It should be understood that the chip referred to in the embodiments of the present application may also be referred to as a system-on-chip, or the like.
The embodiments of the present application further provide a computer program/program product, where the computer program/program product is stored in a storage medium, and the computer program/program product is executed by at least one processor to implement each process of the above device authorization method embodiment, and achieve the same technical effects, so that repetition is avoided, and details are not repeated herein.
The embodiment of the application also provides a device authorization system, which comprises: a first device operable to perform the steps of the device authorization method as described above, a first network function operable to perform the steps of the device authorization method as described above, and a second network function operable to perform the steps of the device authorization method as described above.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element. Furthermore, it should be noted that the scope of the methods and apparatus in the embodiments of the present application is not limited to performing the functions in the order shown or discussed, but may also include performing the functions in a substantially simultaneous manner or in an opposite order depending on the functions involved, e.g., the described methods may be performed in an order different from that described, and various steps may also be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solutions of the present application may be embodied essentially or in a part contributing to the prior art in the form of a computer software product stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk), comprising several instructions for causing a terminal (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method described in the embodiments of the present application.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the above-described embodiments, which are merely illustrative and not restrictive, and many forms may be made by those of ordinary skill in the art without departing from the spirit of the present application and the scope of the claims, which are also within the protection of the present application.

Claims (26)

1. A method of device authorization, comprising:
the first device receives first information from a first network function;
the first device initiates a first authentication procedure between a second network function and a second device in response to the first information, the first authentication procedure including authentication of the second device by the second network function.
2. The method according to claim 1, wherein the method further comprises:
the first device receiving second information from the second network function, the second information being derived based on a first authentication procedure for the second device;
the first device performs at least one of:
matching the first information and the second information;
transmitting third information to the first network function;
wherein the third information is used to indicate at least one of:
authentication result information for the second device;
and matching result information of the first information and the second information.
3. The method of claim 2, wherein the first information comprises first matching information and the second information comprises second matching information, the matching the first information and the second information comprising:
and matching the first matching information with the second matching information.
4. The method of claim 2, wherein the first information comprises at least one of:
first matching information;
authentication instruction information for instructing to perform a first authentication procedure of the second network function and the second device.
5. The method of claim 2, the second information comprising at least one of:
an authentication success indication or an authentication failure indication;
and second matching information.
6. A method according to claim 3, wherein the first and second matching information comprises at least one of:
a media access control address;
number information;
identification information;
internet protocol address information;
other matching information.
7. The method of claim 1, wherein the second network function is one of:
unified data management functions;
and a third party authentication function.
8. A device authorization apparatus, comprising:
a transceiver module for receiving first information from a first network function;
an authentication module for initiating a first authentication procedure between a second network function and a second device in response to the first information, the first authentication procedure comprising authentication of the second device by the second network function.
9. A method of device authorization, comprising:
the first device receives first information from a first network function, the first information including first matching information;
the first device receives second information from a second network function, the second information being obtained based on a first authentication procedure for the second device, the second information comprising second matching information;
the first device performs at least one of:
matching the first matching information and the second matching information;
transmitting third information to the first network function;
wherein the third information is used to indicate at least one of:
authentication result information for the second device;
and matching result information of the first matching information and the second information.
10. The method of claim 9, wherein the first information further comprises authentication indication information for indicating to perform a first authentication procedure of a second network function with the second device.
11. The method of claim 9, wherein the second information further comprises:
an authentication success indication or an authentication failure indication.
12. The method of any of claims 9, wherein the first matching information and the second matching information comprise at least one of:
a media access control address;
number information;
identification information;
internet protocol address information;
other matching information.
13. The method of claim 9, wherein the second network function is one of:
a unified data management entity;
and a third party authentication function.
14. A device authorization apparatus, comprising:
a transceiver module for receiving first information from a first network function, the first information comprising first matching information;
the transceiver module is further configured to receive second information from a second network function, where the second information is obtained based on a first authentication procedure for a second device, and the second information includes second matching information;
an authentication module for performing at least one of:
matching the first matching information and the second matching information;
transmitting third information to the first network function;
wherein the third information is used to indicate at least one of:
authentication result information for the second device;
and matching result information of the first matching information and the second information.
15. A method of device authorization, comprising:
the first network function sends first information to the first device, the first information being used to indicate at least one of:
performing a first authentication procedure of the second network function with the second device;
matching the first information and the second information;
transmitting third information to the first network function;
wherein the second information is sent by the second network function based on a first authentication procedure for the second device, and the third information is used to indicate at least one of:
authentication result information for the second device;
and matching result information of the first information and the second information.
16. The method of claim 15, wherein the first information comprises at least one of:
first matching information;
authentication indication information for indicating to perform a first authentication procedure of a second network function with the second device.
17. The method of claim 16, wherein the first matching information comprises at least one of:
a media access control address;
number information;
identification information;
internet protocol address information;
other matching information.
18. The method of claim 15, wherein the second network function is one of:
a unified data management entity;
and a third party authentication function.
19. A device authorization apparatus, comprising:
an acquisition module for acquiring first information;
a transmission module, configured to send the first information to a first device, where the first information is used to indicate at least one of:
performing a first authentication procedure of the second network function with the second device;
matching the first information and the second information;
transmitting third information to the device authorization apparatus;
wherein the second information is sent by the second network function based on a first authentication procedure for the second device, and the third information is used to indicate at least one of:
authentication result information for the second device;
and matching result information of the first information and the second information.
20. A method of device authorization, comprising:
the second network function performs a first authentication procedure with the second device;
the second network function sends second information to the first device according to the first authentication process;
wherein the second information includes at least one of:
an authentication success indication or an authentication failure indication;
and second matching information for matching the first matching information transmitted by the first device.
21. The method of claim 20, wherein the first authentication process is initiated by the first device.
22. The method of claim 20, wherein the first matching information and the second matching information comprise at least one of:
a media access control address;
number information;
identification information;
internet protocol address information;
other matching information.
23. The method of claim 20, wherein the second network function is one of:
a unified data management entity;
and a third party authentication function.
24. A device authorization apparatus, comprising:
an execution module for executing a first authentication procedure with a second device;
a sending module for sending second information to the first device according to the first authentication procedure;
wherein the second information includes at least one of:
an authentication success indication or an authentication failure indication;
and second matching information for matching the first matching information transmitted by the first device.
25. A network side device comprising a processor and a memory storing a program or instructions executable on the processor, the program or instructions implementing the device authorization method of any one of claims 1 to 7, or the device authorization method of any one of claims 9 to 13, or the device authorization method of any one of claims 15 to 18, or the steps of the device authorization method of any one of claims 20 to 23, when executed by the processor.
26. A readable storage medium, characterized in that the readable storage medium has stored thereon a program or instructions which, when executed by a processor, implement the device authorization method of any one of claims 1 to 7, or implement the device authorization method of any one of claims 9 to 13, or implement the device authorization method of any one of claims 15 to 18, or implement the steps of the device authorization method of any one of claims 20 to 23.
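To make the three-party flow in claims 9, 15 and 20 concrete, here is an added simulation written for this page; it is not the patent's own text or code, and the field names, the normalisation of MAC addresses, the rule that every field present on both sides must agree (with no overlap treated as a mismatch, so an empty second matching information can never pass), and the final `authorized` flag are all assumptions. The credential check inside the second network function is reduced to a boolean because the claims do not describe it; the point of the example is how the first matching information, the second information and the third information are assembled and compared.

```python
"""Constructed simulation of the device-authorization exchange in the claims:
a first network function hands the first device first matching information,
a second network function authenticates the second device and returns second
information, and the first device matches the two before reporting third
information back. Names, values and the matching rule are assumptions."""

from dataclasses import dataclass
from typing import Dict, Optional

AUTH_SUCCESS = "authentication_success"
AUTH_FAILURE = "authentication_failure"


@dataclass(frozen=True)
class MatchingInfo:
    """Matching information as listed in the claims: MAC address, number,
    identification information and IP address. A None field is simply
    absent from this side's information."""
    mac: Optional[str] = None
    number: Optional[str] = None
    identifier: Optional[str] = None
    ip: Optional[str] = None

    def present(self) -> Dict[str, str]:
        """Populated fields only, normalised so that formatting differences
        (MAC case or separator) do not produce spurious mismatches."""
        out: Dict[str, str] = {}
        if self.mac is not None:
            out["mac"] = self.mac.lower().replace("-", ":")
        if self.number is not None:
            out["number"] = self.number.strip()
        if self.identifier is not None:
            out["identifier"] = self.identifier.strip()
        if self.ip is not None:
            out["ip"] = self.ip.strip()
        return out


def match(first: MatchingInfo, second: MatchingInfo) -> bool:
    """Assumed matching rule: every field present on both sides must agree,
    and at least one field must be present on both sides. No overlap is a
    mismatch, so a second matching information with nothing in common with
    the first can never be reported as matching."""
    a, b = first.present(), second.present()
    common = a.keys() & b.keys()
    if not common:
        return False
    return all(a[k] == b[k] for k in common)


def first_nf_build_first_info(matching: MatchingInfo, request_auth: bool = True) -> dict:
    """First network function -> first device (claims 15, 16): first matching
    information plus an authentication indication."""
    return {
        "first_matching_information": matching,
        "authentication_indication": request_auth,
    }


def second_nf_authenticate(credential_valid: bool, observed: MatchingInfo) -> dict:
    """Second network function -> first device (claim 20): the outcome of the
    first authentication procedure and the second matching information the
    second network function learned about the second device. The credential
    check is a constructed boolean; the claims do not describe it."""
    return {
        "result": AUTH_SUCCESS if credential_valid else AUTH_FAILURE,
        "second_matching_information": observed if credential_valid else None,
    }


def first_device_process(first_info: dict, second_info: dict) -> dict:
    """First device (claim 9): match the two sets of matching information and
    build the third information for the first network function. Matching is
    only attempted when authentication succeeded and second matching
    information was supplied; 'authorized' is an assumed summary flag."""
    auth_ok = second_info["result"] == AUTH_SUCCESS
    second = second_info.get("second_matching_information")
    matched: Optional[bool] = None
    if auth_ok and second is not None:
        matched = match(first_info["first_matching_information"], second)
    return {
        "authentication_result": second_info["result"],
        "matching_result": matched,
        "authorized": bool(auth_ok and matched),
    }


if __name__ == "__main__":
    # Constructed sample values: the second device presents a MAC that differs
    # only in formatting from the one the first network function supplied.
    first_info = first_nf_build_first_info(
        MatchingInfo(mac="AA-BB-CC-DD-EE-FF", identifier="device-2"))
    second_info = second_nf_authenticate(
        True, MatchingInfo(mac="aa:bb:cc:dd:ee:ff", ip="10.0.0.5"))
    print(first_device_process(first_info, second_info))
```

Only the fields that both sides actually carry are compared, which is what lets a first matching information built from one attribute (say, a MAC) be checked against a second matching information that reports a different subset; a mismatch on any shared field, or an authentication failure, yields a third information whose matching result and authorization are negative.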
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210868562.2A CN117479158A (en) 2022-07-22 2022-07-22 Equipment authorization method and device and network equipment
PCT/CN2023/107674 WO2024017181A1 (en) 2022-07-22 2023-07-17 Device authorization method and apparatus, and network-side device

Publications (1)

Publication Number Publication Date
CN117479158A true CN117479158A (en) 2024-01-30

Family

ID=89617145

Also Published As

Publication number Publication date
WO2024017181A1 (en) 2024-01-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination