WO2018233726A1 - Network slice authentication method, corresponding apparatus and system, and medium - Google Patents


Info

Publication number
WO2018233726A1
Authority
WO
WIPO (PCT)
Prior art keywords
network slice
authentication
user terminal
user
network
Prior art date
Application number
PCT/CN2018/101337
Other languages
French (fr)
Chinese (zh)
Inventor
余万涛
Original Assignee
上海中兴软件有限责任公司
Priority date
Filing date
Publication date
Application filed by 上海中兴软件有限责任公司
Publication of WO2018233726A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06 Authentication

Definitions

  • the present disclosure relates to, but is not limited to, the field of mobile communications.
  • NFV Network Function Virtualization
  • in the attach procedure of existing mobile networks, authentication is performed with AKA (Authentication and Key Agreement), and once attached the UE directly accesses the services provided by the core network.
  • AKA Authentication and Key Agreement
  • once network slices are introduced, the UE must additionally access a network slice to receive the services provided through it. Because network slices are deployed dynamically, the AKA authentication of the attach procedure cannot meet the authentication requirements for UE access to a network slice.
  • the present disclosure provides a method for authenticating a network slice, including: acquiring, from a network authentication entity, a network slice authentication vector corresponding to the user network slice identity information of a user terminal; and performing authentication with the user terminal according to the network slice authentication vector.
  • the present disclosure provides a method for authenticating a network slice, including: acquiring attach request information of a user terminal; generating, according to the attach request information, a network slice authentication vector corresponding to the user network slice identity information of the user terminal; and sending the network slice authentication vector to the network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.
  • the present disclosure provides a network slice function entity device including a first memory and a first processor; the first memory stores a computer program for network slice authentication by the network slice function entity device; when the computer program is executed by the first processor, the following steps are performed: acquiring, from a network authentication entity, a network slice authentication vector corresponding to the user network slice identity information of the user terminal; and performing authentication with the user terminal according to the network slice authentication vector.
  • the present disclosure provides a network authentication entity device including a second memory and a second processor; the second memory stores a computer program for network slice authentication by the network authentication entity device; when the program is executed by the second processor, the following steps are performed: acquiring the attach request information of the user terminal; generating, according to the attach request information, a network slice authentication vector corresponding to the user network slice identity information of the user terminal; and sending the network slice authentication vector to the network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.
  • the present disclosure provides an authentication system for a network slice, comprising any of the network slice function entity devices described herein, any of the network authentication entity devices described herein, and a mobile communication network entity; the mobile communication network entity receives the attach request information of the user terminal, forwards the attach request information to the network authentication entity device, and, when it receives a mobile communication authentication vector, performs authentication with the user terminal according to the mobile communication authentication vector.
  • the present disclosure provides a computer readable storage medium storing a first computer program for network slice authentication by a network slice function entity device and/or a second computer program for network slice authentication by a network authentication entity device; when the first computer program is executed by at least one processor, the steps of any of the methods described herein for a network slice function entity device are implemented; when the second computer program is executed by at least one processor, the steps of any of the methods described herein for a network authentication entity device are implemented.
  • FIG. 1 is a flowchart of a method for authenticating a network slice in an embodiment of the present disclosure.
  • FIG. 2 is an interaction diagram of a UE attaching to a network and a network slice in an embodiment of the present disclosure.
  • FIG. 3 is an interaction diagram of another procedure in which a UE attaches to a network and a network slice in an embodiment of the present disclosure.
  • FIG. 4 is an interaction diagram of a UE attaching to a network slice according to a user selection in an embodiment of the present disclosure.
  • FIG. 5 is an interaction diagram of a UE registering with a network slice in an embodiment of the present disclosure.
  • FIG. 6 is a flowchart of a method for authenticating a network slice in an embodiment of the present disclosure.
  • FIG. 7 is a schematic structural diagram of a network slice function entity device in an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of a network authentication entity device in an embodiment of the present disclosure.
  • the present disclosure provides a method for authenticating a network slice and corresponding devices, systems, and media.
  • the present disclosure will be further described in detail below in conjunction with the accompanying drawings and embodiments. It is to be understood that the specific embodiments described herein are merely illustrative of the disclosure,
  • the 5G (Fifth Generation Mobile Communication Technology) network architecture will introduce new IT technologies such as Network Function Virtualization (NFV).
  • in a 3G/4G network, the protection of functional network elements depends largely on the security isolation of physical devices.
  • with NFV, some functional network elements are deployed on cloud infrastructure in the form of virtual function network elements.
  • a virtual core network constructed according to network service requirements is called a network slice; a network slice forms a virtual core network that provides mobile network access service to a specific group of user terminals (UEs).
  • a typical network slice includes a set of virtualized core network functions, such as a slice control plane unit, which is mainly responsible for slice mobility, session management, and authentication-related functions.
  • the slice user plane unit mainly provides users with the slice's user-plane resources.
  • the slice policy control unit is responsible for user policy functions, and the slice charging unit is responsible for user charging functions.
  • the functions of a network slice are determined by the operator according to requirements and the operator's policy. For example, some network slices may include a dedicated forwarding plane in addition to control plane functions, while others may include only some basic control plane functions and share the other core network functions with other network slices. Network slices may be created, modified, or deleted as required. A UE may also receive services from different network slices simultaneously.
  • the present disclosure particularly provides authentication methods and corresponding apparatus, systems, and media for network slicing that substantially obviate one or more of the problems due to the limitations and disadvantages of the related techniques.
  • FIG. 1 is a flowchart of a method for authenticating a network slice in an embodiment of the present disclosure. As shown in FIG. 1, in some embodiments, the authentication method of the network slice may include the following steps S101 and S102.
  • in step S101, a network slice authentication vector corresponding to the user network slice identity information SID (Slice Identification) of the user terminal UE is acquired from the network authentication entity; in step S102, authentication is performed with the user terminal according to the network slice authentication vector.
  • SID Slice Identification
  • the network authentication entity may be a Home Subscriber Server (HSS).
  • HSS Home Subscriber Server
  • the method in the embodiments of the present disclosure is for a network slice function entity.
  • the embodiment of the present disclosure acquires, from the network authentication entity, a network slice authentication vector corresponding to the user network slice identity information of the user terminal UE, and then performs authentication with the user terminal according to that vector. In a mobile communication system that introduces network slices (for example, 5G), after the UE attaches to the mobile communication network and further accesses a network slice to receive the service it provides, this accommodates the dynamic deployment of network slices, so that the attach procedure satisfies the authentication requirements for UE access to the network slice.
  • the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key, and an authentication token.
  • the authentication is AKA (authentication and key agreement protocol) authentication of the mobile communication network.
  • the network slice authentication vector is generated by the network authentication entity either according to first attach request information of the user terminal forwarded by the mobile communication network entity (for example, a base station), or according to second attach request information sent by the user terminal.
  • the method may further include the steps of: receiving the second attach request information of the user terminal; and transmitting the second attach request information to the network authentication entity, so that the network authentication entity generates the network slice authentication vector.
  • the first attach request information carries the user subscription identity information IMSI (International Mobile Subscriber Identity) of the user terminal and the user network slice identity information of the user terminal;
  • the second attach request information carries the user network slice identity information of the user terminal.
  • IMSI International Mobile Subscriber Identity
  • FIG. 2 is an interaction diagram of a UE attaching to a network and a network slice in an embodiment of the present disclosure.
  • the UE may attach to the network slice at the same time as it re-attaches to the network.
  • the process of the UE re-attaching to the network and further attaching to the network slice may include steps 201-206.
  • in step 201, the UE sends first attach request information to the mobile communication network entity.
  • the first attach request information includes user subscription identity information and user network slice identity information.
  • in step 202, the mobile communication network entity forwards the first attach request information of the UE to the HSS.
  • in step 203, the HSS generates the corresponding authentication vectors according to the user subscription identity information IMSI and the user network slice identity information SID of the UE.
  • a mobile communication authentication vector (1) corresponding to the user subscription identity information IMSI is generated; this vector may consist of the parameters of an existing AKA authentication vector (i.e. a mobile communication authentication vector): RAND (a random number, produced by the rand() function in this embodiment), XRES (Expected Response), KASME (Access Security Management Entity Key), and AUTN (Authentication Token).
  • AKA authentication vector i.e. mobile communication authentication vector
  • XRES Expected Response
  • KASME Access Security Management Entity Key
  • AUTN Authentication Token
  • a network slice authentication vector (2) corresponding to the user network slice identity information SID is generated; this vector consists of RAND, XRES (Expected Response), the network slice key Kslice, and AUTN (Authentication Token).
  • when the attach request information includes two pieces of user network slice identity information (e.g., SID1 and SID2), the generated authentication vectors are an AKA authentication vector corresponding to the IMSI and two network slice authentication vectors corresponding to SID1 and SID2 respectively.
  • in general, when the attach request information includes a plurality of user network slice identity information, the generated authentication vectors are an AKA authentication vector corresponding to the IMSI and a plurality of different network slice authentication vectors, one for each piece of user network slice identity information.
  • in step 204, the HSS sends the authentication vector (1) corresponding to the IMSI to the mobile communication network entity, and sends the authentication vector (2) corresponding to the SID to the network slice function entity.
  • in step 205, after receiving the authentication vector (1), the mobile communication network entity performs AKA authentication with the UE based on the authentication vector (1) corresponding to the IMSI.
  • in step 206, after receiving the authentication vector (2), the network slice function entity performs AKA authentication with the UE based on the authentication vector (2) corresponding to the SID.
  • FIG. 3 is an interaction diagram of another procedure in which a UE attaches to a network and a network slice in an embodiment of the present disclosure.
  • the UE may also, according to the user's configuration, attach to a pre-configured network slice while re-attaching to the network.
  • the process in which the UE attaches to the user-preconfigured network slice while re-attaching to the network according to the user's configuration may include steps 301 to 307.
  • in step 301, the user configures, in the UE, the network slice information that needs to be accessed.
  • in step 302, the UE transmits first attach request information to the mobile communication network entity.
  • the first attach request information includes user subscription identity information and the pre-configured user network slice identity information.
  • in step 303, the mobile communication network entity forwards the attach request information of the UE to the HSS.
  • in step 304, the HSS generates the corresponding authentication vectors according to the user subscription identity information IMSI and the user network slice identity information SID of the UE.
  • a mobile communication authentication vector (1) corresponding to the user subscription identity information IMSI is generated; this vector may consist of the parameters of an existing AKA authentication vector (i.e. a mobile communication authentication vector): RAND (a random number, produced by the rand() function in this embodiment), XRES (Expected Response), KASME (Access Security Management Entity Key), and AUTN (Authentication Token).
  • RAND random number (produced by the rand() function in this embodiment)
  • a network slice authentication vector (2) corresponding to the user network slice identity information SID is generated; this vector consists of RAND, XRES (Expected Response), the network slice key Kslice, and AUTN (Authentication Token).
  • when the attach request information includes two pieces of pre-configured user network slice identity information (e.g., SID1 and SID2), the generated authentication vectors are an AKA authentication vector corresponding to the IMSI and two network slice authentication vectors corresponding to SID1 and SID2 respectively.
  • in general, when the attach request information includes a plurality of pre-configured user network slice identity information, the generated authentication vectors are an AKA authentication vector corresponding to the IMSI and a plurality of different network slice authentication vectors, one for each piece of user network slice identity information.
  • in step 305, the HSS sends the authentication vector (1) corresponding to the IMSI to the mobile communication network entity, and sends the authentication vector (2) corresponding to the SID to the network slice function entity.
  • in step 306, after receiving the authentication vector (1), the mobile communication network entity performs AKA authentication with the UE based on the authentication vector (1) corresponding to the IMSI.
  • in step 307, after receiving the authentication vector (2), the network slice function entity performs AKA authentication with the UE based on the authentication vector (2) corresponding to the SID.
  • FIG. 4 is an interaction diagram of a UE attaching to a network slice according to a user selection in an embodiment of the present disclosure.
  • the UE may also attach to a network slice according to the user's selection after it has already attached to the mobile communication network (which may be referred to simply as the network in the present disclosure).
  • the process by which the UE attaches to the network slice may include steps 401 through 406.
  • in step 401, the UE sends second attach request information to the selected network slice function entity.
  • the second attach request information includes user network slice identity information.
  • in step 402, the network slice function entity forwards the attach request information of the UE to the HSS.
  • in step 403, the HSS generates the corresponding authentication vector according to the user network slice identity information of the UE.
  • the generated authentication vector corresponding to the user network slice identity information SID consists of RAND (a random number, produced by the rand() function in this embodiment), XRES (Expected Response), the network slice key Kslice, and AUTN (Authentication Token).
  • when the attach request information includes two pieces of user network slice identity information (e.g., SID1 and SID2), the generated authentication vectors are two network slice authentication vectors corresponding to SID1 and SID2 respectively.
  • in general, when the attach request information includes a plurality of user network slice identity information, the generated authentication vectors are different network slice authentication vectors, one for each piece of user network slice identity information.
  • in step 404, the HSS sends the network slice authentication vector generated according to the attach request information (authentication request information) to the network slice function entity corresponding to the user network slice identity information SID.
  • in step 405, after receiving the network slice authentication vector, the network slice function entity performs AKA authentication with the UE based on the received network slice authentication vector.
  • before acquiring, from the network authentication entity, the network slice authentication vector corresponding to the user network slice identity information of the user terminal, the method further includes the steps of: receiving registration request information of the user terminal; generating user network slice identity information according to the registration request information; and transmitting the user network slice identity information to the user terminal.
  • the registration request information carries user subscription identity information and network slice identification information of the user terminal.
  • FIG. 5 is an interaction diagram of a UE registering to a network slice in an embodiment of the present disclosure. As shown in FIG. 5, in some embodiments, the process of the UE registering to the network slice may include steps 501 to 503.
  • step 501 after the UE attaches to the mobile communication network (for example, a 5G network), the UE sends the registration request information to the network slice.
  • the registration request information includes user subscription identity information IMSI and network slice identification information of the UE.
  • in step 502, the network slice function entity generates user network slice identity information SID (Slice Identification) of the UE for the user subscription identity information IMSI of the UE.
  • the user network slice identity information SID generated here can be used in other procedures (e.g., after the UE reboots) to derive the network slice identification information.
  • in step 503, the network slice function entity sends the generated user network slice identity information SID of the UE to the UE, so that the UE carries this identity information when transmitting attach request information.
  • in summary, the user terminal UE first registers with the network slice. After registration, the UE may attach to the network slice while re-attaching to the network; it may also attach directly to the network slice according to the user configuration, or attach to the corresponding network slice according to the user configuration while re-attaching to the network; and it may attach to the corresponding network slice according to the user's selection after attaching to the network. The user terminal UE can therefore attach to a dynamically deployed network slice at any time, so the problem of authenticating the user terminal UE's access to a network slice is well solved.
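One way a network slice function entity could implement the registration of steps 501-503, as an added example for this page (illustrative code, not the applicant's design): the SID is built from the network slice identification information, a random nonce and a MAC tag under a key held by the issuing entity, so that the slice identification can be recovered from the SID later (the reboot case noted above), the SID itself reveals nothing about the IMSI when it is presented on its own in the second attach request of FIG. 4, and the entity can reject SIDs it did not issue before touching any database. The page does not say how an HSS or slice entity resolves a SID back to the subscriber; the SID-to-IMSI registry, the issuer key, the dotted SID format and the 64-bit tag are all assumptions. As the page describes, the IMSI still travels in the registration request itself.

```python
import hashlib
import hmac
import secrets


class SliceFunctionEntity:
    """Issues user network slice identities (SIDs) at registration and resolves them later."""

    def __init__(self, slice_id: str, issuer_key: bytes) -> None:
        self.slice_id = slice_id            # network slice identification information
        self.issuer_key = issuer_key        # per-entity MAC key (assumption)
        self.registry: dict[str, str] = {}  # SID -> IMSI (assumption: how a SID is resolved)

    def _tag(self, nonce: bytes) -> str:
        """Issuer tag binding the nonce to this slice; 64 bits suffices to reject guesses."""
        msg = self.slice_id.encode() + nonce
        return hmac.new(self.issuer_key, msg, hashlib.sha256).hexdigest()[:16]

    def register(self, imsi: str, slice_id: str) -> str:
        """Steps 501-503: registration request (IMSI, slice identification) in, SID out."""
        if slice_id != self.slice_id:
            raise ValueError("registration request names a different slice")
        nonce = secrets.token_bytes(8)
        sid = f"{self.slice_id}.{nonce.hex()}.{self._tag(nonce)}"
        self.registry[sid] = imsi
        return sid

    def resolve(self, sid: str) -> str:
        """Map a SID from a later attach request back to the IMSI, after checking that
        this entity issued it (constant-time tag comparison, no lookup for forgeries)."""
        try:
            slice_id, nonce_hex, tag = sid.split(".")
            nonce = bytes.fromhex(nonce_hex)
        except ValueError:
            raise ValueError("malformed SID") from None
        if slice_id != self.slice_id or not hmac.compare_digest(tag, self._tag(nonce)):
            raise ValueError("SID was not issued by this slice")
        imsi = self.registry.get(sid)
        if imsi is None:
            raise ValueError("SID not registered")
        return imsi


def slice_id_from_sid(sid: str) -> str:
    """The 'derive network slice identification information from the SID' step (UE side)."""
    return sid.split(".", 1)[0]


def demo_registration() -> dict[str, bool]:
    """Register one constructed subscriber, then try three SIDs the entity must refuse."""
    sfe = SliceFunctionEntity("embb-01", secrets.token_bytes(16))
    imsi = "001010123456789"  # constructed test IMSI
    sid = sfe.register(imsi, "embb-01")
    head, tag = sid.rsplit(".", 1)
    forged = head + "." + ("1" * 16 if tag != "1" * 16 else "2" * 16)

    def rejected(candidate: str) -> bool:
        try:
            sfe.resolve(candidate)
        except ValueError:
            return True
        return False

    return {
        "imsi_not_in_sid": imsi not in sid,
        "slice_id_recoverable": slice_id_from_sid(sid) == "embb-01",
        "resolves_to_imsi": sfe.resolve(sid) == imsi,
        "forged_tag_rejected": rejected(forged),
        "other_slice_rejected": rejected(sid.replace("embb-01", "urllc-02", 1)),
        "garbage_rejected": rejected("not-a-sid"),
    }
```

Calling demo_registration() returns a dict whose values are all True; the tag check is what lets a slice entity drop made-up SIDs cheaply, while possession of a genuine SID still buys an attacker nothing without the subscriber key K that the AKA run of FIG. 4 requires.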
  • FIG. 6 is a flowchart of a method for authenticating a network slice in an embodiment of the present disclosure. As shown in FIG. 6, in some embodiments, the method for authenticating the network slice may include the following steps S601 to S603.
  • step S601 the attachment request information of the user terminal is acquired.
  • step S602 a network slice authentication vector corresponding to the user network slice identity information of the user terminal is generated according to the attach request information.
  • step S603 the network slice authentication vector is sent to the network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.
  • the method in the embodiments of the present disclosure is for a network authentication entity, such as an HSS.
  • the embodiment of the present disclosure acquires the attach request information of the user terminal, generates according to it a network slice authentication vector corresponding to the user network slice identity information of the user terminal, and sends that vector to the network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.
  • thus, in a mobile communication system that introduces network slices (e.g., 5G), when the UE attaches to the mobile communication network and further accesses a network slice to receive the service it provides, the dynamic deployment of network slices is accommodated, so that the attach procedure satisfies the authentication requirements for UE access to the network slice.
  • the method may further include: generating, according to the attach request information, a mobile communication authentication vector corresponding to the user subscription identity information of the user terminal; and transmitting the mobile communication authentication vector to the mobile communication network entity, so that the mobile communication network entity authenticates with the user terminal according to the mobile communication authentication vector.
  • the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key, and an authentication token.
  • the attach request information includes first attach request information and second attach request information.
  • the acquiring the attachment request information of the user terminal may include: receiving the first attachment request information forwarded by the mobile communication network entity; or receiving the second attachment request information sent by the user terminal.
  • the first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
  • the user network slice identity information of the user terminal includes user network slice identity information pre-configured at the user terminal and user network slice identity information generated by the network slice function entity according to registration request information of the user terminal.
  • the user terminal may have one or more pieces of user network slice identity information.
  • the UE may attach to the network slice at the same time as it re-attaches to the network.
  • the process of the UE re-attaching to the network and further attaching to the network slice may include the following steps 701-706.
  • in step 701, the UE transmits first attach request information to the mobile communication network entity.
  • the first attach request information includes user subscription identity information and user network slice identity information.
  • in step 702, the mobile communication network entity forwards the first attach request information of the UE to the HSS.
  • in step 703, the HSS generates the corresponding authentication vectors according to the user subscription identity information IMSI and the user network slice identity information SID of the UE.
  • the generated authentication vector corresponding to the user subscription identity information IMSI consists of the existing AKA authentication vector parameters: RAND, XRES (Expected Response), KASME, and AUTN (Authentication Token).
  • the generated authentication vector corresponding to the user network slice identity information SID consists of RAND, XRES (Expected Response), the network slice key Kslice, and AUTN (Authentication Token).
  • when the attach request information includes two pieces of user network slice identity information (e.g., SID1 and SID2), the generated authentication vectors are an AKA authentication vector corresponding to the IMSI and two network slice authentication vectors corresponding to SID1 and SID2 respectively; in general, when it includes a plurality of user network slice identity information, they are an AKA authentication vector corresponding to the IMSI and a plurality of different network slice authentication vectors, one for each piece of user network slice identity information.
  • in step 704, the HSS sends the authentication vector corresponding to the IMSI to the mobile communication network entity, and sends the authentication vector corresponding to the SID to the network slice function entity.
  • in step 705, after receiving the authentication vector, the mobile communication network entity performs AKA authentication with the UE based on the authentication vector corresponding to the IMSI.
  • in step 706, after receiving the authentication vector, the network slice function entity performs AKA authentication with the UE based on the authentication vector corresponding to the user network slice identity information.
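The attach-and-authenticate procedure of FIG. 2 (steps 201-206), described again from the HSS side as S601-S603 and steps 701-706 above, worked through end to end as an added example written for this page; it is not code from the patent or from the applicant. The page fixes only the contents of the two vectors (RAND, XRES, KASME or Kslice, AUTN), so the rest is assumed: the AKA functions f1..f5 are HMAC-SHA256 instances keyed with the subscriber key K (standing in for Milenage), the per-slice root is HMAC-SHA256(K, "slice-root" || SID) so that a vector issued for SID2 cannot be accepted under SID1, KASME is derived directly from K rather than through CK/IK and the serving network identity, the HSS and the UE keep one sequence-number space per context (the network, or one SID), and AMF is a constant. The direct path of FIG. 4 differs only in how the SID reaches the HSS and reuses the same vector. RAND is drawn from a CSPRNG here; the C library rand() named in the text is predictable and not acceptable for an authentication challenge in a real implementation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

AMF = b"\x80\x00"  # authentication management field; fixed value here (assumption)


def _prf(key: bytes, tag: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stand-in for the AKA functions f1..f5 (the page names none)."""
    h = hmac.new(key, tag, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


def slice_root(k: bytes, sid: str) -> bytes:
    """Per-slice long-term root derived from K and the SID (assumed derivation)."""
    return _prf(k, b"slice-root", sid.encode())


@dataclass(frozen=True)
class AuthVector:
    rand: bytes
    xres: bytes
    key: bytes   # KASME in vector (1), Kslice in a vector (2)
    autn: bytes  # (SQN xor AK) || AMF || MAC, 16 bytes


def make_vector(root: bytes, sqn: int) -> AuthVector:
    """One AKA-style vector from a root key and a fresh sequence number."""
    rand = secrets.token_bytes(16)  # CSPRNG; the C library rand() must not be used here
    sqn_b = sqn.to_bytes(6, "big")
    mac = _prf(root, b"f1", sqn_b, rand, AMF)[:8]
    xres = _prf(root, b"f2", rand)[:8]
    key = _prf(root, b"f3", rand)
    ak = _prf(root, b"f5", rand)[:6]
    autn = bytes(a ^ b for a, b in zip(sqn_b, ak)) + AMF + mac
    return AuthVector(rand, xres, key, autn)


class HSS:
    """Network authentication entity: steps 203/703 and S601-S603."""
    def __init__(self, subscribers: dict[str, bytes]) -> None:
        self.k = subscribers                       # IMSI -> long-term key K
        self.sqn: dict[tuple[str, str], int] = {}  # (IMSI, context) -> next SQN

    def _next_sqn(self, imsi: str, ctx: str) -> int:
        n = self.sqn.get((imsi, ctx), 0)
        self.sqn[(imsi, ctx)] = n + 1
        return n

    def on_attach(self, imsi: str, sids: list[str]) -> tuple[AuthVector, dict[str, AuthVector]]:
        """Vector (1) for the IMSI plus one vector (2) per SID in the attach request."""
        k = self.k[imsi]
        net = make_vector(k, self._next_sqn(imsi, "network"))
        return net, {s: make_vector(slice_root(k, s), self._next_sqn(imsi, s)) for s in sids}


class UE:
    """User terminal holding K; one SQN record per context gives replay protection."""
    def __init__(self, k: bytes) -> None:
        self.k = k
        self.last_sqn: dict[str, int] = {}
        self.keys: dict[str, bytes] = {}  # KASME under "network", Kslice under each SID

    def respond(self, ctx: str, rand: bytes, autn: bytes) -> bytes:
        """Check AUTN (MAC, then SQN freshness), derive the session key, return RES."""
        root = self.k if ctx == "network" else slice_root(self.k, ctx)
        ak = _prf(root, b"f5", rand)[:6]
        sqn_b = bytes(a ^ b for a, b in zip(autn[:6], ak))
        amf, mac = autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, _prf(root, b"f1", sqn_b, rand, amf)[:8]):
            raise ValueError(f"{ctx}: AUTN MAC check failed")
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.last_sqn.get(ctx, -1):
            raise ValueError(f"{ctx}: SQN not fresh")
        self.last_sqn[ctx] = sqn
        self.keys[ctx] = _prf(root, b"f3", rand)
        return _prf(root, b"f2", rand)[:8]


def authenticate(ue: UE, ctx: str, av: AuthVector) -> bytes:
    """Step 205 (ctx "network": mobile communication network entity) or step 206
    (ctx = SID: network slice function entity): challenge with RAND||AUTN, compare RES to XRES."""
    if not hmac.compare_digest(ue.respond(ctx, av.rand, av.autn), av.xres):
        raise ValueError(f"{ctx}: RES does not match XRES")
    return av.key


def _rejected(attempt) -> bool:
    try:
        attempt()
    except ValueError:
        return True
    return False


def demo_attach() -> dict[str, bool]:
    """FIG. 2 with IMSI + SID1 + SID2, followed by two attacks that must fail."""
    k = secrets.token_bytes(16)
    imsi = "001010123456789"  # constructed test IMSI
    hss, ue = HSS({imsi: k}), UE(k)
    net, slices = hss.on_attach(imsi, ["SID1", "SID2"])
    kasme = authenticate(ue, "network", net)
    kslice = {sid: authenticate(ue, sid, av) for sid, av in slices.items()}
    return {
        "kasme_agreed": kasme == ue.keys["network"],
        "kslice_agreed": all(kslice[s] == ue.keys[s] for s in slices),
        "keys_distinct": len({kasme, *kslice.values()}) == 3,
        # SID2's vector presented for SID1: its MAC was computed under the other slice root
        "cross_slice_rejected": _rejected(lambda: authenticate(ue, "SID1", slices["SID2"])),
        # the SID1 vector replayed: the MAC verifies but the SQN is no longer fresh
        "replay_rejected": _rejected(lambda: authenticate(ue, "SID1", slices["SID1"])),
    }
```

demo_attach() returns all-True results. The two negative cases are the checks a reviewer would want from any slice-level AKA: a vector must be bound to the slice it was issued for (otherwise one compromised slice entity could authenticate the UE toward another), and the UE must keep sequence-number state per slice so that a captured RAND||AUTN cannot be replayed to re-establish a Kslice.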
  • the UE may also, according to the user's configuration, attach to a pre-configured network slice while re-attaching to the network.
  • the process in which the UE attaches to the user-preconfigured network slice while re-attaching to the network according to the user's configuration may include steps 801 to 807.
  • in step 801, the user configures, at the UE, the network slice information that needs to be accessed.
  • in step 802, the UE transmits first attach request information to the mobile communication network entity.
  • the first attach request information includes user subscription identity information and the pre-configured user network slice identity information.
  • in step 803, the mobile communication network entity forwards the attach request information of the UE to the HSS.
  • in step 804, the HSS generates the corresponding authentication vectors according to the user subscription identity information IMSI and the user network slice identity information SID of the UE.
  • the generated authentication vector corresponding to the user subscription identity information IMSI consists of the existing AKA authentication vector parameters: RAND, XRES (Expected Response), KASME, and AUTN (Authentication Token).
  • the generated authentication vector corresponding to the user network slice identity information SID consists of RAND, XRES (Expected Response), the network slice key Kslice, and AUTN (Authentication Token).
  • when the attach request information includes two pieces of pre-configured user network slice identity information (e.g., SID1 and SID2), the generated authentication vectors are an AKA authentication vector corresponding to the IMSI and two network slice authentication vectors corresponding to SID1 and SID2 respectively.
  • in general, when the attach request information includes a plurality of pre-configured user network slice identity information, the generated authentication vectors are an AKA authentication vector corresponding to the IMSI and different network slice authentication vectors, one for each piece of user network slice identity information.
  • in step 805, the HSS sends the authentication vector corresponding to the IMSI to the mobile communication network entity, and sends the authentication vector corresponding to the SID to the network slice function entity.
  • in step 806, after receiving the authentication vector, the mobile communication network entity performs AKA authentication with the UE based on the authentication vector corresponding to the IMSI.
  • in step 807, the network slice function entity performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity information.
  • The UE may also attach to a network slice selected by the user after it has attached to the network.
  • The process in which the UE attaches to a network slice selected by the user after it has attached to the network may include steps 901 to 906.
  • In step 901, the UE sends attach request information to the selected network slice function entity.
  • The attach request information includes the user network slice identity information.
  • The network slice function entity forwards the attach request information of the UE to the HSS.
  • The HSS generates a corresponding authentication vector according to the user network slice identity information of the UE.
  • The authentication vector generated for the user network slice identity information SID is composed of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token).
  • When the attach information includes two user network slice identities (e.g., SID1 and SID2), the generated authentication vectors are two authentication vectors corresponding to SID1 and SID2 respectively.
  • When the attach information includes multiple user network slice identities, a different authentication vector is generated for each of them.
  • In step 904, the HSS sends the authentication vector generated according to the attach request information (authentication request information) to the network slice function entity corresponding to the user network slice identity information SID.
  • In step 905, after receiving the authentication vector, the network slice function entity performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity information.
  • FIG. 7 is a schematic structural diagram of a network slice function entity device in an embodiment of the present disclosure.
  • The network slice function entity device may include a first memory 70 and a first processor 72; the first memory 70 stores a computer program for network slice authentication by the network slice function entity device. When the computer program is executed by the first processor 72, the following steps may be implemented: obtaining, from a network authentication entity, a network slice authentication vector corresponding to the user network slice identity information of the user terminal; and authenticating with the user terminal according to the network slice authentication vector.
  • The network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token.
  • The authentication is AKA authentication, the authentication and key agreement protocol of the mobile communication network.
  • The network slice authentication vector is generated by the network authentication entity either according to the first attach request information of the user terminal forwarded by the mobile communication network entity, or according to the second attach request information sent by the user terminal.
  • Before the network slice authentication vector corresponding to the user network slice identity information of the user terminal is obtained from the network authentication entity, the method may further include: receiving the second attach request information of the user terminal; and sending the second attach request information to the network authentication entity, so that the network authentication entity generates the network slice authentication vector.
  • The first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
  • Before the network slice authentication vector corresponding to the user network slice identity information of the user terminal is obtained from the network authentication entity, the method may further include: receiving registration request information of the user terminal; generating the user network slice identity information; and sending the user network slice identity information to the user terminal.
  • The registration request information carries the user subscription identity information and the network slice identification information of the user terminal.
  • Embodiments of the present disclosure may also be implemented in the form of software modules.
  • The present disclosure provides a network slice function entity device (which may be referred to as a network slice function entity in the present disclosure); the network slice function entity device may include a receiving module configured to receive the network slice authentication vector sent by the network authentication function entity.
  • The network slice authentication vector includes the parameters RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token).
  • The network slice function entity device further includes an authentication module configured to perform authentication with the UE.
  • The receiving module may be further configured to receive a registration request message sent by the UE; the registration request information includes the user subscription identity information IMSI and the network slice identification information of the UE.
  • The network slice function entity device may further include a generating module configured to generate the user network slice identity information according to the registration request information, and a sending module configured to send the user network slice identity information to the UE.
  • FIG. 8 is a schematic structural diagram of a network authentication entity device according to an embodiment of the present disclosure.
  • The network authentication entity device may include a second memory 80 and a second processor 82; the second memory 80 stores a computer program for network slice authentication by the network authentication entity device.
  • When the computer program is executed by the second processor 82, the following steps may be performed: acquiring the attach request information of the user terminal; generating, according to the attach request information, a network slice authentication vector corresponding to the user network slice identity information of the user terminal; and sending the network slice authentication vector to the network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.
  • When the computer program is executed by the second processor, the following steps may further be implemented: generating, according to the attach request information, a mobile communication authentication vector corresponding to the user subscription identity information of the user terminal; and sending the mobile communication authentication vector to the mobile communication network entity, so that the mobile communication network entity authenticates with the user terminal according to the mobile communication authentication vector.
  • The network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token.
  • The attach request information includes first attach request information and second attach request information.
  • Acquiring the attach request information of the user terminal may include receiving the first attach request information forwarded by the mobile communication network entity, or receiving the second attach request information sent by the user terminal.
  • The first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
  • The user network slice identity information of the user terminal includes user network slice identity information pre-configured at the user terminal and user network slice identity information generated by the network slice function entity according to the registration request information of the user terminal.
  • The user terminal may have one or more pieces of user network slice identity information.
  • The present disclosure provides a network authentication function entity device (which may be referred to as a network authentication function entity in the present disclosure); the network authentication function entity may include a receiving module configured to receive the attach request information sent by the mobile communication network entity.
  • The attach request information includes the user subscription identity information and the user network slice identity information, or only the user network slice identity information; the device further includes a generating module configured to generate the corresponding authentication vectors based on the user subscription identity information and the user network slice identity information.
  • The device further includes a sending module configured to send the authentication vectors to the mobile communication network entity and the network slice function entity.
  • An embodiment of the present disclosure further provides an authentication system for a network slice, the authentication system comprising the network slice function entity device described with reference to FIG. 7, the network authentication entity device described with reference to FIG., and a mobile communication network entity.
  • When receiving the attach request information of the user terminal, the mobile communication network entity forwards the attach request information to the network authentication entity device; when receiving the mobile communication authentication vector, it performs authentication with the user terminal according to the mobile communication authentication vector.
  • Embodiments of the present disclosure also provide a computer readable storage medium storing a first computer program for network slice authentication by a network slice function entity device, and/or a second computer program for network slice authentication by a network authentication entity device; when the first computer program is executed by at least one processor, the steps of the method in any of the embodiments described with reference to Figures 1 through 5 are implemented; when the second computer program is executed by at least one processor, the steps of the method in any of the embodiments described with reference to FIG. are implemented.
  • The computer readable storage medium in embodiments of the present disclosure may be RAM, flash memory, ROM, EPROM, EEPROM, registers, a hard disk, a removable hard drive, a CD-ROM, or any other form of storage medium known in the art.
  • A storage medium can be coupled to the processor so that the processor can read information from, and write information to, the storage medium; or the storage medium can be an integral part of the processor.
  • The processor and the storage medium may be located in an application specific integrated circuit.

Abstract

Provided are a network slice authentication method, a corresponding apparatus and system, and a medium. The method comprises: obtaining a network slice authentication vector corresponding to user network slice identification information of a user terminal from a network authentication entity; performing authentication with the user terminal according to the network slice authentication vector.

Description

Network slice authentication method and corresponding device, system and medium

Technical field

The present disclosure relates to, but is not limited to, the field of mobile communications.

Background

In 5G (fifth-generation mobile communication technology) networks, the deployment of Network Function Virtualization (NFV) means that some functional network elements are deployed on cloud infrastructure as virtual network functions. A virtual core network built for a set of network service requirements is called a network slice; each network slice constitutes a virtual core network that provides mobile network access services to a specific group of user terminals (UEs).

In existing 3G/4G mobile communication systems, authentication is performed with AKA (Authentication and Key Agreement, the authentication and key agreement protocol of the mobile communication network), and after accessing the network the UE directly uses the services provided by the core network.

In 5G systems, the introduction of the network slice concept means that after attaching to the network the UE must further access a network slice in order to receive the services provided through that slice. Because network slices are deployed dynamically, the AKA authentication of the attach procedure cannot meet the authentication requirements for a UE accessing a network slice.

Summary of the invention

In one aspect, the present disclosure provides a network slice authentication method, including: obtaining, from a network authentication entity, a network slice authentication vector corresponding to the user network slice identity information of a user terminal; and performing authentication with the user terminal according to the network slice authentication vector.

In another aspect, the present disclosure provides a network slice authentication method, including: acquiring the attach request information of a user terminal; generating, according to the attach request information, a network slice authentication vector corresponding to the user network slice identity information of the user terminal; and sending the network slice authentication vector to a network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.

In another aspect, the present disclosure provides a network slice function entity device, including a first memory and a first processor; the first memory stores a computer program for network slice authentication by the network slice function entity device; when the computer program is executed by the first processor, the following steps are implemented: obtaining, from a network authentication entity, a network slice authentication vector corresponding to the user network slice identity information of the user terminal; and performing authentication with the user terminal according to the network slice authentication vector.

In another aspect, the present disclosure provides a network authentication entity device, including a second memory and a second processor; the second memory stores a computer program for network slice authentication by the network authentication entity device; when the computer program is executed by the second processor, the following steps are implemented: acquiring the attach request information of the user terminal; generating, according to the attach request information, a network slice authentication vector corresponding to the user network slice identity information of the user terminal; and sending the network slice authentication vector to a network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.

In another aspect, the present disclosure provides a network slice authentication system, including any of the network slice function entity devices described herein, any of the network authentication entity devices described herein, and a mobile communication network entity; when receiving the attach request information of the user terminal, the mobile communication network entity forwards the attach request information to the network authentication entity device; when receiving a mobile communication authentication vector, it performs authentication with the user terminal according to the mobile communication authentication vector.

In another aspect, the present disclosure provides a computer readable storage medium storing a first computer program for network slice authentication by a network slice function entity device, and/or a second computer program for network slice authentication by a network authentication entity device; when the first computer program is executed by at least one processor, the steps of any of the methods described herein for the network slice function entity device are implemented; when the second computer program is executed by at least one processor, the steps of any of the methods described herein for the network authentication entity device are implemented.

Brief description of the drawings

FIG. 1 is a flowchart of a network slice authentication method in an embodiment of the present disclosure;
FIG. 2 is an interaction diagram of a UE attaching to the network and to a network slice in an embodiment of the present disclosure;
FIG. 3 is an interaction diagram of another way for a UE to attach to the network and to a network slice in an embodiment of the present disclosure;
FIG. 4 is an interaction diagram of a UE attaching to a network slice according to the user's selection in an embodiment of the present disclosure;
FIG. 5 is an interaction diagram of a UE registering with a network slice in an embodiment of the present disclosure;
FIG. 6 is a flowchart of a network slice authentication method in an embodiment of the present disclosure;
FIG. 7 is a schematic structural diagram of a network slice function entity device in an embodiment of the present disclosure;
FIG. 8 is a schematic structural diagram of a network authentication entity device in an embodiment of the present disclosure.

Detailed description

In order to solve the problems of the prior art, the present disclosure provides a network slice authentication method and corresponding device, system and medium. The present disclosure is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present disclosure and do not limit it.

The 5G (fifth-generation mobile communication technology) network architecture will introduce new IT technologies such as Network Function Virtualization (NFV). In 3G/4G networks, the protection of functional network elements relies largely on the security isolation of physical equipment. In 5G networks, the deployment of NFV means that some functional network elements are deployed on cloud infrastructure as virtual network functions. A virtual core network built for a set of network service requirements is called a network slice; each network slice constitutes a virtual core network that provides mobile network access services to a specific group of user terminals (UEs). A typical network slice includes a set of virtualized core network functions: a slice control plane unit, which is mainly responsible for mobility, session management and authentication within the slice; a slice user plane unit, which mainly provides the slice's user resources to users; a slice policy control unit, which is responsible for user policy; and a slice charging unit, which is responsible for charging the user. The functions of a network slice are determined by the operator according to requirements and operator policy. For example, some network slices may include a dedicated forwarding plane in addition to control plane functions, while other network slices may include only some basic control plane functions and share the remaining core network functions with other network slices. Network slices may be created, modified or deleted on demand. A UE may also receive services from different network slices at the same time.

In existing 3G/4G mobile communication systems, authentication is performed with AKA (Authentication and Key Agreement, the authentication and key agreement protocol of the mobile communication network), and after accessing the network the UE directly uses the services provided by the core network.

In 5G systems, the introduction of the network slice concept means that after attaching to the network the UE must further access a network slice in order to receive the services provided through that slice. Because network slices are deployed dynamically, the AKA authentication of the attach procedure cannot meet the authentication requirements for a UE accessing a network slice.

Accordingly, the present disclosure provides a network slice authentication method and corresponding device, system and medium that substantially obviate one or more of the problems due to the limitations and disadvantages of the related art.

FIG. 1 is a flowchart of a network slice authentication method in an embodiment of the present disclosure. As shown in FIG. 1, in some embodiments, the network slice authentication method may include the following steps S101 and S102.

In step S101, a network slice authentication vector corresponding to the user network slice identity information SID (Slice Identification) of the user terminal UE is obtained from the network authentication entity; and in step S102, authentication is performed with the user terminal according to the network slice authentication vector.

Here, the network authentication entity may be a Home Subscriber Server (HSS).

The method in the embodiments of the present disclosure is performed by the network slice function entity.

In the embodiments of the present disclosure, a network slice authentication vector corresponding to the user network slice identity information of the user terminal UE is obtained from the network authentication entity, and authentication is then performed with the user terminal according to that vector. Thus, in a mobile communication system (for example 5G) in which network slices have been introduced, when the UE further accesses a network slice after attaching to the mobile communication network in order to receive services provided through the slice, the dynamic deployment characteristic of network slices is accommodated and the attach procedure meets the authentication requirements for a UE accessing a network slice.

On the basis of the above embodiment, variant embodiments are proposed below. For brevity, each variant describes only its differences from the above embodiment.

In the embodiments of the present disclosure, the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token.

In the embodiments of the present disclosure, the authentication is AKA authentication, the authentication and key agreement protocol of the mobile communication network.

In the embodiments of the present disclosure, the network slice authentication vector is generated by the network authentication entity either according to the first attach request information of the user terminal forwarded by a mobile communication network entity (for example, a base station), or according to the second attach request information sent by the user terminal.

It should be noted that the terms "first", "second" and so on used before "attach request information" in the embodiments of the present disclosure serve only to facilitate the description and have no specific meaning in themselves.

In some embodiments, before the network slice authentication vector corresponding to the user network slice identity information of the user terminal is obtained from the network authentication entity, the method may further include: receiving the second attach request information of the user terminal; and sending the second attach request information to the network authentication entity, so that the network authentication entity generates the network slice authentication vector.

Here, the first attach request information carries the user subscription identity information IMSI (International Mobile Subscriber Identity) of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.

Embodiments of the present disclosure are described below by way of example.
FIG. 2 is an interaction diagram of a UE attaching to the network and to a network slice in an embodiment of the present disclosure. Taking the first attach request information as an example, as shown in FIG. 2, after registration with the network slice has been completed, the UE may attach to the network slice at the same time as it re-attaches to the network. In some embodiments, the process in which the UE re-attaches to the network and further attaches to the network slice may include steps 201 to 206.

In step 201, the UE sends first attach request information to the mobile communication network entity. The first attach request information includes the user subscription identity information and the user network slice identity information.

In step 202, the mobile communication network entity forwards the first attach request information of the UE to the HSS.

In step 203, the HSS generates corresponding authentication vectors according to the user subscription identity information IMSI and the user network slice identity information SID of the UE.

For example, a mobile communication authentication vector (1) corresponding to the user subscription identity information IMSI is generated. This vector may be composed of the existing AKA authentication vector (that is, mobile communication authentication vector) parameters: RAND (a random number; it must be produced by a cryptographically secure random number generator rather than a library rand() call, since a predictable challenge defeats the freshness that AKA relies on), XRES (Expected Response), KASME (Access Security Management Entity Key) and AUTN (Authentication Token).

For example, a network slice authentication vector (2) corresponding to the user network slice identity information SID is generated. This vector is composed of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token).

In some embodiments, when the attach information includes two pieces of user network slice identity information (for example, SID1 and SID2), the generated authentication vectors comprise the AKA authentication vector corresponding to the IMSI and two network slice authentication vectors corresponding to SID1 and SID2 respectively.

In some embodiments, when the attach information includes multiple pieces of user network slice identity information, the generated authentication vectors comprise the AKA authentication vector corresponding to the IMSI and multiple different authentication vectors corresponding to the respective pieces of user network slice identity information.

In step 204, the HSS sends the authentication vector (1) corresponding to the IMSI to the mobile communication network entity, and sends the authentication vector (2) corresponding to the SID to the network slice function entity.

In step 205, after receiving authentication vector (1), the mobile communication network entity performs AKA authentication with the UE based on the authentication vector (1) corresponding to the IMSI.

In step 206, after receiving authentication vector (2), the network slice function entity performs AKA authentication with the UE based on the authentication vector (2) corresponding to the SID.
FIG. 3 is an interaction diagram of another way in which a UE attaches to the network and to a network slice in an embodiment of the present disclosure.
Again taking the first attach request information as an example, as shown in FIG. 3, the UE may also, according to the user's configuration, attach to a network slice pre-configured by the user while re-attaching to the network. In some embodiments, the process by which the UE attaches to the user-preconfigured network slice while re-attaching to the network according to the user's configuration may include steps 301 to 307.
In step 301, the user configures on the UE the network slice information that needs to be accessed.
In step 302, the UE sends first attach request information to the mobile communication network entity. The first attach request information includes user subscription identity information and the pre-configured user network slice identity information.
In step 303, the mobile communication network entity forwards the UE's attach request information to the HSS.
In step 304, the HSS generates the corresponding authentication vectors according to the UE's user subscription identity information IMSI and user network slice identity information SID.
For example, a mobile communication authentication vector (1) corresponding to the user subscription identity information IMSI is generated. This vector may consist of the parameters of an existing AKA authentication vector (that is, a mobile communication authentication vector): RAND (a random number produced by the rand() function), XRES (Expected Response), KASME (Access Security Management Entity Key) and AUTN (Authentication Token).
For example, a network slice authentication vector (2) corresponding to the user network slice identity information SID is generated. This vector consists of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token).
In some embodiments, when the attach information contains two pieces of pre-configured user network slice identity information (for example, SID1 and SID2), the generated authentication vectors include an AKA authentication vector corresponding to the IMSI and two network slice authentication vectors corresponding to SID1 and SID2 respectively.
In some embodiments, when the attach information contains multiple pieces of pre-configured user network slice identity information, the generated authentication vectors include an AKA authentication vector corresponding to the IMSI and multiple different authentication vectors corresponding to the respective pieces of user network slice identity information.
In step 305, the HSS sends the authentication vector (1) corresponding to the IMSI to the mobile communication network entity and the authentication vector (2) corresponding to the SID to the network slice function entity.
In step 306, after receiving authentication vector (1), the mobile communication network entity performs AKA authentication with the UE based on the authentication vector (1) corresponding to the IMSI.
In step 307, after receiving authentication vector (2), the network slice function entity performs AKA authentication with the UE based on the authentication vector (2) corresponding to the SID.
FIG. 4 is an interaction diagram of a UE attaching to a network slice according to a selection in an embodiment of the present disclosure.
Taking the second attach request information as an example, as shown in FIG. 4, the UE may also attach to a network slice according to the user's selection after it has already attached to the mobile communication network (which may be referred to simply as the network in the present disclosure). In some embodiments, the process by which the UE attaches to the network slice may include steps 401 to 406.
In step 401, the UE sends second attach request information to the selected network slice function entity. The second attach request information includes user network slice identity information.
In step 402, the network slice function entity forwards the UE's attach request information to the HSS.
In step 403, the HSS generates the corresponding authentication vector according to the UE's user network slice identity information.
For example, the generated authentication vector corresponding to the user network slice identity information SID consists of RAND (a random number produced by the rand() function), XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token).
In some embodiments, when the attach information contains two pieces of user network slice identity information (for example, SID1 and SID2), the generated authentication vectors include two authentication vectors corresponding to SID1 and SID2 respectively.
In some embodiments, when the attach information contains multiple pieces of user network slice identity information, the generated authentication vectors include different authentication vectors corresponding to the respective pieces of user network slice identity information.
In step 404, the HSS sends the network slice authentication vector generated from the attach request information (authentication request information) to the network slice function entity corresponding to the user network slice identity information SID.
In step 405, after receiving the network slice authentication vector, the network slice function entity performs AKA authentication with the UE based on the received network slice authentication vector.
In some embodiments, before the network slice authentication vector corresponding to the user network slice identity information of the user terminal is obtained from the network authentication entity, the method further includes the steps of: receiving registration request information from the user terminal; generating user network slice identity information according to the registration request information; and sending the user network slice identity information to the user terminal.
Here, the registration request information carries the user subscription identity information and network slice identification information of the user terminal.
FIG. 5 is an interaction diagram of a UE registering with a network slice in an embodiment of the present disclosure. As shown in FIG. 5, in some embodiments, the process by which the UE registers with the network slice may include steps 501 to 503.
In step 501, after attaching to the mobile communication network (for example, a 5G network), the UE sends registration request information to the network slice. The registration request information includes the UE's user subscription identity information IMSI and the network slice identification information.
In step 502, the network slice function entity generates the UE's user network slice identity information SID (Slice Identification) for the UE's user subscription identity information IMSI. The user network slice identity information SID generated here can be used in other processing (for example, after the UE is restarted) to derive the network slice identification information.
In step 503, the network slice function entity sends the generated user network slice identity information SID of the UE to the UE, so that the UE carries this identity information when it sends attach request information.
In the embodiments of the present disclosure, the user terminal UE first registers with the network slice. After registration is complete, the UE can further attach to the network slice while re-attaching to the network. The UE can also attach directly to the network slice according to the user configuration, or attach to the corresponding network slice according to the user configuration while re-attaching to the network; and of course the UE can also attach to the corresponding network slice according to the user's selection after attaching to the network. The user terminal UE can thus attach at any time to a dynamically deployed network slice, which solves the problem of authenticating the user terminal UE's access to a network slice.
FIG. 6 is a flowchart of a network slice authentication method in an embodiment of the present disclosure. As shown in FIG. 6, in some embodiments, the network slice authentication method may include the following steps S601 to S603.
In step S601, attach request information of the user terminal is obtained.
In step S602, a network slice authentication vector corresponding to the user network slice identity information of the user terminal is generated according to the attach request information.
In step S603, the network slice authentication vector is sent to the network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.
The method in the embodiments of the present disclosure is used by a network authentication entity, for example an HSS.
The embodiments of the present disclosure obtain the attach request information of the user terminal, generate according to it a network slice authentication vector corresponding to the user network slice identity information of the user terminal, and send the network slice authentication vector to the network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector. In a mobile communication system (for example, 5G) into which network slices have been introduced, when the UE, having attached to the mobile communication network, further accesses a network slice to receive the services provided on the basis of that slice, the dynamic deployment feature of network slices is accommodated, and the attach process satisfies the authentication requirements of the UE's access to the network slice.
In some embodiments, the method may further include: also generating, according to the attach request information, a mobile communication authentication vector corresponding to the user subscription identity information of the user terminal; and sending the mobile communication authentication vector to the mobile communication network entity, so that the mobile communication network entity authenticates with the user terminal according to the mobile communication authentication vector.
In the embodiments of the present disclosure, the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token.
In some embodiments, the attach request information includes first attach request information and second attach request information.
Specifically, obtaining the attach request information of the user terminal may include: receiving the first attach request information forwarded by the mobile communication network entity; or receiving the second attach request information sent by the user terminal.
Here, the first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
In some embodiments, the user network slice identity information of the user terminal includes user network slice identity information pre-configured on the user terminal, and includes user network slice identity information generated by the network slice function entity according to the registration request information of the user terminal.
The user terminal may have one or more pieces of user network slice identity information.
Embodiments of the present disclosure are described below by way of example.
For example, after the UE has completed registration with a network slice, the UE may attach to the network slice at the same time as it re-attaches to the network. In some embodiments, the process by which the UE re-attaches to the network and further attaches to the network slice (the attach authentication process) may include the following steps 701 to 706.
In step 701, the UE sends first attach request information to the mobile communication network entity. The first attach request information includes user subscription identity information and user network slice identity information.
In step 702, the mobile communication network entity forwards the UE's first attach request information to the HSS.
In step 703, the HSS generates the corresponding authentication vectors according to the UE's user subscription identity information IMSI and user network slice identity information SID. For example, the generated authentication vector corresponding to the user subscription identity information IMSI consists of the existing AKA authentication vector parameters, including RAND, XRES (Expected Response), KASME and AUTN (Authentication Token). For example, the generated authentication vector corresponding to the user network slice identity information SID consists of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token). In some embodiments, when the attach information contains two pieces of user network slice identity information (for example, SID1 and SID2), the generated authentication vectors include an AKA authentication vector corresponding to the IMSI and two network slice authentication vectors corresponding to SID1 and SID2 respectively. In some embodiments, when the attach information contains multiple pieces of user network slice identity information, the generated authentication vectors include an AKA authentication vector corresponding to the IMSI and multiple different authentication vectors corresponding to the respective pieces of user network slice identity information.
In step 704, the HSS sends the authentication vector corresponding to the IMSI to the mobile communication network entity and the authentication vector corresponding to the SID to the network slice function entity.
In step 705, after receiving the authentication vector, the mobile communication network entity performs AKA authentication with the UE based on the authentication vector corresponding to the IMSI.
In step 706, the network slice function entity performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity information.
As another example, the UE may also, according to the user's configuration, attach to a network slice pre-configured by the user while re-attaching to the network. In some embodiments, the process by which the UE attaches to the user-preconfigured network slice while re-attaching to the network according to the user's configuration may include steps 801 to 807.
In step 801, the user configures on the UE the network slice information that needs to be accessed.
In step 802, the UE sends first attach request information to the mobile communication network entity. The first attach request information includes user subscription identity information and the pre-configured user network slice identity information.
In step 803, the mobile communication network entity forwards the UE's attach request information to the HSS.
In step 804, the HSS generates the corresponding authentication vectors according to the UE's user subscription identity information IMSI and user network slice identity information SID. For example, the generated authentication vector corresponding to the user subscription identity information IMSI consists of the existing AKA authentication vector parameters, including RAND, XRES (Expected Response), KASME and AUTN (Authentication Token). For example, the generated authentication vector corresponding to the user network slice identity information SID consists of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token). In some embodiments, when the attach information contains two pieces of pre-configured user network slice identity information (for example, SID1 and SID2), the generated authentication vectors include an AKA authentication vector corresponding to the IMSI and two network slice authentication vectors corresponding to SID1 and SID2 respectively. In some embodiments, when the attach information contains multiple pieces of pre-configured user network slice identity information, the generated authentication vectors include an AKA authentication vector corresponding to the IMSI and different authentication vectors corresponding to the respective pieces of user network slice identity information.
In step 805, the HSS sends the authentication vector corresponding to the IMSI to the mobile communication network entity and the authentication vector corresponding to the SID to the network slice function entity.
In step 806, after receiving the authentication vector, the mobile communication network entity performs AKA authentication with the UE based on the authentication vector corresponding to the IMSI.
In step 807, the network slice function entity performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity information.
As a further example, the UE may also attach to a network slice according to the user's selection after it has already attached to the network. In some embodiments, the process by which the UE attaches to a network slice according to the user's selection after having attached to the network may include steps 901 to 906.
In step 901, the UE sends attach request information to the selected network slice function entity. The attach request information includes user network slice identity information.
In step 902, the network slice function entity forwards the UE's attach request information to the HSS.
In step 903, the HSS generates the corresponding authentication vector according to the UE's user network slice identity information. For example, the generated authentication vector corresponding to the user network slice identity information SID consists of RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token). In some embodiments, when the attach information contains two pieces of user network slice identity information (for example, SID1 and SID2), the generated authentication vectors include two authentication vectors corresponding to SID1 and SID2 respectively. In some embodiments, when the attach information contains multiple pieces of user network slice identity information, the generated authentication vectors include different authentication vectors corresponding to the respective pieces of user network slice identity information.
In step 904, the HSS sends the authentication vector generated from the attach request information (authentication request information) to the network slice function entity corresponding to the user network slice identity information SID.
In step 905, after receiving the authentication vector, the network slice function entity performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity information.
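The attach authentication exchange of steps 701 to 706 (IMSI plus one or more SIDs) and steps 901 to 905 (SIDs only), simulated end to end as an added Python example; this is not code from the patent or from the applicant. The page does not say how XRES, Kslice or AUTN are derived from the root keys, so HMAC-SHA256 stands in for the AKA functions, AUTN is simplified to SQN || MAC, and all keys, identifiers and function names (`hss_generate`, `ue_respond`, `verify_response`, `attach`) are constructed for this illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed long-term secrets (not real subscriber data). The subscriber key
# belongs to the IMSI; each SID has its own slice root key. The HMAC-based
# derivations below replace the AKA f-functions and are an assumption.
SUBSCRIBER_KEYS = {"460001234567890": bytes(range(16))}
SLICE_ROOT_KEYS = {"SID1": b"\x11" * 16, "SID2": b"\x22" * 16}


@dataclass(frozen=True)
class AuthVector:
    """RAND, XRES, key (KASME for the IMSI vector, Kslice for a slice vector), AUTN."""
    rand: bytes
    xres: bytes
    key: bytes
    autn: bytes


def _prf(root: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(root, label + b"".join(parts), hashlib.sha256).digest()


def make_vector(root: bytes, identity: str, rand: bytes, sqn: int) -> AuthVector:
    """Build one authentication vector bound to an identity (IMSI or SID).

    The identity is mixed into every derivation so a vector issued for SID1 is
    useless toward SID2. AUTN = SQN || MAC (no AMF, no AK masking) is enough to
    show the network-to-UE half of the mutual authentication.
    """
    ident = identity.encode()
    sqn_b = sqn.to_bytes(6, "big")
    xres = _prf(root, b"res", rand, ident)[:8]
    key = _prf(root, b"key", rand, ident)  # KASME or Kslice, depending on the root
    mac = _prf(root, b"mac", rand, sqn_b, ident)[:8]
    return AuthVector(rand, xres, key, sqn_b + mac)


def hss_generate(request: dict, sqn: int = 1, rng=os.urandom) -> dict:
    """Step 703 / 903: one vector per identity named in the attach request.

    request = {"imsi": <str, optional>, "sids": [<str>, ...]}. The result is
    already split by recipient, as in step 704 / 904: the IMSI vector goes to the
    mobile communication network entity, each slice vector to the network slice
    function entity for that SID. Unknown identities get no vector at all.
    """
    imsi = request.get("imsi")
    imsi_vec = (make_vector(SUBSCRIBER_KEYS[imsi], imsi, rng(16), sqn)
                if imsi in SUBSCRIBER_KEYS else None)
    slice_vecs = {sid: make_vector(SLICE_ROOT_KEYS[sid], sid, rng(16), sqn)
                  for sid in request.get("sids", []) if sid in SLICE_ROOT_KEYS}
    return {"mobile_network_entity": imsi_vec, "slice_entities": slice_vecs}


def ue_respond(ue_keys: Dict[str, bytes], identity: str,
               rand: bytes, autn: bytes) -> Optional[bytes]:
    """UE side of one AKA run: check AUTN first, then answer RES."""
    root = ue_keys.get(identity)
    if root is None:
        return None  # UE holds no key for this identity (never registered with the slice)
    sqn_b, mac = autn[:6], autn[6:]
    expected = _prf(root, b"mac", rand, sqn_b, identity.encode())[:8]
    if not hmac.compare_digest(expected, mac):
        return None  # AUTN does not verify: UE refuses to answer the challenge
    return _prf(root, b"res", rand, identity.encode())[:8]


def verify_response(vec: AuthVector, res: Optional[bytes]) -> bool:
    """Step 705 / 706 / 905: the vector holder compares RES with XRES."""
    return res is not None and hmac.compare_digest(vec.xres, res)


def attach(request: dict, ue_keys: Dict[str, bytes]) -> Dict[str, bool]:
    """Run the whole exchange and return the AKA outcome per identity.

    The IMSI check and each slice check are independent: a UE can pass network
    AKA yet fail for a slice whose Kslice it does not hold.
    """
    vectors = hss_generate(request)
    outcome: Dict[str, bool] = {}
    imsi_vec = vectors["mobile_network_entity"]
    if imsi_vec is not None:
        res = ue_respond(ue_keys, request["imsi"], imsi_vec.rand, imsi_vec.autn)
        outcome[request["imsi"]] = verify_response(imsi_vec, res)
    for sid, vec in vectors["slice_entities"].items():
        res = ue_respond(ue_keys, sid, vec.rand, vec.autn)
        outcome[sid] = verify_response(vec, res)
    return outcome
```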
FIG. 7 is a schematic structural diagram of a network slice function entity device in an embodiment of the present disclosure.
As shown in FIG. 7, in some embodiments, the network slice function entity device may include a first memory 70 and a first processor 72. The first memory 70 stores a computer program for network slice authentication by the network slice function entity device; when the computer program is executed by the first processor 72, the following steps may be implemented: obtaining from a network authentication entity a network slice authentication vector corresponding to the user network slice identity information of the user terminal; and authenticating with the user terminal according to the network slice authentication vector.
In the embodiments of the present disclosure, the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token.
In the embodiments of the present disclosure, the authentication is AKA authentication, the authentication and key agreement protocol of the mobile communication network.
In the embodiments of the present disclosure, the network slice authentication vector is generated by the network authentication entity either according to the first attach request information of the user terminal forwarded by the mobile communication network entity or according to the second attach request information sent by the user terminal.
In some embodiments, before the network slice authentication vector corresponding to the user network slice identity information of the user terminal is obtained from the network authentication entity, the method further includes the steps of: receiving the second attach request information from the user terminal; and sending the second attach request information to the network authentication entity, so that the network authentication entity generates the network slice authentication vector.
Here, the first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
In some embodiments, before the network slice authentication vector corresponding to the user network slice identity information of the user terminal is obtained from the network authentication entity, the method further includes the steps of: receiving registration request information from the user terminal; generating user network slice identity information according to the registration request information; and sending the user network slice identity information to the user terminal.
Here, the registration request information carries the user subscription identity information and network slice identification information of the user terminal.
Of course, the embodiments of the present disclosure may also be implemented in the form of software modules.
In some embodiments, the present disclosure provides a network slice function entity device (which may be referred to simply as the network slice function entity in the present disclosure). The network slice function entity device may include a receiving module configured to receive the network slice authentication vector sent by the network authentication function entity. The network slice authentication vector includes the parameters RAND, XRES (Expected Response), the network slice key Kslice and AUTN (Authentication Token). The network slice function entity device further includes an authentication module configured to authenticate with the UE.
In some embodiments, the receiving module may be further configured to receive a registration request message sent by the UE; the registration request information includes the UE's user subscription identity information IMSI and network slice identification information.
In some embodiments, the network slice function entity device may further include a generating module configured to generate user network slice identity information according to the registration request information, and a sending module configured to send the user network slice identity information to the UE.
For the specific implementation of this embodiment, reference may be made to the embodiments described above, which are not repeated here.
FIG. 8 is a schematic structural diagram of a network authentication entity device according to an embodiment of the present disclosure.
As shown in FIG. 8, in some embodiments, the network authentication entity device may include a second memory 80 and a second processor 82. The second memory 80 stores a computer program for network slice authentication by the network authentication entity device. When the computer program is executed by the second processor 82, the following steps may be implemented: acquiring attach request information of a user terminal; generating, according to the attach request information, a network slice authentication vector corresponding to the user network slice identity information of the user terminal; and sending the network slice authentication vector to a network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.
In some embodiments, when the computer program is executed by the second processor, the following steps are further implemented: generating, according to the attach request information, a mobile communication authentication vector corresponding to the user subscription identity information of the user terminal; and sending the mobile communication authentication vector to a mobile communication network entity, so that the mobile communication network entity authenticates with the user terminal according to the mobile communication authentication vector.
In the embodiments of the present disclosure, the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token.
In some embodiments, the attach request information includes first attach request information and second attach request information.
Specifically, acquiring the attach request information of the user terminal may include receiving the first attach request information forwarded by the mobile communication network entity, or receiving the second attach request information sent by the user terminal.
Here, the first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
In some embodiments, the user network slice identity information of the user terminal includes user network slice identity information pre-configured in the user terminal, and user network slice identity information generated by the network slice function entity according to the registration request information of the user terminal.
The user terminal may have one or more items of user network slice identity information.
Of course, the embodiments of the present disclosure may also be implemented in the form of software modules. Specifically:
In some embodiments, the present disclosure provides a network authentication function entity device (which may be referred to in this disclosure simply as a network authentication function entity). The network authentication function entity may include: a receiving module configured to receive attach request information sent by a mobile communication network entity, where the attach request information includes user subscription identity information and user network slice identity information, or only user network slice identity information; a generating module configured to generate the corresponding authentication vectors based on the user subscription identity information and the user network slice identity information; and a sending module configured to send the authentication vectors to the mobile communication network entity and the network slice function entity.
For the specific implementation of this embodiment, reference may be made to the foregoing embodiments; details are not repeated here.
An embodiment of the present disclosure further provides a network slice authentication system. The authentication system includes the network slice function entity device of any of the embodiments described with reference to FIG. 7, the network authentication entity device of any of the embodiments described with reference to FIG. 8, and a mobile communication network entity.
Upon receiving attach request information of a user terminal, the mobile communication network entity forwards the attach request information to the network authentication entity device; upon receiving a mobile communication authentication vector, it authenticates with the user terminal according to the mobile communication authentication vector.
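Added example (not part of the patent): the flow described above simulated end to end in Python, with the network authentication entity issuing vectors from a first or second attach request and the network slice function entity challenging the UE and comparing RES against XRES; the forwarding step of the mobile communication network entity is represented by handing the first attach request straight to the network authentication entity. The patent does not specify how the vector fields are derived, so HMAC-SHA256 stands in for the derivation functions, and the AUTN layout (SQN || MAC), the field sizes, the IMSI and the slice identity are assumptions.

```python
# Added example (not the patent's code): HMAC-SHA256 stands in for the network's
# f1/f2-style derivation functions; field sizes and sample identities are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stand-in for the key-derivation functions (assumption)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(part)
    return mac.digest()


@dataclass(frozen=True)
class AuthVector:          # RAND, XRES, derived key (Kslice / mobile key), AUTN = SQN || MAC
    rand: bytes
    xres: bytes
    key: bytes
    autn: bytes


def make_vector(root: bytes, sqn: int, rand: Optional[bytes] = None) -> AuthVector:
    """Build one AV from a root key: the subscriber key K for the mobile AV, the
    per-slice key bound to the user network slice identity for the slice AV."""
    rand = rand if rand is not None else secrets.token_bytes(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = _kdf(root, b"f1", rand, sqn_b)[:8]   # lets the UE authenticate the network
    xres = _kdf(root, b"f2", rand)[:8]         # expected response from the UE
    return AuthVector(rand, xres, _kdf(root, b"key", rand), sqn_b + mac)


class NetworkAuthenticationEntity:
    def __init__(self, subscriber_keys: Dict[str, bytes], slice_keys: Dict[str, bytes]):
        self._k, self._kslice = subscriber_keys, slice_keys   # IMSI -> K, slice id -> root
        self._sqn: Dict[str, int] = {}

    def _next_sqn(self, ident: str) -> int:
        self._sqn[ident] = self._sqn.get(ident, 0) + 1
        return self._sqn[ident]

    def on_attach_request(self, req: Dict[str, str]) -> Dict[str, Optional[AuthVector]]:
        """First attach request (IMSI + slice identity, forwarded by the mobile network
        entity): mobile AV and slice AV.  Second (slice identity only, from the UE): slice AV."""
        sid = req["slice_id"]
        out = {"mobile": None, "slice": make_vector(self._kslice[sid], self._next_sqn(sid))}
        if "imsi" in req:
            out["mobile"] = make_vector(self._k[req["imsi"]], self._next_sqn(req["imsi"]))
        return out


class UserEquipment:
    def __init__(self, imsi: str, slice_roots: Dict[str, bytes]):
        self.imsi, self._roots = imsi, slice_roots   # slice roots pre-configured in the UE
        self._last_sqn: Dict[str, int] = {}
        self.kslice: Dict[str, bytes] = {}

    def attach_request(self, sid: str, first: bool) -> Dict[str, str]:
        return {"imsi": self.imsi, "slice_id": sid} if first else {"slice_id": sid}

    def respond(self, sid: str, rand: bytes, autn: bytes) -> Optional[bytes]:
        """Verify AUTN (MAC and sequence freshness) before answering the challenge."""
        root, sqn_b, mac = self._roots[sid], autn[:6], autn[6:]
        if not hmac.compare_digest(mac, _kdf(root, b"f1", rand, sqn_b)[:8]):
            return None                         # network authentication failed
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self._last_sqn.get(sid, 0):
            return None                         # replayed challenge
        self._last_sqn[sid] = sqn
        self.kslice[sid] = _kdf(root, b"key", rand)
        return _kdf(root, b"f2", rand)[:8]


class NetworkSliceFunctionEntity:
    def authenticate(self, ue: UserEquipment, sid: str, av: AuthVector) -> Optional[bytes]:
        """Challenge the UE with RAND and AUTN; return Kslice only if RES matches XRES."""
        res = ue.respond(sid, av.rand, av.autn)
        if res is None or not hmac.compare_digest(res, av.xres):
            return None
        return av.key


def run_flow() -> Dict[str, bool]:
    """Constructed sample data: one subscriber with one pre-configured slice identity."""
    k, root, imsi, sid = bytes(range(16)), bytes(range(16, 32)), "460001234567890", "sliceA-user1"
    nae = NetworkAuthenticationEntity({imsi: k}, {sid: root})
    ue, nsfe = UserEquipment(imsi, {sid: root}), NetworkSliceFunctionEntity()
    first = nae.on_attach_request(ue.attach_request(sid, first=True))
    first_key = nsfe.authenticate(ue, sid, first["slice"])
    replay_key = nsfe.authenticate(ue, sid, first["slice"])     # same SQN presented again
    second = nae.on_attach_request(ue.attach_request(sid, first=False))
    second_key = nsfe.authenticate(ue, sid, second["slice"])
    return {"first_attach_authenticated": first_key is not None,
            "mobile_av_only_on_first_attach": first["mobile"] is not None and second["mobile"] is None,
            "replayed_vector_rejected": replay_key is None,
            "second_attach_authenticated": second_key is not None,
            "kslice_agreed": second_key == ue.kslice[sid]}
```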
An embodiment of the present disclosure further provides a computer readable storage medium storing a first computer program for network slice authentication by a network slice function entity device, and/or a second computer program for network slice authentication by a network authentication entity device. When the first computer program is executed by at least one processor, the steps of the method in any of the embodiments described with reference to FIG. 1 to FIG. 5 are implemented; when the second computer program is executed by at least one processor, the steps of the method in any of the embodiments described with reference to FIG. 6 are implemented.
In the embodiments of the present disclosure, the computer readable storage medium may be a RAM memory, a flash memory, a ROM memory, an EPROM memory, an EEPROM memory, a register, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium known in the art. A storage medium may be coupled to a processor so that the processor can read information from, and write information to, the storage medium; alternatively, the storage medium may be an integral part of the processor. The processor and the storage medium may reside in an application specific integrated circuit.
Although the present application describes specific examples of the present disclosure, those skilled in the art may devise variations of the present disclosure without departing from its concept. Inspired by the technical concept of the present disclosure, those skilled in the art may also make various improvements without departing from its content, and these still fall within the scope of protection of the present disclosure.

Claims (26)

  1. A network slice authentication method, comprising:
    obtaining, from a network authentication entity, a network slice authentication vector corresponding to user network slice identity information of a user terminal; and
    authenticating with the user terminal according to the network slice authentication vector.
  2. The method according to claim 1, wherein the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
    the authentication is Authentication and Key Agreement protocol authentication of a mobile communication network; and
    the network slice authentication vector is generated by the network authentication entity according to first attach request information of the user terminal forwarded by a mobile communication network entity, or according to second attach request information sent by the user terminal.
  3. The method according to claim 2, wherein, before obtaining from the network authentication entity the network slice authentication vector corresponding to the user network slice identity information of the user terminal, the method further comprises:
    receiving the second attach request information of the user terminal; and
    sending the second attach request information to the network authentication entity, so that the network authentication entity generates the network slice authentication vector.
  4. The method according to claim 2, wherein the first attach request information carries user subscription identity information of the user terminal and the user network slice identity information of the user terminal; and the second attach request information carries the user network slice identity information of the user terminal.
  5. The method according to any one of claims 1 to 4, wherein, before obtaining from the network authentication entity the network slice authentication vector corresponding to the user network slice identity information of the user terminal, the method further comprises:
    receiving registration request information of the user terminal;
    generating user network slice identity information according to the registration request information; and
    sending the user network slice identity information to the user terminal.
  6. The method according to claim 5, wherein the registration request information carries user subscription identity information of the user terminal and network slice identification information.
  7. A network slice authentication method, comprising:
    acquiring attach request information of a user terminal;
    generating, according to the attach request information, a network slice authentication vector corresponding to user network slice identity information of the user terminal; and
    sending the network slice authentication vector to a network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.
  8. The method according to claim 7, further comprising:
    generating, according to the attach request information, a mobile communication authentication vector corresponding to user subscription identity information of the user terminal; and
    sending the mobile communication authentication vector to a mobile communication network entity, so that the mobile communication network entity authenticates with the user terminal according to the mobile communication authentication vector.
  9. The method according to claim 8, wherein the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
    the attach request information includes first attach request information and second attach request information; and acquiring the attach request information of the user terminal comprises:
    receiving the first attach request information forwarded by the mobile communication network entity; or
    receiving the second attach request information sent by the user terminal.
  10. The method according to claim 9, wherein the first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; and the second attach request information carries the user network slice identity information of the user terminal.
  11. The method according to claim 10, wherein the user network slice identity information of the user terminal includes user network slice identity information pre-configured in the user terminal, and user network slice identity information generated by the network slice function entity according to registration request information of the user terminal.
  12. The method according to claim 10, wherein the user terminal has one or more items of user network slice identity information.
  13. A network slice function entity device, comprising a first memory and a first processor, wherein the first memory stores a computer program for network slice authentication by the network slice function entity device, and when the computer program is executed by the first processor, the following steps are implemented:
    obtaining, from a network authentication entity, a network slice authentication vector corresponding to user network slice identity information of a user terminal; and
    authenticating with the user terminal according to the network slice authentication vector.
  14. The device according to claim 13, wherein the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
    the authentication is Authentication and Key Agreement protocol authentication of a mobile communication network; and
    the network slice authentication vector is generated by the network authentication entity according to first attach request information of the user terminal forwarded by a mobile communication network entity, or according to second attach request information sent by the user terminal.
  15. The device according to claim 14, wherein, before obtaining from the network authentication entity the network slice authentication vector corresponding to the user network slice identity information of the user terminal, the following steps are further implemented:
    receiving the second attach request information of the user terminal; and
    sending the second attach request information to the network authentication entity, so that the network authentication entity generates the network slice authentication vector.
  16. The device according to claim 14, wherein the first attach request information carries user subscription identity information of the user terminal and the user network slice identity information of the user terminal; and the second attach request information carries the user network slice identity information of the user terminal.
  17. The device according to any one of claims 13 to 16, wherein, before obtaining from the network authentication entity the network slice authentication vector corresponding to the user network slice identity information of the user terminal, the following steps are further implemented:
    receiving registration request information of the user terminal;
    generating user network slice identity information according to the registration request information; and
    sending the user network slice identity information to the user terminal.
  18. The device according to claim 17, wherein the registration request information carries user subscription identity information of the user terminal and network slice identification information.
  19. A network authentication entity device, comprising a second memory and a second processor, wherein the second memory stores a computer program for network slice authentication by the network authentication entity device, and when the computer program is executed by the second processor, the following steps are implemented:
    acquiring attach request information of a user terminal;
    generating, according to the attach request information, a network slice authentication vector corresponding to user network slice identity information of the user terminal; and
    sending the network slice authentication vector to a network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.
  20. The device according to claim 19, wherein, when the computer program is executed by the second processor, the following steps are further implemented:
    generating, according to the attach request information, a mobile communication authentication vector corresponding to user subscription identity information of the user terminal; and
    sending the mobile communication authentication vector to a mobile communication network entity, so that the mobile communication network entity authenticates with the user terminal according to the mobile communication authentication vector.
  21. The device according to claim 20, wherein the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key and an authentication token;
    the attach request information includes first attach request information and second attach request information; and acquiring the attach request information of the user terminal comprises:
    receiving the first attach request information forwarded by the mobile communication network entity; or
    receiving the second attach request information sent by the user terminal.
  22. The device according to claim 21, wherein the first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; and the second attach request information carries the user network slice identity information of the user terminal.
  23. The device according to claim 22, wherein the user network slice identity information of the user terminal includes user network slice identity information pre-configured in the user terminal, and user network slice identity information generated by the network slice function entity according to registration request information of the user terminal.
  24. The device according to claim 22, wherein the user terminal has one or more items of user network slice identity information.
  25. A network slice authentication system, comprising the network slice function entity device according to any one of claims 13 to 18, the network authentication entity device according to any one of claims 19 to 24, and a mobile communication network entity;
    wherein, upon receiving attach request information of a user terminal, the mobile communication network entity forwards the attach request information to the network authentication entity device; and upon receiving a mobile communication authentication vector, it authenticates with the user terminal according to the mobile communication authentication vector.
  26. A computer readable storage medium storing a first computer program for network slice authentication by a network slice function entity device, and/or a second computer program for network slice authentication by a network authentication entity device;
    wherein, when the first computer program is executed by at least one processor, the steps of the method according to any one of claims 1 to 6 are implemented; and
    when the second computer program is executed by at least one processor, the steps of the method according to any one of claims 7 to 12 are implemented.
PCT/CN2018/101337 2017-06-20 2018-08-20 Network slice authentication method, corresponding apparatus and system, and medium WO2018233726A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710469951.7 2017-06-20
CN201710469951.7A CN109104726A (en) 2017-06-20 2017-06-20 The authentication method and related device, system and medium of network slice

Publications (1)

Publication Number Publication Date
WO2018233726A1 true WO2018233726A1 (en) 2018-12-27

Family ID: 64735511

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/101337 WO2018233726A1 (en) 2017-06-20 2018-08-20 Network slice authentication method, corresponding apparatus and system, and medium

Country Status (2)

Country Link
CN (1) CN109104726A (en)
WO (1) WO2018233726A1 (en)


Also Published As

Publication number Publication date
CN109104726A (en) 2018-12-28


Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18819832; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 29/06/2020))
122 Ep: pct application non-entry in european phase (Ref document number: 18819832; Country of ref document: EP; Kind code of ref document: A1)