WO2022067831A1 - A method and apparatus for establishing secure communication - Google Patents
- Publication number: WO2022067831A1 (application PCT/CN2020/119764)
- Authority: WO (WIPO (PCT))
- Prior art keywords: authentication mechanism, network element, terminal device, message, authentication
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
- H04L9/0844—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3242—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/50—Service provisioning or reconfiguring
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W76/00—Connection management
- H04W76/10—Connection setup
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/70—Reducing energy consumption in communication networks in wireless communication networks
Definitions
- the present application relates to the field of communication technologies, and in particular, to a method and apparatus for establishing secure communication.
- multi-access edge computing (MEC) can use the wireless access network to provide telecom users with information technology (IT) services and cloud technology functions close to the user, thereby creating a high-performance, low-latency and high-bandwidth carrier-class service environment that accelerates the download of content, services and applications in the network and lets users enjoy an uninterrupted, high-quality network experience.
- One or more edge enabler servers (EES) and one or more edge application servers (EAS) are dynamically deployed on an edge data network (EDN).
- a user equipment (UE) includes an application client (AC) and an edge enabler client (EEC).
- apart from the user equipment and the EDN, the MEC architecture also includes one or more edge configuration servers (ECS).
- common authentication mechanisms include authentication and key management for applications (AKMA) mechanisms, generic bootstrapping architecture (GBA) mechanisms, and certificate-based authentication mechanisms.
- because the EES, EAS and ECS are dynamically deployed, the UE cannot know which authentication mechanisms they support, and therefore cannot reliably use the corresponding authentication mechanism to initiate a connection establishment request with the EES, EAS or ECS.
- the present application provides a method and apparatus for establishing secure communication, which addresses the problem that, under the MEC architecture, the authentication mechanism supported by a server cannot be known in advance when a secure communication connection needs to be established with it.
- a first aspect provides a method for establishing secure communication, the method comprising: a terminal device receives a first message from a first network element, the first message including an identifier of a second network element and first indication information, where the first indication information is used to indicate a candidate authentication mechanism associated with the second network element; the terminal device establishes a communication connection with the second network element based on the candidate authentication mechanism.
- the terminal device can obtain the candidate authentication mechanism of the dynamically deployed second network element; and establish a communication connection with the second network element based on the candidate authentication mechanism.
- the second network element may be an ECS, EES, or EAS, etc., which can meet the requirements of the MEC architecture.
- the method further includes: the terminal device sends a second message to the first network element, where the first message is a response message to the second message.
- the terminal device can first send the second message to the first network element, and then the first network element sends a response message of the second message, that is, the first message, to the terminal device. That is, when the terminal device needs to acquire the candidate authentication mechanism corresponding to the second network element, it can directly request the first network element, so that the terminal device can acquire the candidate authentication mechanism of the dynamically deployed second network element.
- the candidate authentication mechanism is at least one first authentication mechanism to be used when establishing a communication connection between the terminal device and the second network element; the second message includes at least one second authentication mechanism supported by the terminal device.
- when the second network element receives the second message, it can directly obtain from it the at least one authentication mechanism supported by the terminal device; it then determines a candidate authentication mechanism according to that at least one authentication mechanism and the at least one authentication mechanism supported by the second network element, which ensures that the candidate authentication mechanism is supported by both the terminal device and the second network element.
- when the terminal device receives the candidate authentication mechanism, it can use it directly to establish the communication connection without further processing, which reduces the processing complexity of the terminal device and saves power.
- the above-mentioned second message includes the network type used by the terminal device to access the second network element.
- the network type used by the terminal device to access the second network element may also be considered, so as to ensure that the selected candidate authentication mechanism is also supported by the network.
- this design accounts for the fact that some authentication mechanisms require network support: for example, the AKMA authentication mechanism requires the support of a 5G network, and the GBA authentication mechanism requires the support of a 4G network.
- the above-mentioned second message further includes priority information of the at least one second authentication mechanism.
- the second network element may also consider the priorities of the authentication mechanisms supported by the terminal device and the second network element, and preferentially select a high-priority authentication mechanism supported by both to establish a communication connection.
- establishing a communication connection between the terminal device and the second network element based on the candidate authentication mechanism includes: the terminal device determines a target authentication mechanism from the at least one first authentication mechanism; the terminal device generates a first key and a first key identifier corresponding to the target authentication mechanism; the terminal device sends a communication connection establishment request to the second network element, where the communication connection establishment request includes the first key identifier.
- the first key identifier may be used to identify the terminal device.
- the first key and the first key identifier corresponding to the target authentication mechanism may also have been generated and stored in the terminal device in advance; in that case it is sufficient for the terminal device to obtain the stored first key identifier corresponding to the target authentication mechanism. That is, establishing a communication connection between the terminal device and the second network element based on the candidate authentication mechanism includes: the terminal device determines a target authentication mechanism from the at least one first authentication mechanism; the terminal device obtains the first key identifier corresponding to the target authentication mechanism; the terminal device sends a communication connection establishment request to the second network element, where the communication connection establishment request includes the first key identifier.
- because the terminal device learns the authentication mechanism of the dynamically deployed second network element from the candidate authentication mechanism, it can directly carry the key identifier corresponding to that mechanism in the communication connection establishment request and establish the communication connection directly.
- by contrast, if the terminal device cannot learn the authentication mechanism of the dynamically deployed second network element, it must first send a communication connection establishment request to the second network element, wait for the second network element to indicate the authentication mechanism it supports, and then send a further communication connection establishment request carrying the key identifier of that authentication mechanism; avoiding this extra round trip reduces signaling overhead and connection delay.
- the candidate authentication mechanism is at least one third authentication mechanism supported by the second network element.
- the second network element directly sends the authentication mechanisms it supports to the terminal device, and the terminal device selects the target authentication mechanism based on the authentication mechanisms supported by the second network element and those supported by the terminal device, then establishes the communication connection.
- the second network element side does not need to make further judgment, and the workload of the second network element is reduced.
- establishing a communication connection between the terminal device and the second network element based on the candidate authentication mechanism includes: the terminal device determines a target authentication mechanism based on the at least one third authentication mechanism and auxiliary information, where the auxiliary information includes at least one of the following: at least one second authentication mechanism supported by the terminal device, and the network type used by the terminal device to access the second network element; the terminal device generates a first key and a first key identifier corresponding to the target authentication mechanism; the terminal device sends a communication connection establishment request to the second network element, where the communication connection establishment request includes the first key identifier.
- the terminal device can directly carry the key identifier corresponding to the target authentication mechanism in the communication connection establishment request, so the communication connection between the two can be established by sending the communication connection establishment request once. Compared with a scheme that needs to send the communication connection establishment request multiple times, signaling overhead and connection delay are reduced.
- the terminal device may also consider priority information, such as priority information of the at least one second authentication mechanism and priority information of the at least one third authentication mechanism, etc., to determine candidate authentication mechanisms. In this way, it can be ensured that the authentication mechanism with a higher priority is preferentially selected to establish a communication connection.
- the above-mentioned first message may further include priority information of the at least one authentication mechanism supported by the second network element, and the like.
- the above target authentication mechanism is an authentication mechanism corresponding to the network type: for example, when the network type is 5G the target authentication mechanism may be the AKMA mechanism, and when the network type is 4G the target authentication mechanism may be the GBA mechanism or the like.
- the method may further include: the terminal device generates a second key according to the first key and the identifier of the second network element; the terminal device uses the second key to apply security protection to the communication connection establishment request, generating a first message authentication code (MAC); the communication connection establishment request further includes the first MAC.
- after receiving the communication connection establishment request, the second network element can obtain the first key identifier from the request, obtain the second key according to the first key identifier, and use the second key to calculate a second MAC over the communication connection establishment request; if the first MAC and the second MAC are the same, the verification passes and a communication connection can be established between the two. Subsequently, the second key may also be used for other security protection between the terminal device and the second network element, which is not limited, so as to ensure that a secure communication connection is established between the two.
- the method further includes: receiving, by the terminal device, a communication connection establishment response sent by the second network element.
- the communication connection establishment response is secured using the second key.
- the communication connection establishment response includes the third MAC.
- the third MAC is calculated by the second network element, based on the second key, over some or all of the information in the communication connection establishment response.
- the terminal device also verifies the third MAC based on the second key to determine that the communication connection establishment response has not been tampered with, which indirectly verifies that the second network element is a legitimate network element.
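As an added example (not code from the application), the following Python models the key derivation and MAC protection described above: the terminal derives a second key from the first key and the second network element's identifier, protects the connection establishment request with a first MAC and sends only the first key identifier; the second network element resolves the identifier to the first key, recomputes the MAC as the second MAC, compares the two, and protects its response with a third MAC that the terminal verifies. HMAC-SHA256 for both the derivation and the MAC, the field layout covered by the MAC, and every key, identifier and message value are assumptions constructed for the example; the application does not specify them.

```python
import hmac
from hashlib import sha256

# Added example, not code from the application. The application only states
# that a second key is derived from the first key and the identifier of the
# second network element and that a MAC is computed with it; HMAC-SHA256 is
# assumed here for both the derivation and the MAC.


def derive_second_key(first_key: bytes, second_ne_id: bytes) -> bytes:
    """Second key bound to the identifier of the second network element (assumed KDF)."""
    return hmac.new(first_key, b"second-key|" + second_ne_id, sha256).digest()


def compute_mac(key: bytes, message: bytes) -> bytes:
    """Message authentication code over a message (assumed: HMAC-SHA256)."""
    return hmac.new(key, message, sha256).digest()


def request_body(key_id: bytes, payload: bytes) -> bytes:
    """Bytes covered by the first/second MAC: key identifier and request payload,
    length-prefixed so the two fields cannot be re-split by an attacker."""
    return len(key_id).to_bytes(2, "big") + key_id + payload


class TerminalDevice:
    """Holds the first key and first key identifier of the target authentication mechanism."""

    def __init__(self, first_key: bytes, first_key_id: bytes):
        self.first_key = first_key
        self.first_key_id = first_key_id
        self.second_key = b""

    def build_connection_request(self, second_ne_id: bytes, payload: bytes) -> dict:
        # Second key = f(first key, identifier of the second network element).
        self.second_key = derive_second_key(self.first_key, second_ne_id)
        first_mac = compute_mac(self.second_key, request_body(self.first_key_id, payload))
        # The request carries the key *identifier*, never the key itself.
        return {"key_id": self.first_key_id, "payload": payload, "mac": first_mac}

    def verify_response(self, response: dict) -> bool:
        # Third MAC check: the response came from a party holding the second key.
        expected = compute_mac(self.second_key, response["body"])
        return hmac.compare_digest(expected, response["mac"])


class SecondNetworkElement:
    """Resolves a first key identifier to the first key and checks the request MAC."""

    def __init__(self, ne_id: bytes, key_store: dict):
        self.ne_id = ne_id
        self.key_store = key_store  # first key identifier -> first key

    def handle_connection_request(self, request: dict):
        first_key = self.key_store.get(request["key_id"])
        if first_key is None:
            return None  # unknown key identifier: reject before any MAC work
        second_key = derive_second_key(first_key, self.ne_id)
        second_mac = compute_mac(second_key, request_body(request["key_id"], request["payload"]))
        if not hmac.compare_digest(second_mac, request["mac"]):
            return None  # first MAC != second MAC: request tampered or forged
        body = b"connection-established"
        return {"body": body, "mac": compute_mac(second_key, body)}  # third MAC


def run_exchange() -> dict:
    """Constructed sample run: one honest exchange, one tampered request, one unknown key."""
    first_key = sha256(b"constructed sample first key").digest()
    key_id = b"kid-0001"                # constructed first key identifier
    ees_id = b"ees.example.invalid"     # constructed second network element identifier
    ue = TerminalDevice(first_key, key_id)
    ees = SecondNetworkElement(ees_id, {key_id: first_key})

    request = ue.build_connection_request(ees_id, b"connect")
    response = ees.handle_connection_request(request)
    accepted = response is not None and ue.verify_response(response)

    tampered = dict(request, payload=b"connecX")   # payload altered in transit
    unknown = dict(request, key_id=b"kid-9999")    # identifier not in the key store
    return {
        "accepted": accepted,
        "tampered_rejected": ees.handle_connection_request(tampered) is None,
        "unknown_key_rejected": ees.handle_connection_request(unknown) is None,
    }


if __name__ == "__main__":
    print(run_exchange())
```

The key store on the network element side stands in for however the second network element obtains the first key for a given identifier (for AKMA or GBA this comes from the network, which the example does not model). Both comparisons use `hmac.compare_digest`, so a wrong MAC and a forged one take the same time to reject, and a request with an unknown identifier is refused before any key derivation is done.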
- when the first network element is the edge configuration server (ECS) and the second network element is the edge enabler server (EES), the terminal device can obtain the candidate authentication mechanism corresponding to the EES through the ECS.
- when the first network element is the EES and the second network element is the edge application server (EAS), the terminal device can obtain the candidate authentication mechanism corresponding to the EAS through the EES.
- when the first network element is the access and mobility management function (AMF) or the session management function (SMF) and the second network element is the ECS, the terminal device can obtain the candidate authentication mechanism corresponding to the ECS through the AMF or the SMF.
- the above-mentioned first message may be a non-access stratum NAS message.
- the first message is a response message for the terminal device to request registration, or a response message for the terminal device to request to establish a protocol data unit PDU session, etc., which is not limited.
- the terminal device can obtain the candidate authentication mechanism of the dynamically deployed EES, EAS or ECS, so as to meet the requirements of the MEC architecture.
- the candidate authentication mechanism includes at least one of the following: authentication and key management for applications (AKMA), the generic bootstrapping architecture (GBA), a certificate mechanism, or other mechanisms for authentication between the terminal device and the second network element, and the like.
- the terminal device can obtain the candidate authentication mechanism corresponding to the dynamically deployed second network element, which is flexible in implementation and has a wide application range.
- a second aspect provides a method for establishing secure communication, including: a first network element determines a candidate authentication mechanism; the first network element sends a first message to a terminal device, where the first message includes an identifier of a second network element and first indication information, the first indication information is used to indicate the candidate authentication mechanism associated with the second network element, and the candidate authentication mechanism is used for establishing a communication connection between the terminal device and the second network element.
- the first network element can indicate the candidate authentication mechanism corresponding to the second network element to the terminal device.
- the above-mentioned second network element may be dynamically deployed, such as ECS, EES or EAS in the MEC architecture, so that the terminal device can dynamically obtain the candidate authentication mechanism of the second network element to meet the requirements of the MEC architecture.
- the above method further includes: receiving, by the first network element, a second message from the terminal device, where the first message is a response message to the second message.
- the terminal device can first send the second message to the first network element, and then the first network element sends a response message of the second message, that is, the first message, to the terminal device. That is, when the terminal device needs to acquire the candidate authentication mechanism corresponding to the second network element, it can directly request the first network element, so that the terminal device can acquire the candidate authentication mechanism of the dynamically deployed second network element.
- the candidate authentication mechanism is at least one first authentication mechanism used when establishing a communication connection between the terminal device and the second network element
- the first network element determining the candidate authentication mechanism includes: the first network element determines a candidate authentication mechanism according to at least one third authentication mechanism supported by the second network element and auxiliary information, where the auxiliary information includes at least one of the following: at least one second authentication mechanism, and the network type used by the terminal device to access the second network element.
- the first network element can directly indicate to the terminal device the authentication mechanism to be used when establishing the communication connection between the terminal device and the second network element, so the terminal device does not need to make further judgments, which reduces the processing complexity on the terminal device side and saves power.
- the second network element may also consider the network type used by the terminal device to access the second network element, so that the selected candidate authentication mechanism can be supported by the access network.
- the above-mentioned second message includes at least one second authentication mechanism supported by the terminal device.
- the second network element may also consider priority information, for example the priority information of the second authentication mechanism supported by the terminal device and the priority information of the third authentication mechanism supported by the second network element, so that the selected candidate authentication mechanism has a higher priority.
- the above-mentioned second message may further include priority information of at least one second authentication mechanism supported by the terminal device.
- the candidate authentication mechanism is at least one third authentication mechanism supported by the second network element.
- the first network element directly indicates the authentication mechanisms supported by the second network element to the terminal device without additional processing, and the terminal device does not need to notify the first network element of the authentication mechanisms it supports, which reduces processing on the first network element side and saves signaling overhead.
- the terminal device determines the final target authentication mechanism between the two according to the authentication mechanism supported by the second network element.
- the terminal device may also consider the priority information of both sets of authentication mechanisms. Therefore, the first network element needs to notify the terminal device of the priority information of the authentication mechanisms supported by the second network element.
- the above-mentioned first message also includes priority information of the at least one third authentication mechanism supported by the second network element.
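Both designs described on this page, the network side determining the candidate from the terminal's second message (supported mechanisms, network type, priorities) and the terminal determining the target from the third mechanisms that the first message carries, reduce to one selection rule: intersect the two sides' mechanism sets, drop mechanisms the access network cannot support, and order what remains by priority. The Python below is an added example, not code from the application; the AKMA/5G and GBA/4G requirements are the ones the application states, while the mechanism labels, the `CERT` mechanism having no network requirement, the sample priorities and the rank-summing combination of both sides' priorities are assumptions.

```python
# Added example, not code from the application.
# Access network type a mechanism requires (from the application: AKMA needs a
# 5G network, GBA needs a 4G network). No entry means no network requirement;
# treating the certificate mechanism ("CERT") that way is an assumption.
NETWORK_REQUIREMENT = {"AKMA": {"5G"}, "GBA": {"4G"}}


def network_supports(mechanism: str, network_type) -> bool:
    """True if the access network can support the mechanism (unknown network: no filter)."""
    required = NETWORK_REQUIREMENT.get(mechanism)
    return network_type is None or required is None or network_type in required


def candidate_mechanisms(offered, supported, network_type=None, *rankings):
    """Ordered candidate list, most preferred first.

    offered   - mechanisms the second network element supports (third mechanisms)
    supported - mechanisms the terminal device supports (second mechanisms)
    rankings  - zero or more priority tables {mechanism: rank}, rank 0 = most
                preferred; a mechanism absent from a table gets that table's worst rank.
    Priorities from both sides are combined by summing ranks (an assumption).
    """
    usable = [m for m in offered if m in supported and network_supports(m, network_type)]

    def combined_rank(m):
        return sum(r.get(m, len(r)) for r in rankings)

    # Ties are broken by the order in which the second network element listed them.
    return sorted(usable, key=lambda m: (combined_rank(m), offered.index(m)))


def select_target(offered, supported, network_type=None, *rankings):
    """Single target mechanism, or None when the two sides have nothing usable in common."""
    candidates = candidate_mechanisms(offered, supported, network_type, *rankings)
    return candidates[0] if candidates else None


def negotiate_both_ways(network_type: str) -> dict:
    """Constructed sample: the same inputs run through both designs in the application."""
    ees_supported = ["AKMA", "GBA", "CERT"]            # third mechanisms (constructed)
    ees_priority = {"AKMA": 0, "GBA": 1, "CERT": 2}
    ue_supported = ["GBA", "CERT", "AKMA"]             # second mechanisms (constructed)
    ue_priority = {"GBA": 0, "CERT": 1, "AKMA": 2}

    # Design 1: the terminal's second message carries its mechanisms, network type and
    # priorities; the network side determines the first mechanism(s) and indicates them.
    second_message = {"supported": ue_supported, "network_type": network_type,
                      "priority": ue_priority}
    first_message_1 = {"second_ne_id": "ees-1", "candidates": candidate_mechanisms(
        ees_supported, second_message["supported"], second_message["network_type"],
        second_message["priority"], ees_priority)}
    network_side = first_message_1["candidates"][0] if first_message_1["candidates"] else None

    # Design 2: the first message carries the third mechanisms (and their priorities)
    # unchanged; the terminal determines the target using its own auxiliary information.
    first_message_2 = {"second_ne_id": "ees-1", "candidates": ees_supported,
                       "priority": ees_priority}
    terminal_side = select_target(first_message_2["candidates"], ue_supported, network_type,
                                  ue_priority, first_message_2["priority"])
    return {"network_side": network_side, "terminal_side": terminal_side}


if __name__ == "__main__":
    print(negotiate_both_ways("5G"), negotiate_both_ways("4G"))
```

With the sample inputs, a 5G access network excludes GBA and the combined priorities pick AKMA on both paths; a 4G network excludes AKMA and picks GBA. Whichever side decides, the other side's supported set and the network type are inputs, which is what keeps the chosen mechanism usable by both endpoints and by the network between them.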
- when the first network element is the edge configuration server (ECS) and the second network element is the edge enabler server (EES), the terminal device can obtain the candidate authentication mechanism corresponding to the EES through the ECS.
- when the first network element is the EES and the second network element is the edge application server (EAS), the terminal device can obtain the candidate authentication mechanism corresponding to the EAS through the EES.
- when the first network element is the access and mobility management function (AMF) or the session management function (SMF) and the second network element is the ECS, the terminal device can obtain the candidate authentication mechanism corresponding to the ECS through the AMF or the SMF.
- the above-mentioned first message may be a non-access stratum NAS message.
- the first message is a response message for the terminal device to request registration, or a response message for the terminal device to request to establish a protocol data unit PDU session, etc., which is not limited.
- the terminal device can obtain the candidate authentication mechanism of the dynamically deployed EES, EAS or ECS, so as to meet the requirements of the MEC architecture.
- the candidate authentication mechanism includes at least one of the following: authentication and key management for applications (AKMA), the generic bootstrapping architecture (GBA), a certificate mechanism, or other mechanisms for authentication between the terminal device and the second network element, and the like.
- the terminal device can obtain the candidate authentication mechanism corresponding to the dynamically deployed second network element, which is flexible in implementation and has a wide application range.
- an embodiment of the present application further provides an apparatus, and the communication apparatus is applied to a terminal device.
- the apparatus has the function of implementing the behavior in the method embodiment of the first aspect. This function can be implemented by hardware, or by hardware executing corresponding software.
- the hardware or software includes one or more units corresponding to the above-mentioned functions.
- the structure of the apparatus includes a communication unit and a processing unit, and these units can perform the corresponding functions in the method example of the first aspect. For details, refer to the detailed description in the method embodiment, which will not be repeated here.
- an embodiment of the present application further provides an apparatus, the communication apparatus is applied to the first network element, and the beneficial effects can be found in the description of the second aspect, and will not be repeated here.
- the apparatus has the function of implementing the behavior in the method example of the second aspect above. This function can be implemented by hardware or by executing corresponding software by hardware.
- the hardware or software includes one or more units corresponding to the above-mentioned functions.
- the structure of the apparatus includes a communication unit and a processing unit, and these units can perform the corresponding functions in the method example of the second aspect. For details, please refer to the detailed description in the method example, which will not be repeated here.
- an embodiment of the present application further provides an apparatus, where the communication apparatus is applied to a terminal device, and the beneficial effects can be referred to the description of the first aspect and will not be repeated here.
- the structure of the communication apparatus includes a processor and a memory, and the processor is configured to support the terminal device to perform the corresponding functions in the method of the first aspect.
- the memory is coupled to the processor and holds program instructions and data necessary for the communication device.
- the structure of the communication device also includes a communication interface for communicating with other devices.
- an embodiment of the present application further provides an apparatus, where the communication apparatus is applied to the first network element, and the beneficial effects can be referred to the description of the second aspect and will not be repeated here.
- the structure of the communication device includes a processor and a memory, and the processor is configured to support the first network element to perform the corresponding functions in the method of the second aspect.
- the memory is coupled to the processor and holds program instructions and data necessary for the communication device.
- the structure of the communication device also includes a communication interface for communicating with other devices.
- the present application further provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the method of the first aspect or the method of the second aspect.
- the present application further provides a computer program product comprising instructions, which, when run on a computer, cause the computer to perform the method of the first aspect or the method of the second aspect.
- the present application further provides a computer chip, the chip is connected to a memory, and the chip is used to read and execute a software program stored in the memory, execute the method of the first aspect, or execute the method of the second aspect.
- FIG. 1 is a schematic diagram of an MEC architecture provided by an embodiment of the present application.
- FIG. 2 is a schematic diagram of a communication process in an MEC architecture provided by an embodiment of the present application.
- FIG. 3 is a schematic diagram of a 3GPP network provided by an embodiment of the present application.
- FIG. 5 is a flowchart of the ECS obtaining at least one authentication mechanism supported by the EES according to an embodiment of the present application.
- FIG. 6 is a flowchart of a communication method provided by an embodiment of the present application.
- FIG. 7 is a flowchart of the EES obtaining information on at least one authentication mechanism supported by the EAS according to an embodiment of the present application.
- FIG. 8 is another flowchart of the communication method provided by the embodiment of the present application.
- FIG. 9 is another flowchart of the communication method provided by the embodiment of the present application.
- FIG. 10 is a flowchart of the AKMA authentication provided by the embodiment of the present application.
- FIG. 11 is a schematic structural diagram of an apparatus provided by an embodiment of the present application.
- FIG. 12 is another schematic structural diagram of an apparatus provided by an embodiment of the present application.
- “At least one of the following items” or similar expressions refer to any combination of these items, including any combination of single items or plural items.
- at least one of a, b, or c can represent: a, b, c, a-b, a-c, b-c, or a-b-c, where each of a, b, c may be single or multiple.
- words such as “first” and “second” are used to distinguish the same or similar items with basically the same function and effect. Those skilled in the art can understand that the words “first”, “second” and the like do not limit the quantity and execution order, and the words “first”, “second” and the like are not necessarily different.
- the network architecture and service scenarios described in the embodiments of the present application are for the purpose of illustrating the technical solutions of the embodiments of the present application more clearly, and do not constitute limitations on the technical solutions provided by the embodiments of the present application.
- the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
- the embodiment of the present application provides a multi-access edge computing (multi-access edge computing, MEC) enabled edge application architecture, as shown in FIG. 1 , at least including the following functional network elements:
- An edge application server (EAS) is an application server deployed in the EDN. The application provider can dynamically instantiate an EAS in different EDN networks as needed.
- the application client is the peer entity of the EAS on the terminal device side.
- the AC is used by an application user (user) to obtain application services from an application server.
- the AC is a client program applied in the terminal device.
- the AC can connect to the application server on the cloud to obtain application services, or connect to the EAS deployed and run in one or more EDNs to obtain application services.
- the AC can be a Tencent client installed on a terminal device, an iQiyi client, a vehicle to everything (V2X) client, or a mission critical (MC) client, etc.
- the edge enabler server can provide enabling capabilities for the EAS deployed in the EDN.
- the EES can provide management capabilities for the EAS, and can support the registration of the edge application server EAS, so as to obtain the identification of the EAS and the authentication mechanism supported by the EAS, and optionally, also obtain the priority of the authentication mechanism supported by the EAS.
- the EES can also provide the terminal equipment with information related to the identification and authentication of the available EAS. The authentication-related information is used for the authentication process between the terminal device and the EAS. Further, the EES can also support sending the identifier of the EAS to the ECS. EES is deployed in EDN.
- when an EAS is registered with an EES, or the information of an EAS is configured on an EES through a management system, the EES is called the EES associated with the EAS, and the EES can control, manage, register or configure the EAS associated with it.
- the edge enabler client is the peer entity of the EES on the terminal device side.
- the EEC is used to register EEC information and AC information with the EES, perform security authentication, obtain EAS identifiers from the EES, and provide edge computing enabling capabilities to the AC, such as the EAS discovery service and returning EAS identifiers to the AC.
- the edge configuration server (ECS) is responsible for EDN configuration management, such as providing EES information to terminal devices.
- the application user may sign a service agreement with the application provider, so as to obtain the service provided by the application provider's server.
- the application user can log in to the AC on the terminal device and communicate with the EAS through the AC connection to use the service provided by the application provider's server.
- the enabling client (for example, the EEC) can be a middleware layer, generally located in the operating system or between the AC and the operating system, and can also be implemented inside the AC.
- the AC can obtain the edge-enabled service from the enabling client through an application programming interface (application program interface, API).
- the edge service provider dynamically deploys the EDN network as required, deploys the EES in the EDN network, and dynamically instantiates the specific EAS according to the needs of the application provider.
- the EAS initiates a registration procedure with the EES in order to provide the EES with EAS information, for example the EAS identity, endpoint information (such as a fully qualified domain name (FQDN), IP address or uniform resource identifier (URI)), and the application client identifier (AC ID), etc.
- the EAS information enables the EES to provide available EAS to the EEC according to the EEC's request.
- the EES in the EDN network initiates a registration process to the ECS, so as to provide the ECS with EES information, the EES information enables the ECS to provide available EES to the EEC according to the request of the EEC. Further, the EES may also provide the ECS with the information of the EAS registered on the EES during the registration process.
- the EEC may first request the ECS to provide the edge service, so as to obtain the available EES information through the ECS.
- the ECS may send the information of the available EES to the EEC according to the request of the EEC.
- the EEC determines the EES for communication according to the EES information obtained from the ECS, and establishes a connection with the determined EES.
- the EEC obtains specific EAS information for providing edge application services from the connected EES.
- the EEC sends the EAS information corresponding to the AC to the AC according to the obtained EAS information.
- the AC establishes a connection with the EAS to obtain services according to the EAS information obtained from the EEC.
- An embodiment of the present application further provides a network architecture, as shown in FIG. 3 , including at least one of the following: a terminal device, an access network, a core network, and a data network (DN).
- Different access network devices can be connected through the Xn interface, and the access network device and the core network device can be connected through the NG interface.
- Terminal equipment, which can be referred to as a terminal for short, is a device with wireless transceiver functions. Terminal equipment can be deployed on land, including indoor or outdoor, handheld or vehicle-mounted; it can also be deployed on water (such as on ships) or in the air (such as on airplanes, balloons and satellites).
- the terminal device may be a mobile phone, a tablet computer, a computer with a wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, or a wireless terminal in industrial control.
- the terminal device may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with a wireless communication function, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a future fifth generation (5G) network or in a future evolved public land mobile network (PLMN), etc.
- Terminal equipment may also sometimes be referred to as user equipment (UE), access terminal equipment, in-vehicle terminal equipment, industrial control terminal equipment, UE unit, UE station, mobile station, remote station, remote terminal equipment, mobile equipment, wireless communication equipment, UE proxy or UE device, etc.
- Terminal devices can also be stationary or mobile. This embodiment of the present application does not limit this.
- the access network is used to implement functions related to wireless access.
- the access network can provide network access functions for terminal equipment in a specific area, including radio access network (RAN) equipment and access network (AN) equipment.
- RAN devices are mainly wireless network devices defined in 3GPP networks
- AN devices are mainly access network devices not defined by 3GPP.
- RAN equipment can provide functions such as radio resource management, quality of service management, data encryption and compression for terminal equipment.
- the core network is mainly used to manage the terminal equipment and provide the function of communicating with the external network.
- Core network equipment may include one or more of the following network elements:
- Access and mobility management function (AMF) network element: mainly responsible for mobility management in the mobile network, such as user location update, user registration to the network, user handover, and so on.
- Session management function (SMF) network element: mainly used for session management, IP address allocation and management for terminal equipment, selection of user plane functions, termination point of the policy control or charging function interface, downlink data notification, etc.
- User plane function (UPF) network element: mainly responsible for forwarding and receiving user data.
- in downlink transmission, the UPF network element can receive user data from the data network (DN) and transmit it to the terminal equipment through the access network equipment; in uplink transmission, the UPF network element can receive user data from the terminal equipment through the access network equipment and forward the user data to the DN.
- the transmission resources and scheduling functions in the UPF network element that provide services for the terminal equipment may be managed and controlled by the SMF network element.
- Authentication server function (AUSF) network element.
- Network exposure function (NEF) network element: mainly used to support the exposure of capabilities and events, such as securely exposing services and capabilities provided by 3GPP network functions to the outside.
- Network repository function (NRF) network element: used to store the description information of network function (NF) entities and the services they provide, and to support service discovery, network element entity discovery, etc.
- Policy control function (PCF) network element.
- Unified data management (UDM) network element: used to generate authentication credentials, process user identities (such as storing and managing user permanent identities), control access authorization, manage subscription data, etc.
- Network slice specific authentication and authorization function (NSSAAF) network element.
- the above-mentioned core network may also include network elements such as NSSF, AF, and SCP, which will not be introduced one by one. It should be noted that, in different communication systems, the network elements in the above-mentioned core network may have different names.
- the fifth-generation mobile communication system is used as an example for description, which is not intended to limit the present application.
- a DN may be a network that provides data transmission services to users.
- the DN may be an IP multimedia service (IP multi-media service) network or an Internet network, or the like.
- Multiple application servers can be included in the DN.
- the terminal device may establish a protocol data unit (protocol data unit, PDU) session from the terminal device to the DN to access the DN.
- a data network may have one or more local data networks (local data network, Local DN), and these local data networks are data network access points (access points) close to the user's point of attachment (point of attachment).
- the EES and EAS in the architecture shown in FIG. 1 may be configured in one or more EDNs.
- the counterpart of the EDN is the remote DN or central DN.
- the application server deployed in the EDN is called EAS
- the server deployed in the remote DN or central DN is the remote server or central server.
- Each EAS can provide application services for users nearby, and the central server or remote server can provide application services for all users.
- the EDN network can be dynamically deployed according to demand, for example, when a large-scale event is held in Shanghai area A with a large flow of people, an EDN network can be deployed in this place for access by nearby personnel. After the subsequent large-scale event is over, the EDN network deployed in Region A can also be withdrawn.
- the EES and EAS in each EDN network can also be dynamically deployed. For example, when a new game is launched and a large number of young players of the game gather in region B, an EAS providing the game service can be instantiated in the EDN network of region B. It can be seen that in the MEC architecture, EES, EAS, and even ECS are dynamically deployed, and terminal devices cannot learn the authentication mechanisms supported by dynamically deployed EES, EAS, and ECS through pre-configuration.
- since the terminal device does not know the authentication mechanism supported by the server (such as EES, EAS or ECS), the terminal device directly sends a communication connection establishment request to the server, and the communication connection establishment request may not carry any authentication information. Since the communication connection establishment request does not carry any authentication information, the server will instruct the terminal device to send the communication connection establishment request using an authentication mechanism supported by the server. For example, the server sends a communication connection establishment response to the terminal device, and the communication connection establishment response may instruct the terminal device to use the authentication mechanism supported by the server to initiate a communication connection establishment request. The terminal device receives the communication connection establishment response and initiates the communication connection establishment request again according to the indication of the response; the difference is that this communication connection establishment request carries the authentication information corresponding to the authentication mechanism supported by the server. When the server receives the re-initiated communication connection establishment request, it establishes the communication connection between the two.
- an embodiment of the present application provides a method for establishing a secure communication, by which a terminal device can learn at least one authentication mechanism supported by a dynamically deployed EES, EAS, or ECS, and is applicable to the MEC architecture, so that the client and the server can communicate with each other.
- the method includes: the terminal device receives a first message from a first network element, the first message includes an identifier of the second network element and first indication information, and the first indication information is used to indicate the candidate authentication mechanism associated with the second network element; optionally, the identifier of the second network element and the first indication information may be transmitted to the terminal device through the same message, for example the first message, or through different messages; this is not limited.
- the identifier of the above-mentioned second network element may be a uniform resource identifier (uniform resource identifier, URI) of the second network element, a fully qualified domain name (fully qualified domain name, FQDN), or an internet protocol (Internet Protocol, IP) address, etc.
- the terminal device establishes a communication connection with the second network element according to the candidate authentication mechanism.
- the second network element may be EES, EAS or ECS, etc.
- the candidate authentication mechanism may be an authentication mechanism supported by the second network element, or an authentication mechanism used for establishing a communication connection between the second network element and the terminal device etc., without limitation.
- the process of establishing a communication connection between the terminal device and the second network element based on the candidate authentication mechanism may be: based on the candidate authentication mechanism, the terminal device sends a communication connection establishment request to the second network element, and the communication connection establishment request carries the authentication information corresponding to the above-mentioned candidate authentication mechanism (for example, the key identifier of K_AKMA described below).
- after the second network element receives the communication connection establishment request, it verifies the terminal device according to the authentication information. After the verification is passed, the key used for the secure communication between the terminal device and the second network element can be obtained, so that a secure communication connection is established between the terminal device and the second network element.
- the above authentication information may be a key identifier
- the second network element may send the key identifier to the 3GPP network element when receiving the communication connection establishment request.
- mutual authentication is performed between the 3GPP network element and the second network element, and the authentication is passed.
- the 3GPP network element obtains the key of the second network element according to the key identifier, and sends the key to the second network element.
- the second network element thus obtains the same key shared with the UE. Further authentication can then be performed between the second network element and the UE based on the shared key, and a communication connection can be established.
- the method in this embodiment of the present application may further include: the terminal device sends a second message to the first network element, where the first message is a response message to the second message.
- the first network element in this embodiment of the present application may be a network element that can provide identifiers of other network elements and candidate authentication mechanisms corresponding to the other network elements.
- the second network element is also not limited to ECS, EES, EAS, etc.
- the second network element may be a network element that enables the first network element to obtain its identity and corresponding candidate authentication mechanisms.
- the authentication mechanism involved in the implementation of this application may include at least one of the following: authentication and key management for applications (AKMA) service, generic bootstrapping architecture (GBA) service, certificate mechanism, EES Credentials or other mechanisms for authentication between the terminal device and the second network element.
- in the following, the case where the terminal device is a UE including an AC and an EEC, the first network element is an ECS, the second network element is an EES, the second message is a provisioning request message, and the first message is a provisioning response message is taken as an example for illustration.
- a flow of the communication method includes:
- Step 400: the ECS acquires at least one authentication mechanism supported by the EES.
- the ECS may also acquire priority information of one or more authentication mechanisms in at least one authentication mechanism supported by the EES.
- the ECS may acquire at least one authentication mechanism supported by the EES and its corresponding priority information in a pre-configured manner.
- the ECS can obtain at least one authentication mechanism supported by the EES and its corresponding priority information by interacting with the EES.
- for example, the EES may send at least one authentication mechanism it supports and the corresponding priority information to the ECS. This embodiment of the present application does not limit the specific manner in which the ECS obtains the information of the EES.
- Step 401: The EEC sends a provision request message to the ECS, where the provision request message includes the UE identifier and the application client configuration text information.
- the EEC may send a provision request message to the ECS according to the preconfigured ECS address or the discovered ECS address or the ECS address from the AC.
- the UE identifier is used to uniquely identify the UE in the public land mobile network (PLMN), and may be, for example, a generic public subscription identifier (GPSI); the embodiment of the present application does not limit the specific implementation form of the UE identifier.
- the application client configuration text information includes information for determining services and service characteristics required by the application client AC in the UE, and the like.
- the application client configuration text can include AC ID, application client type, whether business continuity must be supported, etc.
- the AC ID is used to identify a specific application on the terminal device, and the application client type can be a V2X type, etc.
- Step 402: The ECS receives the provision request message.
- the ECS checks whether the EEC is authorized to obtain the information of the edge server.
- the ECS stores the information of the legal EEC authorized by the ECS, and only the legal EEC authorized by the ECS can obtain the information of the edge server.
- the ECS can specifically determine whether the EEC that sends the provision request message is included in the list of legal EECs stored in the ECS; if so, the authorization check for the EEC passes, otherwise the authorization check for the EEC fails.
- Specifically how to determine whether the EEC is authorized to obtain the information of the edge server is not limited in this embodiment.
- Step 403: The ECS sends a provision response message to the EEC.
- the above-mentioned provision response message may include the identifier of the EES and first indication information, where the first indication information is used to indicate a candidate authentication mechanism associated with the EES.
- the authorization check of the above-mentioned EEC fails, the above-mentioned provision response message may carry second indication information, and the second indication information is used to indicate that the authorization check of the EEC fails, etc.
- the ECS can determine the corresponding EDN configuration information according to the application client configuration text information carried in the above-mentioned provision request message; the provision response message sent by the ECS to the EEC may carry the above EDN configuration information.
- the EDN configuration information includes EES information, EDN connection information, and the like.
- the EES information includes an EES identifier, and the EES identifier may be the EES's FQDN, URL, or IP address, etc., which is not limited.
- the EDN connection information is used to establish a PDU session between the UE and the EDN.
- the EDN connection information may include a data network name (DNN), an access point name (APN), and the like.
- the above-mentioned EDN configuration information may further include single network slice selection assistance information (single network slice selection assistance information, S-NSSAI), EDN service area, and the like.
- the EDN configuration information may further include first indication information for indicating candidate authentication mechanisms associated with the EES, and the like.
- the indication information of the authentication mechanism carried in a certain message/information can also be described as carrying the authentication mechanism in a certain message/information, the two are not distinguished and can be replaced with each other. Unless otherwise specified, in the following description, it is uniformly expressed as carrying an authentication mechanism in a certain message/information.
- Step 404: The EEC establishes a communication connection with the EES according to the candidate authentication mechanism.
- the authentication mechanism used for communication between the UE and the EES determined by the ECS is called the first authentication mechanism; the authentication mechanism supported by the UE can be called the second authentication mechanism; the authentication mechanism supported by the EES may be called the third authentication mechanism.
- since the UE includes the AC or the EEC, in the following description of the embodiments of this application, the authentication mechanism supported by the UE may sometimes be described as the authentication mechanism supported by the EEC or the AC.
- the establishment of a communication connection between the EEC or the AC and the second network element can also be described as establishing a communication connection between the UE and the second network element.
- the second network element includes, but is not limited to, ECS, EES, or EAS.
- the above candidate authentication mechanism is at least one third authentication mechanism supported by the EES.
- the above-mentioned provision response message carries at least one third authentication mechanism supported by the EES.
- the provision response message may further carry priority information of the at least one third authentication mechanism supported by the EES.
- the EEC determines a target authentication mechanism according to at least one third authentication mechanism supported by the EES and auxiliary information, where the auxiliary information includes at least one of the following: at least one second authentication mechanism supported by the UE, the network type used by the UE to access the EES, etc.
- the above auxiliary information may further include: priority information of at least one second authentication mechanism supported by the UE, and priority information of at least one third authentication mechanism supported by the EES.
- the EEC may determine the authentication mechanism supported by both the UE and the EES as the target authentication mechanism.
- for example, if the at least one authentication mechanism supported by the EES includes A, B, and C, and the at least one authentication mechanism supported by the UE includes C, D, and E, then the target authentication mechanism is C.
- the target authentication mechanism may be an authentication mechanism corresponding to the network type.
- for example, the authentication mechanisms supported by the EES include AKMA and GBA, where the AKMA mechanism is an authentication mechanism based on a 5G network and the GBA mechanism is an authentication mechanism based on a 4G network. If the current access network of the UE is a 5G network, the UE determines that the target authentication mechanism is AKMA; or, if the current access network of the UE is a 4G network, the UE determines that the target authentication mechanism is GBA.
- the EEC may also consider priority information of different authentication mechanisms, and preferentially select an authentication mechanism with a higher priority.
- for example, if the auxiliary information includes priority information of the at least one third authentication mechanism supported by the EES, the UE may preferentially select the authentication mechanism with the higher priority as the target authentication mechanism.
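The selection rules of Step 404 (intersection of EES- and UE-supported mechanisms, network-type filtering, priority) applied to sample inputs, as an added example and not code from the patent; the mechanism names and the lower-number-wins priority convention are assumptions of this example.

```python
"""Target authentication mechanism selection at the EEC (added example).

The provisioning response carries the third authentication mechanisms
supported by the EES (optionally with priorities); the EEC intersects them
with the second authentication mechanisms supported by the UE, filters by
the network type used to reach the EES, and prefers the higher priority.
Assumptions: a lower priority number means a higher priority; the network
binding table (AKMA on 5G, GBA on 4G) is the one the text states.
"""
from typing import Dict, Iterable, Optional, Union

# Mechanisms that only make sense on a given access network type (from the text).
# Anything not listed (for example a certificate mechanism) is usable on any network.
NETWORK_BOUND = {"AKMA": "5G", "GBA": "4G"}

Mechanisms = Union[Iterable[str], Dict[str, int]]


def as_priority_map(mechs: Mechanisms) -> Dict[str, int]:
    """Accept either {name: priority} or a plain list (list order = priority)."""
    if isinstance(mechs, dict):
        return dict(mechs)
    return {name: index for index, name in enumerate(mechs)}


def select_target_mechanism(ees_mechanisms: Mechanisms,
                            ue_mechanisms: Mechanisms,
                            network_type: Optional[str] = None) -> Optional[str]:
    """Return the target authentication mechanism, or None if none is usable.

    ees_mechanisms: third authentication mechanisms supported by the EES.
    ue_mechanisms:  second authentication mechanisms supported by the UE.
    network_type:   network the UE currently uses to access the EES ("4G"/"5G").
    """
    ees = as_priority_map(ees_mechanisms)
    ue = as_priority_map(ue_mechanisms)

    # Rule 1: only a mechanism supported by both sides is a candidate
    # (EES {A, B, C} and UE {C, D, E} leave only C).
    candidates = set(ees) & set(ue)

    # Rule 2: drop mechanisms bound to a different access network type
    # (AKMA is not selectable over 4G, GBA is not selectable over 5G).
    if network_type is not None:
        candidates = {m for m in candidates
                      if NETWORK_BOUND.get(m, network_type) == network_type}
    if not candidates:
        return None

    # Rule 3: prefer the higher priority. The EES-side priority from the
    # provisioning response is the primary key, the UE's own priority breaks
    # ties, and the name makes the choice deterministic.
    return min(candidates, key=lambda m: (ees[m], ue[m], m))


if __name__ == "__main__":
    print(select_target_mechanism(["A", "B", "C"], ["C", "D", "E"]))             # C
    print(select_target_mechanism({"AKMA": 0, "GBA": 1}, ["AKMA", "GBA"], "4G"))  # GBA
```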
- the EEC generates a first key and a first key identifier corresponding to the target authentication mechanism.
- the EEC may also request the bottom layer of the terminal device for information corresponding to the target authentication mechanism, and the bottom layer of the terminal device generates the first key and the identifier of the first key according to the information corresponding to the target authentication mechanism , the bottom layer of the terminal device sends the first key identifier and the like to the EEC; the EEC sends a communication connection establishment request to the EES, and the communication connection establishment request includes the first key identifier.
- the bottom layer of the terminal device can also generate a second key according to the first key and the identifier of the EES, and send the second key to the EEC; the EEC uses the second key to secure the communication connection establishment request, such as A first message authentication code (message authentication code, MAC) is generated according to the second key and all or part of the information in the communication connection establishment request; wherein the communication connection establishment request includes the first MAC.
- a first message authentication code messages authentication code, MAC
- the EES When the EES receives the communication connection establishment request, it can obtain the first key identifier in the communication connection establishment request; the EES obtains the second key according to the first key identifier, for example, the EES can send the first key identifier to the
- the 3GPP network element can obtain the first key corresponding to the first key identifier according to the corresponding relationship between the key identifier and the key, and according to the first key and the EES , generate a second key, and return the second key to the EES; EES generates a second MAC according to the second key; compares the generated second MAC with the first MAC carried in the above-mentioned communication connection establishment request.
- if the EES's verification of the UE passes, this means the EES may consider that the information received from the UE has not been tampered with by an attacker and that the UE is a legitimate UE verified by a 3GPP network element. Further, the UE and the EES can negotiate the security context used for subsequent communication according to the second key; the security context includes an encryption key and/or an integrity protection key, together with the corresponding encryption algorithm and integrity protection algorithm. In one example, the EES may send the first key identifier and the like to the 3GPP network element supporting the target authentication mechanism through the NEF. Further, in the process of the EES obtaining the second key, two-way authentication may be performed between the 3GPP network element and the EES, and only an EES that has passed the authentication can obtain the second key corresponding to the first key identifier.
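The key identifier and MAC exchange described in the items above, modelled end to end as an added example (this is not code from the patent or from any 3GPP implementation). The KDF construction (HMAC-SHA256 over a labelled EES identifier), the request layout, the in-memory "3GPP network element", and modelling the EES-to-network-element mutual authentication as a per-EES shared credential are all assumptions made for the example; the patent fixes only which inputs feed the second key and that only an authenticated EES may obtain it.

```python
"""
Added example (not part of the patent text): the key identifier / MAC
exchange between the terminal, the EES and the 3GPP network element.
Assumptions: the KDF construction, the request layout, the in-memory
network element, and a shared credential standing in for EES-to-network
mutual authentication.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def derive_second_key(first_key: bytes, ees_id: str) -> bytes:
    """K2 = KDF(K1, EES identifier). The text fixes only the inputs; the
    HMAC-SHA256 construction with a label is an assumption."""
    return hmac.new(first_key, b"EES-KEY|" + ees_id.encode(), hashlib.sha256).digest()


def derive_security_context(second_key: bytes) -> Dict[str, bytes]:
    """Encryption and integrity keys for the later session, both derived
    from K2 with distinct labels so they never coincide (assumed layout)."""
    return {
        "enc": hmac.new(second_key, b"enc", hashlib.sha256).digest(),
        "int": hmac.new(second_key, b"int", hashlib.sha256).digest(),
    }


def compute_mac(second_key: bytes, key_id: str, payload: bytes) -> bytes:
    """MAC over the fields of the connection establishment request."""
    return hmac.new(second_key, key_id.encode() + b"|" + payload, hashlib.sha256).digest()


class NetworkElement:
    """Stand-in for the 3GPP network element keeping key identifier -> first key."""

    def __init__(self, ees_credentials: Dict[str, bytes]):
        self._first_keys: Dict[str, bytes] = {}
        self._ees_credentials = ees_credentials  # constructed EES credentials

    def issue_first_key(self, ue_id: str) -> Tuple[str, bytes]:
        """Outcome of the target authentication mechanism on the terminal:
        a fresh first key plus its identifier (generated at random here)."""
        first_key = os.urandom(32)
        key_id = f"{ue_id}:{os.urandom(8).hex()}"
        self._first_keys[key_id] = first_key
        return key_id, first_key

    def get_second_key(self, key_id: str, ees_id: str, ees_credential: bytes) -> Optional[bytes]:
        """Only an EES that authenticates to the network element obtains K2;
        the first key itself never leaves the network element."""
        expected = self._ees_credentials.get(ees_id)
        if expected is None or not hmac.compare_digest(expected, ees_credential):
            return None
        first_key = self._first_keys.get(key_id)
        if first_key is None:
            return None
        return derive_second_key(first_key, ees_id)


def build_connection_request(first_key: bytes, key_id: str, ees_id: str, payload: bytes) -> dict:
    """Terminal side: the bottom layer derives K2 from K1 and the EES identifier,
    the EEC attaches the key identifier and the first MAC to the request."""
    second_key = derive_second_key(first_key, ees_id)
    return {"key_id": key_id, "payload": payload, "mac": compute_mac(second_key, key_id, payload)}


class EdgeEnablerServer:
    """EES side: fetch K2 via the key identifier, recompute the MAC, compare."""

    def __init__(self, ees_id: str, credential: bytes, network_element: NetworkElement):
        self.ees_id = ees_id
        self.credential = credential
        self.ne = network_element

    def verify_connection_request(self, request: dict) -> bool:
        second_key = self.ne.get_second_key(request["key_id"], self.ees_id, self.credential)
        if second_key is None:
            return False  # unknown key identifier, or this EES failed authentication
        expected = compute_mac(second_key, request["key_id"], request["payload"])
        # Constant-time comparison avoids leaking how many MAC bytes matched.
        return hmac.compare_digest(expected, request["mac"])


if __name__ == "__main__":
    ne = NetworkElement({"ees-1": b"constructed-ees-1-credential"})
    key_id, k1 = ne.issue_first_key("ue-1")
    request = build_connection_request(k1, key_id, "ees-1", b"connection establishment request")
    ees = EdgeEnablerServer("ees-1", b"constructed-ees-1-credential", ne)
    print("genuine request accepted:", ees.verify_connection_request(request))
    print("tampered request accepted:", ees.verify_connection_request(dict(request, payload=b"tampered")))
```

Two properties of the text are visible in the code: a tampered payload or a foreign key identifier fails the MAC check, and an EES that cannot authenticate to the network element never receives the second key, so it cannot verify anything.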
- the candidate authentication mechanism is at least one first authentication mechanism used when establishing a communication connection between the EEC and the EES.
- the implementation process of the method may be as follows: the above-mentioned provision request message may carry at least one second authentication mechanism supported by the UE.
- the provision request message may further carry at least one of the following items: priority information of at least one third authentication mechanism supported by the UE, network type used by the UE to access the EES, and the like.
- the ECS determines candidate authentication mechanisms according to at least one third authentication mechanism supported by the ECS and auxiliary information, where the auxiliary information at least includes at least one third authentication mechanism supported by the UE and the network type used by the UE to access the EES.
- the auxiliary information may further include at least one of the following: priority information of at least one second authentication mechanism supported by the UE, priority information of at least one third authentication mechanism supported by the EES, and the like.
- the above-mentioned offer response message may carry the above-mentioned candidate authentication mechanism.
- the EEC receives the offer response message from the ECS and obtains the candidate authentication mechanism from it; it can be understood that, if the above candidate authentication mechanism includes only one third authentication mechanism, the EEC can directly establish a communication connection with the EES using it, and that third authentication mechanism can be considered the target authentication mechanism; or, when the above candidate authentication mechanisms include multiple authentication mechanisms, the EEC can select one of them to establish the communication connection, and the selected authentication mechanism is the target authentication mechanism.
- for the process of establishing a communication connection between the EEC and the EES, reference may be made to the above description; details are not repeated here.
- the EEC determining the target authentication mechanism according to the candidate authentication mechanism is used as an example for description and is not intended to limit the present application.
- Other modules in the UE may also perform the process of determining the target authentication mechanism according to the candidate authentication mechanisms.
- priority information of at least one authentication mechanism supported by the UE and priority information of at least one authentication mechanism supported by the EES are mainly involved.
- the priority information can be given in the form of an explicit indication; for example, the multiple authentication mechanisms supported by the EES are authentication mechanism A, authentication mechanism B and authentication mechanism C.
- the priority information of the multiple authentication mechanisms supported by the EES may be priority information 0 for authentication mechanism A, priority information 1 for authentication mechanism B, and priority information 2 for authentication mechanism C, respectively.
- the smaller the value of the priority information, the higher the corresponding priority.
- the priority information may also be in the form of an implicit indication, and the priority information may also be referred to as a priority rule.
- the above three authentication mechanisms may be sorted according to priority rules.
- the subsequent UE may determine the priorities of the multiple authentication mechanisms supported by the EES according to the above priority sorting rules. For example, the UE and the EES may negotiate in advance, and the higher the priority, the higher the arrangement position. It is assumed that the order of the three authentication mechanisms supported by the EES is: authentication mechanism C, authentication mechanism A, and authentication mechanism B.
- the UE may determine the priorities of the three authentication mechanisms according to the receiving order of the above three authentication mechanisms, respectively: authentication mechanism C, authentication mechanism A, and authentication mechanism B, etc.
- the three authentication mechanisms supported by EES may include recommended authentication mechanisms.
- the priority information may be: authentication mechanism C (recommended), authentication mechanism A, and authentication mechanism B, indicating that authentication mechanism C has the highest priority, while authentication mechanism A and authentication mechanism B come second and have the same priority.
- the above examples of priority information are only for convenience of description; in practical applications, the above forms of priority information may be combined with each other to form various flexible priority rules.
- this application does not limit this. For example, only the authentication mechanisms with specified high (or low) priorities may be indicated explicitly, with the priorities of the other authentication mechanisms determined according to their ordering.
- the priority information in this application can reflect the priority difference of different authentication mechanisms in at least one authentication mechanism supported by the EES or the UE.
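The three forms of priority information described above (explicit values, implicit ordering, a "recommended" marker, plus the mixed form where only some priorities are given explicitly), together with the candidate determination that the ECS, EES or AMF performs from the server-supported set and the auxiliary information, as an added example that is not part of the patent. It generalises the A/B/C illustration to any mechanism list. The mechanism names, the network types "3gpp" and "non-3gpp", and the per-mechanism network restrictions are constructed for the example; the patent only says the network type is one input.

```python
"""
Added example (not part of the patent text): parsing priority information
and determining candidate / target authentication mechanisms.
Mechanism names, network types and network restrictions are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple, Union

# One entry of priority information: "A", "A (recommended)", or ("A", 0).
Entry = Union[str, Tuple[str, int]]
_RECOMMENDED = re.compile(r"^\s*(.+?)\s*\(recommended\)\s*$", re.IGNORECASE)


def _parse(entry: Entry) -> Tuple[str, Optional[int], bool]:
    """Return (mechanism, explicit priority or None, recommended flag)."""
    if isinstance(entry, tuple):
        name, prio = entry
        return name.strip(), int(prio), False
    m = _RECOMMENDED.match(entry)
    if m:
        return m.group(1), None, True
    return entry.strip(), None, False


def normalize_priority(entries: Iterable[Entry]) -> Dict[str, int]:
    """Map every mechanism to a rank; a smaller value means higher priority.

    Explicit values (the "priority information 0/1/2" form) are used as given.
    A "(recommended)" marker puts that mechanism first and leaves the others
    tied.  Entries without a value are ranked by position, after any
    explicitly ranked ones (the mixed form where only some priorities are
    indicated explicitly)."""
    parsed = [_parse(e) for e in entries]
    if any(rec for _, _, rec in parsed):
        return {name: (0 if rec else 1) for name, _, rec in parsed}
    explicit = {name: p for name, p, _ in parsed if p is not None}
    next_rank = max(explicit.values(), default=-1) + 1
    ranks = dict(explicit)
    for name, p, _ in parsed:
        if p is None:
            ranks[name] = next_rank
            next_rank += 1
    return ranks


def determine_candidates(
    server_supported: Iterable[Entry],
    ue_supported: Iterable[Entry],
    network_type: str,
    network_support: Optional[Dict[str, Set[str]]] = None,
) -> List[str]:
    """Server-side candidate determination: keep the mechanisms both sides
    support and that are usable over the UE's access network type, ordered by
    server priority, then UE priority, then the server's listing order."""
    server_entries = list(server_supported)
    server_rank = normalize_priority(server_entries)
    ue_rank = normalize_priority(ue_supported)
    listing_order = [_parse(e)[0] for e in server_entries]
    usable = []
    for mech in listing_order:
        if mech not in ue_rank:
            continue
        allowed = (network_support or {}).get(mech)  # None: usable on any network
        if allowed is not None and network_type not in allowed:
            continue
        usable.append(mech)
    return sorted(usable, key=lambda m: (server_rank[m], ue_rank[m], listing_order.index(m)))


def select_target(*args, **kwargs) -> Optional[str]:
    """Terminal-side choice: the best candidate, or None if nothing is usable."""
    candidates = determine_candidates(*args, **kwargs)
    return candidates[0] if candidates else None


if __name__ == "__main__":
    # Constructed: mechanism A is assumed to require 3GPP access.
    restrictions = {"A": {"3gpp"}}
    ees_priority = ["C (recommended)", "A", "B"]
    print(determine_candidates(ees_priority, ["B", "A"], "3gpp", restrictions))      # ['B', 'A']
    print(select_target(ees_priority, ["B", "A", "C"], "non-3gpp", restrictions))    # C
```

When the candidate list has exactly one element the terminal takes it directly, as the text says; when it has several, `select_target` applies the same ordering the server used so both sides agree on which mechanism wins.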
- the EEC can obtain the candidate authentication mechanism corresponding to the EES by interacting with the ECS, and a communication connection can be established between the EEC and the EES based on the candidate authentication mechanism, which reduces signaling overhead, reduces the delay in establishing communication, and improves communication experience.
- a flow of a communication method is provided, and the flow can be used for the interaction between ECS and EES to obtain at least one authentication mechanism supported by EES, including:
- Step 501 The EES sends an edge enabler server registration or update request (edge enabler server registration/update request) message to the ECS; the registration or update request message includes the EES identifier (such as a URI, FQDN, IP address, etc.), the EAS configuration, etc.
- the above registration or update request message further includes at least one authentication mechanism supported by the EES, or an EES provider identifier.
- the above registration or update request message may further include priority information of at least one authentication mechanism supported by the EES.
- the at least one authentication mechanism supported by the above-mentioned EES may be set by the user as required, or a preconfigured default value, etc., which are not limited.
- the at least one authentication mechanism supported by the EAS or the EC can also be set as required by the user, or a preconfigured default value, etc., which will not be described later.
- Step 502 After receiving the EES registration or update request message, the ECS verifies whether the EES is authorized. If authorized, the information in the above registration or update request message is stored.
- the ECS directly stores the at least one authentication mechanism supported by the EES.
- the ECS may also store priority information of the at least one authentication mechanism.
- the ECS may determine at least one authentication mechanism supported by the EES according to the EES provider identifier.
- the ECS stores at least one authentication mechanism corresponding to the EES provider, and optionally may also store priority information and the like of the at least one authentication mechanism corresponding to the EES provider.
- the ECS may determine at least one authentication mechanism supported by the EES according to the stored correspondence between the EES provider and the authentication mechanism, and optionally, may also determine priority information of the at least one authentication mechanism.
- Step 503 The ECS sends an edge-enabled service registration or update response message to the EES, where the response message includes indication information of registration/update success or failure.
- the response message may further include an expiration time, which is used to indicate the expiration time of the registration or update.
- the response message may further include a registration ID.
- the ECS can obtain at least one authentication mechanism supported by the EES and its corresponding priority information by interacting with the EEC.
- the following takes the case where the terminal device is the UE, the UE includes the AC and the EEC, the first edge server is the EES, the second edge server is the EAS, the second message is the edge enabler client registration request message, and the first message is the edge enabler client registration response message as an example for illustration.
- a flow of a communication method including:
- step 600 the EES acquires at least one authentication mechanism supported by the EAS.
- the EES may also acquire priority information of at least one authentication mechanism supported by the EAS.
- the EES may obtain at least one authentication mechanism supported by the EAS and its corresponding priority information in a pre-configured manner, or by interacting with the EAS. For example, after the EAS is successfully instantiated, it can send at least one authentication mechanism it supports and the corresponding priority information to the EES by means of active registration. This embodiment of the present application does not limit the manner in which the EES obtains the EAS information.
- Step 601 The EEC sends an edge-enabled client registration request message to the EES, where the request message includes the EEC ID and the application client configuration file.
- the EEC may send an edge-enabled client registration request message to the EES according to the EES information obtained from the ECS.
- the application client configuration file may include AC ID, EAS ID (used to identify the EAS requesting discovery), and edge server provider, etc.
- the EEC ID is used to uniquely identify an EEC.
- the EAS ID is used to identify a specific application.
- the above-mentioned edge-enabled client registration request message may also include at least one of the following: UE ID, context ID (context ID), EES ID (also called source EES ID) for assigning context IDs, and EAS ID (used to identify discovered EAS), etc.
- the context ID is used to identify the context of the last EEC registration, and so on.
- Step 602 The EES receives the edge client registration request message.
- the EES may perform an authorization check, that is, the EES checks whether the EEC is authorized to request the discovery of the EAS.
- the edge-enabled client registration response message in the following step 804 may carry the EAS ID of the authorization discovery and the first indication information indicating the candidate authentication mechanism associated with the EAS of the authorization discovery. Otherwise, the edge-enabled client registration response message in the following step 804 may carry the second indication information that the request fails, and the like.
- step 603 after the EEC authorization check is passed, if the edge-enabled client registration request message in the foregoing step 801 contains the context ID and the source EES ID, the EES obtains the registration context from the source EES. If the request message does not include the context ID and source EES ID, skip this step. EES obtains the registration context according to the normal process.
- the above step 603 is mainly designed for mobility scenarios. For example, if a user moves from Shanghai to Beijing, the EDN network in Shanghai originally provided services for the user, and the EDN network in Beijing needs to provide services for the user from then on; the EDN network in Beijing can obtain the relevant information from the EDN network in Shanghai.
- Step 604 The EES sends an edge-enabled client registration response message to the EEC.
- the edge-enabled client registration response message may include an EAS information list.
- the EES may determine the EAS information list indicated by the client configuration file according to the registration context.
- the EAS information list includes the EAS ID, etc.
- the EAS ID is used by the AC to send a request to the EAS.
- the EAS information list may further include the identifier of the EAS provider, the storage available for the EAS, and the like.
- the EAS information list may further include a candidate authentication mechanism corresponding to the EAS.
- the authentication mechanism used for the communication between the UE and the EAS, as determined by the EES, is called the first authentication mechanism; the authentication mechanism supported by the UE can be called the second authentication mechanism; the authentication mechanism supported by the EAS can be called the third authentication mechanism.
- the candidate authentication mechanism is at least one third authentication mechanism supported by the EAS.
- the edge-enabled client registration response message includes at least one third authentication mechanism supported by the EAS.
- the edge-enabled client registration response message may further include priority information of at least one third authentication mechanism supported by the EAS.
- the EEC receives the edge-enabled client registration response message, and obtains at least one third authentication mechanism supported by the EAS in the edge-enabled client registration response message.
- priority information of at least one third authentication mechanism supported by the EAS may also be acquired.
- the EEC determines a target authentication mechanism according to at least one authentication mechanism supported by the EAS and auxiliary information, where the auxiliary information at least includes at least one of the following: at least one second authentication mechanism supported by the UE, and the network type used by the UE to access the EAS.
- the auxiliary information may further include at least one of the following: priority information of at least one authentication mechanism supported by the UE, and priority information of at least one authentication mechanism supported by the EAS.
- the EEC may obtain the priority information of at least one authentication mechanism supported by the UE, or the network type used by the UE to access the EAS, from the non-access stratum (NAS) layer or other layers.
- the EEC sends an EAS information provision message to the AC, where the EAS information provision message includes the candidate authentication mechanism; the AC establishes a communication connection with the EAS according to the target authentication mechanism, and the target authentication mechanism is one of the at least one third authentication mechanism.
- the process of establishing the communication connection between the AC and the EAS is similar to the process of establishing the communication connection between the EEC and the EES, and can refer to each other.
- the candidate authentication mechanism is at least one third authentication mechanism supported by the EAS.
- the edge-enabled client registration response message includes at least one third authentication mechanism supported by the EAS.
- the edge-enabled client registration response message may further include priority information of at least one third authentication mechanism supported by the EAS.
- the EEC receives the edge-enabled client registration response message, and obtains at least one third authentication mechanism supported by the EAS in the edge-enabled client registration response message.
- priority information of at least one authentication mechanism supported by the EAS may also be acquired.
- the EEC sends the AC at least one third authentication mechanism supported by the EAS.
- the EEC may also send priority information of at least one authentication mechanism supported by the EAS to the AC.
- the AC determines the target authentication mechanism according to the at least one third authentication mechanism supported by the EAS and auxiliary information, where the auxiliary information includes at least one of the following: at least one second authentication mechanism supported by the UE, and the network type used by the UE to access the EAS.
- the auxiliary information may further include at least one of the following: priority information of at least one second authentication mechanism supported by the UE, and priority information of at least one third authentication mechanism supported by the EAS.
- the AC may acquire, from the NAS layer or other layers, priority information of at least one second authentication mechanism supported by the UE, and/or the network type used by the UE to access the EAS, and the like.
- the AC establishes a communication connection with the EAS according to the target authentication mechanism.
- the process of establishing the communication connection between the AC and the EAS is similar to the process of establishing the communication connection between the EEC and the EES, and can refer to each other.
- the candidate authentication mechanism is at least one first authentication mechanism used when establishing a communication connection between the AC and the EAS.
- the edge-enabled client registration request message includes capability information of the UE, and the capability information of the UE includes at least one second authentication mechanism supported by the UE.
- the capability information of the UE may further include: a network type used by the UE to access the EAS, and priority information of at least one authentication mechanism supported by the UE.
- the EES determines candidate authentication mechanisms according to at least one third authentication mechanism supported by the EAS and auxiliary information, where the auxiliary information includes at least one of the following: at least one second authentication mechanism supported by the UE, and at least one third authentication mechanism supported by the EAS.
- the auxiliary information may further include at least one of the following: priority information of at least one second authentication mechanism supported by the UE, and priority information of at least one third authentication mechanism supported by the EAS.
- the EES sends an edge client registration response message to the EEC, where the edge client registration response message includes the above-mentioned candidate authentication mechanism. If an authentication mechanism is included in the above candidate authentication mechanisms, the authentication mechanism is used as the target authentication mechanism. Alternatively, if the above-mentioned candidate authentication mechanisms include multiple authentication mechanisms, one authentication mechanism may be selected from the above-mentioned multiple authentication mechanisms as the target authentication mechanism or the like.
- the EEC may send an EAS information providing message to the AC, where the EAS information providing message includes the target authentication mechanism; the AC establishes a communication connection with the EAS according to the target authentication mechanism.
- the EEC may directly send the candidate authentication mechanism to the AC; the AC determines the target authentication mechanism according to the candidate authentication mechanism, which is not limited.
- the EEC or AC determines the target authentication mechanism according to the candidate authentication mechanism as an example for description, which is not a limitation of the embodiments of the present application.
- the above process of determining the target mechanism according to the candidate authentication mechanism may also be performed by other modules in the UE; the difference is that those other modules need to finally notify the AC of the target authentication mechanism.
- Step 605 The EEC sends an EAS information providing message to the AC, where the EAS information providing message includes the target authentication mechanism of the EAS corresponding to the AC, or includes the candidate authentication mechanism of the EAS corresponding to the AC.
- Step 606 When the AC initiates a request to the EAS, the AC establishes a communication connection with the EAS according to the candidate authentication mechanism or target authentication mechanism corresponding to the EAS received from the EEC.
- the UE can obtain the candidate authentication mechanism corresponding to the EAS by interacting with the EES.
- the negotiation process of authentication between the EEC and the EAS is no longer required, which reduces the signaling overhead, reduces the delay in establishing communication, and improves the communication experience.
- a flow of a communication method is provided, and the flow can be used for the interaction between EES and EAS to obtain at least one authentication mechanism supported by EAS, and the flow includes:
- step 701 The EAS determines that it needs to be registered with the EES.
- Step 702 The EAS sends an edge application server registration or update request (edge application server registration/update request) message to the EES.
- the registration or update request message includes at least one of the following: an EAS identifier and an EAS configuration.
- the registration or update request message may further include an EAS service area, an EAS type, and the like.
- the above registration or update request message includes at least one authentication mechanism supported by the EAS.
- the EAS provider ID is included in the above registration or update request message.
- the registration or update request message may further include priority information of at least one authentication mechanism supported by the EAS.
- Step 703 After receiving the registration or update request message of the EAS, the EES performs an authorization check on the EAS to verify whether the EAS is authorized. If authorized, the information in the above registration or update request message is stored.
- the EES directly stores the at least one authentication mechanism supported by the EAS.
- if the EAS provider ID is included in the above registration or update request message, the EES may determine at least one authentication mechanism corresponding to the above EAS provider ID according to the correspondence between the provider and the authentication mechanism, and the at least one authentication mechanism corresponding to the provider ID may be considered to be the at least one authentication mechanism supported by the EAS.
- Step 704 The EES sends an edge application service registration or update response message to the EAS, where the response message includes an indication of registration/update success or failure.
- the response message may further include an expiration time, where the expiration time is used to indicate the expiration time of the registration or update.
- the response message may also include a registration ID.
- the EES may also store priority information of at least one authentication mechanism supported by the EAS.
- the EES can acquire at least one authentication mechanism supported by the EAS and its corresponding priority information by interacting with the EAS.
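The registration or update handling described for the ECS (steps 501 to 503, registering an EES) and for the EES (steps 701 to 704, registering an EAS) has the same shape, so one added example covers both; this is not code from the patent or from any 3GPP implementation. The record layout, the registration lifetime, the authorization list and the provider-to-mechanism table are constructed assumptions; the text fixes only that the request is authorized first, that mechanisms are either listed directly or resolved from a provider identifier, and that the response carries success or failure, an expiration time and a registration ID.

```python
"""
Added example (not part of the patent text): an in-memory registry that
stands in for the ECS (registering EESs) or the EES (registering EASs).
Record layout, lifetime, authorization list and provider table are constructed.
"""
import secrets
from typing import Dict, List, Optional, Set, Tuple

# (mechanism list, priority info as mechanism -> value, smaller = higher priority)
Mechanisms = Tuple[List[str], Dict[str, int]]


class AuthMechanismRegistry:
    def __init__(self, authorized_servers: Set[str],
                 provider_mechanisms: Dict[str, Mechanisms], lifetime_s: int = 3600):
        self._authorized = set(authorized_servers)          # assumed authorization list
        self._provider_mechanisms = provider_mechanisms     # provider ID -> mechanisms
        self._lifetime_s = lifetime_s                       # assumed registration lifetime
        self._records: Dict[str, dict] = {}

    def handle_registration(self, request: dict, now: int) -> dict:
        """Authorization check first, then store what the request carries.

        The request either lists the supported mechanisms (optionally with
        priority information) or names only a provider ID, which is resolved
        through the stored provider -> mechanisms correspondence."""
        server_id = request.get("server_id")
        if server_id not in self._authorized:
            return {"result": "failure", "reason": "server not authorized"}
        mechanisms = request.get("auth_mechanisms")
        priority = request.get("priority")
        if mechanisms is None:
            entry = self._provider_mechanisms.get(request.get("provider_id"))
            if entry is None:
                return {"result": "failure", "reason": "no mechanisms and unknown provider"}
            mechanisms, priority = entry
        # An update keeps the existing registration ID; a new registration gets a fresh one.
        existing = self._records.get(server_id)
        registration_id = existing["registration_id"] if existing else secrets.token_hex(8)
        record = {
            "registration_id": registration_id,
            "auth_mechanisms": list(mechanisms),
            "priority": dict(priority or {}),
            "expiration_time": now + self._lifetime_s,
            "config": request.get("config"),
        }
        self._records[server_id] = record
        return {"result": "success", "registration_id": registration_id,
                "expiration_time": record["expiration_time"]}

    def lookup(self, server_id: str, now: int) -> Optional[Mechanisms]:
        """Mechanisms and priority info for a registered server, or None if
        it is unknown or its registration has expired."""
        record = self._records.get(server_id)
        if record is None or now > record["expiration_time"]:
            return None
        return record["auth_mechanisms"], record["priority"]


if __name__ == "__main__":
    registry = AuthMechanismRegistry(
        authorized_servers={"ees-1", "ees-2"},
        provider_mechanisms={"provider-x": (["A", "B"], {"A": 0, "B": 1})},
        lifetime_s=600,
    )
    print(registry.handle_registration(
        {"server_id": "ees-1", "auth_mechanisms": ["C", "A"], "priority": {"C": 0, "A": 1}}, now=1000))
    print(registry.handle_registration({"server_id": "ees-2", "provider_id": "provider-x"}, now=1000))
    print(registry.lookup("ees-2", now=1200))
```

The lookup is what the later provisioning flow consumes: an expired registration is treated as absent, so a server that stopped refreshing its registration drops out of the candidate determination instead of being offered to terminals with stale mechanism information.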
- the implementation of this application is introduced below by taking the terminal device as the UE, the first network element as the AMF, the second message as the registration request message of the terminal device, and the first message as the response message to the registration request of the terminal device as an example.
- a flow of a communication method is provided, which at least includes the following steps:
- step 800 for a UE subscribed to use edge services, the access and mobility management user subscription information in the UDM includes ECS information that the UE can use, and the ECS information includes at least one of the following: an ECS identifier and at least one authentication mechanism supported by the ECS.
- the ECS information may further include priority information of at least one authentication mechanism supported by the ECS.
- Step 801 The UE sends a registration request message to the AMF through the access network node, where the registration request message includes the UE identifier.
- the registration request message may also include at least one of the following: at least one authentication mechanism supported by the UE, indication information of whether the UE supports an edge-enabled client, and priority information of at least one authentication mechanism supported by the UE.
- the above-mentioned registration request message includes the UE identity and the UE capability.
- the UE's identity may be a subscription concealed identifier (SUCI), a 5G globally unique temporary identity (5G-GUTI), a mapped 5G-GUTI, etc.
- the UE capability includes at least one of the following: at least one authentication mechanism supported by the UE, indication information of whether the UE supports an edge-enabled client, and priority information of the at least one authentication mechanism supported by the UE.
- Step 802 After receiving the registration request message of the UE, when the AMF needs to acquire the subscription information, the AMF can send a subscription data management get (Nudm_SDM_Get) request message to the UDM, and the request message contains the identifier of the UE.
- the request message may further include capability information of the UE.
- the identifier of the UE is determined according to the identifier of the UE in step 801, and may be a subscription permanent identifier (SUPI).
- Step 803 The UDM obtains the subscription information of the UE according to the identifier of the UE included in the Nudm_SDM_Get request message and sends a Nudm_SDM_Get response message to the AMF; the response message includes ECS information, and the ECS information includes at least one of the following: an ECS identifier and candidate authentication information associated with the ECS. How the UDM obtains the candidate authentication information corresponding to the ECS will be described in detail in the following embodiments.
- Step 804 The AMF receives the Nudm_SDM_Get response message sent by the UDM, obtains the ECS information in the response message, and sends the ECS information to the UE.
- the AMF may send the ECS information to the UE through a registration response message, as shown in step 804a; alternatively, the AMF may send the ECS information to the UE through a UE configuration update (UCU) procedure, which is an independent configuration procedure, see step 804b.
- Step 805 The NAS layer of the UE sends the received ECS information to the corresponding EEC.
- the NAS layer can directly send the received ECS information to the EEC, or indirectly send the ECS information to the EEC through the upper layer.
- Step 806 The EEC establishes a communication connection with the ECS according to the candidate authentication mechanism included in the ECS information.
- the authentication mechanism used in the communication between the UE and the ECS, as determined by the AMF, is called the first authentication mechanism; the authentication mechanism supported by the UE can be called the second authentication mechanism.
- the candidate authentication mechanism is at least one third authentication mechanism supported by the ECS.
- the Nudm_SDM_Get response message includes at least one third authentication mechanism supported by the ECS.
- the Nudm_SDM_Get response message may further include priority information of at least one third authentication mechanism supported by the ECS.
- the AMF obtains at least one third authentication mechanism supported by the ECS.
- the AMF may also acquire priority information of at least one third authentication mechanism supported by the ECS.
- the AMF sends a registration response message or a UCU process to the UE, where the registration response message or the UCU process carries at least one third authentication mechanism supported by the ECS.
- the response message or the UCU process may further include priority information in at least one third authentication mechanism supported by the ECS.
- the UE determines a target authentication mechanism according to at least one third authentication mechanism supported by the ECS and auxiliary information, where the auxiliary information at least includes: at least one second authentication mechanism supported by the UE and a network type used by the UE to access the ECS.
- the auxiliary information may further include at least one of the following items: priority information of at least one authentication mechanism supported by the UE, and priority information of at least one authentication mechanism supported by the ECS.
- the UE establishes a communication connection with the ECS according to the target authentication mechanism.
- the process of establishing a communication connection between the UE and the ECS is similar to the process of establishing a communication process between the EEC and the EES, and can refer to each other.
- the foregoing establishment of a communication connection between the UE and the ECS may also be described as establishing a communication connection between the EEC and the ECS.
- the NAS layer in the UE can perform the above process of "determining the target authentication mechanism according to at least one authentication mechanism supported by the ECS and auxiliary information", after which the NAS layer sends the target authentication mechanism to the EEC, and the EEC establishes a communication connection with the ECS according to the target authentication mechanism.
- the candidate authentication mechanism is at least one first authentication mechanism used when the EEC communicates with the ECS.
- the above registration request message may carry the capability information of the UE, and the capability information of the UE includes at least one second authentication mechanism supported by the UE, the network type used by the UE to access the ECS, and the priority information of the at least one second authentication mechanism supported by the UE.
- the AMF receives the registration request message and obtains the capabilities of the UE. When the AMF needs to obtain the subscription information, it sends a Nudm_SDM_Get request message to the UDM.
- the AMF receives a Nudm_SDM_Get response message from the UDM, where the Nudm_SDM_Get response message includes at least one third authentication mechanism supported by the ECS.
- the response message may further include priority information of at least one third authentication mechanism supported by the ECS.
- the AMF determines a candidate authentication mechanism according to at least one third authentication mechanism supported by the ECS and auxiliary information.
- the auxiliary information includes at least one of the following: at least one second authentication mechanism supported by the UE, and a network type used by the UE to access the ECS.
- the above auxiliary information may further include: priority information of at least one second authentication mechanism supported and used by the UE, and priority information of at least one authentication mechanism supported and used by the ECS.
- the AMF sends the candidate authentication mechanism to the UE, either in a registration response message or by means of a UE configuration update (UCU) procedure.
- the UE obtains the candidate authentication mechanism from the registration response message or the UCU procedure, and determines the target authentication mechanism according to the candidate authentication mechanism.
- the candidate authentication mechanisms may include multiple first authentication mechanisms, and the UE may select one authentication mechanism as the target authentication mechanism.
- the NAS layer of the UE may send the target authentication mechanism to the EEC, and the EEC establishes a communication connection with the ECS according to the target authentication mechanism.
- the UE may directly send the candidate authentication mechanism to the EEC, and the EEC determines the target authentication mechanism according to the candidate authentication mechanism.
- the candidate authentication mechanism is at least one fourth authentication mechanism used when the EEC communicates with the ECS.
- the above registration request message may carry the capability information of the UE, and the capability information of the UE includes at least one second authentication mechanism supported by the UE, the network type used by the UE to access the ECS, and the priority information of the at least one second authentication mechanism supported by the UE.
- the AMF receives the registration request message and obtains the capabilities of the UE. When the AMF needs to acquire subscription information, it sends a Nudm_SDM_Get request message to the UDM, and this Nudm_SDM_Get request message carries the capability information of the UE.
- the UDM determines candidate authentication mechanisms according to at least one authentication mechanism supported by the ECS and auxiliary information, where the auxiliary information at least includes at least one second authentication mechanism supported by the UE and the network type used by the UE to access the ECS.
- the auxiliary information may further include at least one of the following: priority information of at least one authentication mechanism supported by the UE, priority information of at least one authentication mechanism supported by the ECS, and the like.
- the UDM sends a Nudm_SDM_Get response message to the AMF, and the response message includes the candidate authentication mechanism. The AMF then sends the candidate authentication mechanism to the UE through the registration response message or the UCU procedure. The process is similar to the above solution and is not repeated here.
- the UE interacts with the AMF to obtain the candidate authentication mechanism corresponding to the ECS.
- the AMF performs the authentication negotiation process between the UE and the ECS, which reduces signaling overhead, reduces the delay in establishing communication, and improves communication experience.
- the solution in the embodiment of the present application is introduced by taking the terminal device as the UE, the first network element as the SMF, the second message as the PDU session request message, and the first message as the PDU session response message as an example.
- a flow of a communication method which at least includes the following steps:
- step 900 for a UE supporting the use of edge services, the session management subscription information held by the UDM includes the ECS information that the UE can use, and the ECS information includes at least one of the following: an ECS identifier and at least one authentication mechanism supported by the ECS, etc.
- the ECS information may further include: priority information of at least one authentication mechanism supported by the ECS.
- Step 901 When the UE determines to establish a PDU session, the UE sends a PDU session request message to the SMF through the radio access network node and the AMF node, and the message includes the PDU session ID.
- the message may further include at least one of the following: indication information of whether the UE supports edge-enabled clients, at least one authentication mechanism supported by the UE, and priority information of the at least one authentication mechanism supported by the UE.
- the above-mentioned PDU session request message may include the capabilities of the UE.
- the capabilities of the UE include at least one of the following: at least one authentication mechanism supported by the UE, indication information of whether the UE supports edge-enabled clients, and priority information of the at least one authentication mechanism supported by the UE.
- the capability of the above UE may be sent separately, that is, the UE sends the PDU session request message and the capability of the UE to the SMF through the radio access network node and the AMF node.
- Step 902 After the SMF receives the PDU session request message sent by the UE, when it needs to obtain the subscription information of the UE, the SMF sends a Nudm_SDM_Get request message to the UDM, where the request message includes the identifier of the UE.
- the identifier of the UE may be SUPI.
- Step 903 The UDM obtains the subscription information of the UE according to the identifier of the UE contained in the above request message, and sends a Nudm_SDM_Get response message to the SMF, where the response message includes the ECS information.
- the ECS information includes at least one of the following: an ECS identifier and a candidate authentication mechanism corresponding to the ECS.
- Step 904 The SMF receives the Nudm_SDM_Get response message sent by the UDM, and sends a PDU session response message to the UE, where the PDU session response message includes ECS information.
- the above-mentioned ECS information may be included in a protocol configuration option (PCO) of the PDU session response message.
- Step 905 The NAS layer of the UE sends the received ECS information to the corresponding EEC.
- the NAS layer may directly send the received ECS information to the EEC, or indirectly send the ECS information to the EEC through the upper layer.
- Step 906 The EEC establishes a communication connection with the ECS according to the candidate authentication mechanism included in the received ECS information.
- the authentication mechanism used for communication between the UE and the ECS as determined by the SMF is called the first authentication mechanism; an authentication mechanism supported by the UE is called the second authentication mechanism.
- the candidate authentication mechanism is at least one third authentication mechanism supported by the ECS.
- the ECS information in the Nudm_SDM_Get response message includes at least one third authentication mechanism supported by the ECS.
- the message further includes priority information of at least one third authentication mechanism supported by the ECS.
- the SMF receives the Nudm_SDM_Get response message, and obtains at least one third authentication mechanism supported by the ECS contained in the Nudm_SDM_Get response message.
- the SMF may also acquire priority information in at least one third authentication mechanism supported by the ECS contained in the response message.
- the SMF sends a PDU session response message to the UE, where the PDU session response message includes at least one third authentication mechanism supported by the ECS.
- the PDU session response message may further include priority information of at least one third authentication mechanism supported by the ECS.
- the UE determines a target authentication mechanism according to at least one third authentication mechanism supported by the ECS and auxiliary information, where the auxiliary information at least includes at least one second authentication mechanism supported by the UE and the network type used by the UE to access the ECS.
- the auxiliary information may further include: priority information of at least one authentication mechanism supported by the UE, priority information of at least one authentication mechanism supported by the ECS, and the like.
- the NAS layer of the UE sends the target authentication mechanism to the EEC, and the EEC establishes a communication connection with the ECS according to the target authentication mechanism.
- the process of establishing a communication connection between the EEC and the ECS is similar to the process of establishing a communication connection between the EEC and the EES, and the two can refer to each other.
- the NAS layer in the UE can specifically perform the above-mentioned process of "determining the target authentication mechanism according to at least one third authentication mechanism supported by the ECS and auxiliary information"; the NAS layer then sends the target authentication mechanism to the EEC, and the EEC establishes a communication connection with the ECS according to the target authentication mechanism.
- the candidate authentication mechanism is at least one fourth authentication mechanism used when the UE communicates with the ECS.
- the above-mentioned PDU session request carries the capability information of the UE, and the capability information of the UE includes at least one of the following: at least one second authentication mechanism supported by the UE, the network type used by the UE to access the ECS, and priority information of the at least one second authentication mechanism supported by the UE.
- the SMF needs to acquire the subscription information of the UE, the SMF sends a Nudm_SDM_Get request message to the UDM, where the request message includes the UE identifier.
- the above Nudm_SDM_Get request message includes the capabilities of the UE, and the UDM determines a candidate authentication mechanism according to at least one third authentication mechanism supported by the ECS and auxiliary information.
- the auxiliary information may include at least one of the following: at least one second authentication mechanism supported by the UE and the network type used by the UE to access the ECS.
- the auxiliary information may further include at least one of the following items: priority information of at least one authentication mechanism supported by the UE, and priority information of at least one authentication mechanism supported by the ECS.
- the UDM sends a Nudm_SDM_Get response message to the SMF, and the response message includes a candidate authentication mechanism.
- the SMF sends a PDU session response message to the UE, and the PDU session response message includes the candidate authentication mechanism; the UE obtains the candidate authentication mechanism from the PDU session response message, and the NAS layer of the UE sends the candidate authentication mechanism to the EEC; the EEC establishes a communication connection with the ECS according to the candidate authentication mechanism.
- the candidate authentication mechanism is at least one fourth authentication mechanism used when the UE communicates with the ECS.
- the above-mentioned PDU session request carries the capability information of the UE.
- the SMF needs to acquire the subscription information of the UE, the SMF sends a Nudm_SDM_Get request message to the UDM, where the request message includes the UE identifier.
- the above Nudm_SDM_Get response message includes at least one third authentication mechanism supported by the ECS.
- the SMF determines a candidate authentication mechanism according to at least one third authentication mechanism supported by the ECS and auxiliary information.
- the SMF sends a PDU Session Response message to the UE, and the PDU Session Response message includes a candidate authentication mechanism.
- the NAS layer of the UE sends the candidate authentication mechanism to the EEC.
- the EEC establishes a communication connection with the ECS according to the candidate authentication mechanism.
- the UE interacts with the SMF to obtain the candidate authentication mechanism corresponding to the ECS, and the authentication negotiation process between the UE and the ECS is no longer required, which reduces signaling overhead, reduces the delay in establishing communication, and improves communication experience.
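The negotiation described in the AMF-based and SMF-based embodiments above reduces to one selection rule: the candidate list is the ECS-supported mechanisms that the UE also supports and that are usable over the UE's access network, ordered by the priority information, and the UE takes one of them as the target. The following Python is an added example written for this page, not code from the patent; the mapping of AKMA, GBA and certificate mechanisms to network types is an assumption made here, as is the precedence of ECS priority over UE priority.

```python
"""Added example (not from the patent): deriving the candidate authentication
mechanisms for an ECS from the ECS-supported list plus the auxiliary
information (UE-supported list, access network type, priorities), and the UE's
final pick. Mechanism names follow the description (AKMA, GBA, certificate);
the mapping of mechanisms to network types is an assumption made here."""
from typing import Dict, List, Optional, Sequence, Set

# Assumption, not from the patent: AKMA and GBA bootstrap from the operator
# credential and are treated as usable only over 3GPP access; certificates
# are usable over any access type.
MECHANISM_NETWORK_TYPES: Dict[str, Set[str]] = {
    "AKMA": {"3GPP"},
    "GBA": {"3GPP"},
    "CERT": {"3GPP", "non-3GPP"},
}


def _position(order: Optional[Sequence[str]], mech: str) -> int:
    """Rank of mech in a most-preferred-first list; unlisted items sort last,
    and an absent list imposes no ordering at all."""
    if not order:
        return 0
    return order.index(mech) if mech in order else len(order)


def determine_candidates(ecs_supported: Sequence[str],
                         ue_supported: Sequence[str],
                         network_type: str,
                         ue_priority: Optional[Sequence[str]] = None,
                         ecs_priority: Optional[Sequence[str]] = None) -> List[str]:
    """Network-side step (AMF, SMF or UDM in the description): keep only the
    ECS mechanisms the UE also supports and that are usable over the UE's
    access network, then order them: ECS preference first, UE preference as
    tie-break, then the ECS's own list order. An empty list means there is no
    common mechanism and connection establishment should not be attempted."""
    usable = [m for m in ecs_supported
              if m in ue_supported
              and network_type in MECHANISM_NETWORK_TYPES.get(m, set())]
    return sorted(usable, key=lambda m: (_position(ecs_priority, m),
                                         _position(ue_priority, m),
                                         ecs_supported.index(m)))


def select_target(candidates: Sequence[str]) -> Optional[str]:
    """UE-side step: the NAS layer (or the EEC) takes one mechanism from the
    candidate list as the target; None when nothing was negotiable."""
    return candidates[0] if candidates else None


if __name__ == "__main__":
    ecs = ["GBA", "AKMA", "CERT"]          # constructed ECS subscription data
    ue = ["AKMA", "CERT"]                  # constructed UE capability
    print(determine_candidates(ecs, ue, "3GPP", ecs_priority=["AKMA", "GBA", "CERT"]))
    print(select_target(determine_candidates(ecs, ue, "non-3GPP")))
```

The same `determine_candidates` serves both variants in the text: when the network element (AMF, SMF or UDM) does the filtering it sends the resulting list as the candidate mechanisms, and when only the ECS-supported list is forwarded the UE runs the filtering itself with its own capability and access type as the auxiliary information. An empty result is the failure case a practitioner must handle explicitly; it should not fall through to an unauthenticated connection.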
- the process of establishing a communication connection using the AKMA authentication mechanism is introduced below. As shown in FIG. 10, the process at least includes:
- Step 1000a The UE registers with the operator's network and performs the primary authentication procedure.
- after primary authentication, the UE and the AUSF each hold the authentication key K_AUSF. If the UE can use the AKMA authentication mechanism (for example, the AUSF can determine that the UE can use AKMA according to the AKMA indication received from the UDM), the AUSF generates the AKMA key K_AKMA and the identifier A-KID corresponding to that key.
- Step 1000b After generating the AKMA key, the AUSF sends an AKMA authentication key registration request to the AAnF, where the request includes the UE's permanent identifier SUPI, the A-KID and K_AKMA.
- Step 1001 At any moment after the UE has accessed the network, when the UE needs to obtain an edge service, the UE sends a first message to the first network element.
- Step 1002 The first network element sends a second message to the UE according to the first message, where the second message includes the identifier of the second network element and an AKMA capability.
- the AKMA capability indicates that the second network element supports the AKMA authentication mechanism.
- Step 1003 When the UE determines to communicate with the second network element, if the UE supports AKMA and the second network element also supports AKMA (optionally, whether the second network element supports AKMA is determined from the indication received in step 1002), the UE derives the AKMA key and the A-KID as defined in TS 33.535, and further derives the K_AF corresponding to the second network element from the AKMA key.
- the derivation follows the K_AF derivation method of TS 33.535. Note that the subscript AF of K_AF stands for the second network element: if the second network element is an EES, K_AF is K_EES, and so on.
- the derivation of the AKMA key and the A-KID can be performed at any time after the primary authentication procedure and before the UE decides to use AKMA with the second network element.
- Another possible implementation is that the UE has already derived the AKMA key and the A-KID before determining to communicate with the second network element. In that case, upon learning that the second network element supports the AKMA authentication mechanism, the UE retrieves the locally stored A-KID and includes it in step 1004, and generates the K_AF corresponding to the second network element from the locally stored AKMA key.
- Step 1004 The UE uses K_AF and all or part of the content of the communication connection establishment request to generate a MAC-I, and sends the communication connection establishment request, carrying the A-KID and the MAC-I, to the second network element.
- Step 1005 After the second network element receives the communication connection establishment request, it discovers an AKMA anchor function (AAnF) or a NEF.
- Step 1006 The second network element obtains the K_AF corresponding to the UE.
- the second network element sends an AKMA authentication key acquisition request to the AAnF, and the AAnF returns an AKMA authentication key acquisition response to the second network element, where the response includes the K_AF key, etc.
- Step 1007 If the UE is authorized to perform the operation, the second network element verifies the MAC-I using K_AF, and then sends a response message to the communication connection establishment request to the UE.
- the above method further includes: the second network element receives the communication connection establishment request and obtains the A-KID and the MAC-I from it; the second network element sends the A-KID to the AAnF, and if K_AF can be obtained and the MAC-I verifies under it (step 1007), the second network element determines that the UE is legitimate, that is, the second network element completes the authentication of the UE.
- the above method further includes: the response message to the communication connection establishment request returned by the second network element to the UE may also include a second MAC; the second MAC is generated using K_AF or a key derived from K_AF.
- the UE receives the response message, obtains the second MAC and verifies it. After successful verification the UE confirms that the second network element is legitimate, that is, the UE completes the authentication of the second network element.
- the second MAC is generated using K_AF, or a key derived from K_AF, over some or all of the information in the response message.
- in the first embodiment, the first network element may be an ECS and the second network element an EES; in the second embodiment, the first network element may be an EES and the second network element an EAS; in the third embodiment, the first network element is an AMF and the second network element an ECS; in the fourth embodiment, the first network element may be an SMF and the second network element an ECS.
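Steps 1000 to 1007 above describe a complete key-derivation and mutual-authentication exchange. The following Python simulates it offline for one UE and one second network element (an EES) with a local AAnF. It is an added example written for this page, not the patent's or 3GPP's code. The KDF shape follows TS 33.220 Annex B and the FC values are those of TS 33.535 Annex A as recalled here; verify them against the specification before reuse. The A-KID format is simplified (A-TID alone as username), the response-key label `FC_RESPONSE` is hypothetical, and SUPI, realm, AF_ID and K_AUSF are constructed test data.

```python
"""Added example (not from the patent): the AKMA-based connection
establishment of steps 1000-1007, simulated offline with hmac/hashlib.
FC values and the A-KID layout are assumptions to be checked against
TS 33.535; all identities and keys below are constructed test data."""
import hashlib
import hmac

FC_K_AKMA, FC_A_TID, FC_K_AF = 0x80, 0x81, 0x82   # assumption: TS 33.535 Annex A
FC_RESPONSE = 0xFF                                 # hypothetical label for the response key


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
    each Li the 2-octet big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_akma(k_ausf: bytes, supi: str, realm: str):
    """K_AKMA and A-KID from K_AUSF (done by the UE and the AUSF, step 1000a).
    Simplification: the A-KID username is the A-TID alone, without routing indicator."""
    k_akma = kdf(k_ausf, FC_K_AKMA, b"AKMA", supi.encode())
    a_tid = kdf(k_ausf, FC_A_TID, b"A-TID", supi.encode())
    return k_akma, a_tid.hex() + "@" + realm


def derive_k_af(k_akma: bytes, af_id: bytes) -> bytes:
    """K_AF for one application function (here the second network element, e.g. an EES)."""
    return kdf(k_akma, FC_K_AF, af_id)


def mac(key: bytes, *fields: bytes) -> bytes:
    return hmac.new(key, b"\x00".join(fields), hashlib.sha256).digest()


class AAnF:
    """AKMA anchor: holds (SUPI, K_AKMA) per A-KID as registered by the AUSF (step 1000b)."""
    def __init__(self):
        self._keys = {}

    def register(self, supi: str, a_kid: str, k_akma: bytes):
        self._keys[a_kid] = (supi, k_akma)

    def get_k_af(self, a_kid: str, af_id: bytes):
        """Step 1006: K_AF for this AF, or None when the A-KID is unknown."""
        entry = self._keys.get(a_kid)
        return None if entry is None else derive_k_af(entry[1], af_id)


class SecondNetworkElement:
    """The EES/EAS/ECS side (steps 1005-1007)."""
    def __init__(self, af_id: bytes, aanf: AAnF):
        self.af_id, self.aanf = af_id, aanf

    def handle_request(self, req: dict):
        k_af = self.aanf.get_k_af(req["a_kid"], self.af_id)
        if k_af is None:
            return None                                   # unknown A-KID: reject
        expected = mac(k_af, req["a_kid"].encode(), req["payload"])
        if not hmac.compare_digest(expected, req["mac_i"]):
            return None                                   # MAC-I failed: UE not authenticated
        payload = b"connection accepted"
        # second MAC with a key derived from K_AF (the description allows K_AF or a derived key)
        return {"payload": payload, "mac": mac(kdf(k_af, FC_RESPONSE, b"response"), payload)}


class UE:
    def __init__(self, supi: str, k_ausf: bytes, realm: str):
        self.k_akma, self.a_kid = derive_akma(k_ausf, supi, realm)   # step 1003
        self.k_af = b""

    def build_request(self, af_id: bytes, payload: bytes, tamper: bool = False) -> dict:
        """Step 1004: request carrying the A-KID and a MAC-I over the request content."""
        self.k_af = derive_k_af(self.k_akma, af_id)
        mac_i = mac(self.k_af, self.a_kid.encode(), payload)
        if tamper:                                        # simulate a forged or corrupted MAC-I
            mac_i = bytes([mac_i[0] ^ 0x01]) + mac_i[1:]
        return {"a_kid": self.a_kid, "payload": payload, "mac_i": mac_i}

    def verify_response(self, resp: dict) -> bool:
        """The UE authenticates the second network element through the second MAC."""
        k_resp = kdf(self.k_af, FC_RESPONSE, b"response")
        return hmac.compare_digest(mac(k_resp, resp["payload"]), resp["mac"])


def run_flow(tamper_mac: bool = False, registered: bool = True):
    """Returns (UE authenticated by the network element, network element authenticated by UE)."""
    k_ausf = hashlib.sha256(b"constructed K_AUSF from primary authentication").digest()
    supi, realm = "imsi-001010123456789", "akma.example"
    af_id = b"ees.example" + b"\x01\x00\x00\x00\x01"    # FQDN || Ua* protocol id (constructed)
    aanf, ue = AAnF(), UE(supi, k_ausf, realm)
    if registered:                                        # AUSF -> AAnF registration (step 1000b)
        k_akma, a_kid = derive_akma(k_ausf, supi, realm)
        aanf.register(supi, a_kid, k_akma)
    resp = SecondNetworkElement(af_id, aanf).handle_request(
        ue.build_request(af_id, b"establish edge session", tamper_mac))
    if resp is None:
        return False, False
    return True, ue.verify_response(resp)
```

Two points the simulation makes explicit that the step list leaves implicit: the second network element never sees K_AKMA, only the per-AF K_AF the AAnF derives for its own AF_ID, so a compromised EES cannot impersonate the UE towards another EES; and the UE's trust in the second network element rests entirely on the second MAC, so a deployment that omits it has only one-way authentication.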
- the embodiments of the present application further provide an apparatus for executing the method executed by the terminal device in the foregoing method embodiments.
- the apparatus may include a communication unit 1101 and a processing unit 1102:
- the communication unit 1101 is configured to receive a first message from a first network element, where the first message includes an identifier of the second network element and first indication information, where the first indication information is used to indicate that the second network element is associated with A candidate authentication mechanism; the processing unit 1102 is configured to establish a communication connection with the second network element based on the candidate authentication mechanism.
- the communication unit 1101 is further configured to send a second message to the first network element, where the first message is a response message of the second message.
- the candidate authentication mechanism is at least one first authentication mechanism used when establishing a communication connection between the terminal device and the second network element.
- the second message includes a network type used by the terminal device to access the second network element; wherein the at least one first authentication mechanism is an authentication mechanism corresponding to the network type.
- the second message includes at least one second authentication mechanism supported by the terminal device; wherein, the at least one first authentication mechanism is included in the at least one second authentication mechanism.
- the second message further includes priority information in at least one second authentication mechanism; the at least one second authentication mechanism is used for the selection of the at least one first authentication mechanism.
- establishing a communication connection with the second network element based on the candidate authentication mechanism includes:
- the terminal device generates a first key and a first key identifier corresponding to a target authentication mechanism, where the target authentication mechanism is one of the at least one first authentication mechanism; and sends a communication connection establishment request to the second network element, the communication connection establishment request including the first key identifier.
- the candidate authentication mechanism is at least one third authentication mechanism supported by the second network element.
- the establishing a communication connection with the second network element based on the candidate authentication mechanism includes: determining a target authentication mechanism based on the at least one third authentication mechanism and auxiliary information, the auxiliary information including at least one of the following: at least one second authentication mechanism supported by the terminal device, and the network type used by the terminal device to access the second network element; generating a first authentication mechanism corresponding to the target authentication mechanism a key and a first key identifier; sending a communication connection establishment request to the second network element, where the communication connection establishment request includes the first key identifier.
- the auxiliary information further includes at least one of the following items: priority information in the at least one second authentication mechanism, and priority information in the at least one third authentication mechanism.
- the first message further includes priority information in the at least one third authentication mechanism.
- processing unit 1102 is further configured to: generate a second key according to the first key and the identifier of the second network element.
- the processing unit 1102 is further configured to: use the second key to perform security protection on the communication connection establishment request to generate a first message authentication code (MAC); wherein the communication connection establishment request further includes the first MAC.
- the first network element is an edge configuration server ECS and the second network element is an edge enabling server EES, or the first network element is an EES and the second network element is an edge application server EAS.
- the first network element is an access and mobility management function AMF or a session management function SMF, and the second network element is an edge configuration server ECS.
- the first message is a non-access stratum NAS message.
- the first message is a response message for requesting registration by the terminal device, or a response message for requesting establishment of a protocol data unit PDU session by the terminal device.
- the candidate authentication mechanism includes at least one of the following: an authentication and key management for applications (AKMA) service, a generic bootstrapping architecture (GBA) service, and a certificate mechanism.
- the embodiments of the present application further provide an apparatus for executing the method performed by the first network element in the foregoing method embodiments.
- the apparatus includes a communication unit 1101 and a processing unit 1102:
- the processing unit 1102 is configured to determine a candidate authentication mechanism; the communication unit 1101 is configured to send a first message to the terminal device, where the first message includes the identifier of the second network element and first indication information, and the first indication information is used to indicate the candidate authentication mechanism associated with the second network element, the candidate authentication mechanism being used for establishing a communication connection between the terminal device and the second network element.
- the communication unit 1101 is further configured to receive a second message from the terminal device, where the first message is a response message to the second message.
- the candidate authentication mechanism is at least one first authentication mechanism used when establishing a communication connection between the terminal device and the second network element, and the determining the candidate authentication mechanism includes:
- a candidate authentication mechanism is determined according to at least one third authentication mechanism supported by the second network element and auxiliary information, where the auxiliary information includes at least one of the following: at least one second authentication mechanism supported by the terminal device, and The network type used by the terminal device to access the second network element.
- the second message includes a network type used by the terminal device to access the second network element.
- the second message includes at least one second authentication mechanism supported by the terminal device.
- the auxiliary information further includes at least one of the following items: priority information in the at least one second authentication mechanism, and priority information in the at least one third authentication mechanism.
- the second message further includes priority information in at least one second authentication mechanism.
- the candidate authentication mechanism is at least one third authentication mechanism supported by the second network element.
- the first message further includes priority information in the at least one third authentication mechanism.
- the first network element is an ECS and the second network element is an EES, or the first network element is an EES and the second network element is an EAS.
- the first network element is an AMF or SMF and the second network element is an ECS.
- the first message is a NAS message.
- the first message is a response message for requesting registration by the terminal device, or a response message for requesting establishment of a PDU session by the terminal device.
- the candidate authentication mechanism includes at least one of the following: AKMA service, GBA service, and certificate mechanism.
- the division of units in the embodiments of the present application is schematic, and is only a logical function division. In actual implementation, there may be other division methods.
- the functional units in the various embodiments of the present application may be integrated into one processing unit, may exist physically alone, or two or more units may be integrated into one module.
- the above-mentioned integrated units can be implemented in the form of hardware, or can be implemented in the form of software function modules.
- the integrated unit if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium.
- the technical solutions of the present application, in essence or in the part that contributes to the prior art, or all or part of them, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a terminal device (which may be a personal computer, a mobile phone, a network device, etc.) or a processor to execute all or part of the steps of the method in each embodiment of the present application.
- the aforementioned storage medium includes: a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or optical disk, and other media that can store program code.
- both the base station and the terminal device may be presented in the form of dividing each functional module in an integrated manner.
- Module herein may refer to a specific ASIC, circuit, processor and memory executing one or more software or firmware programs, integrated logic circuit, and/or other device that may provide the functions described above.
- the terminal device and the first network element may take the form shown in FIG. 12 .
- the communication apparatus 1200 shown in FIG. 12 includes at least one processor 1201 , a memory 1202 , and optionally, a communication interface 1203 .
- the memory 1202 can be volatile memory, such as random access memory, or non-volatile memory, such as read-only memory, flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); memory 1202 may also be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
- the memory 1202 may be a combination of the foregoing memories.
- the specific connection medium between the above-mentioned processor 1201 and the memory 1202 is not limited in this embodiment of the present application.
- the memory 1202 and the processor 1201 are connected through a bus 1204 in the figure, and the bus 1204 is represented by a thick line in the figure; the way other components are connected is only schematically illustrated and is not limited.
- the bus 1204 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in FIG. 12, but this does not mean that there is only one bus or one type of bus.
- the processor 1201 may have a data transceiver function and be able to communicate with other devices.
- alternatively, an independent data transceiver module, such as the communication interface 1203, can be provided to send and receive data; when the processor 1201 communicates with other devices, data transmission can be performed through the communication interface 1203.
- the processor 1201 in FIG. 12 can execute the computer-executable instructions stored in the memory 1202, so that the terminal device can perform the functions of the terminal device described in any of the above method embodiments.
- the processor 1201 in FIG. 12 can execute the computer-executable instructions stored in the memory 1202, so that the first network element can perform the functions of the first network element described in any of the above method embodiments.
- the function/implementation of the communication unit 1101 and the processing unit 1102 in FIG. 11 may be implemented by the processor 1201 in FIG. 12 calling computer program instructions stored in the memory 1202 .
- the function/implementation process of the processing unit 1102 in FIG. 11 can be implemented by the processor 1201 in FIG. 12 calling the computer-executable instructions stored in the memory 1202, and the function/implementation process of the communication unit 1101 in FIG. 11 can be implemented by the communication interface 1203 in FIG. 12.
- the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
- These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Communication Control (AREA)
Claims (35)
1. A method for establishing secure communication, characterized by comprising: a terminal device receiving a first message from a first network element, the first message comprising an identifier of a second network element and first indication information, the first indication information being used to indicate a candidate authentication mechanism associated with the second network element; and the terminal device establishing a communication connection with the second network element based on the candidate authentication mechanism.
2. The method according to claim 1, characterized by further comprising: the terminal device sending a second message to the first network element, the first message being a response message to the second message.
3. The method according to claim 1 or 2, characterized in that the candidate authentication mechanism is at least one first authentication mechanism used when the terminal device establishes the communication connection with the second network element.
4. The method according to claim 3, characterized in that the second message comprises the network type used by the terminal device to access the second network element; wherein the at least one first authentication mechanism is an authentication mechanism corresponding to the network type.
5. The method according to claim 3 or 4, characterized in that the second message comprises at least one second authentication mechanism supported by the terminal device; wherein the at least one first authentication mechanism is included in the at least one second authentication mechanism.
6. The method according to claim 5, characterized in that the second message further comprises priority information of the at least one second authentication mechanism; the at least one second authentication mechanism is used for selecting the at least one first authentication mechanism.
7. The method according to any one of claims 3 to 6, characterized in that the terminal device establishing a communication connection with the second network element based on the candidate authentication mechanism comprises: the terminal device generating a first key and a first key identifier corresponding to a target authentication mechanism, wherein the target authentication mechanism is one of the at least one first authentication mechanism; and the terminal device sending a communication connection establishment request to the second network element, the communication connection establishment request comprising the first key identifier.
8. The method according to claim 1 or 2, characterized in that the candidate authentication mechanism is at least one third authentication mechanism supported by the second network element.
9. The method according to claim 8, characterized in that the terminal device establishing a communication connection with the second network element based on the candidate authentication mechanism comprises: the terminal device determining a target authentication mechanism based on the at least one third authentication mechanism and auxiliary information, the auxiliary information comprising at least one of the following: at least one second authentication mechanism supported by the terminal device, and the network type used by the terminal device to access the second network element; the terminal device generating a first key and a first key identifier corresponding to the target authentication mechanism; and the terminal device sending a communication connection establishment request to the second network element, the communication connection establishment request comprising the first key identifier.
10. The method according to claim 9, characterized in that the auxiliary information further comprises at least one of the following: priority information of the at least one second authentication mechanism, and priority information of the at least one third authentication mechanism.
11. The method according to claim 10, characterized in that the first message further comprises the priority information of the at least one third authentication mechanism.
12. The method according to claim 7 or 9, characterized in that the method further comprises: the terminal device generating a second key according to the first key and the identifier of the second network element.
13. The method according to claim 12, characterized in that the method further comprises: the terminal device applying security protection to the communication connection establishment request using the second key, so as to generate a first message authentication code (MAC); wherein the communication connection establishment request further comprises the first MAC.
14. The method according to any one of claims 1 to 13, characterized in that the first network element is an edge configuration server (ECS) and the second network element is an edge enabler server (EES), or the first network element is an EES and the second network element is an edge application server (EAS).
15. The method according to any one of claims 1 to 13, characterized in that the first network element is an access and mobility management function (AMF) or a session management function (SMF), and the second network element is an edge configuration server (ECS).
16. The method according to claim 15, characterized in that the first message is a non-access stratum (NAS) message.
17. The method according to claim 16, characterized in that the first message is a response message to a registration request of the terminal device, or a response message to a protocol data unit (PDU) session establishment request of the terminal device.
18. The method according to any one of claims 1 to 17, characterized in that the candidate authentication mechanism comprises at least one of the following: an authentication and key management for applications (AKMA) service, a generic bootstrapping architecture (GBA) service, and a certificate mechanism.
19. A method for establishing secure communication, characterized by comprising: a first network element determining a candidate authentication mechanism; and the first network element sending a first message to a terminal device, the first message comprising an identifier of a second network element and first indication information, the first indication information being used to indicate the candidate authentication mechanism associated with the second network element, and the candidate authentication mechanism being used for establishing a communication connection between the terminal device and the second network element.
20. The method according to claim 19, characterized by further comprising: the first network element receiving a second message from the terminal device, the first message being a response message to the second message.
21. The method according to claim 19 or 20, characterized in that the candidate authentication mechanism is at least one first authentication mechanism used when the terminal device establishes the communication connection with the second network element, and the first network element determining a candidate authentication mechanism comprises: the first network element determining the candidate authentication mechanism according to at least one third authentication mechanism supported by the second network element and auxiliary information, the auxiliary information comprising at least one of the following: at least one second authentication mechanism supported by the terminal device, and the network type used by the terminal device to access the second network element.
22. The method according to claim 21, characterized in that the second message comprises the network type used by the terminal device to access the second network element; wherein the at least one first authentication mechanism is an authentication mechanism corresponding to the network type.
23. The method according to claim 21 or 22, characterized in that the second message comprises at least one second authentication mechanism supported by the terminal device; wherein the at least one first authentication mechanism is included in the at least one second authentication mechanism.
24. The method according to any one of claims 21 to 23, characterized in that the auxiliary information further comprises at least one of the following: priority information of the at least one second authentication mechanism, and priority information of the at least one third authentication mechanism; the at least one second authentication mechanism is used for selecting the at least one first authentication mechanism.
25. The method according to claim 24, characterized in that the second message further comprises the priority information of the at least one second authentication mechanism.
26. The method according to claim 19 or 20, characterized in that the candidate authentication mechanism is at least one third authentication mechanism supported by the second network element.
27. The method according to claim 26, characterized in that the first message further comprises priority information of the at least one third authentication mechanism.
28. The method according to any one of claims 19 to 27, characterized in that the first network element is an ECS and the second network element is an EES, or the first network element is an EES and the second network element is an EAS.
29. The method according to any one of claims 19 to 27, characterized in that the first network element is an AMF or an SMF, and the second network element is an ECS.
30. The method according to claim 29, characterized in that the first message is a NAS message.
31. The method according to claim 30, characterized in that the first message is a response message to a registration request of the terminal device, or a response message to a PDU session establishment request of the terminal device.
32. The method according to any one of claims 19 to 31, characterized in that the candidate authentication mechanism comprises at least one of the following: an AKMA service, a GBA service, and a certificate mechanism.
33. An apparatus, characterized by comprising units for implementing the method according to any one of claims 1 to 18, or comprising units for implementing the method according to any one of claims 19 to 32.
34. An apparatus, characterized by comprising a processor and a memory, the memory storing instructions, wherein when the processor executes the instructions, the communication apparatus is caused to perform the method according to any one of claims 1 to 18, or the communication apparatus is caused to perform the method according to any one of claims 19 to 32.
35. A computer-readable storage medium, characterized in that the computer-readable storage medium stores instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 18, or cause the computer to perform the method according to any one of claims 19 to 32.
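As an added worked example, not code from the patent or its applicant, the following Python models the terminal side of claims 9, 12 and 13 (choosing a target mechanism from the indicated candidates, deriving a first key and key identifier, binding a second key to the second network element's identifier, and MAC-protecting the connection establishment request) together with the matching check on the second network element. The HMAC-based derivations, the key identifier format, the priority rule and the JSON request encoding are assumptions; the claims do not fix any of them.

```python
import hashlib
import hmac
import json

# Constructed sample (not from the patent): mechanisms indicated for the second
# network element (claim 8) and the terminal's own mechanisms with priorities
# (claims 9 and 10; lower number wins). The identifier is a placeholder.
CANDIDATES = ["GBA", "AKMA", "certificate"]
SUPPORTED_PRIORITY = {"AKMA": 1, "certificate": 2}
SECOND_NE_ID = "ees.example.invalid"

def select_target_mechanism(candidates, supported_priority):
    """Claim 9: the target is a candidate the terminal also supports;
    the terminal's priority information (claim 10) breaks ties."""
    common = [m for m in candidates if m in supported_priority]
    return min(common, key=supported_priority.__getitem__) if common else None

def generate_first_key(mechanism, root_key):
    """Claim 9: first key and first key identifier for the target mechanism.
    Assumption: both derived by HMAC from a pre-shared root key (real AKMA
    would yield K_AF / A-KID, real GBA Ks_NAF / B-TID instead)."""
    k1 = hmac.new(root_key, b"K1|" + mechanism.encode(), hashlib.sha256).digest()
    key_id = mechanism + "-" + hashlib.sha256(k1).hexdigest()[:16]
    return k1, key_id

def derive_second_key(k1, second_ne_id):
    """Claim 12: second key bound to the second network element's identifier,
    so a key derived for one element is useless towards another."""
    return hmac.new(k1, second_ne_id.encode(), hashlib.sha256).digest()

def canonical_bytes(fields):  # deterministic encoding so both sides MAC the same bytes
    return json.dumps(fields, sort_keys=True).encode()

def protect_request(k1, key_id, second_ne_id, payload):
    """Claim 13: MAC over the connection establishment request with the second
    key; the request carries the key identifier so the peer can find the key."""
    request = {"key_id": key_id, "target": second_ne_id, "payload": payload}
    k2 = derive_second_key(k1, second_ne_id)
    request["mac"] = hmac.new(k2, canonical_bytes(request), hashlib.sha256).hexdigest()
    return request

def verify_request(request, key_store, own_id):
    """Receiver side: look up the first key by identifier, re-derive the second
    key with the receiver's OWN identifier, compare MACs in constant time."""
    k1 = key_store.get(request.get("key_id"))
    if k1 is None or request.get("target") != own_id or "mac" not in request:
        return False
    body = {k: v for k, v in request.items() if k != "mac"}
    expected = hmac.new(derive_second_key(k1, own_id), canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, request["mac"])
```

Because the second key is derived with the receiver's own identifier, a request captured for one network element fails verification at any other, and any change to the request body invalidates the MAC.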
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2020470364A AU2020470364B2 (en) | 2020-09-30 | | Method and apparatus for establishing secure communication |
PCT/CN2020/119764 WO2022067831A1 (zh) | 2020-09-30 | 2020-09-30 | Method and apparatus for establishing secure communication |
CN202080105604.6A CN116325843A (zh) | 2020-09-30 | 2020-09-30 | Method and apparatus for establishing secure communication |
EP20955851.9A EP4207676A4 (en) | 2020-09-30 | 2020-09-30 | METHOD AND APPARATUS FOR ESTABLISHING SECURE COMMUNICATION |
US18/191,942 US20230232228A1 (en) | 2020-09-30 | 2023-03-29 | Method and apparatus for establishing secure communication |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2020/119764 WO2022067831A1 (zh) | 2020-09-30 | 2020-09-30 | Method and apparatus for establishing secure communication |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/191,942 Continuation US20230232228A1 (en) | 2020-09-30 | 2023-03-29 | Method and apparatus for establishing secure communication |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022067831A1 true WO2022067831A1 (zh) | 2022-04-07 |
Family
ID=80951173
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/119764 WO2022067831A1 (zh) | 2020-09-30 | 2020-09-30 | Method and apparatus for establishing secure communication |
Country Status (4)
Country | Link |
---|---|
US (1) | US20230232228A1 (zh) |
EP (1) | EP4207676A4 (zh) |
CN (1) | CN116325843A (zh) |
WO (1) | WO2022067831A1 (zh) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2023216934A1 (zh) * | 2022-05-09 | 2023-11-16 | Huawei Technologies Co., Ltd. | Communication method and apparatus |
WO2024098194A1 (en) * | 2022-11-07 | 2024-05-16 | Apple Inc. | Mec-service subscription synchronisation in roaming architecture |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101753533A (zh) * | 2008-12-04 | 2010-06-23 | Huawei Device Co., Ltd. | Method, apparatus and *** for negotiating an authentication mode |
CN107820242A (zh) * | 2016-09-14 | 2018-03-20 | *** Communications Co., Ltd. Research Institute | Authentication mechanism negotiation method and apparatus |
CN109964453A (zh) * | 2016-09-18 | 2019-07-02 | Nokia Shanghai Bell Co., Ltd. | Unified security architecture |
WO2019222604A1 (en) * | 2018-05-18 | 2019-11-21 | Convida Wireless, Llc | Identity layer for iot devices |
- 2020
  - 2020-09-30 CN CN202080105604.6A patent/CN116325843A/zh active Pending
  - 2020-09-30 WO PCT/CN2020/119764 patent/WO2022067831A1/zh unknown
  - 2020-09-30 EP EP20955851.9A patent/EP4207676A4/en active Pending
- 2023
  - 2023-03-29 US US18/191,942 patent/US20230232228A1/en active Pending
Non-Patent Citations (2)
Title |
---|
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on Security Aspects of Enhancement of Support for Edge Computing in 5GC (Release 17)", 3GPP STANDARD; TECHNICAL REPORT; 3GPP TR 33.839, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, no. V0.1.0, 29 August 2020 (2020-08-29), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , pages 1 - 24, XP051925933 * |
SAMSUNG: "EEC authentication and authorization", 3GPP DRAFT; S6-200731, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG6, no. Online Meeting ;20200514 - 20200526, 8 May 2020 (2020-05-08), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051882217 * |
Also Published As
Publication number | Publication date |
---|---|
US20230232228A1 (en) | 2023-07-20 |
EP4207676A4 (en) | 2023-11-01 |
CN116325843A (zh) | 2023-06-23 |
EP4207676A1 (en) | 2023-07-05 |
AU2020470364A1 (en) | 2023-05-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11451950B2 (en) | Indirect registration method and apparatus | |
KR102224248B1 (ko) | Method for establishing a PDU (Protocol Data Unit) session in a communication system | |
US11812496B2 (en) | User group session management method and apparatus | |
US20200128614A1 (en) | Session processing method and device | |
US20200296142A1 (en) | User Group Establishment Method and Apparatus | |
WO2022012310A1 (zh) | Communication method and apparatus | |
WO2021037175A1 (zh) | Network slice management method and related apparatus | |
JP7412593B2 (ja) | Multicast broadcast service communication method, apparatus, electronic device and computer program | |
WO2020029729A1 (zh) | Communication method and apparatus | |
WO2020020096A1 (zh) | Group creation method, apparatus and *** | |
US20230232228A1 (en) | Method and apparatus for establishing secure communication | |
WO2018045983A1 (zh) | Information processing method, apparatus and network *** | |
EP2534889A1 (en) | Method and apparatus for redirecting data traffic | |
WO2022002244A1 (zh) | Online subscription method, apparatus and *** | |
US20230396602A1 (en) | Service authorization method and system, and communication apparatus | |
WO2019144719A1 (zh) | Dynamic access method and apparatus for a remote device | |
WO2019196963A1 (zh) | Method and apparatus for accessing a network slice, storage medium and electronic apparatus | |
JP2023527193A (ja) | Service acquisition method, apparatus, communication device and readable storage medium | |
WO2023016255A1 (zh) | Network function service authorization method and apparatus | |
WO2022032692A1 (zh) | Communication method, apparatus and *** | |
AU2020470364B2 (en) | Method and apparatus for establishing secure communication | |
KR20230156685A (ko) | Method, device and system for core network device reallocation in a wireless network | |
CN114629627A (zh) | Authentication method and apparatus | |
WO2024032554A1 (zh) | Terminal device authentication method, *** and related device | |
WO2024037215A1 (zh) | Communication method and apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20955851; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2020955851; Country of ref document: EP; Effective date: 20230331 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 2020470364; Country of ref document: AU; Date of ref document: 20200930; Kind code of ref document: A |