WO2023227057A1 - Service authorization method, apparatus, network function, and storage medium - Google Patents


Info

Publication number
WO2023227057A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
service
authorization
terminal
gba
Prior art date
Application number
PCT/CN2023/096270
Other languages
French (fr)
Chinese (zh)
Inventor
田野
粟栗
Original Assignee
***通信有限公司研究院
***通信集团有限公司
Application filed by ***通信有限公司研究院, ***通信集团有限公司
Publication of WO2023227057A1


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication > H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/30 Security of mobile devices; Security of mobile applications > H04W 12/37 Managing security policies for mobile devices or for controlling mobile applications
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor > H04W 4/30 Services specially adapted for particular environments, situations or purposes > H04W 4/40 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]

Definitions

  • the present disclosure relates to the field of information technology, and in particular, to a service authorization method, device, network function and storage medium.
  • GBA Generic Bootstrapping Architecture
  • embodiments of the present disclosure provide a service authorization method, device, network function and storage medium.
  • Embodiments of the present disclosure provide a service authorization method, which includes:
  • the first message is used to apply for authorization of the first service request of the first terminal.
  • the first message carries at least one of the following information:
  • the identification and/or address of the application service entity
  • type information of the services and/or operations requested by the first service request
  • the method before sending the first message to the service authorization system, the method further includes:
  • the third message carries one or more of the following:
  • the identification and/or address of the application service entity
  • type information of the service and/or operation requested by the first service request
  • B-TID Bootstrapping Transaction Identifier
  • the method also includes:
  • the fourth message is used to return the GBA shared session key of the first terminal, or to return an unauthorized result of the first service request to the first terminal.
  • the method also includes:
  • the fifth message is used to return the execution result of the first service request, or to return the result that the first service request is refused execution.
  • An embodiment of the present disclosure also provides a service authorization device, which includes:
  • the first sending unit is used to send a first message to the service authorization system; the first message is used to apply for authorization of the first service request;
  • the first receiving unit is configured to receive a second message from the service authorization system; the second message is used to indicate the authorization result.
  • Embodiments of the present disclosure also provide a first network function, which includes: a first processor and a first communication interface; wherein,
  • the first communication interface is used to send a first message to the business authorization system and receive a second message from the business authorization system;
  • the first message is used to apply for authorization for the first service request; the second message is used to indicate the authorization result.
  • Embodiments of the present disclosure also provide a first network function, including: a first processor and a first memory for storing a computer program capable of running on the processor,
  • the first processor is used to execute the steps of any of the above methods when running the computer program.
  • Embodiments of the present disclosure also provide a storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of any of the above methods are implemented.
  • the first network function sends a first message to the service authorization system and receives a second message from the service authorization system.
  • the first message is used to apply for authorization of the first service request, and the second message is used to indicate the authorization result.
  • FIG 1 shows the system architecture of GBA in related technologies
  • Figure 2 is a system architecture of a GBA according to an embodiment of the present disclosure
  • Figure 3 is a schematic flow chart of a service authorization method according to an embodiment of the present disclosure
  • Figure 4 is a schematic diagram of entity relationships in the application scenario of Internet of Vehicles authentication and authorization in related technologies
  • Figure 5 is a schematic diagram of the system architecture of GBA service authorization in the Internet of Vehicles applicable to the embodiment of the present disclosure
  • Figure 6 is a schematic diagram of the operation flow of the first application embodiment of the present disclosure.
  • Figure 7 is a schematic diagram of the operation flow of the second application embodiment of the present disclosure.
  • Figure 8 is a schematic diagram of the operation flow of solution three of the application embodiment of the present disclosure.
  • Figure 9 is a schematic diagram of the device authentication and service authorization process based on GBA according to the application embodiment of the present disclosure.
  • Figure 10 is a system architecture of another GBA according to an embodiment of the present disclosure.
  • Figure 11 is a schematic diagram of the service authorization processing flow implemented based on BSF according to an embodiment of the present disclosure
  • Figure 12 is a schematic diagram of the AKMA system architecture according to an embodiment of the present disclosure.
  • Figure 13 is a schematic structural diagram of a service authorization device according to an embodiment of the present disclosure.
  • Figure 14 is a schematic diagram of the first network functional structure according to an embodiment of the present disclosure.
  • GBA is defined by the 3rd Generation Partnership Project (3GPP) organization and is a method of identity authentication and secure communication based on cellular mobile communication networks and Universal Subscriber Identity Module (USIM).
  • 3GPP 3rd Generation Partnership Project
  • USIM Universal Subscriber Identity Module
  • GBA can perform two-way identity authentication between the Bootstrapping Server Function (BSF) and the terminal based on the Authentication and Key Agreement (AKA) mechanism of the 3GPP network standard, and negotiate a session key to complete business authorization, meeting the application need for end-to-end secure communication between the terminal and the application server.
  • BSF Bootstrapping Server Function
  • AKA Authentication and Key Agreement
  • FIG. 1 shows the system architecture of GBA in the related art.
  • the core system of GBA mainly includes BSF and Network Application Function/Authentication Proxy (NAF/AP).
  • the BSF connects with the Home Subscriber Server (HSS) through the Zh interface to obtain the AKA five-tuple authentication vector.
  • HSS Home Subscriber Server
  • BSF generates a GBA session key and provides the GBA session key to NAF/AP.
  • NAF/AP represents the application server, whereby end-to-end secure communication can be achieved between the application server and the terminal based on the GBA session key provided by the BSF.
  • the standard GBA system architecture and enhanced GBA system architecture shown in Figure 1 can be constructed to form a GBA authentication and authorization system to authenticate the identity of the terminal and authorize and control the business services accessed by the terminal.
  • Based on the user subscription information obtained from the HSS, the BSF or NAF/AP can determine whether the current service request of the terminal meets the conditions specified in the subscription information. If the conditions specified in the subscription information are not met, the BSF or NAF/AP can reject the terminal's service request to the application server.
  • Because the user subscription information belongs to the category of network services and is usually fixed when the user subscribes to the operator's network service, it cannot be dynamically updated as the business status of the application layer changes. Therefore, when the business status of the application layer changes, GBA cannot implement authorization of the terminal's service request.
  • the first network function sends a first message to the service authorization system and receives a second message from the service authorization system.
  • the first message is used to apply for authorization of the first service request, and the second message is used to indicate the authorization result.
  • authorization management of service requests initiated by the terminal can be implemented.
  • the embodiment of the present disclosure supports information interaction between the first network function and the business authorization system by adding a Zx interface on the basis of standard GBA or enhanced GBA, so that, when the terminal accesses the application server, the needs of business supervisors, regulators, service providers or other third parties for authorization and control of terminal service requests can be met.
  • the Zx interface can be implemented based on various protocols and interface methods, including the Hyper Text Transfer Protocol (HTTP) protocol method, or other customized protocol methods.
  • HTTP Hyper Text Transfer Protocol
  • a service authorization method can be applied to the first system.
  • the first system can be the GBA certification authority.
  • the service authorization method can be specifically implemented by the first network function in the GBA certification and authorization agency.
  • a network function may also be called a network element, an entity, a network device, a network-side device, etc.
  • the service authorization method includes:
  • Step 301 Send the first message to the service authorization system.
  • the first message is used to apply for authorization of the first service request.
  • Step 302 Receive the second message from the service authorization system.
  • the second message is used to indicate the authorization result.
  • the service authorization system may also be called a business authorization entity or a service authorization entity.
  • Business requests can also be called service requests.
  • Applying for authorization of a service request may also be referred to as applying for authorization review of the service request.
  • the service authorization system determines whether to allow the first system or the first network function to perform the first service based on the first service request.
  • the first message is used to apply for authorization of the first service request of the first terminal, that is to say, the first service request is initiated by the first terminal.
  • when the first network function receives the first service request from the first terminal for the first service, it determines the corresponding service authorization system according to the first service to be accessed by the first terminal, and sends the first message to that service authorization system.
  • the first message is used to apply for authorization of the first service request.
  • the first message may adopt the HTTP message format.
  • the first message carries at least one of the following information:
  • the identification and/or address of the application service entity
  • type information of the services and/or operations requested by the first service request
  • the identification of the first terminal includes the terminal's International Mobile Subscriber Identity (IMSI) and/or service layer identification.
  • the application service entity may also be called an application server, and may be an application service entity or application server that provides services for the first service requested by the first service request, for example, a vehicle wireless communication technology (Vehicle to X, V2X) server or V2X service entity.
  • the identifier of the application service entity can be the domain name of the application service entity or the application server, such as the fully qualified domain name (Fully Qualified Domain Name, FQDN) of the application server.
  • the type information of the service and/or operation requested by the first service request may be a type identifier of the service and/or operation, etc.
  • the application service entity here can be understood as an application server that provides services for the first business.
  • the application server may be a V2X server, or may also be called a V2X service entity.
  • the business authorization system makes an authorization decision based on the first message in combination with the business management and control policy, and determines whether to allow the first terminal to perform the related services and/or operations, or whether to allow the first terminal to obtain the related business services from the application service entity. Afterwards, the service authorization system returns a second message to the first network function indicating the authorization result. For example, if authorized, the service authorization system returns an HTTP 200 OK message to the first network function; if not authorized, it returns an HTTP 403 Forbidden message. Here, OK represents passing, and Forbidden represents prohibition.
  • based on the authorization result, the first network function determines whether to allow the first terminal to continue the related processing of the first service. If the authorization result indicates authorization, the first terminal continues to execute the GBA mechanism and the related processing of the first service; if the authorization result indicates unauthorized, the first terminal terminates the GBA mechanism and the related processing of the first service. In actual application, after obtaining the authorization result, the first network function returns a response message for the first service request to the first terminal. If the authorization result is unauthorized, the first network function returns a rejection message for the first service request to the first terminal, such as an HTTP 403 Forbidden message.
  • FIG 4 shows the entity relationship in the application scenario of Internet of Vehicles authentication and authorization.
  • the V2X device accesses the V2X service entity in an attempt to obtain a certain service.
  • the V2X device is equivalent to the terminal, and the V2X service entity is equivalent to the application service entity.
  • the V2X device authentication service function, V2X device authentication entity and V2X service authorization entity can be implemented by the Authentication and Authorization Authority (AAA).
  • AAA Authentication and Authorization Authority
  • the on-board unit (OBU) (terminal) accesses the V2X certificate issuing authority (application server) in an attempt to apply for a V2X digital certificate
  • the V2X certificate issuing authority application server
  • the authority responsible for business supervision can decide whether to allow the OBU to access the V2X certificate issuing authority based on the legality of the vehicle status.
  • business status information such as the legality of the vehicle status is not written into the user subscription information in the HSS. Therefore, the authorization and control requirements of the above-mentioned authorities responsible for business supervision for V2X digital certificate access cannot be met through the GBA mechanism.
  • the system architecture of GBA service authorization in the Internet of Vehicles applicable to the solution of the embodiment of the present disclosure is as shown in Figure 5.
  • the certification authority AAA
  • the V2X service entity is the application service entity in the GBA system
  • the V2X device is the terminal in the GBA system
  • the V2X service authorization entity is the business authorization system in the GBA system.
  • a Zx interface is added between the GBA core network element NAF/AP and the V2X service authorization entity to realize the exchange of business authorization information.
  • Steps 1 to 2 correspond to the business process of the standard GBA mechanism, in which the HTTP message in step 2 is a business request, and the HTTP message in step 5 is a response to the business request.
  • Step 3 After receiving the service request from the V2X device to the V2X service entity, the NAF/AP (standard or enhanced) sends a service authorization request message to the V2X service authorization entity to apply for authorization of the service request.
  • the service authorization request message may carry the FQDN of the V2X service entity, indicating the V2X service entity to be accessed by the V2X device.
  • the type information of the service and/or operation requested by the V2X device can also be carried as needed.
  • the V2X service authorization entity determines whether to authorize. If authorized, return the business authorization response message HTTP 200 OK. After that, NAF/AP can continue to perform the standard GBA business process, that is, complete steps 5 to 19. For the enhanced GBA mechanism, NAF/AP will continue to complete steps 20 to 29.
  • Steps 1 to 13 correspond to the business process of the standard GBA mechanism, where the HTTP message in step 13 is a business request, and the HTTP message in step 19 is a response to the business request.
  • Step 14 After receiving the service request from the V2X device to the V2X service entity, the NAF/AP (standard or enhanced) sends a service authorization request message to the V2X service authorization entity to apply for authorization of the service request.
  • the service authorization request message may carry the FQDN of the V2X service entity, indicating the V2X service entity to be accessed by the V2X device.
  • the type information of the service and/or operation requested by the V2X device can also be carried as needed.
  • the V2X service authorization entity determines whether to authorize. If authorized, it returns the business authorization response message HTTP 200 OK. After that, NAF/AP can continue to perform the standard GBA business process, that is, complete steps 16 to 19. For the enhanced GBA mechanism, NAF/AP will continue to complete steps 20 to 29.
  • Steps 1 to 17 correspond to the standard GBA mechanism business process, and from step 18 onwards, they correspond to the enhanced GBA system business process.
  • the HTTP message in step 21 is a service request
  • the HTTP message in step 25 is a response to the service request.
  • Step 22 After receiving the service request from the V2X device to the V2X service entity, the enhanced NAF/AP sends a service authorization request message to the V2X service authorization entity to apply for authorization of the service request.
  • the service authorization request message may carry the FQDN of the V2X service entity, indicating the V2X service entity to be accessed by the V2X device.
  • the type information of the service and/or operation requested by the V2X device can also be carried as needed.
  • the V2X service authorization entity determines whether to authorize. If authorized, return the business authorization response message HTTP 200 OK. Afterwards, the NAF/AP network element can continue to perform the enhanced GBA business process, that is, complete steps 24 to 29 to establish an end-to-end secure communication channel between the V2X device and the V2X service entity.
  • GBA needs to perform two-way identity authentication between BSF and the terminal based on the AKA mechanism, and negotiate to generate a session key to complete business authorization. Based on this, in one embodiment, before sending the first message to the service authorization system, the method further includes:
  • the application service entity applies to the first network function to obtain the GBA shared session key and/or user-related information in order to prepare to provide business services for the first terminal.
  • the third message carries one or more of the following:
  • the identification and/or address of the application service entity
  • type information of the service and/or operation requested by the first service request
  • after receiving the third message, the first network function queries the context information of the first terminal according to the B-TID carried in the third message and obtains the identity of the first terminal, so that it can apply for authorization of the first terminal's service request based on that identity.
  • in actual application, the first terminal can be understood as a subscriber of the operator's network, and the operator's network provides GBA security services to the first terminal.
  • the user-related information of the first terminal may include the subscription information signed by the first terminal when it subscribed to the operator's network.
  • the method further includes:
  • the fourth message is used to return the GBA shared session key of the first terminal, or to return an unauthorized result of the first service request to the first terminal.
  • the method further includes:
  • the fifth message is used to return an execution result of the first service request, or to return a result that the first service request is refused execution.
  • Step 1 When the V2X device needs to access the V2X service entity to obtain services, for example, when the V2X device accesses the V2X certificate issuing authority to apply for a cellular V2X (Cellular V2X, C-V2X) digital certificate, if the V2X device does not have a valid GBA shared session key, the V2X device accesses the GBA certification authority through the cellular network and initiates an authentication and authorization request.
  • cellular V2X Cellular V2X, C-V2X
  • Step 2 The GBA certification authority and the V2X device perform identity authentication and negotiate keys based on the GBA mechanism. After successful negotiation, the GBA certification authority returns an authentication and authorization response to the V2X device. At this point, the standard GBA mechanism operation process has been completed. From step 3 onwards, it is the processing operation of enhanced GBA.
  • in step 2, the BSF in the GBA authentication and authorization system is responsible for authenticating the V2X device based on the AKA mechanism and providing the GBA shared session key Ks_(int)_NAF to the NAF. The NAF will subsequently generate the GBA application layer session key K* based on the GBA shared session key for use by the V2X service entity.
  • the method for generating GBA application layer session key K* is implemented in compliance with the relevant requirements of existing standards and will not be described again here.
  • Step 3 The V2X device sends a service request to the V2X service entity through the GBA certification authority, such as a C-V2X certificate application request.
  • the service request is carried by an HTTP message and can carry B-TID, domain name of the V2X service entity and other information.
  • the sensitive data content requested by the business can be encrypted or integrity-protected using the GBA application layer session key K* generated by the USIM of the V2X device.
  • Step 4 The GBA certification authority forwards the service request to the server corresponding to the V2X service entity based on the domain name of the V2X service entity, and carries the B-TID in the service request.
  • Step 5 The V2X service entity sends a user information request to the GBA certification authority through the A3 reference point, applies to obtain the GBA shared session key and user information of the V2X device, and prepares to provide business services for the V2X device.
  • the user information request is in the form of an HTTP message, which carries information such as B-TID, V2X server domain name, etc. It can also carry information such as the type identifier of the service or operation requested by the V2X device as needed.
  • Step 6 After receiving the user information request, the GBA certification authority queries the V2X device context information based on the B-TID, obtains the device identification, such as the IMSI and/or service layer identification of the V2X device, and sends a service authorization request message to the corresponding V2X device authentication entity/V2X service authorization entity to apply for authorization review of the V2X device's service request.
  • the service authorization request message carries information such as device identification, V2X server domain name, and type identification of the service or operation requested by the V2X device.
  • Step 7 The V2X device authentication entity/V2X service authorization entity conducts authorization review and decision-making on the service request of the V2X device, and returns the service authorization result.
  • Step 8 The GBA certification authority performs corresponding processing according to the business authorization result, and returns the user information response message to complete the business service response to the business service request in step 6.
  • if the authorization is successful, the GBA certification authority generates the GBA application layer session key K* and returns K*-related information to the V2X service entity through the user information response message. If authorization fails, the GBA certification authority returns the result that the service is not authorized to the V2X service entity through the user information response message.
  • Step 9 The V2X service entity performs business processing according to the business authorization result, and returns a business response message to the V2X device through the GBA authentication and authorization system, for example, a C-V2X certificate application response. If the authorization is successful, the V2X service entity performs corresponding business processing, for example, issues a C-V2X digital certificate to the V2X device, and can use the obtained GBA application layer session key K* to securely protect the business response message. If authorization fails, the V2X service entity refuses to execute the corresponding service request, for example, refuses to issue a C-V2X digital certificate to the V2X device, and returns a service rejection result to the V2X device.
  • Step 10 The GBA certification authority forwards the service response message to the V2X device.
  • Step 11 The V2X device locally processes the service response message.
  • for services related to C-V2X digital certificate management, please refer to existing standards. If the business authorization is successful, the V2X device can perform end-to-end secure communication based on the GBA application layer session key K*.
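The exchange described above (the first/second message over Zx, and the third/fourth message between the application service entity and the NAF/AP, steps 5 to 9 of the V2X embodiment) as an added Python model; this is example code, not part of the patent. The B-TID context table, the policy store, all identifiers and the K* derivation are constructed placeholders: the real K* derivation follows the GBA standards the text defers to and is not reproduced.

```python
"""Model of the Zx service authorization path: the NAF/AP (first network
function) receives the application server's user-information request (third
message), resolves the terminal from the B-TID, asks the service authorization
system (first message), and answers the application server (fourth message)
with either K* material or a 403 unauthorized result."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed GBA context, as the BSF would have populated it after bootstrapping.
# B-TID -> terminal IMSI and Ks_int_NAF shared session key (placeholder values).
GBA_CONTEXT = {
    "btid-0001@bsf.example": {"imsi": "460001234567890", "ks_naf": b"\x11" * 32},
    "btid-0002@bsf.example": {"imsi": "460009876543210", "ks_naf": b"\x22" * 32},
}


@dataclass
class ServiceAuthorizationSystem:
    """The V2X service authorization entity. Its policy is dynamic application-
    layer state (here: vehicle legality), which HSS subscription data cannot
    express, and it can be updated at runtime without touching the HSS."""
    legal_vehicles: set = field(default_factory=set)
    # server FQDN -> set of operation types the policy permits on that server
    allowed_ops: dict = field(default_factory=dict)

    def authorize(self, first_message: dict) -> int:
        """Decision on the first message; returns the HTTP status of the
        second message: 200 (authorized) or 403 (not authorized)."""
        if first_message["terminal_id"] not in self.legal_vehicles:
            return 403
        permitted = self.allowed_ops.get(first_message["app_fqdn"], ())
        if first_message["op_type"] not in permitted:
            return 403
        return 200


def derive_k_star(ks_naf: bytes, app_fqdn: str) -> bytes:
    """Placeholder application-layer key derivation (HMAC over the FQDN).
    This is NOT the standard GBA derivation; the patent defers that to 3GPP."""
    return hmac.new(ks_naf, app_fqdn.encode(), hashlib.sha256).digest()


def handle_user_info_request(third_message: dict,
                             sas: ServiceAuthorizationSystem) -> dict:
    """NAF/AP handling of the third message. Returns the fourth message as
    {"status": 200, "k_star": bytes} or {"status": 403, "reason": str}."""
    ctx = GBA_CONTEXT.get(third_message["btid"])
    if ctx is None:
        # No bootstrapping context for this B-TID: nothing to authorize.
        return {"status": 403, "reason": "unknown B-TID"}
    first_message = {  # the Zx service authorization request
        "terminal_id": ctx["imsi"],
        "app_fqdn": third_message["app_fqdn"],
        "op_type": third_message.get("op_type", "unspecified"),
    }
    second_message = sas.authorize(first_message)
    if second_message != 200:
        # Refused: terminate GBA processing for this request and return the
        # unauthorized result instead of any key material.
        return {"status": 403, "reason": "service request not authorized"}
    k_star = derive_k_star(ctx["ks_naf"], first_message["app_fqdn"])
    return {"status": 200, "k_star": k_star}


def demo() -> tuple:
    """Walks four cases; returns the fourth-message status of each."""
    sas = ServiceAuthorizationSystem(
        legal_vehicles={"460001234567890"},
        allowed_ops={"v2x-ca.example.com": {"cert-apply"}},
    )
    req = {"btid": "btid-0001@bsf.example",
           "app_fqdn": "v2x-ca.example.com", "op_type": "cert-apply"}
    ok = handle_user_info_request(req, sas)
    # Same legal device, but an operation outside the policy for that server.
    bad_op = handle_user_info_request(dict(req, op_type="cert-renew"), sas)
    # Device with a valid bootstrapping context whose vehicle status is not
    # legal: a subscription-only check would pass it, the Zx policy does not.
    illegal = handle_user_info_request(dict(req, btid="btid-0002@bsf.example"), sas)
    # Policy updated at runtime (no HSS change), same request now succeeds.
    sas.legal_vehicles.add("460009876543210")
    now_ok = handle_user_info_request(dict(req, btid="btid-0002@bsf.example"), sas)
    return ok["status"], bad_op["status"], illegal["status"], now_ok["status"]


if __name__ == "__main__":
    print(demo())
```

The BSF-based variant described later in the page is the same exchange with the BSF as the first network function and the BIR as the triggering request.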
  • the first network function can be NAF/AP in GBA, or it can also be other network functions that have the same function as NAF/AP.
  • the first network function can also implement other functions. That is to say, the first network function can be a network function that combines NAF/AP with other functions.
  • the first network function can also be BSF.
  • BSF Bootstrapping Server Function
  • Step 1 During the processing of the GBA mechanism (standard or enhanced), after receiving the first service request, such as the Bootstrapping-Info Request (BIR), the BSF determines the corresponding business authorization system based on the first service to be accessed by the first terminal.
  • the first service request such as the Bootstrapping-Info Request (BIR)
  • BIR Bootstrapping-Info Request
  • Step 2 BSF sends the first message to request the service authorization system to perform authorization review on the first service request.
  • Step 3 The business authorization system makes an authorization decision to determine whether to allow the first terminal to perform related business operations or obtain related business services from the server.
  • Step 4 The service authorization system returns a service authorization response message to the BSF, indicating the authorization result.
  • Step 5 According to the authorization result, the BSF determines whether to allow the first terminal to continue the related processing of the first service. If the authorization result indicates authorization, then the first terminal continues to execute the GBA mechanism and related processing of the first service; if the authorization result indicates unauthorized, then the first terminal terminates the GBA mechanism and related processing of the first service.
  • Step 6 The BSF returns the response message of the first service request (such as a BIA message) to the first terminal. If the authorization result is unauthorized, the BSF returns a rejection message of the first service request to the first terminal, such as an HTTP 403 Forbidden message.
  • AKMA Authentication and Key Management for Applications
  • AF Application Function
  • AAnF AKMA Anchor Function
  • the network function that provides the Zx interface and related processing functions can also be the Network Exposure Function (NEF) in Figure 12.
  • the above network functions may refer to the above embodiments to implement the service authorization method.
  • the embodiment of the present disclosure also provides a service authorization device, which is provided on the first network function.
  • the device includes:
  • the first sending unit 1301 is used to send a first message to the service authorization system; the first message is used to apply for authorization of the first service request;
  • the first receiving unit 1302 is configured to receive a second message from the service authorization system; the second message is used to indicate the authorization result.
  • the first message is used to apply for authorization of the first service request of the first terminal.
  • the first message carries at least one of the following information:
  • the identification of the first terminal;
  • the identification and/or address of the application service entity;
  • type information of the services and/or operations requested by the first service request.
  • the device further includes:
  • the second receiving unit is configured to receive a third message sent by the application service entity before the first message is sent to the service authorization system; the third message is used to request the GBA shared session key and/or user-related information of the first terminal;
  • the obtaining unit is used to obtain the identification of the first terminal.
  • the third message carries one or more of the following:
  • the identification and/or address of the application service entity;
  • type information of the service and/or operation requested by the first service request;
  • the Bootstrapping Transaction Identifier (B-TID).
  • the device further includes:
  • the second sending unit is used to return the fourth message to the application service entity; wherein,
  • the fourth message is used to return the GBA shared session key of the first terminal, or to return the unauthorized result for the first service request of the first terminal.
  • the device further includes:
  • the third receiving unit is used to receive a fifth message sent by the application service entity, the fifth message being used to return the execution result of the first service request, or to return the result that execution of the first service request was refused.
  • each of the above units can be implemented by the communication interface in the service authorization device.
  • when the service authorization device provided in the above embodiment performs service authorization, the division into the above program modules is only an example; in actual application, the above processing can be distributed among different program modules as needed, that is, the internal structure of the device is divided into different program modules to complete all or part of the processing described above.
  • the service authorization device provided by the above embodiments and the service authorization method embodiments belong to the same concept. Please refer to the method embodiments for the specific implementation process, which will not be described again here.
  • the embodiment of the disclosure also provides a first network function.
  • the first network function 1400 includes:
  • the first communication interface 1401 is capable of information exchange with other network nodes;
  • the first processor 1402 is connected to the first communication interface 1401 to implement information interaction with other network nodes, and is used to execute the method provided by one or more technical solutions on the first network function side when running a computer program.
  • the computer program is stored on the first memory 1403 .
  • the first communication interface 1401 is used to send a first message to the service authorization system and receive a second message from the service authorization system;
  • the first message is used to apply for authorization for the first service request; the second message is used to indicate the authorization result.
  • the first message is used to apply for authorization of the first service request of the first terminal.
  • the first message carries at least one of the following information:
  • the identification of the first terminal;
  • the identification and/or address of the application service entity;
  • type information of the services and/or operations requested by the first service request.
  • the first communication interface 1401 is also used to receive a third message sent by the application service entity before the first message is sent to the service authorization system; the third message is used to request the GBA shared session key and/or user-related information of the first terminal;
  • the first communication interface 1401 is also used to obtain the identity of the first terminal.
  • the third message carries one or more of the following:
  • the identification and/or address of the application service entity;
  • type information of the service and/or operation requested by the first service request;
  • the Bootstrapping Transaction Identifier (B-TID).
  • the first communication interface 1401 is also used to return a fourth message to the application service entity; wherein,
  • the fourth message is used to return the GBA shared session key of the first terminal, or to return the unauthorized result for the first service request of the first terminal.
  • the first communication interface 1401 is also used to receive a fifth message sent by the application service entity, the fifth message being used to return the execution result of the first service request, or to return the result that execution of the first service request was refused.
  • bus system 1404 is used to implement connection communication between these components.
  • bus system 1404 also includes a power bus, a control bus and a status signal bus.
  • the various buses are labeled bus system 1404 in FIG. 14 .
  • the first memory 1403 in the embodiment of the present disclosure is used to store various types of data to support the operation of the first network function 1400. Examples of such data include: any computer program for operating on the first network function 1400.
  • the methods disclosed in the above embodiments of the present disclosure can be applied to the first processor 1402 or implemented by the first processor 1402 .
  • the first processor 1402 may be an integrated circuit chip with signal processing capabilities. During the implementation process, each step of the above method can be completed by instructions in the form of hardware integrated logic circuits or software in the first processor 1402 .
  • the above-mentioned first processor 1402 may be a general-purpose processor, a Digital Signal Processor (DSP), or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, etc.
  • the first processor 1402 can implement or execute the disclosed methods, steps and logical block diagrams in the embodiments of the present disclosure.
  • a general-purpose processor may be a microprocessor or any conventional processor, etc.
  • the steps of the method disclosed in conjunction with the embodiments of the present disclosure can be directly implemented by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium, and the storage medium is located in the first memory 1403.
  • the first processor 1402 reads the information in the first memory 1403, and completes the steps of the foregoing method in combination with its hardware.
  • the first network function 1400 may be implemented by one or more Application Specific Integrated Circuits (ASIC), DSPs, Programmable Logic Devices (PLD), Complex Programmable Logic Devices (CPLD), Field-Programmable Gate Arrays (FPGA), general-purpose processors, controllers, Micro Controller Units (MCU), microprocessors, or other electronic components, for performing the aforementioned methods.
  • the memory (first memory 1403) in the embodiment of the present disclosure may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memories.
  • the non-volatile memory can be Read-Only Memory (ROM), Programmable Read-Only Memory (PROM), or Erasable Programmable Read-Only Memory (EPROM).
  • the magnetic surface memory can be a magnetic disk memory or a magnetic tape memory.
  • the volatile memory may be Random Access Memory (RAM), which is used as an external cache.
  • by way of example, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM) and Direct Rambus Random Access Memory (DRRAM).
  • the embodiment of the present disclosure also provides a storage medium, that is, a computer storage medium, specifically a computer-readable storage medium, for example, including a first memory 1403 that stores a computer program.
  • the above computer program is executed by the first processor 1402 of the first network function 1400 to complete the steps of the method on the first network function side.
  • the computer-readable storage medium can be FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disk, or CD-ROM and other memories.
  • "A and/or B" covers three cases: A alone, A and B together, and B alone.
  • "at least one" in this document means any one of a plurality, or any combination of at least two of a plurality; for example, "including at least one of A, B and C" means including any one or more elements selected from the set consisting of A, B and C.


Abstract

Provided in the present disclosure are a service authorization method, an apparatus, a network function, and a storage medium, the method comprising: transmitting a first message to a service authorization system, and receiving a second message of the service authorization system, the first message being used for applying for authorization for a first service request, and the second message being used for indicating an authorization result.

Description

Service authorization method, device, network function and storage medium
Cross-reference to related applications
This application claims priority to Chinese Patent Application No. 202210580258.8, filed in China on May 25, 2022, the entire content of which is incorporated herein by reference.
Technical field
The present disclosure relates to the field of information technology, and in particular to a service authorization method, device, network function and storage medium.
Background
The Generic Bootstrapping Architecture (GBA) can perform mutual authentication between a terminal and an application server and complete service authorization, so as to secure end-to-end communication. However, in the related art, when the service state at the application layer changes, GBA cannot carry out service authorization for the terminal.
Summary
To solve the related technical problems, embodiments of the present disclosure provide a service authorization method, device, network function and storage medium.
The technical solution of the embodiments of the present disclosure is implemented as follows:
Embodiments of the present disclosure provide a service authorization method, which includes:
sending a first message to a service authorization system, the first message being used to apply for authorization of a first service request;
receiving a second message from the service authorization system, the second message being used to indicate the authorization result.
In the above solution, the first message is used to apply for authorization of a first service request of a first terminal.
In the above solution, the first message carries at least one of the following information:
the identification of the first terminal;
the identification and/or address of the application service entity;
type information of the services and/or operations requested by the first service request.
In the above solution, before sending the first message to the service authorization system, the method further includes:
receiving a third message sent by an application service entity, the third message being used to request the GBA shared session key and/or user-related information of the first terminal;
obtaining the identification of the first terminal.
In the above solution, the third message carries one or more of the following:
the identification and/or address of the application service entity;
type information of the service and/or operation requested by the first service request;
the Bootstrapping Transaction Identifier (B-TID).
In the above solution, the method further includes:
returning a fourth message to the application service entity, where
the fourth message is used to return the GBA shared session key of the first terminal, or to return the unauthorized result for the first service request of the first terminal.
In the above solution, the method further includes:
receiving a fifth message sent by the application service entity, and
forwarding the fifth message to the first terminal, where
the fifth message is used to return the execution result of the first service request, or to return the result that execution of the first service request was refused.
Embodiments of the present disclosure also provide a service authorization device, which includes:
a first sending unit, used to send a first message to the service authorization system, the first message being used to apply for authorization of a first service request;
a first receiving unit, configured to receive a second message from the service authorization system, the second message being used to indicate the authorization result.
Embodiments of the present disclosure also provide a first network function, which includes a first processor and a first communication interface, where
the first communication interface is used to send a first message to the service authorization system and to receive a second message from the service authorization system, where
the first message is used to apply for authorization of a first service request, and the second message is used to indicate the authorization result.
Embodiments of the present disclosure also provide a first network function, including a first processor and a first memory for storing a computer program capable of running on the processor,
where the first processor is used to execute the steps of any of the above methods when running the computer program.
Embodiments of the present disclosure also provide a storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of any of the above methods are implemented.
In the service authorization method, device, network function and storage medium provided by the embodiments of the present disclosure, a first network function sends a first message to a service authorization system and receives a second message from the service authorization system. The first message is used to apply for authorization of a first service request, and the second message is used to indicate the authorization result. Based on this solution, authorization management of service requests initiated by a terminal can be achieved.
Brief description of the drawings
Figure 1 shows the system architecture of GBA in the related art;
Figure 2 is a GBA system architecture according to an embodiment of the present disclosure;
Figure 3 is a schematic flow chart of a service authorization method according to an embodiment of the present disclosure;
Figure 4 is a schematic diagram of the entity relationships in the Internet of Vehicles authentication and authorization application scenario in the related art;
Figure 5 is a schematic diagram of the system architecture for GBA service authorization in the Internet of Vehicles to which the embodiments of the present disclosure apply;
Figure 6 is a schematic diagram of the operation flow of scheme one of the application embodiment of the present disclosure;
Figure 7 is a schematic diagram of the operation flow of scheme two of the application embodiment of the present disclosure;
Figure 8 is a schematic diagram of the operation flow of scheme three of the application embodiment of the present disclosure;
Figure 9 is a schematic diagram of the GBA-based device authentication and service authorization flow of the application embodiment of the present disclosure;
Figure 10 is another GBA system architecture according to an embodiment of the present disclosure;
Figure 11 is a schematic diagram of the service authorization processing flow implemented on the BSF according to an embodiment of the present disclosure;
Figure 12 is a schematic diagram of the AKMA system architecture according to an embodiment of the present disclosure;
Figure 13 is a schematic structural diagram of a service authorization device according to an embodiment of the present disclosure;
Figure 14 is a schematic structural diagram of a first network function according to an embodiment of the present disclosure.
Detailed description
GBA is defined by the 3rd Generation Partnership Project (3GPP) and is a method of identity authentication and secure communication based on the cellular mobile communication network and the Universal Subscriber Identity Module (USIM). In practice, GBA can perform mutual authentication between the Bootstrapping Server Function (BSF) and the terminal based on the Authentication and Key Agreement (AKA) mechanism of the 3GPP network standard, negotiate a session key, and complete service authorization, so as to meet the application need for end-to-end secure communication between the terminal and the application server.
Figure 1 shows the system architecture of GBA in the related art. Referring to Figure 1, the core GBA system mainly includes the BSF and the Network Application Function/Authentication Proxy (NAF/AP). The BSF interfaces with the Home Subscriber Server (HSS) over the Zh interface to obtain the AKA quintuple authentication vector. After AKA authentication succeeds, the BSF generates the GBA session key and provides it to the NAF/AP. Here, the NAF/AP represents the application server, so end-to-end secure communication between the application server and the terminal can be achieved based on the GBA session key provided by the BSF. The standard GBA system architecture and the enhanced GBA system architecture shown in Figure 1 can be built into a GBA authentication and authorization system that authenticates the identity of the terminal and authorizes and controls the services the terminal accesses. Based on the user subscription information obtained from the HSS, the BSF or NAF/AP can determine whether the terminal's current service request meets the conditions agreed in the subscription information; if it does not, the BSF or NAF/AP can reject the terminal's service request to the application server. However, since user subscription information belongs to the domain of network services and is usually fixed when the user subscribes to the operator's network service, it cannot be updated dynamically as the service state at the application layer changes. Therefore, when the service state at the application layer changes, GBA cannot authorize the terminal's service request.
On this basis, in the embodiments of the present disclosure, a first network function sends a first message to a service authorization system and receives a second message from the service authorization system. The first message is used to apply for authorization of a first service request, and the second message is used to indicate the authorization result. Based on this solution, authorization management of service requests initiated by a terminal can be achieved.
The present disclosure is described in further detail below with reference to the accompanying drawings and embodiments.
First, referring to Figure 2, on the basis of standard GBA or enhanced GBA, the embodiments of the present disclosure add a Zx interface that supports information exchange between the first network function and the service authorization system, so that when a terminal accesses an application server, the needs of the service owner, regulator, service provider or other third parties for authorization and control of the terminal's service requests can be met. In practice, the Zx interface can be implemented over various protocols and interface styles, including the Hypertext Transfer Protocol (HTTP) or other custom protocols.
Based on the system architecture of Figure 2, embodiments of the present disclosure provide a service authorization method. In practice, the method can be applied to a first system, where the first system may be a GBA authentication and authorization authority. Optionally, the service authorization method may be implemented specifically by a first network function within the GBA authentication and authorization authority. In the embodiments of the present invention, a network function (NF) may also be called a network element, an entity, a network device, a network-side device, etc.
As shown in Figure 3, the service authorization method includes:
Step 301: sending a first message to the service authorization system.
The first message is used to apply for authorization of a first service request.
Step 302: receiving a second message from the service authorization system.
The second message is used to indicate the authorization result.
Here, the service authorization system may also be called a business authorization entity or a service authorization entity. A service request may also be called a business request. Applying for authorization of a service request may also be called applying for an authorization review of the service request; for example, the service authorization system determines, according to the first service request, whether the first system or the first network function is allowed to execute the first service.
In one embodiment, the first message is used to apply for authorization of the first service request of the first terminal; that is, the first service request is initiated by the first terminal. In practice, after the first network function receives the first service request from the first terminal for the first service, it determines the corresponding service authorization system according to the first service that the first terminal wants to access, and sends the first message to that service authorization system to apply for authorization of the first service request.
Here, the first message may use the HTTP message format. In one embodiment, the first message carries at least one of the following information:
the identification of the first terminal;
the identification and/or address of the application service entity;
type information of the services and/or operations requested by the first service request.
The identification of the first terminal includes the terminal's International Mobile Subscriber Identity (IMSI) and/or a service-layer identifier, etc. The application service entity may also be called an application server, and may be the application service entity or application server that provides the first service requested by the first service request, for example a Vehicle to X (V2X) server or V2X service entity. The identification of the application service entity may be the domain name of the application service entity or application server, for example the Fully Qualified Domain Name (FQDN) of the application server. The type information of the service and/or operation requested by the first service request may be a type identifier of the service and/or operation, etc.
The application service entity here can be understood as the application server that provides the first service. The application server may be a V2X server, which may also be called a V2X service entity.
Based on the first message and in combination with the service management and control policy, the service authorization system makes an authorization decision, determining whether the first terminal is allowed to perform the related service and/or operation, or whether the first terminal is allowed to obtain the related service from the application service entity. The service authorization system then returns a second message to the first network function indicating the authorization result. For example, if authorized, the service authorization system returns an HTTP 200 OK message to the first network function; if not authorized, it returns an HTTP 403 Forbidden message. Here OK denotes pass and Forbidden denotes prohibition.
According to the authorization result indicated in the second message returned by the service authorization system, the first network function determines whether to allow the first terminal to continue the related processing of the first service. If the authorization result indicates authorized, the first terminal continues to execute the GBA mechanism and the related processing of the first service; if the authorization result is unauthorized, the first terminal terminates the GBA mechanism and the related processing of the first service. In practice, after obtaining the authorization result, the first network function returns a response message for the first service request to the first terminal; if the authorization result is unauthorized, the first network function returns a rejection message for the first service request, such as an HTTP 403 Forbidden message, to the first terminal.
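The following is an added example, not code from the patent, that models the Zx exchange described in Steps 301-302 and in the BSF step list above as a small offline simulation: the application service entity's third message (a BIR-style key request carrying a B-TID) triggers the first message, the service authorization system answers 200 OK or 403 Forbidden from application-layer state that the HSS subscription does not hold, and the BSF releases the GBA shared session key only on an authorized result. Message field names, the policy table, the B-TID and key values and the "vehicle status" attribute are constructed assumptions for illustration.

```python
"""Offline model of the Zx service-authorization exchange (added example).

Not code from the patent: field names, the policy table, the B-TID/key
values and the 'vehicle status' attribute are constructed. The patent fixes
only the information elements carried and the 200 OK / 403 Forbidden results.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

HTTP_OK = 200          # authorized
HTTP_FORBIDDEN = 403   # not authorized


@dataclass(frozen=True)
class FirstMessage:
    """Zx request from the first network function (BSF) to the authorization system."""
    terminal_id: str             # identification of the first terminal (e.g. IMSI)
    app_entity_id: str           # identification/address (FQDN) of the application service entity
    service_type: str            # type of service/operation requested
    b_tid: Optional[str] = None  # bootstrapping transaction identifier, if known


@dataclass(frozen=True)
class SecondMessage:
    """Zx response indicating the authorization result."""
    status: int
    reason: str = ""


class ServiceAuthorizationSystem:
    """Holds application-layer business state that the HSS subscription does not
    (here: a constructed vehicle-status table and a per-entity service policy)."""

    def __init__(self, vehicle_status: dict[str, str], policy: dict[str, set[str]]):
        self._vehicle_status = vehicle_status   # terminal_id -> "legal" / "revoked"
        self._policy = policy                   # app_entity_id -> allowed service types

    def authorize(self, msg: FirstMessage) -> SecondMessage:
        allowed = self._policy.get(msg.app_entity_id, set())
        if msg.service_type not in allowed:
            return SecondMessage(HTTP_FORBIDDEN, "service/operation not permitted for entity")
        if self._vehicle_status.get(msg.terminal_id) != "legal":
            return SecondMessage(HTTP_FORBIDDEN, "vehicle status not legal")
        return SecondMessage(HTTP_OK)


class Bsf:
    """First network function. Mediates between the application service entity (NAF)
    and the authorization system; releases Ks_NAF only on an authorized result."""

    def __init__(self, sas: ServiceAuthorizationSystem):
        self._sas = sas
        self._sessions: dict[str, dict[str, str]] = {}   # b_tid -> bootstrapping state
        self.audit: list[tuple[str, str, str, int, str]] = []  # one record per decision

    def register_bootstrapping(self, b_tid: str, terminal_id: str, ks_naf: str) -> None:
        """Outcome of a completed GBA bootstrapping run (key value constructed)."""
        self._sessions[b_tid] = {"terminal_id": terminal_id, "ks_naf": ks_naf}

    def handle_third_message(self, b_tid: str, naf_id: str, service_type: str) -> dict:
        """Third message (e.g. a BIR over Zn): the NAF asks for the terminal's GBA
        shared session key. Returns the fourth message: key, or unauthorized result."""
        session = self._sessions.get(b_tid)
        if session is None:
            return {"status": HTTP_FORBIDDEN, "reason": "unknown B-TID"}
        # Step 2: build the first message from the third message plus the terminal id
        first = FirstMessage(session["terminal_id"], naf_id, service_type, b_tid)
        # Steps 3-4: authorization decision and second message
        second = self._sas.authorize(first)
        self.audit.append((b_tid, naf_id, service_type, second.status, second.reason))
        # Steps 5-6: continue GBA and hand out the key, or terminate without it
        if second.status != HTTP_OK:
            return {"status": HTTP_FORBIDDEN, "reason": second.reason}
        return {"status": HTTP_OK, "ks_naf": session["ks_naf"]}


def demo() -> tuple[dict, dict, dict]:
    """Constructed scenario: one vehicle in legal status, one whose status was revoked."""
    sas = ServiceAuthorizationSystem(
        vehicle_status={"imsi-460001234567890": "legal",
                        "imsi-460009876543210": "revoked"},
        policy={"v2x-ca.example.invalid": {"cert-request"}},
    )
    bsf = Bsf(sas)
    bsf.register_bootstrapping("btid-A", "imsi-460001234567890", "ks-naf-A")
    bsf.register_bootstrapping("btid-B", "imsi-460009876543210", "ks-naf-B")
    ok = bsf.handle_third_message("btid-A", "v2x-ca.example.invalid", "cert-request")
    revoked = bsf.handle_third_message("btid-B", "v2x-ca.example.invalid", "cert-request")
    wrong_op = bsf.handle_third_message("btid-A", "v2x-ca.example.invalid", "cert-revoke")
    return ok, revoked, wrong_op


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The audit list on the BSF is the detection hook a defender would keep: every Zx decision, including the 403 cases, is recorded with the B-TID, the requesting entity and the reason.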
The above solution of the present disclosure is described in further detail below with reference to application embodiments.
Figure 4 shows the entity relationships in an application scenario of Internet of Vehicles authentication and authorization, in which a V2X device accesses a V2X service entity in an attempt to obtain a certain service; the V2X device corresponds to the terminal and the V2X service entity corresponds to the application service entity. In the related art, the V2X device authentication service function, the V2X device authentication entity and the V2X service authorization entity may be implemented by an Authentication and Authorization Authority (AAA), and GBA is one specific way of implementing the AAA. In this scenario, when an On-Board Unit (OBU) (the terminal) accesses the V2X certificate issuing authority (the application server) in an attempt to apply for a V2X digital certificate, the V2X device must first be identity-authenticated by the V2X device authentication service function or the V2X device authentication entity and must obtain service authorization from the V2X service authorization entity before it can access the V2X certificate issuing authority and obtain the V2X digital certificate. In addition, the authority responsible for service supervision may decide whether to allow the OBU to access the V2X certificate issuing authority based on whether the vehicle's status is legitimate. However, service status information such as the legitimacy of the vehicle's status is not written into the user subscription information in the HSS. Therefore, the authorization control requirement of the supervising authority for access to V2X digital certificates cannot be met by the GBA mechanism.
Based on the Internet of Vehicles authentication and authorization scenario shown in Figure 4, the system architecture for GBA service authorization in the Internet of Vehicles to which the solution of the embodiments of the present disclosure applies is shown in Figure 5. Here, the Authentication and Authorization Authority (AAA) is implemented based on GBA; the V2X service entity is the application service entity in the GBA system, the V2X device is the terminal in the GBA system, and the V2X service authorization entity is the service authorization system in the GBA system. A Zx interface is added between the GBA core network element NAF/AP and the V2X service authorization entity to carry the exchange of service authorization information.
Based on the system architecture for GBA service authorization in the Internet of Vehicles shown in Figure 5, the first application embodiment of the present disclosure corresponds to the operation flow shown in Figure 6:
Steps 1 to 2 correspond to the service flow of the standard GBA mechanism; the HTTP message in step 2 is the service request and the HTTP message in step 5 is the response to the service request.
Step 3: After receiving the service request from the V2X device for the V2X service entity, the NAF/AP (standard or enhanced) sends a service authorization request message to the V2X service authorization entity to apply for authorization of the service request. The service authorization request message may carry the FQDN of the V2X service entity, identifying the V2X service entity the V2X device wants to access. It may additionally carry type information of the service and/or operation requested by the V2X device, as needed.
Based on the service the V2X device wants to perform or obtain, the V2X service authorization entity decides whether to grant authorization. If authorized, it returns the service authorization response message HTTP 200 OK. The NAF/AP may then continue the standard GBA service flow, i.e. complete steps 5 to 19. For the enhanced GBA mechanism, the NAF/AP additionally completes steps 20 to 29.
Based on the system architecture for GBA service authorization in the Internet of Vehicles shown in Figure 5, the second application embodiment of the present disclosure corresponds to the operation flow shown in Figure 7:
Steps 1 to 13 correspond to the service flow of the standard GBA mechanism; the HTTP message in step 13 is the service request and the HTTP message in step 19 is the response to the service request.
Step 14: After receiving the service request from the V2X device for the V2X service entity, the NAF/AP (standard or enhanced) sends a service authorization request message to the V2X service authorization entity to apply for authorization of the service request. The service authorization request message may carry the FQDN of the V2X service entity, identifying the V2X service entity the V2X device wants to access. It may additionally carry type information of the service and/or operation requested by the V2X device, as needed.
Based on the service the V2X device wants to perform or obtain, the V2X service authorization entity decides whether to grant authorization. If authorized, it returns the service authorization response message HTTP 200 OK. The NAF/AP may then continue the standard GBA service flow, i.e. complete steps 16 to 19. For the enhanced GBA mechanism, the NAF/AP additionally completes steps 20 to 29.
Based on the system architecture for GBA service authorization in the Internet of Vehicles shown in Figure 5, the third application embodiment of the present disclosure corresponds to the operation flow shown in Figure 8:
Steps 1 to 17 correspond to the service flow of the standard GBA mechanism; from step 18 onward the flow corresponds to the enhanced GBA system. The HTTP message in step 21 is the service request and the HTTP message in step 25 is the response to the service request.
Step 22: After receiving the service request from the V2X device for the V2X service entity, the enhanced NAF/AP sends a service authorization request message to the V2X service authorization entity to apply for authorization of the service request. The service authorization request message may carry the FQDN of the V2X service entity, identifying the V2X service entity the V2X device wants to access. It may additionally carry type information of the service and/or operation requested by the V2X device, as needed.
Based on the service the V2X device wants to perform or obtain, the V2X service authorization entity decides whether to grant authorization. If authorized, it returns the service authorization response message HTTP 200 OK. The NAF/AP network element may then continue the enhanced GBA service flow, i.e. complete steps 24 to 29, establishing an end-to-end secure communication channel between the V2X device and the V2X service entity.
In practice, GBA performs mutual identity authentication between the BSF and the terminal based on the AKA mechanism and negotiates a session key before service authorization can be completed. Accordingly, in one embodiment, before sending the first message to the service authorization system, the method further includes:
receiving a third message sent by the application service entity, the third message being used to request the GBA shared session key and/or user-related information of the first terminal; and
obtaining the identity of the first terminal.
Here, the application service entity requests the GBA shared session key and/or user-related information from the first network function in preparation for providing the service to the first terminal. In one embodiment, the third message carries one or more of the following:
the identity and/or address of the application service entity;
type information of the service and/or operation requested by the first service request;
the B-TID.
After receiving the third message, the first network function looks up the context information of the first terminal using the B-TID carried in the third message and obtains the identity of the first terminal, so that it can apply for authorization of the first terminal's service request based on that identity. In practice, the first terminal can be understood as a subscriber of the operator network, which provides GBA security services to it; the user-related information of the first terminal may include the subscription information established when the first terminal subscribed to the operator network.
In one embodiment, the method further includes:
returning a fourth message to the application service entity.
The fourth message is used to return the GBA shared session key of the first terminal, or to return an unauthorized result for the first service request of the first terminal.
In one embodiment, the method further includes:
receiving a fifth message sent by the application service entity, and
forwarding the fifth message to the first terminal.
The fifth message is used to return the execution result of the first service request, or to return a result indicating that execution of the first service request was refused.
Based on the system architecture for GBA service authorization in the Internet of Vehicles shown in Figure 5, the application embodiment of Figure 9 is given to further explain the GBA-based device authentication and service authorization flow:
Step 1: When a V2X device needs to access a V2X service entity to obtain a service, for example when it accesses the V2X certificate issuing authority to apply for a Cellular V2X (C-V2X) digital certificate, and the V2X device has no valid GBA shared session key, the V2X device accesses the GBA authentication and authorization authority over the cellular network and initiates an authentication and authorization request.
Step 2: The GBA authentication and authorization authority and the V2X device perform identity authentication and key negotiation based on the GBA mechanism; after successful negotiation, the GBA authentication and authorization authority returns an authentication and authorization response to the V2X device. At this point the operation flow of the standard GBA mechanism is complete. From step 3 onward, the operations belong to the enhanced GBA.
In step 2, the BSF in the GBA authentication and authorization system is responsible for authenticating the V2X device based on the AKA mechanism and provides the GBA shared session key Ks_(int)_NAF to the NAF. The NAF subsequently generates the GBA application-layer session key K* from the GBA shared session key for use by the V2X service entity. The generation of K* follows the relevant requirements of existing standards and is not described again here.
Step 3: The V2X device sends a service request, e.g. a C-V2X certificate application request, to the V2X service entity via the GBA authentication and authorization authority. The service request is carried in an HTTP message and may carry the B-TID, the domain name of the V2X service entity and other information. Sensitive data in the service request may be protected for confidentiality or integrity using the GBA application-layer session key K* generated by the V2X device's USIM.
Step 4: Based on the domain name of the V2X service entity, the GBA authentication and authorization authority forwards the service request to the server corresponding to the V2X service entity, carrying the B-TID in the service request.
Step 5: The V2X service entity sends a user information request to the GBA authentication and authorization authority over the A3 reference point, requesting the V2X device's GBA shared session key and user information in preparation for providing the service to the V2X device. The user information request is an HTTP message carrying the B-TID, the V2X server domain name and similar information; it may also carry the type identifier of the service or operation requested by the V2X device, as needed.
Step 6: After receiving the user information request, the GBA authentication and authorization authority looks up the V2X device's context information by B-TID, obtains the device identity (e.g. the IMSI of the V2X device, a service-layer identity, etc.) and sends a service authorization request message to the corresponding V2X device authentication entity/V2X service authorization entity to apply for an authorization review of the V2X device's service request. The service authorization request message carries the device identity, the V2X server domain name, the type identifier of the service or operation requested by the V2X device, and similar information.
Step 7: The V2X device authentication entity/V2X service authorization entity reviews and decides on the authorization of the V2X device's service request and returns the service authorization result.
Step 8: The GBA authentication and authorization authority processes the service authorization result accordingly and returns a user information response message, completing the service response to the service request of step 6.
If authorization succeeds, the GBA authentication and authorization authority generates the GBA application-layer session key K* and returns K*-related information to the V2X service entity in the user information response message. If authorization fails, the GBA authentication and authorization authority returns a result indicating that the service is not authorized to the V2X service entity in the user information response message.
Step 9: The V2X service entity performs service processing according to the service authorization result and returns a service response message, e.g. a C-V2X certificate application response, to the V2X device via the GBA authentication and authorization system. If authorization succeeded, the V2X service entity performs the corresponding service processing, e.g. issues a C-V2X digital certificate to the V2X device, and may protect the service response message using the obtained GBA application-layer session key K*. If authorization failed, the V2X service entity refuses to execute the corresponding service request, e.g. refuses to issue a C-V2X digital certificate to the V2X device, and returns a service-refused result to the V2X device.
Step 10: The GBA authentication and authorization authority forwards the service response message to the V2X device.
Step 11: The V2X device processes the service response message locally; for services related to C-V2X digital certificate management, refer to the existing standards. If service authorization succeeded, the V2X device can carry out end-to-end secure communication based on the GBA application-layer session key K*.
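The following is an added example, not code from the patent or from its applicants, that simulates the exchange described for the first message and second message above and for steps 5 to 8 of the Figure 9 flow: the application service entity's user information request (third message) reaches the network function, which resolves the B-TID to a terminal identity from its bootstrapping context, sends the authorization request over Zx, and turns the 200/403 decision into the fourth message. The B-TID values, IMSIs, key material, FQDN, JSON field names and the policy (vehicle status plus a per-FQDN operation allow-list, the kind of state the patent notes is absent from the HSS) are all constructed assumptions; the real K* derivation follows the 3GPP standard and is not modelled here.

```python
"""Simulated Zx service authorization between a GBA network function (NAF/AP)
and a service authorization system.  Added example; every identifier and
sample value below is constructed, not taken from the patent."""
from dataclasses import dataclass, field

# Constructed NAF/AP bootstrapping context, keyed by B-TID (sample data).
NAF_CONTEXT = {
    "btid-0001@bsf.example.net": {"imsi": "460001234567890", "ks_naf": "a1b2c3"},
    "btid-0002@bsf.example.net": {"imsi": "460009876543210", "ks_naf": "d4e5f6"},
}

# Constructed policy held by the service authorization system: vehicle status
# (business state the HSS does not hold) and which operations each application
# service entity FQDN may be asked for.
VEHICLE_STATUS = {"460001234567890": "legal", "460009876543210": "revoked"}
ALLOWED_OPS = {"ca.v2x.example.net": {"cert_apply", "cert_renew"}}


@dataclass
class Message:
    """HTTP-style message: status code plus a JSON-like body."""
    status: int
    body: dict = field(default_factory=dict)


def build_first_message(terminal_id: str, af_fqdn: str, op_type: str) -> dict:
    """First message (Zx request): terminal identity, FQDN of the application
    service entity, and the requested service/operation type."""
    return {"terminal_id": terminal_id, "af_fqdn": af_fqdn, "op_type": op_type}


def authorization_system(first_message: dict) -> Message:
    """Service authorization system: decides on the first message and returns
    the second message, HTTP 200 OK or HTTP 403 Forbidden.  Missing fields
    deny (fail closed)."""
    tid = first_message.get("terminal_id")
    fqdn = first_message.get("af_fqdn")
    op = first_message.get("op_type")
    if VEHICLE_STATUS.get(tid) != "legal":
        return Message(403, {"reason": "vehicle status not legal"})
    if op not in ALLOWED_OPS.get(fqdn, set()):
        return Message(403, {"reason": "operation not permitted for this AF"})
    return Message(200, {"authorized": True})


def handle_user_info_request(third_message: dict) -> Message:
    """Network-function side: third message in, fourth message out.
    B-TID -> terminal identity -> Zx authorization -> key material or refusal."""
    btid = third_message.get("btid")
    ctx = NAF_CONTEXT.get(btid)
    if ctx is None:
        # No bootstrapping context for this B-TID: nothing to authorize.
        return Message(404, {"reason": "unknown B-TID"})
    first = build_first_message(ctx["imsi"],
                                third_message.get("af_fqdn", ""),
                                third_message.get("op_type", ""))
    second = authorization_system(first)
    if second.status != 200:
        # Any non-200 result (403 or an error) is treated as unauthorized.
        return Message(403, {"authorized": False,
                             "reason": second.body.get("reason", "not authorized")})
    # Authorized: hand the shared session key material to the application
    # service entity (K* derivation per the standard is out of scope here).
    return Message(200, {"authorized": True, "ks_naf": ctx["ks_naf"]})


def terminal_response(fourth_message: Message) -> Message:
    """Response the network function relays toward the terminal: 403 Forbidden
    when the service request was not authorized, 200 OK otherwise."""
    if fourth_message.status != 200:
        return Message(403, {"error": "service request rejected"})
    return Message(200, {"result": "service request accepted"})


if __name__ == "__main__":
    req = {"btid": "btid-0001@bsf.example.net",
           "af_fqdn": "ca.v2x.example.net", "op_type": "cert_apply"}
    fourth = handle_user_info_request(req)
    print(fourth.status, fourth.body)
    print(terminal_response(fourth).status)
```

The two deny branches are kept separate so that an audit log can distinguish a policy refusal (the supervising authority's vehicle-status decision) from a request for an operation the application service entity is not registered for; in both cases the application service entity receives only the unauthorized result and never the key material.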
In practice, the first network function may be the NAF/AP in GBA, or another network function with the same functionality as the NAF/AP. It will be understood that, besides implementing the NAF/AP functionality, the first network function may implement other functions as well; that is, the first network function may be a network function in which the NAF/AP is co-located with other functions.
In addition, the first network function may also be the BSF. As shown in Figure 10, a newly added Zx interface supports information exchange between the BSF and the service authorization system. The service authorization flow implemented on the BSF is shown in Figure 11:
Step 1: During processing of the GBA mechanism (standard or enhanced), after receiving the first service request, for example a Bootstrapping-Info Request (BIR), the BSF determines the service authorization system corresponding to the first service that the first terminal wants to access.
Step 2: The BSF sends the first message, requesting the service authorization system to perform an authorization review of the first service request.
Step 3: The service authorization system makes an authorization decision, determining whether the first terminal is allowed to perform the related service operation or to obtain the related service from the server.
Step 4: The service authorization system returns a service authorization response message to the BSF, indicating the authorization result.
Step 5: Based on the authorization result, the BSF determines whether the first terminal is allowed to continue the processing related to the first service. If the authorization result indicates authorized, the first terminal continues with the GBA mechanism and the processing related to the first service; if the authorization result is unauthorized, the first terminal terminates the GBA mechanism and the processing related to the first service.
Step 6: The BSF returns a response message for the first service request to the first terminal. If the authorization result is unauthorized, the BSF returns a rejection message for the first service request to the first terminal, for example a BIA message or an HTTP 403 Forbidden message.
Although the embodiments of the present disclosure are proposed based on the GBA security mechanism, they apply equally to successor technologies of GBA, such as Authentication and Key Management for Applications (AKMA). Referring to the AKMA system architecture in Figure 12, the Application Function (AF) and the AKMA Anchor Function (AAnF) can be understood as equivalent to the NAF and the BSF in the GBA system, respectively, and can support the Zx interface and related processing functions proposed in this patent. In addition, the first network function may also be the Network Exposure Function (NEF) in Figure 12. These network functions may implement the service authorization method with reference to the above embodiments.
To implement the method of the embodiments of the present disclosure, the embodiments further provide a service authorization apparatus arranged on the first network function. As shown in Figure 13, the apparatus includes:
a first sending unit 1301, configured to send a first message to the service authorization system, the first message being used to apply for authorization of a first service request; and
a first receiving unit 1302, configured to receive a second message from the service authorization system, the second message being used to indicate the authorization result.
In one embodiment, the first message is used to apply for authorization of the first service request of the first terminal.
In one embodiment, the first message carries at least one of the following:
the identity of the first terminal;
the identity and/or address of the application service entity;
type information of the service and/or operation requested by the first service request.
In one embodiment, the apparatus further includes:
a second receiving unit, configured to receive, before the first message is sent to the service authorization system, a third message sent by the application service entity, the third message being used to request the GBA shared session key and/or user-related information of the first terminal; and
an obtaining unit, configured to obtain the identity of the first terminal.
In one embodiment, the third message carries one or more of the following:
the identity and/or address of the application service entity;
type information of the service and/or operation requested by the first service request;
the B-TID.
In one embodiment, the apparatus further includes:
a second sending unit, configured to return a fourth message to the application service entity, wherein
the fourth message is used to return the GBA shared session key of the first terminal, or to return an unauthorized result for the first service request of the first terminal.
In one embodiment, the apparatus further includes:
a third receiving unit, configured to receive a fifth message sent by the application service entity
and to forward the fifth message to the first terminal, wherein
the fifth message is used to return the execution result of the first service request, or to return a result indicating that execution of the first service request was refused.
In practice, each of the above units may be implemented by the communication interface of the service authorization apparatus.
It should be noted that when the service authorization apparatus provided in the above embodiments performs service authorization, the division into the above program modules is given only as an example; in practice, the processing may be allocated to different program modules as needed, i.e. the internal structure of the apparatus may be divided into different program modules to complete all or part of the processing described above. Moreover, the service authorization apparatus of the above embodiments and the service authorization method embodiments belong to the same concept; for the details of its implementation, refer to the method embodiments, which are not repeated here.
基于上述程序模块的硬件实现,且为了实现本公开实施例第一网络功能侧的方法,本公开实施例还提供了一种第一网络功能,如图14所示,第一网络功能1400包括:Based on the hardware implementation of the above program module, and in order to implement the method on the first network function side of the embodiment of the disclosure, the embodiment of the disclosure also provides a first network function. As shown in Figure 14, the first network function 1400 includes:
第一通信接口1401,能够与其他网络节点进行信息交互;The first communication interface 1401 is capable of information exchange with other network nodes;
第一处理器1402,与所述第一通信接口1401连接,以实现与其他网络节点进行信息交互,用于运行计算机程序时,执行上述第一网络功能侧一个或多个技术方案提供的方法。而所述计算机程序存储在第一存储器1403上。The first processor 1402 is connected to the first communication interface 1401 to implement information interaction with other network nodes, and is used to execute the method provided by one or more technical solutions on the first network function side when running a computer program. The computer program is stored on the first memory 1403 .
具体地,所述第一通信接口1401,用于向业务授权***发送第一消息,以及接收业务授权***的第二消息;其中,Specifically, the first communication interface 1401 is used to send a first message to the service authorization system and receive a second message from the service authorization system; wherein,
所述第一消息用于对第一业务请求申请授权;所述第二消息用于指示授权结果。The first message is used to apply for authorization for the first service request; the second message is used to indicate the authorization result.
其中,在一实施例中,所述第一消息用于对第一终端的第一业务请求申请授权。In one embodiment, the first message is used to apply for authorization of the first service request of the first terminal.
在一实施例中,所述第一消息携带以下信息的至少之一:In one embodiment, the first message carries at least one of the following information:
第一终端的标识;The identification of the first terminal;
应用服务实体的标识和/或地址;The identification and/or address of the application service entity;
所述第一业务请求所请求的服务和/或操作的类型信息。Type information of services and/or operations requested by the first service request.
在一实施例中,所述第一通信接口1401,还用于在所述向业务授权***发送第一消息之前,接收应用服务实体发送的第三消息;所述第三消息用于请求获取第一终端的GBA共享会话密钥和/或用户相关信息;In an embodiment, the first communication interface 1401 is also used to receive a third message sent by the application service entity before sending the first message to the service authorization system; the third message is used to request to obtain the third message. A terminal’s GBA shared session key and/or user-related information;
所述第一通信接口1401,还用于获取所述第一终端的标识。The first communication interface 1401 is also used to obtain the identity of the first terminal.
在一实施例中,所述第三消息携带以下一种或几种: In one embodiment, the third message carries one or more of the following:
应用服务实体的标识和/或地址;The identification and/or address of the application service entity;
所述第一业务请求所请求的服务/或操作的类型信息;Type information of the service/or operation requested by the first service request;
B-TID。B-TID.
在一实施例中,所述第一通信接口1401,还用于向应用服务实体返回第四消息;其中,In one embodiment, the first communication interface 1401 is also used to return a fourth message to the application service entity; wherein,
所述第四消息用于返回所述第一终端的GBA共享会话密钥,或者,用于返回对所述第一终端的第一业务请求的未授权的结果。The fourth message is used to return the GBA shared session key of the first terminal, or to return an unauthorized result of the first service request to the first terminal.
在一实施例中,所述第一通信接口1401,还用于接收应用服务实体发送的第五消息,In one embodiment, the first communication interface 1401 is also used to receive the fifth message sent by the application service entity,
向所述第一终端转发所述第五消息;其中,Forwarding the fifth message to the first terminal; wherein,
所述第五消息用于返回所述第一业务请求的执行结果,或者,用于返回所述第一业务请求被拒绝执行的结果。The fifth message is used to return the execution result of the first service request, or to return the result that the first service request is refused execution.
需要说明的是:第一处理器1402和第一通信接口1401的具体处理过程可参照上述方法理解。It should be noted that the specific processing procedures of the first processor 1402 and the first communication interface 1401 can be understood with reference to the above method.
当然,实际应用时,第一网络功能1400中的各个组件通过总线***1404耦合在一起。可理解,总线***1404用于实现这些组件之间的连接通信。总线***1404除包括数据总线之外,还包括电源总线、控制总线和状态信号总线。但是为了清楚说明起见,在图14中将各种总线都标为总线***1404。Of course, in actual application, various components in the first network function 1400 are coupled together through the bus system 1404. It can be understood that the bus system 1404 is used to implement connection communication between these components. In addition to the data bus, the bus system 1404 also includes a power bus, a control bus and a status signal bus. However, for the sake of clarity, the various buses are labeled bus system 1404 in FIG. 14 .
本公开实施例中的第一存储器1403用于存储各种类型的数据以支持第一网络功能1400的操作。这些数据的示例包括:用于在第一网络功能1400上操作的任何计算机程序。The first memory 1403 in the embodiment of the present disclosure is used to store various types of data to support the operation of the first network function 1400. Examples of such data include: any computer program for operating on the first network function 1400.
The method disclosed in the above embodiments of the present disclosure may be applied to, or implemented by, the first processor 1402. The first processor 1402 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by integrated logic circuitry in hardware within the first processor 1402, or by instructions in software form. The first processor 1402 may be a general-purpose processor, a digital signal processor (DSP), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The first processor 1402 may implement or execute the methods, steps and logical block diagrams disclosed in the embodiments of the present disclosure. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of the present disclosure may be executed directly by a hardware decoding processor, or by a combination of hardware and software modules within the decoding processor. The software module may reside in a storage medium located in the first memory 1403; the first processor 1402 reads the information in the first memory 1403 and completes the steps of the foregoing method in combination with its hardware.
In an exemplary embodiment, the first network function 1400 may be implemented by one or more application-specific integrated circuits (ASICs), DSPs, programmable logic devices (PLDs), complex programmable logic devices (CPLDs), field-programmable gate arrays (FPGAs), general-purpose processors, controllers, microcontroller units (MCUs), microprocessors, or other electronic components, for performing the foregoing method.
It can be understood that the memory (first memory 1403) in the embodiments of the present disclosure may be volatile memory or non-volatile memory, or may include both. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), ferroelectric random access memory (FRAM), flash memory, magnetic surface memory, optical disc, or compact disc read-only memory (CD-ROM); the magnetic surface memory may be disk memory or tape memory. The volatile memory may be random access memory (RAM), which serves as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as static RAM (SRAM), synchronous static RAM (SSRAM), dynamic RAM (DRAM), synchronous dynamic RAM (SDRAM), double data rate synchronous dynamic RAM (DDR SDRAM), enhanced synchronous dynamic RAM (ESDRAM), SyncLink dynamic RAM (SLDRAM) and direct Rambus RAM (DRRAM). The memories described in the embodiments of the present disclosure are intended to include, but are not limited to, these and any other suitable types of memory.
In an exemplary embodiment, the embodiments of the present disclosure further provide a storage medium, namely a computer storage medium and specifically a computer-readable storage medium, for example comprising the first memory 1403 storing a computer program. The computer program can be executed by the first processor 1402 of the first network function 1400 to complete the steps of the method on the first network function side described above. The computer-readable storage medium may be FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disc, CD-ROM or another memory.
Note: "first", "second" and the like are used to distinguish similar objects and do not necessarily describe a particular order or sequence.
The term "and/or" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the term "at least one" herein means any one of a plurality, or any combination of at least two of a plurality; for example, "including at least one of A, B and C" may mean including any one or more elements selected from the set consisting of A, B and C.
In addition, the technical solutions described in the embodiments of the present disclosure may be combined in any manner provided there is no conflict.
The above are only preferred embodiments of the present disclosure and are not intended to limit the scope of protection of the present disclosure.

Claims (11)

  1. A service authorization method, the method comprising:
    sending a first message to a service authorization system, the first message being used to request authorization of a first service request; and
    receiving a second message from the service authorization system, the second message being used to indicate an authorization result.
  2. The method according to claim 1, wherein the first message is used to request authorization of a first service request of a first terminal.
  3. The method according to claim 1 or 2, wherein the first message carries at least one of the following:
    an identifier of the first terminal;
    an identifier and/or address of an application service entity;
    type information of the service and/or operation requested by the first service request.
  4. The method according to any one of claims 1 to 3, wherein, before sending the first message to the service authorization system, the method further comprises:
    receiving a third message sent by an application service entity, the third message being used to request the Generic Bootstrapping Architecture (GBA) shared session key and/or user-related information of a first terminal; and
    obtaining an identifier of the first terminal.
  5. The method according to claim 4, wherein the third message carries one or more of the following:
    an identifier and/or address of the application service entity;
    type information of the service and/or operation requested by the first service request;
    a Bootstrapping Transaction Identifier (B-TID).
  6. The method according to claim 5, further comprising:
    returning a fourth message to the application service entity, where
    the fourth message either returns the GBA shared session key of the first terminal or returns a result indicating that the first service request of the first terminal is not authorized.
  7. The method according to claim 6, further comprising:
    receiving a fifth message sent by the application service entity; and
    forwarding the fifth message to the first terminal, where
    the fifth message either returns the execution result of the first service request or returns a result indicating that execution of the first service request was refused.
  8. A service authorization apparatus, the apparatus comprising:
    a first sending unit, configured to send a first message to a service authorization system, the first message being used to request authorization of a first service request; and
    a first receiving unit, configured to receive a second message from the service authorization system, the second message being used to indicate an authorization result.
  9. A first network function, comprising a first processor and a first communication interface, wherein
    the first communication interface is configured to send a first message to a service authorization system and to receive a second message from the service authorization system, where
    the first message is used to request authorization of a first service request and the second message is used to indicate an authorization result.
  10. A first network function, comprising a first processor and a first memory storing a computer program capable of running on the processor,
    wherein the first processor is configured, when running the computer program, to perform the steps of the method according to any one of claims 1 to 7.
  11. A storage medium having a computer program stored thereon, the computer program, when executed by a processor, implementing the steps of the method according to any one of claims 1 to 7.
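The five-message exchange in claims 1 to 7 (and the fourth/fifth-message embodiment described above) is easier to reason about as running code. The following simulation is an added example written for this page; it is not code from the patent or from its applicants. The entity names (a BSF-like "first network function", a NAF-like "application service entity", a policy-based "authorization system"), the message field names, the sample B-TIDs, subscriber identities and policy are all constructed. The Ks_NAF derivation is modelled on the shape of the GBA key derivation (HMAC-SHA-256 with the NAF identity bound in) but its exact byte layout is an assumption of this example, not a conformance claim. The security-relevant behaviour it demonstrates is the one the claims imply: the key is derived and returned in the fourth message only after a positive second message, an unknown or expired B-TID short-circuits before the authorization system is consulted, and the key is NAF-specific.

```python
"""Hypothetical simulation of the service-authorization flow in claims 1-7 (added example)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class BootstrapRecord:
    """What the first network function keeps per B-TID after GBA bootstrapping (constructed)."""
    terminal_id: str   # subscriber identity (IMPI-like), constructed
    ks: bytes          # bootstrapped key Ks
    rand: bytes        # RAND used during bootstrapping
    expires_at: int    # key lifetime, seconds since epoch


def derive_ks_naf(rec: BootstrapRecord, naf_id: bytes) -> bytes:
    """NAF-specific key Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id).

    KDF shaped like the GBA one (HMAC-SHA-256 over FC || P_i || L_i); the byte layout
    is an assumption here. Binding NAF_Id means a key leaked by one server is useless elsewhere.
    """
    s = b"\x01"
    for p in (b"gba-me", rec.rand, rec.terminal_id.encode(), naf_id):
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(rec.ks, s, hashlib.sha256).digest()


class AuthorizationSystem:
    """Decides on the first message; policy maps terminal -> allowed (naf_id, op_type) pairs."""

    def __init__(self, policy: dict):
        self.policy = policy

    def handle_first_message(self, first: dict) -> dict:
        allowed = self.policy.get(first["terminal_id"], set())
        granted = (first["naf_id"], first["op_type"]) in allowed
        return {"authorized": granted, **first}        # second message


class FirstNetworkFunction:
    def __init__(self, auth: AuthorizationSystem, records: dict):
        self.auth = auth
        self.records = records                          # B-TID -> BootstrapRecord

    def handle_third_message(self, third: dict, now: int) -> dict:
        """Third message from the application service entity -> fourth message back."""
        rec = self.records.get(third.get("btid"))
        if rec is None or now >= rec.expires_at:
            # No valid bootstrapping context: refuse before touching policy, same answer either way
            return {"status": "unauthorized"}
        first = {"terminal_id": rec.terminal_id, "naf_id": third["naf_id"],
                 "naf_address": third["naf_address"], "op_type": third["op_type"]}
        second = self.auth.handle_first_message(first)
        if not second["authorized"]:
            return {"status": "unauthorized"}           # key is never derived, let alone returned
        return {"status": "authorized", "terminal_id": rec.terminal_id,
                "ks_naf": derive_ks_naf(rec, third["naf_id"].encode())}

    def forward_fifth_message(self, fifth: dict) -> dict:
        """Fifth message from the application service entity, relayed to the first terminal."""
        rec = self.records.get(fifth["btid"])
        return {"to": rec.terminal_id if rec else None, "result": fifth["result"]}


class ApplicationServiceEntity:
    def __init__(self, naf_id: str, address: str):
        self.naf_id, self.address = naf_id, address

    def third_message(self, btid: str, op_type: str) -> dict:
        return {"naf_id": self.naf_id, "naf_address": self.address,
                "op_type": op_type, "btid": btid}

    def fifth_message(self, fourth: dict, btid: str, op_type: str) -> dict:
        if fourth["status"] != "authorized":
            return {"btid": btid, "result": "refused"}
        # A real NAF would now verify the terminal's Ks_NAF-based credential; omitted here.
        return {"btid": btid, "result": f"executed:{op_type}"}


def run_flow(nf: FirstNetworkFunction, naf: ApplicationServiceEntity,
             btid: str, op_type: str, now: int):
    """Messages 3 -> (1, 2) -> 4 -> 5; returns the fourth message and what the terminal receives."""
    fourth = nf.handle_third_message(naf.third_message(btid, op_type), now)
    return fourth, nf.forward_fifth_message(naf.fifth_message(fourth, btid, op_type))


def build_demo():
    """Constructed sample deployment: one live B-TID, one expired at now=1000."""
    records = {
        "btid-1@bsf.example": BootstrapRecord("user1@ims.example", b"K" * 32, b"R" * 16, 2000),
        "btid-2@bsf.example": BootstrapRecord("user2@ims.example", b"J" * 32, b"S" * 16, 500),
    }
    policy = {"user1@ims.example": {("naf.example", "read-profile")}}
    return (FirstNetworkFunction(AuthorizationSystem(policy), records),
            ApplicationServiceEntity("naf.example", "https://naf.example"))


if __name__ == "__main__":
    nf, naf = build_demo()
    for btid, op in [("btid-1@bsf.example", "read-profile"), ("btid-1@bsf.example", "delete-account"),
                     ("btid-2@bsf.example", "read-profile"), ("btid-x", "read-profile")]:
        fourth, delivered = run_flow(nf, naf, btid, op, now=1000)
        print(btid, op, fourth["status"], delivered)
```

Running the module prints one line per case: the permitted operation is executed and its result is relayed to the terminal; the operation outside policy, the expired B-TID and the unknown B-TID all yield a fourth message without a key and a "refused" fifth message. Note that the refusal for an unknown B-TID and for an expired one is indistinguishable to the application service entity, which avoids turning the first network function into an oracle for valid B-TIDs.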
PCT/CN2023/096270 2022-05-25 2023-05-25 Service authorization method, apparatus, network function, and storage medium WO2023227057A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210580258.8 2022-05-25
CN202210580258.8A CN117177205A (en) 2022-05-25 2022-05-25 Service authorization method, device, network function and storage medium

Publications (1)

Publication Number Publication Date
WO2023227057A1 true WO2023227057A1 (en) 2023-11-30

Family

ID=88918574

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/096270 WO2023227057A1 (en) 2022-05-25 2023-05-25 Service authorization method, apparatus, network function, and storage medium

Country Status (2)

Country Link
CN (1) CN117177205A (en)
WO (1) WO2023227057A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101102191A (en) * 2006-07-04 2008-01-09 华为技术有限公司 Method for identifying the style of secret key request service in general authentication framework
US20190098498A1 (en) * 2016-03-09 2019-03-28 Telefonaktiebolaget Lm Ericsson (Publ) Systems and methods for using gba for services used by multiple functions on the same device
CN113518349A (en) * 2020-10-23 2021-10-19 ***通信有限公司研究院 Service management method, device, system and storage medium
CN114095919A (en) * 2020-06-30 2022-02-25 ***通信有限公司研究院 Certificate authorization processing method based on Internet of vehicles and related equipment

Also Published As

Publication number Publication date
CN117177205A (en) 2023-12-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23811127

Country of ref document: EP

Kind code of ref document: A1