Technical Field
The present invention relates to the field of communication technology, and in particular to an authentication method, an authentication device, a session management function entity, a server and a terminal.
Background Art
Secondary authentication is the authentication performed after the primary authentication that a terminal (UE) completes when it first accesses the 5G network. It mainly provides service authentication, together with the related key management, between the UE and an external data network (for example, a service provider). Secondary authentication couples the 5G network with the service-side platform: the service-side platform performs the authentication, while the 5G network transports the authentication messages and, based on the result, controls whether the UE may access the external data network. Unlike primary authentication, which uses the credentials stored in the USIM (Universal Subscriber Identity Module) when the UE attaches to the operator's network, secondary authentication relies on additional credentials (such as certificates), and the authentication server is located in the external data network.
After the initial secondary authentication, the authentication server or the authenticator may re-initiate secondary authentication of the UE as circumstances require, including: (1) the server goes down (fails, is disconnected, is switched off, or otherwise cannot provide service); (2) an administrator modifies a user's access rights, authorization attributes or other parameters on the authentication server; if that user is online, the user must be re-authenticated promptly to confirm that the user is still legitimate; (3) re-authentication on online timeout; (4) periodic re-authentication configured on the authenticator; (5) authentication failure. After secondary authentication, revocation of the secondary authentication state may be initiated if the user goes offline, a fraudulent login is detected, the authentication or authorization changes, or the number of users is too large. The term re-authentication applies to legacy 3GPP systems (for example GSM (Global System for Mobile Communications), GPRS (General Packet Radio Service), UMTS (Universal Mobile Telecommunications System) and LTE (Long Term Evolution) or SAE (System Architecture Evolution)) as well as to access in the current 5G system.
For an external data network, compared with application-layer authentication, secondary authentication moves access control to before the session is established, so that a malicious terminal cannot set up a data channel to the external data network at all. Secondary authentication also defends against separating the card from the device: when the card of a terminal, in particular of an IoT device, is inserted into another terminal, the attacker's terminal does not hold the credentials used for secondary authentication, so an attempt to access the network is rejected because secondary authentication cannot be passed, and the data network stays protected. For the 5G network, secondary authentication gives operators the ability to offer security services to vertical industries.
In the prior art, during secondary authentication the SMF (Session Management Function) sends out the GPSI (Generic Public Subscription Identifier). The GPSI is an identifier of the UE that is stored in the UDM (Unified Data Management), and the SMF can identify the UE from it. When the AAA server decides to re-authenticate a UE or to revoke its secondary authentication, it sends the GPSI to the network so that the network can identify the UE, update the UE's secondary authentication state, and instruct the UE to authenticate again.
Specifically, in the existing solution the SMF sends the GPSI to the AAA server during secondary authentication; when the AAA server initiates re-authentication or revocation, it returns that GPSI so that the network can identify the UE. This solution, however, requires substantial modification of existing AAA servers: a conventional AAA server knows the user only by the EAP ID used as the EAP authentication identity and cannot interpret a GPSI, so applying the solution requires the AAA server to additionally store the UE's network identifier (the GPSI) and to send it to the SMF whenever it initiates re-authentication or revocation.
It follows that the existing authentication scheme exposes UE information (a network identifier of the UE is handed to a server in the external data network), requires the server to maintain additional information, changes the server's existing account management system, and is costly to implement.
Summary of the Invention
The purpose of the present invention is to provide an authentication method, an authentication device, a session management function entity, a server and a terminal that solve the problems of UE information exposure and high implementation and maintenance cost in the prior-art authentication scheme.
To solve the above technical problems, an embodiment of the present invention provides an authentication method applied to a session management function (SMF) entity, including:
receiving a re-authentication request sent by a server, the re-authentication request carrying an Extensible Authentication Protocol identity (EAP ID);
obtaining an identifier of the target data network according to the address of the server;
obtaining a terminal identifier (UE ID) according to the EAP ID, the identifier of the target data network and a first mapping relationship;
triggering, according to the UE ID, the corresponding terminal to perform a re-authentication operation with the server;
where the first mapping relationship includes a mapping between EAP ID, identifier of the target data network and UE ID.
Optionally, triggering, according to the UE ID, the corresponding terminal to perform a re-authentication operation with the server includes:
sending an Extensible Authentication Protocol (EAP) re-authentication identity request to the corresponding terminal according to the UE ID;
receiving the EAP re-authentication identity response returned by the terminal in reply to the EAP re-authentication identity request;
sending the EAP re-authentication identity response to the server, thereby triggering EAP re-authentication between the terminal and the server;
where the EAP re-authentication identity response carries an EAP ID, which may be the same as or different from the EAP ID carried in the re-authentication request.
Optionally, after triggering, according to the UE ID, the corresponding terminal to perform the re-authentication operation with the server, the method further includes:
updating the first mapping relationship according to the EAP ID carried in the EAP re-authentication identity response.
Optionally, updating the first mapping relationship according to the EAP ID carried in the EAP re-authentication identity response includes:
replacing the EAP ID in the first mapping relationship with the EAP ID carried in the EAP re-authentication identity response.
Optionally, the first mapping relationship includes at least one such mapping, and each mapping is associated with a piece of secondary authentication state information;
triggering, according to the UE ID, the corresponding terminal to perform the re-authentication operation with the server further includes:
after sending the EAP re-authentication identity response to the server and triggering EAP re-authentication between the terminal and the server, receiving EAP re-authentication result information sent by the server;
and after triggering, according to the UE ID, the corresponding terminal to perform the re-authentication operation with the server, the method further includes:
updating the secondary authentication state information in the first mapping relationship according to the EAP re-authentication result information.
Optionally, before receiving the re-authentication request sent by the server, the method further includes:
during the secondary authentication operation to which the re-authentication operation corresponds, acquiring the UE ID, the identifier of the target data network and the EAP ID, and deriving the mapping from the acquired UE ID, identifier of the target data network and EAP ID.
Optionally, before receiving the re-authentication request sent by the server, the method further includes:
acquiring the authentication result information of the secondary authentication operation as the secondary authentication state information of the derived mapping.
Optionally, acquiring the UE ID, the identifier of the target data network and the EAP ID includes:
receiving a protocol data unit (PDU) session establishment request sent by the terminal;
acquiring the UE ID, the identifier of the target data network and the EAP ID from the PDU session establishment request, the EAP ID carried in the PDU session establishment request being the same as the EAP ID carried in the re-authentication request; or,
receiving a PDU session establishment request sent by the terminal;
acquiring the UE ID and the identifier of the target data network from the PDU session establishment request, and sending an Extensible Authentication Protocol (EAP) identity request to the terminal in response to the PDU session establishment request;
receiving the EAP identity response returned by the terminal in reply to the EAP identity request;
acquiring the EAP ID from the EAP identity response;
where the EAP ID carried in the EAP identity response is the same as the EAP ID carried in the re-authentication request.
Optionally, the first mapping relationship and the secondary authentication state information are both stored locally or in a Unified Data Management (UDM) entity.
An embodiment of the present invention further provides an authentication method applied to a server, including:
sending a re-authentication request to a session management function (SMF) entity;
where the re-authentication request carries an Extensible Authentication Protocol identity (EAP ID).
Optionally, after sending the re-authentication request to the SMF entity, the method further includes:
receiving an Extensible Authentication Protocol (EAP) re-authentication identity response sent by the SMF entity;
performing EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response.
Optionally, after performing EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response, the method further includes:
sending EAP re-authentication result information to the SMF entity.
An embodiment of the present invention further provides an authentication method applied to a terminal, including:
receiving an Extensible Authentication Protocol (EAP) re-authentication identity request sent by a session management function (SMF) entity;
returning an EAP re-authentication identity response to the SMF entity in reply to the EAP re-authentication identity request;
where the EAP re-authentication identity response carries an EAP ID, which may be the same as or different from the EAP ID carried in the re-authentication request received by the SMF entity.
Optionally, returning the EAP re-authentication identity response to the SMF entity in reply to the EAP re-authentication identity request includes:
determining the EAP ID;
generating an EAP re-authentication identity response containing the EAP ID;
returning the generated EAP re-authentication identity response to the SMF entity.
Optionally, before receiving the EAP re-authentication identity request sent by the SMF entity, the method further includes:
during the secondary authentication operation to which the re-authentication operation corresponding to the re-authentication request corresponds, sending a protocol data unit (PDU) session establishment request to the SMF entity, the PDU session establishment request carrying the UE ID, the identifier of the target data network and the EAP ID, the EAP ID carried in the PDU session establishment request being the same as the EAP ID carried in the re-authentication request; or,
during the secondary authentication operation to which the re-authentication operation corresponding to the re-authentication request corresponds, sending a PDU session establishment request to the SMF entity, the PDU session establishment request carrying the UE ID and the identifier of the target data network;
receiving an Extensible Authentication Protocol (EAP) identity request sent by the SMF entity in response to the PDU session establishment request;
returning an EAP identity response to the SMF entity in reply to the EAP identity request;
where the EAP identity response carries an EAP ID, and the EAP ID carried in the EAP identity response is the same as the EAP ID carried in the re-authentication request.
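The SMF-side, server-side and terminal-side methods above are three views of one exchange. The following simulation is an added example by the editor, not part of the patent text or any 3GPP implementation: it plays all three roles in-process so the state transitions can be checked. It assumes that the first mapping relationship is keyed by (DNN, EAP ID), that the server-address-to-DNN table is provisioned on the SMF, that the EAP method exchange can be reduced to a shared-secret comparison, and that a re-authentication request whose (DNN, EAP ID) pair has no mapping entry is rejected rather than matched against other data networks; the patent leaves that last case unspecified. All identifiers, addresses and secrets are constructed.

```python
"""Added simulation of the EAP-ID-keyed re-authentication flow (not patent text).
The SMF keeps the first mapping relationship as (DNN, EAP ID) -> entry and a table
of AAA server address -> DNN; the EAP method is abstracted to a shared-secret
check. All identifiers, addresses and secrets are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class MappingEntry:
    ue_id: str
    dnn: str
    eap_id: str
    status: str  # secondary authentication state: "SUCCESS" or "FAILURE"


class AAAServer:
    """DN-AAA server: knows users only by EAP ID, never by GPSI."""
    def __init__(self, address, credentials):
        self.address, self.credentials = address, credentials  # eap_id -> secret

    def authenticate(self, eap_id, proof):
        return "SUCCESS" if self.credentials.get(eap_id) == proof else "FAILURE"


class UE:
    def __init__(self, ue_id, eap_id, secret):
        self.ue_id, self.eap_id, self.secret = ue_id, eap_id, secret

    def pdu_session_establishment_request(self, dnn):  # first variant: has EAP ID
        return {"ue_id": self.ue_id, "dnn": dnn, "eap_id": self.eap_id}

    def eap_identity_response(self):  # may carry a rotated EAP ID on re-auth
        return self.eap_id

    def eap_method_response(self):  # stands in for the EAP method exchange
        return self.secret


class SMF:
    def __init__(self):
        self.mapping = {}  # (dnn, eap_id) -> MappingEntry
        self.servers = {}  # server address -> (dnn, AAAServer)
        self.ues = {}      # ue_id -> UE; stands in for the NAS path to the UE

    def register_server(self, server, dnn):
        self.servers[server.address] = (dnn, server)

    def establish_pdu_session(self, ue, dnn, server_address):
        # Initial secondary authentication; creates the mapping entry.
        req = ue.pdu_session_establishment_request(dnn)
        eap_id = req.get("eap_id") or ue.eap_identity_response()  # second variant
        _, server = self.servers[server_address]
        status = server.authenticate(eap_id, ue.eap_method_response())
        self.mapping[(dnn, eap_id)] = MappingEntry(req["ue_id"], dnn, eap_id, status)
        self.ues[req["ue_id"]] = ue
        return status

    def handle_reauth_request(self, server_address, eap_id):
        # Re-authentication request from the AAA server, carrying only an EAP ID.
        if server_address not in self.servers:
            return "UNKNOWN_SERVER"
        dnn, server = self.servers[server_address]  # DNN derived from the address
        entry = self.mapping.get((dnn, eap_id))      # lookup scoped to that DNN
        if entry is None:
            return "UNKNOWN_IDENTITY"  # assumption: no guessing across DNNs
        ue = self.ues[entry.ue_id]
        new_eap_id = ue.eap_identity_response()      # may differ from eap_id
        status = server.authenticate(new_eap_id, ue.eap_method_response())
        if new_eap_id != eap_id:                     # re-key the mapping entry
            del self.mapping[(dnn, eap_id)]
            entry.eap_id = new_eap_id
            self.mapping[(dnn, new_eap_id)] = entry
        entry.status = status                        # update the state info
        return status


def demo():
    # Constructed scenario; returns the observable results for checking.
    smf = SMF()
    aaa_a = AAAServer("10.0.0.1", {"alice@dn-a": "s1", "bob@dn-a": "s2"})
    aaa_b = AAAServer("10.0.1.1", {"alice@dn-a": "sB"})  # same EAP ID, other DN
    smf.register_server(aaa_a, "dn-a")
    smf.register_server(aaa_b, "dn-b")
    for ue, dnn, addr in ((UE("ue-001", "alice@dn-a", "s1"), "dn-a", "10.0.0.1"),
                          (UE("ue-002", "alice@dn-a", "sB"), "dn-b", "10.0.1.1"),
                          (UE("ue-003", "bob@dn-a", "s2"), "dn-a", "10.0.0.1")):
        smf.establish_pdu_session(ue, dnn, addr)
    aaa_a.credentials["alice2@dn-a"] = "s1"   # admin provisions a new EAP ID ...
    smf.ues["ue-001"].eap_id = "alice2@dn-a"  # ... which the UE presents on re-auth
    r1 = smf.handle_reauth_request("10.0.0.1", "alice@dn-a")
    aaa_a.credentials["bob@dn-a"] = "rotated"  # admin changed bob's parameters
    r2 = smf.handle_reauth_request("10.0.0.1", "bob@dn-a")
    m = smf.mapping
    return {
        "reauth_alice": r1,
        "alice_ue": m[("dn-a", "alice2@dn-a")].ue_id,
        "old_alice_key_gone": ("dn-a", "alice@dn-a") not in m,
        "alice_in_dn_b": m[("dn-b", "alice@dn-a")].ue_id,
        "reauth_bob": r2,
        "bob_status": m[("dn-a", "bob@dn-a")].status,
        "wrong_dn": smf.handle_reauth_request("10.0.1.1", "bob@dn-a"),
        "unknown_server": smf.handle_reauth_request("10.9.9.9", "alice2@dn-a"),
    }
```

Two points the simulation makes visible. First, the lookup key must include the identifier of the target data network derived from the server address, not the EAP ID alone: EAP IDs are assigned by each data network, so `alice@dn-a` can name one UE on `dn-a` and a different UE on `dn-b`, and a server can only trigger re-authentication of identities within its own data network. Second, when the terminal answers the re-authentication identity request with a different EAP ID, the SMF re-keys the entry rather than inserting a second one, so the mapping never holds two live keys for the same PDU session.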
An embodiment of the present invention further provides an authentication device applied to a session management function (SMF) entity, including:
a first receiving module, configured to receive a re-authentication request sent by a server, the re-authentication request carrying an Extensible Authentication Protocol identity (EAP ID);
a first processing module, configured to obtain an identifier of the target data network according to the address of the server;
a second processing module, configured to obtain a terminal identifier (UE ID) according to the EAP ID, the identifier of the target data network and a first mapping relationship;
a first triggering module, configured to trigger, according to the UE ID, the corresponding terminal to perform a re-authentication operation with the server;
where the first mapping relationship includes a mapping between EAP ID, identifier of the target data network and UE ID.
Optionally, the first triggering module includes:
a first sending submodule, configured to send an Extensible Authentication Protocol (EAP) re-authentication identity request to the corresponding terminal according to the UE ID;
a first receiving submodule, configured to receive the EAP re-authentication identity response returned by the terminal in reply to the EAP re-authentication identity request;
a first triggering submodule, configured to send the EAP re-authentication identity response to the server, thereby triggering EAP re-authentication between the terminal and the server;
where the EAP re-authentication identity response carries an EAP ID, which may be the same as or different from the EAP ID carried in the re-authentication request.
Optionally, the device further includes:
a first updating module, configured to update the first mapping relationship according to the EAP ID carried in the EAP re-authentication identity response after the corresponding terminal has been triggered, according to the UE ID, to perform the re-authentication operation with the server.
Optionally, the first updating module includes:
a first updating submodule, configured to replace the EAP ID in the first mapping relationship with the EAP ID carried in the EAP re-authentication identity response.
Optionally, the first mapping relationship includes at least one such mapping, and each mapping is associated with a piece of secondary authentication state information;
the first triggering module further includes:
a second receiving submodule, configured to receive EAP re-authentication result information sent by the server after the EAP re-authentication identity response has been sent to the server and EAP re-authentication between the terminal and the server has been triggered;
and the authentication device further includes:
a second updating module, configured to update the secondary authentication state information in the first mapping relationship according to the EAP re-authentication result information after the corresponding terminal has been triggered, according to the UE ID, to perform the re-authentication operation with the server.
Optionally, the device further includes:
a third processing module, configured to acquire, before the re-authentication request sent by the server is received and during the secondary authentication operation to which the re-authentication operation corresponds, the UE ID, the identifier of the target data network and the EAP ID, and to derive the mapping from the acquired UE ID, identifier of the target data network and EAP ID.
Optionally, the device further includes:
a first acquisition module, configured to acquire, before the re-authentication request sent by the server is received, the authentication result information of the secondary authentication operation as the secondary authentication state information of the derived mapping.
Optionally, the third processing module includes:
a third receiving submodule, configured to receive a protocol data unit (PDU) session establishment request sent by the terminal;
a first acquisition submodule, configured to acquire the UE ID, the identifier of the target data network and the EAP ID from the PDU session establishment request, the EAP ID carried in the PDU session establishment request being the same as the EAP ID carried in the re-authentication request; or,
a fourth receiving submodule, configured to receive a PDU session establishment request sent by the terminal;
a first processing submodule, configured to acquire the UE ID and the identifier of the target data network from the PDU session establishment request and to send an Extensible Authentication Protocol (EAP) identity request to the terminal in response to the PDU session establishment request;
a fifth receiving submodule, configured to receive the EAP identity response returned by the terminal in reply to the EAP identity request;
a second acquisition submodule, configured to acquire the EAP ID from the EAP identity response;
where the EAP ID carried in the EAP identity response is the same as the EAP ID carried in the re-authentication request.
Optionally, the first mapping relationship and the secondary authentication state information are both stored locally or in a Unified Data Management (UDM) entity.
An embodiment of the present invention further provides an authentication device applied to a server, including:
a first sending module, configured to send a re-authentication request to a session management function (SMF) entity;
where the re-authentication request carries an Extensible Authentication Protocol identity (EAP ID).
Optionally, the device further includes:
a second receiving module, configured to receive, after the re-authentication request has been sent to the SMF entity, an Extensible Authentication Protocol (EAP) re-authentication identity response sent by the SMF entity;
a first authentication module, configured to perform EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response.
Optionally, the device further includes:
a second sending module, configured to send EAP re-authentication result information to the SMF entity after EAP re-authentication with the corresponding terminal has been performed according to the EAP re-authentication identity response.
An embodiment of the present invention further provides an authentication device applied to a terminal, including:
a third receiving module, configured to receive an Extensible Authentication Protocol (EAP) re-authentication identity request sent by a session management function (SMF) entity;
a first feedback module, configured to return an EAP re-authentication identity response to the SMF entity in reply to the EAP re-authentication identity request;
where the EAP re-authentication identity response carries an EAP ID, which may be the same as or different from the EAP ID carried in the re-authentication request received by the SMF entity.
Optionally, the first feedback module includes:
a first determination submodule, configured to determine the EAP ID;
a first generation submodule, configured to generate an EAP re-authentication identity response containing the EAP ID;
a first feedback submodule, configured to return the generated EAP re-authentication identity response to the SMF entity.
An embodiment of the present invention further provides a session management function entity, including a processor and a transceiver;
the processor is configured to receive, via the transceiver, a re-authentication request sent by a server, the re-authentication request carrying an Extensible Authentication Protocol identity (EAP ID);
obtain an identifier of the target data network according to the address of the server;
obtain a terminal identifier (UE ID) according to the EAP ID, the identifier of the target data network and a first mapping relationship;
trigger, according to the UE ID, the corresponding terminal to perform a re-authentication operation with the server;
where the first mapping relationship includes a mapping between EAP ID, identifier of the target data network and UE ID.
Optionally, the processor is specifically configured to:
send, via the transceiver, an Extensible Authentication Protocol (EAP) re-authentication identity request to the corresponding terminal according to the UE ID;
receive, via the transceiver, the EAP re-authentication identity response returned by the terminal in reply to the EAP re-authentication identity request;
send, via the transceiver, the EAP re-authentication identity response to the server, thereby triggering EAP re-authentication between the terminal and the server;
where the EAP re-authentication identity response carries an EAP ID, which may be the same as or different from the EAP ID carried in the re-authentication request.
Optionally, the processor is further configured to:
after triggering, according to the UE ID, the corresponding terminal to perform the re-authentication operation with the server, update the first mapping relationship according to the EAP ID carried in the EAP re-authentication identity response.
Optionally, the processor is specifically configured to:
replace the EAP ID in the first mapping relationship with the EAP ID carried in the EAP re-authentication identity response.
Optionally, the first mapping relationship includes at least one such mapping, and each mapping is associated with a piece of secondary authentication state information;
the processor is further configured to:
after sending the EAP re-authentication identity response to the server and triggering EAP re-authentication between the terminal and the server, receive, via the transceiver, EAP re-authentication result information sent by the server;
and the processor is further configured to:
after triggering, according to the UE ID, the corresponding terminal to perform the re-authentication operation with the server, update the secondary authentication state information in the first mapping relationship according to the EAP re-authentication result information.
Optionally, the processor is further configured to:
before the re-authentication request sent by the server is received, and during the secondary authentication operation to which the re-authentication operation corresponds, acquire the UE ID, the identifier of the target data network and the EAP ID, and derive the mapping from the acquired UE ID, identifier of the target data network and EAP ID.
Optionally, the processor is further configured to:
before the re-authentication request sent by the server is received, acquire the authentication result information of the secondary authentication operation as the secondary authentication state information of the derived mapping.
Optionally, the processor is specifically configured to:
receive, via the transceiver, a protocol data unit (PDU) session establishment request sent by the terminal;
acquire the UE ID, the identifier of the target data network and the EAP ID from the PDU session establishment request, the EAP ID carried in the PDU session establishment request being the same as the EAP ID carried in the re-authentication request; or,
receive, via the transceiver, a PDU session establishment request sent by the terminal;
acquire the UE ID and the identifier of the target data network from the PDU session establishment request, and send, via the transceiver, an Extensible Authentication Protocol (EAP) identity request to the terminal in response to the PDU session establishment request;
receive, via the transceiver, the EAP identity response returned by the terminal in reply to the EAP identity request;
acquire the EAP ID from the EAP identity response;
where the EAP ID carried in the EAP identity response is the same as the EAP ID carried in the re-authentication request.
Optionally, the first mapping relationship and the secondary authentication state information are both stored locally or in a Unified Data Management (UDM) entity.
An embodiment of the present invention further provides a server, comprising a processor and a transceiver;
the processor is configured to send a re-authentication request to a session management function (SMF) entity through the transceiver;
where the re-authentication request carries an Extensible Authentication Protocol identity (EAP ID).
Optionally, the processor is further configured to:
after sending the re-authentication request to the SMF entity, receive, through the transceiver, an EAP re-authentication identity response sent by the SMF entity;
perform EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response.
Optionally, the processor is further configured to:
after performing EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response, send the EAP re-authentication result information to the SMF entity through the transceiver.
An embodiment of the present invention further provides a terminal, comprising a processor and a transceiver;
the processor is configured to receive, through the transceiver, an Extensible Authentication Protocol (EAP) re-authentication identity request sent by a session management function (SMF) entity;
and, according to the EAP re-authentication identity request, feed back an EAP re-authentication identity response to the SMF entity through the transceiver;
where the EAP re-authentication identity response carries an EAP ID, and the EAP ID carried in the EAP re-authentication identity response is either the same as or different from the EAP ID carried in the re-authentication request received by the SMF entity.
Optionally, the processor is specifically configured to:
determine an EAP ID;
generate an EAP re-authentication identity response containing the EAP ID;
feed back the generated EAP re-authentication identity response to the SMF entity through the transceiver.
An embodiment of the present invention further provides a session management function entity, comprising a memory, a processor, and a program stored in the memory and executable on the processor; when the processor executes the program, the above authentication method on the session management function entity side is implemented.
An embodiment of the present invention further provides a server, comprising a memory, a processor, and a program stored in the memory and executable on the processor; when the processor executes the program, the above server-side authentication method is implemented.
An embodiment of the present invention further provides a terminal, comprising a memory, a processor, and a program stored in the memory and executable on the processor; when the processor executes the program, the above terminal-side authentication method is implemented.
An embodiment of the present invention further provides a readable storage medium on which a program is stored; when the program is executed by a processor, the steps of the above authentication method on the session management function entity side, the server side or the terminal side are implemented.
The beneficial effects of the above technical solution of the present invention are as follows:
In the above solution, a re-authentication request sent by a server is received, the re-authentication request carrying an Extensible Authentication Protocol identity (EAP ID); the identifier of the target data network is obtained from the address of the server; the terminal identifier (UE ID) is obtained from the EAP ID, the identifier of the target data network and a first mapping relationship; and, according to the UE ID, the corresponding terminal is triggered to perform a re-authentication operation with the server, where the first mapping relationship is the mapping between EAP ID, identifier of the target data network and UE ID. The mapping between these three identifiers can thus be maintained and used inside a core network element (the SMF): at re-authentication time the EAP ID is used as the lookup key to obtain the UE ID, locate the terminal and trigger re-authentication. No GPSI needs to be obtained, the server does not need to maintain a GPSI, and the server's existing account management system is left unchanged, which lowers implementation and maintenance costs and avoids exposing UE information. This resolves the problems of the prior-art authentication scheme, namely exposure of UE information and high implementation and maintenance costs.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a first schematic flow chart of an authentication method according to an embodiment of the present invention;
FIG. 2 is a second schematic flow chart of an authentication method according to an embodiment of the present invention;
FIG. 3 is a third schematic flow chart of an authentication method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the correspondence between UE ID, EAP ID and DNN according to an embodiment of the present invention;
FIG. 5 is a schematic flow chart of secondary authentication according to an embodiment of the present invention;
FIG. 6 is a schematic flow chart of re-authentication according to an embodiment of the present invention;
FIG. 7 is a first schematic structural diagram of an authentication device according to an embodiment of the present invention;
FIG. 8 is a second schematic structural diagram of an authentication device according to an embodiment of the present invention;
FIG. 9 is a third schematic structural diagram of an authentication device according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a session management function entity according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a server according to an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
DETAILED DESCRIPTION
To make the technical problem to be solved, the technical solution and the advantages of the present invention clearer, a detailed description is given below with reference to the accompanying drawings and specific embodiments.
To address the problems of the prior-art authentication scheme, namely exposure of UE information and high implementation and maintenance costs, the present invention provides an authentication method applied to a session management function (SMF) entity which, as shown in FIG. 1, includes:
Step 11: receiving a re-authentication request sent by a server, the re-authentication request carrying an Extensible Authentication Protocol identity (EAP ID);
Step 12: obtaining the identifier of the target data network from the address of the server;
Step 13: obtaining the terminal identifier (UE ID) from the EAP ID, the identifier of the target data network and a first mapping relationship;
Step 14: triggering, according to the UE ID, the corresponding terminal to perform a re-authentication operation with the server;
where the first mapping relationship is the mapping between EAP ID, identifier of the target data network and UE ID.
The identifier of the target data network may be the data network name (DNN), but is not limited to it.
In the authentication method provided by this embodiment, a re-authentication request sent by a server is received, the re-authentication request carrying an Extensible Authentication Protocol identity (EAP ID); the identifier of the target data network is obtained from the address of the server; the terminal identifier (UE ID) is obtained from the EAP ID, the identifier of the target data network and a first mapping relationship; and, according to the UE ID, the corresponding terminal is triggered to perform a re-authentication operation with the server, where the first mapping relationship is the mapping between EAP ID, identifier of the target data network and UE ID. The mapping between these three identifiers can thus be maintained and used inside a core network element (the SMF): at re-authentication time the EAP ID is used as the lookup key to obtain the UE ID, locate the terminal and trigger re-authentication. No GPSI needs to be obtained, the server does not need to maintain a GPSI, and the server's existing account management system is left unchanged, which lowers implementation and maintenance costs and avoids exposing UE information. This resolves the problems of the prior-art authentication scheme, namely exposure of UE information and high implementation and maintenance costs.
Specifically, triggering the corresponding terminal to perform a re-authentication operation with the server according to the UE ID includes: sending an Extensible Authentication Protocol (EAP) re-authentication identity request to the corresponding terminal according to the UE ID; receiving the EAP re-authentication identity response fed back by the terminal according to the EAP re-authentication identity request; and sending the EAP re-authentication identity response to the server, thereby triggering EAP re-authentication between the terminal and the server. The EAP re-authentication identity response carries an EAP ID, which is either the same as or different from the EAP ID carried in the re-authentication request.
Further, after triggering the corresponding terminal to perform the re-authentication operation with the server according to the UE ID, the method also includes: updating the first mapping relationship according to the EAP ID carried in the EAP re-authentication identity response.
Specifically, updating the first mapping relationship according to the EAP ID carried in the EAP re-authentication identity response includes: replacing the EAP ID in the first mapping relationship with the EAP ID carried in the EAP re-authentication identity response.
In this embodiment, the first mapping relationship includes at least one mapping entry, and each mapping entry corresponds to one item of secondary authentication status information. Triggering the corresponding terminal to perform the re-authentication operation with the server according to the UE ID further includes: after sending the EAP re-authentication identity response to the server to trigger EAP re-authentication between the terminal and the server, receiving the EAP re-authentication result information sent by the server. After triggering the corresponding terminal to perform the re-authentication operation with the server according to the UE ID, the method further includes: updating the secondary authentication status information in the first mapping relationship according to the EAP re-authentication result information.
Once the re-authentication procedure is started, which can be understood as the SMF entity receiving a re-authentication request from the server, the result of the previous secondary authentication is no longer recognized. The secondary authentication status information produced by that secondary authentication is therefore no longer valid, and subsequent operations must not be performed on the basis of it. In a concrete implementation, however, if the re-authentication procedure does not complete normally (for example, it is interrupted) and the EAP re-authentication result information cannot be obtained to derive the final secondary authentication status information, the SMF may end up performing a risky operation, for example:
The secondary authentication status information produced by the secondary authentication is "success". During re-authentication the authentication is interrupted for some reason; because the re-authentication procedure has not completed, no EAP re-authentication result information is available and the secondary authentication status information cannot be updated, so it remains marked "success". The SMF subsequently takes the authentication result to be success and the operation to be safe, and performs the operation associated with that re-authentication procedure (for example, establishing a connection between the terminal and the target data network). In reality the re-authentication was never completed, and since re-authentication had been started, the associated operation may well be risky; once the SMF performs it, a security risk may arise.
Therefore, to avoid situations of this kind, in this embodiment the method may further include, after receiving the re-authentication request sent by the server and obtaining the identifier of the target data network from the server address, and before triggering the corresponding terminal to perform the re-authentication operation with the server according to the UE ID: (first) setting to "failure" the secondary authentication status information of the mapping entry corresponding to the EAP ID carried in the re-authentication request and the identifier of the target data network.
This prevents the SMF from performing a risky operation on the basis of secondary authentication status information that still reads "success" when the re-authentication procedure has not ended normally.
Further, before receiving the re-authentication request sent by the server, the method also includes: during the secondary authentication operation corresponding to the re-authentication operation, obtaining the UE ID, the identifier of the target data network and the EAP ID, and deriving the mapping relationship from the obtained UE ID, identifier of the target data network and EAP ID.
Specifically, this can be understood as follows: there is a correspondence between the re-authentication operation and the secondary authentication operation, the re-authentication operation being a renewed authentication performed after the secondary authentication operation.
Furthermore, before receiving the re-authentication request sent by the server, the method also includes: obtaining the authentication result information of the secondary authentication operation and using it as the secondary authentication status information of the derived mapping relationship.
Specifically, obtaining the UE ID, the identifier of the target data network and the EAP ID includes: receiving a protocol data unit (PDU) session establishment request sent by the terminal, and obtaining the UE ID, the identifier of the target data network and the EAP ID from the PDU session establishment request, where the EAP ID carried in the PDU session establishment request is the same as the EAP ID carried in the re-authentication request; or, receiving a PDU session establishment request sent by the terminal, obtaining the UE ID and the identifier of the target data network from the PDU session establishment request, sending an Extensible Authentication Protocol (EAP) identity request to the terminal according to the PDU session establishment request, receiving the EAP identity response fed back by the terminal according to the EAP identity request, and obtaining the EAP ID from the EAP identity response, where the EAP ID carried in the EAP identity response is the same as the EAP ID carried in the re-authentication request.
In this embodiment, the first mapping relationship and the secondary authentication status information are both stored locally or in a unified data management (UDM) entity.
An embodiment of the present invention further provides an authentication method applied to a server which, as shown in FIG. 2, includes:
Step 21: sending a re-authentication request to a session management function (SMF) entity;
where the re-authentication request carries an Extensible Authentication Protocol identity (EAP ID).
In the authentication method provided by this embodiment, a re-authentication request carrying an Extensible Authentication Protocol identity (EAP ID) is sent to a session management function (SMF) entity. This supports maintaining and using, inside a core network element (the SMF), the mapping between EAP ID, identifier of the target data network and UE ID: at re-authentication time the EAP ID is used as the lookup key to obtain the UE ID, locate the terminal and trigger re-authentication. No GPSI needs to be obtained, the server does not need to maintain a GPSI, and the server's existing account management system is left unchanged, which lowers implementation and maintenance costs and avoids exposing UE information. This resolves the problems of the prior-art authentication scheme, namely exposure of UE information and high implementation and maintenance costs.
Further, after sending the re-authentication request to the SMF entity, the method also includes: receiving an Extensible Authentication Protocol (EAP) re-authentication identity response sent by the SMF entity, and performing EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response.
Furthermore, after performing EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response, the method also includes: sending the EAP re-authentication result information to the SMF entity.
This allows the SMF to update the authentication status associated with the mapping entry.
An embodiment of the present invention further provides an authentication method applied to a terminal which, as shown in FIG. 3, includes:
Step 31: receiving an Extensible Authentication Protocol (EAP) re-authentication identity request sent by a session management function (SMF) entity;
Step 32: feeding back an EAP re-authentication identity response to the SMF entity according to the EAP re-authentication identity request;
where the EAP re-authentication identity response carries an EAP ID, and the EAP ID carried in the EAP re-authentication identity response is either the same as or different from the EAP ID carried in the re-authentication request received by the SMF entity.
In the authentication method provided by this embodiment, an Extensible Authentication Protocol (EAP) re-authentication identity request sent by a session management function (SMF) entity is received, and an EAP re-authentication identity response is fed back to the SMF entity according to that request; the EAP re-authentication identity response carries an EAP ID, which is either the same as or different from the EAP ID carried in the re-authentication request received by the SMF entity. This supports maintaining and using, inside a core network element (the SMF), the mapping between EAP ID, identifier of the target data network and UE ID: at re-authentication time the EAP ID is used as the lookup key to obtain the UE ID, locate the terminal and trigger re-authentication. No GPSI needs to be obtained, the server does not need to maintain a GPSI, and the server's existing account management system is left unchanged, which lowers implementation and maintenance costs and avoids exposing UE information. This resolves the problems of the prior-art authentication scheme, namely exposure of UE information and high implementation and maintenance costs.
Specifically, feeding back an EAP re-authentication identity response to the SMF entity according to the EAP re-authentication identity request includes: determining an EAP ID; generating an EAP re-authentication identity response containing the EAP ID; and feeding back the generated EAP re-authentication identity response to the SMF entity.
This allows the EAP ID to be reset.
Further, before receiving the Extensible Authentication Protocol (EAP) re-authentication identity request sent by the session management function (SMF) entity, the method also includes: during the secondary authentication operation corresponding to the re-authentication operation that corresponds to the re-authentication request, sending a protocol data unit (PDU) session establishment request to the SMF entity, the PDU session establishment request carrying the UE ID, the identifier of the target data network and the EAP ID, where the EAP ID carried in the PDU session establishment request is the same as the EAP ID carried in the re-authentication request; or, during the secondary authentication operation corresponding to the re-authentication operation that corresponds to the re-authentication request, sending a PDU session establishment request to the SMF entity, the PDU session establishment request carrying the UE ID and the identifier of the target data network; receiving the EAP identity request sent by the SMF entity according to the PDU session establishment request; and feeding back an EAP identity response to the SMF entity according to the EAP identity request, where the EAP identity response carries an EAP ID that is the same as the EAP ID carried in the re-authentication request.
This allows the SMF to obtain and maintain the mapping relationship.
The authentication method provided by the embodiments of the present invention is further described below from the perspective of the SMF entity, the server and the terminal together. In this description the identifier of the target data network is exemplified by the DNN, and the server by an AAA (authentication, authorization and accounting) server.
With regard to the technical problem above, the following is taken into account: (1) secondary authentication can be implemented on top of EAP (Extensible Authentication Protocol), with the 5G network element SMF (session management function) acting as the authenticator in EAP authentication; the 5G network signalling channel (non-access stratum (NAS) signalling plus the N4 interface between the SMF and the user plane function (UPF)) carries the authentication and authorization message exchange; and the 5G network elements trigger secondary authentication and decide, according to the authentication result of the AAA server, whether to establish a PDU (protocol data unit) session for access to that data network, that is, whether the UE is allowed to access the external data network;
(2) a user accesses the operator network through the UE and, through it, an external data network. The UE has several identities: as an access user of the external data network, the terminal's subscription identity in that network is the user ID for DN (the user identity for data network DN), and there may be a different user ID for each DN; as an access user of the operator network, the terminal's identity for network access is bound to the SIM (subscriber identity module) card, that is, its subscription identity in the operator network is the UE ID; the external data network is identified by its DNN (data network name); the user ID for DN is also the EAP ID used when performing EAP authentication towards the external data network identified by that DNN. The correspondence between UE ID, EAP ID and DNN is shown in FIG. 4.
An embodiment of the present invention provides an authentication method that maintains and uses the three-way mapping EAP ID - UE ID - DNN in a core network element: a mapping entry is added during secondary authentication; during re-authentication the EAP ID is used (via the mapping) as the key to obtain the UE ID and locate the terminal, and the mapping entry is updated. No GPSI needs to be sent, and the AAA server does not need to maintain a GPSI.
Concretely, this solution can be implemented as a method for secondary authentication and re-authentication in a 5G network:
1. Architecture overview
The AAA server is located in the external data network and performs authentication and authorization for access to that network. The core network element SMF starts secondary authentication, relays EAP messages between the UE and the AAA server, stores the secondary authentication status together with the relationship between the UE's several identities (as a mapping table EAP ID - UE ID - DNN), and stores the authentication and authorization relationship of the EAP ID.
The mapping table is a four-tuple: UE ID, DNN, EAP ID, authentication status (success or failure), with UE ID-DNN as the primary key.
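The following is an added example (not part of the patent) of the SMF-side mapping table just described and of the re-authentication handling of steps 11 to 14, including the rule of setting the status to "failure" before the terminal is triggered; with that rule switched off it reproduces the stale-"success" hazard discussed above. The server-address-to-DNN lookup, the identity_exchange callback and all identifiers are constructed assumptions.

```python
"""SMF-side model of the EAP ID - UE ID - DNN mapping table (example code)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

SUCCESS = "success"
FAILURE = "failure"


@dataclass
class Row:
    """One four-tuple of the mapping table: (UE ID, DNN, EAP ID, status)."""
    ue_id: str
    dnn: str
    eap_id: str
    status: str


class SmfMappingTable:
    def __init__(self) -> None:
        self._rows: Dict[Tuple[str, str], Row] = {}  # primary key: (UE ID, DNN)
        self._server_dnn: Dict[str, str] = {}        # assumed: AAA server address -> DNN

    def register_server(self, server_addr: str, dnn: str) -> None:
        self._server_dnn[server_addr] = dnn

    def add_secondary_auth(self, ue_id: str, dnn: str, eap_id: str, ok: bool) -> None:
        # Entry created during secondary authentication; its result is the initial status.
        self._rows[(ue_id, dnn)] = Row(ue_id, dnn, eap_id, SUCCESS if ok else FAILURE)

    def get(self, ue_id: str, dnn: str) -> Optional[Row]:
        return self._rows.get((ue_id, dnn))

    def find_by_eap(self, eap_id: str, dnn: str) -> Optional[Row]:
        # Step 13: (EAP ID, DNN) -> UE ID through the first mapping relationship.
        for row in self._rows.values():
            if row.dnn == dnn and row.eap_id == eap_id:
                return row
        return None

    def handle_reauth_request(
        self,
        server_addr: str,
        eap_id: str,
        identity_exchange: Callable[[str], Optional[str]],
        fail_first: bool = True,
    ) -> Optional[str]:
        """Steps 11-14. identity_exchange(ue_id) stands for the EAP re-authentication
        identity request/response towards the terminal and returns the EAP ID the
        terminal answers with, or None if the procedure is interrupted first.
        fail_first=False is only there to show the hazard of not resetting the status."""
        dnn = self._server_dnn.get(server_addr)           # step 12: server address -> DNN
        if dnn is None:
            return None
        row = self.find_by_eap(eap_id, dnn)               # step 13: EAP ID + DNN -> UE ID
        if row is None:
            return None
        if fail_first:
            row.status = FAILURE  # a stale "success" must not survive an interrupted re-auth
        new_eap_id = identity_exchange(row.ue_id)         # step 14: trigger the terminal
        if new_eap_id is not None:
            row.eap_id = new_eap_id  # terminal may answer with a new EAP ID; keep the map current
        return row.ue_id

    def apply_reauth_result(self, ue_id: str, dnn: str, ok: bool) -> bool:
        # EAP re-authentication result reported by the AAA server once the flow completes.
        row = self._rows.get((ue_id, dnn))
        if row is None:
            return False
        row.status = SUCCESS if ok else FAILURE
        return True


def simulate(fail_first: bool, interrupted: bool) -> Tuple[Optional[str], str, str]:
    """Run one re-authentication against a constructed table and return
    (resolved UE ID, EAP ID now stored, status after the flow)."""
    table = SmfMappingTable()
    table.register_server("aaa.dn-a.example", "dnn-a")  # constructed sample values
    table.add_secondary_auth("ue-0001", "dnn-a", "alice@dn-a", ok=True)

    def identity_exchange(ue_id: str) -> Optional[str]:
        return None if interrupted else "alice-v2@dn-a"

    ue_id = table.handle_reauth_request(
        "aaa.dn-a.example", "alice@dn-a", identity_exchange, fail_first)
    if ue_id is not None and not interrupted:
        table.apply_reauth_result(ue_id, "dnn-a", ok=True)
    row = table.get("ue-0001", "dnn-a")
    return ue_id, row.eap_id, row.status


if __name__ == "__main__":
    print("normal          :", simulate(fail_first=True, interrupted=False))
    print("interrupted     :", simulate(fail_first=True, interrupted=True))
    print("no reset, hazard:", simulate(fail_first=False, interrupted=True))
```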
2.实现流程2. Implementation process
(1) The secondary authentication process, shown in FIG. 5, includes:
Step 51: The terminal sends a PDU session establishment request (carrying the UE ID, DNN and PDU session ID) to the SMF (the authenticator);
Specifically, the terminal powers on and registers, performs initial authentication of the UE ID (that is, the subscription permanent identifier SUPI) based on the operator network access credentials, and establishes a NAS (non-access stratum) security context with the network.
The terminal starts an application, which triggers a PDU session establishment request for the DN the UE wants to access; the request carries the network slice identifier (that is, the single network slice selection assistance information S-NSSAI), the data network name DNN, the PDU session ID and the request type. The AMF (access and mobility management function, not shown in the figure) selects an SMF and sends it the SUPI, PDU session ID, S-NSSAI and DNN.
Step 52: The SMF obtains the subscription information and local policy, verifies the UE request, and determines whether the UE request is allowed, whether secondary authentication is required, and whether the DN has already authenticated the UE;
Specifically, the SMF obtains subscription data from the UDM (not shown in the figure) according to the SUPI and checks whether the data in the UE request is consistent with the user's subscription; checks whether the SMF policy related to the DN requires secondary authentication and authorization; and checks whether the UE has already been authenticated and/or authorized by the DN or by the same AAA server (a record of successful authentication and authorization may be held in the SMF or the UDM). If secondary authentication is required, the process proceeds to step 53.
Step 53: The SMF starts EAP authentication;
Specifically, the SMF initiates EAP authentication with the AAA server.
Step 54: The SMF sends an EAP-Request/Identity (EAP identity request) to the terminal;
That is, the SMF sends an EAP Request/Identity to the UE (terminal). Note that EAP Request/Identity means EAP Request (an EAP request) + Identity (the request type is identity), that is, the identity request among EAP requests, which is the EAP identity request referred to above; likewise, EAP-Response/Identity below refers to the identity response among EAP responses, which is the EAP identity response referred to above.
Step 55: The terminal returns an EAP-Response/Identity to the SMF;
Specifically, the UE sends the user identity EAP ID for that DN in an EAP Response/Identity protocol packet. This content may also be sent in step 51; this is not limited here.
Step 56: The SMF obtains the EAP ID;
Step 57: The SMF establishes an N4 session and identifies the AAA server according to the UE request and local policy;
Specifically, the SMF selects a UPF, establishes an N4 session, and identifies the AAA server according to the DNN requested by the UE and local policy;
Step 58: The SMF sends the EAP-Response/Identity to the AAA server via the UPF;
Specifically, the SMF forwards the EAP Response/Identity to the AAA server through the N4 session via the UPF;
Step 59: The terminal and the AAA server exchange EAP-Request/EAP-Response messages (that is, EAP request and EAP response messages, via N4 and NAS);
Specifically, the AAA server and the terminal exchange EAP messages over NAS signaling and the N4 session as the EAP method requires, and perform EAP authentication;
Step 510: The AAA server sends EAP-Success (EAP success) to the SMF via the UPF; OR, step 510a: the AAA server sends EAP-Failure (EAP failure) to the SMF via the UPF;
Specifically, if authentication succeeds, the AAA server sends an EAP Success message to the SMF; if authentication fails, the AAA server sends an EAP Failure message to the SMF.
Step 511: The SMF establishes the mapping among the EAP ID, DNN and UE ID;
Specifically, the SMF establishes a mapping entry (that is, the first mapping relationship described above) among the EAP ID, DNN and UE ID (that is, SUPI); the entry may also be stored in the UDM. If EAP Success is received, the authentication status bit of the entry is set to success (that is, the secondary authentication status information described above is success); if EAP Failure is received, the authentication status bit of the entry is set to failure (that is, the secondary authentication status information described above is failure).
Step 512: The SMF sends EAP-Success to the terminal (corresponding to step 510); OR, step 512a: the SMF sends EAP-Failure to the terminal (corresponding to step 510a);
Specifically, the SMF forwards the authentication success or failure message to the terminal.
(2) The re-authentication process, shown in FIG. 6, includes:
Step 60: Secondary authentication; the SMF stores the EAP ID-DNN-UE ID mapping;
Specifically, during the earlier secondary authentication, the SMF has already stored the mapping among the EAP ID, DNN and UE ID;
Step 61: The SMF decides on and initiates re-authentication; OR, step 61a: the AAA server decides on and initiates re-authentication; step 61b: the AAA server sends a re-authentication request (carrying the EAP ID) to the SMF via the UPF;
Specifically, either the SMF or the AAA server may initiate re-authentication under particular circumstances according to policy. If the AAA server initiates it, the re-authentication request is sent from the AAA server to the SMF and carries the EAP ID of the user to be re-authenticated;
Step 62: The SMF obtains the UE ID from the EAP ID and DNN mapping in order to identify the UE;
Specifically, the SMF derives the DNN from the address of the AAA server, obtains the UE ID from the mapping table according to the EAP ID and DNN, and uses it to identify the UE; it also sets the status of the EAP ID-DNN mapping entry to failure.
Step 63: The SMF sends an EAP-Request/Re-Auth Identity (EAP re-authentication identity request) to the terminal;
Specifically, the SMF initiates EAP authentication with the AAA server and sends an EAP Request/Re-Auth Identity to the identified UE(s). Note that EAP Request/Re-Auth Identity means EAP Request (an EAP request) + Re-Auth Identity (the request type is re-authentication identity), that is, the re-authentication identity request among EAP requests, which is the EAP re-authentication identity request referred to above; likewise, EAP-Response/Re-Auth Identity below refers to the re-authentication identity response among EAP responses, which is the EAP re-authentication identity response referred to above.
Step 64: The terminal returns an EAP-Response/Re-Auth Identity (EAP re-authentication identity response) to the SMF;
Specifically, the UE sends the user identity EAP ID for that DN in an EAP Response/Re-Auth Identity protocol packet (this EAP ID may differ from the one in step 61b, for example because it was re-entered);
Step 65: The SMF obtains the EAP ID;
Step 66: The SMF sends the EAP-Response/Re-Auth Identity to the AAA server via the UPF;
That is, the SMF forwards the EAP Response/Re-Auth Identity to the AAA server;
Step 67: The terminal and the AAA server exchange EAP-Request/EAP-Response messages (via N4 and NAS);
Specifically, the AAA server and the terminal exchange EAP messages over NAS signaling and the N4 session as the EAP method requires, and perform EAP authentication;
Step 68: The AAA server sends EAP-Success to the SMF via the UPF; OR, step 68a: the AAA server sends EAP-Failure to the SMF via the UPF;
Specifically, if authentication succeeds, the AAA server sends an EAP Success message to the SMF; if authentication fails, the AAA server sends an EAP Failure message to the SMF.
Step 69: The SMF updates the mapping among the UE ID, DNN and EAP ID;
Specifically, the mapping entry among the EAP ID, DNN and UE ID (that is, SUPI) is updated, overwriting the old information; if EAP Success is received, the authentication status bit of the entry is updated to success, and if EAP Failure is received, the authentication status bit of the entry remains failure.
Step 610: The SMF sends EAP-Success to the terminal (corresponding to step 68); OR, step 610a: the SMF sends EAP-Failure to the terminal (corresponding to step 68a);
Specifically, the SMF forwards the authentication success or failure message to the terminal.
As can be seen from the above, the solution provided by the embodiment of the present invention mainly involves:
(1) A method for triggering re-authentication of secondary authentication in a 5G network: during secondary authentication, a mapping entry among the EAP ID, DNN and UE ID (that is, SUPI), together with the secondary authentication status, is established in the SMF or UDM; when the secondary authentication is to be re-authenticated, the AAA server sends the EAP ID requiring re-authentication to the SMF, the SMF looks up the UE ID from the received EAP ID and the mapping table to locate the UE and triggers re-authentication, and after re-authentication the mapping entry among the EAP ID, DNN and UE ID (that is, SUPI) and the secondary authentication status are updated.
(2) New functions of the SMF: 1) during secondary authentication, the SMF establishes a mapping entry among the EAP ID, DNN and UE ID (that is, SUPI) and sets the authentication status bit of the entry to success or failure according to the result of the secondary authentication; 2) during re-authentication of the secondary authentication, the SMF looks up the UE ID from the received EAP ID and the mapping table, and after re-authentication updates the mapping entry among the EAP ID, DNN and UE ID (that is, SUPI) and sets the authentication status bit of the entry to success or failure according to the result of the re-authentication. The mapping entries and their authentication status may all be stored in the SMF or in the UDM; this is not limited here.
In summary, the solution provided by the embodiment of the present invention:
1. Does not need to expose UE information to the external data network, since the EAP ID is transmitted rather than the GPSI;
2. Does not require the AAA server to maintain the GPSI, and does not change the AAA server's existing account management system.
It should be noted that the re-authentication referred to above in the embodiments of the present invention may specifically be re-authentication of the external data network secondary authentication, but is not limited thereto.
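The four-tuple table of the architecture overview and the status handling of steps 511, 62 and 69 can be modelled end to end. The following is an added example written for this page, not code from the patent or from any 3GPP implementation: the `SmfMappingTable` class, the AAA-address-to-DNN policy dictionary it takes, and every identifier in `run_demo` (SUPI, DNN, EAP IDs, AAA address) are constructed assumptions. It goes slightly beyond the text in two places: `locate_ues` returns every UE whose entry matches the (EAP ID, DNN) pair, following the "identified UE(s)" wording of step 63, and a re-authentication request from an AAA address with no known DNN resolves to no UE at all.

```python
"""Added model of the SMF-side EAP ID / DNN / UE ID mapping table.

Illustrative example, not code from the patent. The table is keyed by
(UE ID, DNN) as the text states; re-authentication looks entries up by
(EAP ID, DNN). All identifiers and the AAA-address-to-DNN policy are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SUCCESS = "success"
FAILURE = "failure"


@dataclass
class Entry:
    ue_id: str    # SUPI; stays inside the core network, never sent to the DN
    dnn: str      # data network name
    eap_id: str   # user identity for the DN; the only identifier the AAA sees
    status: str   # secondary authentication status bit


class SmfMappingTable:
    """Four-tuple table (UE ID, DNN, EAP ID, status) with UE ID-DNN as key."""

    def __init__(self, aaa_to_dnn: Dict[str, str]) -> None:
        # Hypothetical local policy: AAA server address -> DNN it serves
        # (step 62 derives the DNN from the requesting server's address).
        self._aaa_to_dnn = dict(aaa_to_dnn)
        self._entries: Dict[Tuple[str, str], Entry] = {}

    # ---- secondary authentication (step 511) ----
    def record_secondary_auth(self, ue_id: str, dnn: str, eap_id: str,
                              eap_success: bool) -> str:
        """Create the entry and set its status bit from EAP-Success/Failure."""
        status = SUCCESS if eap_success else FAILURE
        self._entries[(ue_id, dnn)] = Entry(ue_id, dnn, eap_id, status)
        return status

    # ---- re-authentication (steps 61b, 62, 69) ----
    def dnn_for_aaa(self, aaa_address: str) -> Optional[str]:
        """Step 62: derive the DNN from the requesting AAA server's address."""
        return self._aaa_to_dnn.get(aaa_address)

    def locate_ues(self, aaa_address: str, eap_id: str) -> List[str]:
        """Step 62: resolve (EAP ID, DNN) to UE IDs and mark each entry failed.

        An unknown AAA address or an EAP ID with no entry yields an empty
        list, so nothing is triggered for an unrecognised request.
        """
        dnn = self.dnn_for_aaa(aaa_address)
        if dnn is None:
            return []
        found = []
        for entry in self._entries.values():
            if entry.dnn == dnn and entry.eap_id == eap_id:
                entry.status = FAILURE  # fail closed until re-auth succeeds
                found.append(entry.ue_id)
        return found

    def record_reauth(self, ue_id: str, dnn: str, response_eap_id: str,
                      eap_success: bool) -> str:
        """Step 69: overwrite the EAP ID with the one carried in the
        EAP-Response/Re-Auth Identity and update the status bit."""
        entry = self._entries[(ue_id, dnn)]  # KeyError if never authenticated
        entry.eap_id = response_eap_id
        if eap_success:
            entry.status = SUCCESS
        # on EAP-Failure the bit already reads FAILURE (set in locate_ues)
        return entry.status

    def status(self, ue_id: str, dnn: str) -> Optional[str]:
        entry = self._entries.get((ue_id, dnn))
        return None if entry is None else entry.status

    def eap_id(self, ue_id: str, dnn: str) -> Optional[str]:
        entry = self._entries.get((ue_id, dnn))
        return None if entry is None else entry.eap_id


def run_demo() -> Dict[str, object]:
    """Secondary auth, then an AAA-initiated re-auth with a re-entered EAP ID.

    Every value below is constructed for the example.
    """
    smf = SmfMappingTable({"aaa.dn.example": "internet.example"})
    ue, dnn = "imsi-001010123456789", "internet.example"
    trace: Dict[str, object] = {}
    # Steps 510/511: EAP-Success from the AAA, entry created as success
    trace["after_secondary"] = smf.record_secondary_auth(ue, dnn, "alice@dn.example", True)
    # Step 61b: the re-auth request carries only the EAP ID, no GPSI
    trace["located_ues"] = smf.locate_ues("aaa.dn.example", "alice@dn.example")
    trace["during_reauth"] = smf.status(ue, dnn)  # failure while pending
    # Steps 64..69: the UE re-enters its identity, the AAA answers EAP-Success
    trace["after_reauth"] = smf.record_reauth(ue, dnn, "alice2@dn.example", True)
    trace["new_eap_id"] = smf.eap_id(ue, dnn)
    # The old EAP ID no longer resolves to any UE and the entry is untouched
    trace["old_id_lookup"] = smf.locate_ues("aaa.dn.example", "alice@dn.example")
    trace["status_after_miss"] = smf.status(ue, dnn)
    # A request from an address with no DNN mapping resolves nothing
    trace["unknown_aaa"] = smf.locate_ues("aaa.other.example", "alice2@dn.example")
    return trace


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the module prints the trace. The detail worth noticing is the ordering in step 62: the entry is marked failed the moment the re-authentication request is accepted, so no entry can read "success" while its re-authentication is pending, and only an EAP-Success relayed from the AAA server sets it back.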
An embodiment of the present invention further provides an authentication device applied to a session management function SMF entity, which, as shown in FIG. 7, includes:
a first receiving module 71, configured to receive a re-authentication request sent by a server, where the re-authentication request carries an extensible authentication protocol identity EAP ID;
a first processing module 72, configured to obtain the identifier of a target data network according to the address of the server;
a second processing module 73, configured to obtain a terminal identifier UE ID according to the EAP ID, the identifier of the target data network and a first mapping relationship;
a first triggering module 74, configured to trigger the corresponding terminal to perform a re-authentication operation with the server according to the UE ID;
where the first mapping relationship includes the mapping among the EAP ID, the identifier of the target data network and the UE ID.
The authentication device provided by the embodiment of the present invention receives a re-authentication request sent by a server, where the re-authentication request carries an extensible authentication protocol identity EAP ID; obtains the identifier of a target data network according to the address of the server; obtains a terminal identifier UE ID according to the EAP ID, the identifier of the target data network and a first mapping relationship; and triggers the corresponding terminal to perform a re-authentication operation with the server according to the UE ID, where the first mapping relationship includes the mapping among the EAP ID, the identifier of the target data network and the UE ID. The mapping among the EAP ID, the identifier of the target data network and the UE ID is thus maintained and used in the core network element (SMF): during re-authentication, the mapping is used with the EAP ID as the key to obtain the UE ID, locate the terminal and trigger re-authentication. The GPSI need not be obtained, the server need not maintain a GPSI, and the server's existing account management system is unchanged, which reduces implementation and maintenance costs and avoids exposing UE information. This effectively solves the problems of prior-art authentication schemes, namely exposure of UE information and high implementation and maintenance costs.
Specifically, the first triggering module includes: a first sending submodule, configured to send an extensible authentication protocol EAP re-authentication identity request to the corresponding terminal according to the UE ID; a first receiving submodule, configured to receive the EAP re-authentication identity response returned by the terminal in response to the EAP re-authentication identity request; and a first triggering submodule, configured to send the EAP re-authentication identity response to the server, triggering the terminal to perform EAP re-authentication with the server; where the EAP re-authentication identity response carries an EAP ID, and the EAP ID carried in the EAP re-authentication identity response is the same as or different from the EAP ID carried in the re-authentication request.
Further, the authentication device also includes: a first updating module, configured to update the first mapping relationship according to the EAP ID carried in the EAP re-authentication identity response after the corresponding terminal has been triggered to perform the re-authentication operation with the server according to the UE ID.
Specifically, the first updating module includes: a first updating submodule, configured to update the EAP ID in the first mapping relationship to the EAP ID carried in the EAP re-authentication identity response.
In an embodiment of the present invention, the first mapping relationship includes at least one mapping, and each mapping corresponds to one item of secondary authentication status information. The first triggering module also includes: a second receiving submodule, configured to receive the EAP re-authentication result information sent by the server after the EAP re-authentication identity response has been sent to the server to trigger the terminal to perform EAP re-authentication with the server. The authentication device also includes: a second updating module, configured to update the secondary authentication status information in the first mapping relationship according to the EAP re-authentication result information after the corresponding terminal has been triggered to perform the re-authentication operation with the server according to the UE ID.
Further, the authentication device also includes: a third processing module, configured to obtain the UE ID, the identifier of the target data network and the EAP ID during the secondary authentication operation corresponding to the re-authentication operation, before the re-authentication request sent by the server is received, and to obtain the mapping from the obtained UE ID, identifier of the target data network and EAP ID.
Still further, the authentication device also includes: a first acquisition module, configured to obtain the authentication result information of the secondary authentication operation before the re-authentication request sent by the server is received, as the secondary authentication status information of the obtained mapping.
Specifically, the third processing module includes: a third receiving submodule, configured to receive a protocol data unit PDU session establishment request sent by the terminal; and a first acquisition submodule, configured to obtain the UE ID, the identifier of the target data network and the EAP ID from the PDU session establishment request, where the EAP ID carried in the PDU session establishment request is the same as the EAP ID carried in the re-authentication request; or, a fourth receiving submodule, configured to receive a PDU session establishment request sent by the terminal; a first processing submodule, configured to obtain the UE ID and the identifier of the target data network from the PDU session establishment request and to send an extensible authentication protocol EAP identity request to the terminal according to the PDU session establishment request; a fifth receiving submodule, configured to receive the EAP identity response returned by the terminal in response to the EAP identity request; and a second acquisition submodule, configured to obtain the EAP ID from the EAP identity response, where the EAP ID carried in the EAP identity response is the same as the EAP ID carried in the re-authentication request.
In an embodiment of the present invention, the first mapping relationship and the secondary authentication status information are both stored locally or in a unified data management device UDM.
The implementation embodiments of the authentication method on the session management function entity side described above all apply to the embodiments of this authentication device and achieve the same technical effect.
An embodiment of the present invention further provides an authentication device applied to a server, which, as shown in FIG. 8, includes:
a first sending module 81, configured to send a re-authentication request to a session management function SMF entity;
where the re-authentication request carries an extensible authentication protocol identity EAP ID.
The authentication device provided by the embodiment of the present invention sends a re-authentication request to the session management function SMF entity, where the re-authentication request carries an extensible authentication protocol identity EAP ID. It thereby supports maintaining and using, in the core network element (SMF), the mapping among the EAP ID, the identifier of the target data network and the UE ID: during re-authentication, the mapping is used with the EAP ID as the key to obtain the UE ID, locate the terminal and trigger re-authentication. The GPSI need not be obtained, the server need not maintain a GPSI, and the server's existing account management system is unchanged, which reduces implementation and maintenance costs and avoids exposing UE information. This effectively solves the problems of prior-art authentication schemes, namely exposure of UE information and high implementation and maintenance costs.
Further, the authentication device also includes: a second receiving module, configured to receive the extensible authentication protocol EAP re-authentication identity response sent by the SMF entity after the re-authentication request has been sent to the session management function SMF entity; and a first authentication module, configured to perform EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response.
Still further, the authentication device also includes: a second sending module, configured to send the EAP re-authentication result information to the SMF entity after EAP re-authentication has been performed with the corresponding terminal according to the EAP re-authentication identity response.
The implementation embodiments of the server-side authentication method described above all apply to the embodiments of this authentication device and achieve the same technical effect.
An embodiment of the present invention further provides an authentication device applied to a terminal, which, as shown in FIG. 9, includes:
a third receiving module 91, configured to receive an extensible authentication protocol EAP re-authentication identity request sent by a session management function SMF entity;
a first feedback module 92, configured to return an EAP re-authentication identity response to the SMF entity according to the EAP re-authentication identity request;
where the EAP re-authentication identity response carries an EAP ID, and the EAP ID carried in the EAP re-authentication identity response is the same as or different from the EAP ID carried in the re-authentication request received by the SMF entity.
The authentication device provided by the embodiment of the present invention receives an extensible authentication protocol EAP re-authentication identity request sent by a session management function SMF entity and returns an EAP re-authentication identity response to the SMF entity according to that request, where the EAP re-authentication identity response carries an EAP ID, and the EAP ID carried in the EAP re-authentication identity response is the same as or different from the EAP ID carried in the re-authentication request received by the SMF entity. It thereby supports maintaining and using, in the core network element (SMF), the mapping among the EAP ID, the identifier of the target data network and the UE ID: during re-authentication, the mapping is used with the EAP ID as the key to obtain the UE ID, locate the terminal and trigger re-authentication. The GPSI need not be obtained, the server need not maintain a GPSI, and the server's existing account management system is unchanged, which reduces implementation and maintenance costs and avoids exposing UE information. This effectively solves the problems of prior-art authentication schemes, namely exposure of UE information and high implementation and maintenance costs.
Specifically, the first feedback module includes: a first determination submodule, configured to determine the EAP ID; a first generation submodule, configured to generate an EAP re-authentication identity response containing the EAP ID; and a first feedback submodule, configured to return the generated EAP re-authentication identity response to the SMF entity.
The implementation embodiments of the terminal-side authentication method described above all apply to the embodiments of this authentication device and achieve the same technical effect.
An embodiment of the present invention further provides a session management function entity, which, as shown in FIG. 10, includes a processor 101 and a transceiver 102;
the processor 101 is configured to receive, through the transceiver 102, a re-authentication request sent by a server, where the re-authentication request carries an extensible authentication protocol identity EAP ID;
to obtain the identifier of a target data network according to the address of the server;
to obtain a terminal identifier UE ID according to the EAP ID, the identifier of the target data network and a first mapping relationship;
and to trigger the corresponding terminal to perform a re-authentication operation with the server according to the UE ID;
where the first mapping relationship includes the mapping among the EAP ID, the identifier of the target data network and the UE ID.
The session management function entity provided by the embodiment of the present invention receives a re-authentication request sent by a server, where the re-authentication request carries an extensible authentication protocol identity EAP ID; obtains the identifier of a target data network according to the address of the server; obtains a terminal identifier UE ID according to the EAP ID, the identifier of the target data network and a first mapping relationship; and triggers the corresponding terminal to perform a re-authentication operation with the server according to the UE ID, where the first mapping relationship includes the mapping among the EAP ID, the identifier of the target data network and the UE ID. The mapping among the EAP ID, the identifier of the target data network and the UE ID is thus maintained and used in the core network element (SMF): during re-authentication, the mapping is used with the EAP ID as the key to obtain the UE ID, locate the terminal and trigger re-authentication. The GPSI need not be obtained, the server need not maintain a GPSI, and the server's existing account management system is unchanged, which reduces implementation and maintenance costs and avoids exposing UE information. This effectively solves the problems of prior-art authentication schemes, namely exposure of UE information and high implementation and maintenance costs.
Specifically, the processor is configured to: send, through the transceiver, an extensible authentication protocol EAP re-authentication identity request to the corresponding terminal according to the UE ID; receive, through the transceiver, the EAP re-authentication identity response returned by the terminal in response to the EAP re-authentication identity request; and send, through the transceiver, the EAP re-authentication identity response to the server, triggering the terminal to perform EAP re-authentication with the server; where the EAP re-authentication identity response carries an EAP ID, and the EAP ID carried in the EAP re-authentication identity response is the same as or different from the EAP ID carried in the re-authentication request.
Further, the processor is also configured to update the first mapping relationship according to the EAP ID carried in the EAP re-authentication identity response after the corresponding terminal has been triggered to perform the re-authentication operation with the server according to the UE ID.
Specifically, the processor is configured to update the EAP ID in the first mapping relationship to the EAP ID carried in the EAP re-authentication identity response.
In an embodiment of the present invention, the first mapping relationship includes at least one mapping, and each mapping corresponds to one item of secondary authentication status information. The processor is also configured to receive, through the transceiver, the EAP re-authentication result information sent by the server after the EAP re-authentication identity response has been sent to the server to trigger the terminal to perform EAP re-authentication with the server; and the processor is also configured to update the secondary authentication status information in the first mapping relationship according to the EAP re-authentication result information after the corresponding terminal has been triggered to perform the re-authentication operation with the server according to the UE ID.
进一步的,所述处理器还用于:在接收服务器发送的重认证请求之前,在所述重认证操作对应的二次认证操作的过程中,获取UE ID、目标数据网络的标识以及EAP ID;并根据获取的UE ID、目标数据网络的标识以及EAP ID,得到所述映射关系。Furthermore, the processor is also used to: before receiving the re-authentication request sent by the server, during the secondary authentication operation corresponding to the re-authentication operation, obtain the UE ID, the identifier of the target data network and the EAP ID; and obtain the mapping relationship based on the obtained UE ID, the identifier of the target data network and the EAP ID.
更进一步的,所述处理器还用于:在接收服务器发送的重认证请求之前,获取所述二次认证操作的认证结果信息,作为得到的所述映射关系的二次认证状态信息。Furthermore, the processor is also used to: before receiving the re-authentication request sent by the server, obtain authentication result information of the secondary authentication operation as the secondary authentication state information of the obtained mapping relationship.
具体的,所述处理器具体用于:利用所述收发机接收所述终端发送的协议数据单元PDU会话建立请求;从所述PDU会话建立请求中获取UE ID、目标数据网络的标识以及EAPID,所述PDU会话建立请求中携带的EAP ID与所述重认证请求中携带的EAP ID相同;或者,利用所述收发机接收所述终端发送的PDU会话建立请求;从所述PDU会话建立请求中获取UEID和目标数据网络的标识,并根据所述PDU会话建立请求利用所述收发机向所述终端发送可扩展认证协议EAP身份请求;利用所述收发机接收所述终端根据所述EAP身份请求反馈的EAP身份响应;从所述EAP身份响应中获取EAP ID;其中,所述EAP身份响应中携带的EAP ID与所述重认证请求中携带的EAP ID相同。Specifically, the processor is specifically used to: use the transceiver to receive a protocol data unit PDU session establishment request sent by the terminal; obtain UE ID, a target data network identifier and EAPID from the PDU session establishment request, and the EAP ID carried in the PDU session establishment request is the same as the EAP ID carried in the re-authentication request; or, use the transceiver to receive a PDU session establishment request sent by the terminal; obtain UEID and a target data network identifier from the PDU session establishment request, and use the transceiver to send an extensible authentication protocol EAP identity request to the terminal according to the PDU session establishment request; use the transceiver to receive an EAP identity response fed back by the terminal according to the EAP identity request; obtain EAP ID from the EAP identity response; wherein the EAP ID carried in the EAP identity response is the same as the EAP ID carried in the re-authentication request.
本发明实施例中,所述第一映射关系及二次认证状态信息均存储在本地或者统一数据管理设备UDM中。In the embodiment of the present invention, the first mapping relationship and the secondary authentication status information are both stored locally or in a unified data management device UDM.
其中,上述会话管理功能实体侧的认证方法的所述实现实施例均适用于该会话管理功能实体的实施例中,也能达到相同的技术效果。Among them, the implementation embodiments of the authentication method on the session management function entity side are all applicable to the embodiments of the session management function entity and can achieve the same technical effect.
An embodiment of the present invention further provides a server which, as shown in FIG. 11, comprises a processor 111 and a transceiver 112.
The processor 111 is configured to send a re-authentication request to the session management function (SMF) entity via the transceiver 112,
the re-authentication request carrying an Extensible Authentication Protocol identity (EAP ID).
The server provided by this embodiment sends a re-authentication request carrying an EAP ID to the SMF entity, and thereby supports maintaining and using, in the core network element (SMF), the mapping between the EAP ID, the target data network identifier and the UE ID: at re-authentication the EAP ID serves as the lookup key that yields the UE ID and locates the terminal, so re-authentication is triggered without obtaining a GPSI, without requiring the server to maintain GPSIs, and without changing the server's existing account management system. This lowers implementation and maintenance cost, avoids exposing UE information, and resolves the exposure of UE information and the high implementation and maintenance cost of prior-art authentication schemes.
Further, after sending the re-authentication request to the SMF entity, the processor receives, via the transceiver, the EAP re-authentication identity response sent by the SMF entity, and performs EAP re-authentication with the corresponding terminal according to that response.
Still further, after performing EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response, the processor sends the EAP re-authentication result information to the SMF entity via the transceiver.
The implementations described above for the authentication method on the server side all apply to the embodiments of the server and achieve the same technical effect.
An embodiment of the present invention further provides a terminal which, as shown in FIG. 12, comprises a processor 121 and a transceiver 122.
The processor 121 is configured to receive, via the transceiver 122, an EAP re-authentication identity request sent by the session management function (SMF) entity;
and, in reply to that request, to return an EAP re-authentication identity response to the SMF entity via the transceiver 122.
The EAP re-authentication identity response carries an EAP ID, which may be the same as or different from the EAP ID carried in the re-authentication request received by the SMF entity.
The terminal provided by this embodiment receives an EAP re-authentication identity request from the SMF entity and returns an EAP re-authentication identity response carrying an EAP ID, which may be the same as or different from the EAP ID in the re-authentication request received by the SMF entity. This supports maintaining and using, in the core network element (SMF), the mapping between the EAP ID, the target data network identifier and the UE ID: at re-authentication the EAP ID serves as the lookup key that yields the UE ID and locates the terminal, so re-authentication is triggered without obtaining a GPSI, without requiring the server to maintain GPSIs, and without changing the server's existing account management system. This lowers implementation and maintenance cost, avoids exposing UE information, and resolves the exposure of UE information and the high implementation and maintenance cost of prior-art authentication schemes.
Specifically, the processor is configured to: determine the EAP ID; generate an EAP re-authentication identity response containing that EAP ID; and return the generated response to the SMF entity via the transceiver.
The implementations described above for the authentication method on the terminal side all apply to the embodiments of the terminal and achieve the same technical effect.
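The SMF, server and terminal roles described in the three apparatus sections above, simulated end to end as an added example (not code from the patent). It assumes a dictionary keyed by (target data network identifier, EAP ID) as the first mapping relationship, a static server-address-to-DNN table, and an HMAC challenge-response as a stand-in for the real EAP method; all names, addresses and identities are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class MappingEntry:
    """One row of the first mapping relationship plus its secondary-authentication status."""
    ue_id: str
    status: str = "PENDING"


class UE:
    """Terminal side: knows its EAP ID and the secret shared with the data-network server."""

    def __init__(self, eap_id, secret):
        self.eap_id = eap_id
        self.secret = secret

    def on_reauth_identity_request(self):
        # EAP re-authentication identity response; the EAP ID returned here may differ
        # from the one the server put in its re-authentication request
        return self.eap_id

    def on_challenge(self, nonce):
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()


class DNServer:
    """External data-network server: keyed only by EAP ID, never holds a UE ID or GPSI."""

    def __init__(self, credentials):
        self.credentials = dict(credentials)  # eap_id -> shared secret (constructed)

    def reauth_request(self, eap_id):
        return {"type": "reauth_request", "eap_id": eap_id}

    def eap_reauth(self, eap_id, ue):
        # Toy HMAC challenge-response standing in for the EAP method (assumption);
        # in a deployment the EAP messages are relayed through the SMF.
        secret = self.credentials.get(eap_id)
        if secret is None:
            return False
        nonce = os.urandom(16)
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, ue.on_challenge(nonce))


class SMF:
    """Session management function holding the (DNN, EAP ID) -> UE ID mapping."""

    def __init__(self, server_to_dnn, ues):
        self.server_to_dnn = dict(server_to_dnn)  # server address -> target data network identifier
        self.ues = dict(ues)                      # UE ID -> terminal, used to locate the terminal
        self.mapping = {}                         # (dnn, eap_id) -> MappingEntry

    def on_pdu_session_establishment(self, ue_id, dnn, eap_id):
        # Mapping row created during initial secondary authentication
        self.mapping[(dnn, eap_id)] = MappingEntry(ue_id)

    def on_secondary_auth_result(self, dnn, eap_id, success):
        self.mapping[(dnn, eap_id)].status = "SUCCESS" if success else "FAILURE"

    def on_reauth_request(self, server_addr, request, server):
        dnn = self.server_to_dnn.get(server_addr)
        if dnn is None:
            return None                              # unknown server: nothing to re-authenticate
        old_eap_id = request["eap_id"]
        entry = self.mapping.get((dnn, old_eap_id))
        if entry is None:
            return None                              # EAP ID not mapped for this DNN: ignore
        ue = self.ues[entry.ue_id]
        new_eap_id = ue.on_reauth_identity_request()  # EAP re-authentication identity request/response
        success = server.eap_reauth(new_eap_id, ue)   # identity response forwarded to the server
        if new_eap_id != old_eap_id:                  # re-key the row when the UE changed its EAP ID
            self.mapping[(dnn, new_eap_id)] = self.mapping.pop((dnn, old_eap_id))
        entry.status = "SUCCESS" if success else "FAILURE"  # EAP re-authentication result information
        return entry.ue_id, new_eap_id, entry.status
```

The server only ever sees EAP IDs; the UE ID stays inside the SMF, which is the privacy property the patent relies on.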
An embodiment of the present invention further provides a session management function entity comprising a memory, a processor, and a program stored in the memory and executable on the processor; when the processor executes the program, the authentication method on the session management function entity side described above is implemented.
The implementations described above for the authentication method on the session management function entity side all apply to the embodiments of the session management function entity and achieve the same technical effect.
An embodiment of the present invention further provides a server comprising a memory, a processor, and a program stored in the memory and executable on the processor; when the processor executes the program, the server-side authentication method described above is implemented.
The implementations described above for the authentication method on the server side all apply to the embodiments of the server and achieve the same technical effect.
An embodiment of the present invention further provides a terminal comprising a memory, a processor, and a program stored in the memory and executable on the processor; when the processor executes the program, the terminal-side authentication method described above is implemented.
The implementations described above for the authentication method on the terminal side all apply to the embodiments of the terminal and achieve the same technical effect.
An embodiment of the present invention further provides a readable storage medium on which a program is stored; when the program is executed by a processor, the steps of the authentication method on the session management function entity side, the server side or the terminal side described above are implemented.
The implementations described above for the authentication method on the session management function entity side, the server side or the terminal side all apply to the embodiments of the readable storage medium and achieve the same corresponding technical effect.
It should be noted that many of the functional components described in this specification are called modules or sub-modules in order to emphasize the independence of their implementation.
In the embodiments of the present invention, a module or sub-module may be implemented in software so that it can be executed by various types of processors. For example, an identified executable code module may comprise one or more physical or logical blocks of computer instructions, which may be structured, for instance, as an object, a procedure or a function. The executable code of an identified module need not be physically located together; it may consist of separate instructions stored in different locations which, when logically combined, constitute the module and achieve its stated purpose.
Indeed, an executable code module may be a single instruction or many instructions, and may even be distributed across several different code segments, among different programs, and across multiple memory devices. Likewise, operational data may be identified within a module, may be embodied in any suitable form and organized within any suitable type of data structure, and may be collected as a single data set or distributed over different locations (including different storage devices), existing at least partly only as electronic signals on a system or network.
Where a module can be implemented in software, given the state of current hardware technology, a person skilled in the art could, cost aside, build a corresponding hardware circuit to implement the same function; such a circuit may comprise conventional very large scale integration (VLSI) circuits or gate arrays, existing semiconductors such as logic chips and transistors, or other discrete components. A module may also be implemented with programmable hardware devices such as field programmable gate arrays, programmable array logic or programmable logic devices.
The foregoing describes preferred embodiments of the present invention. It should be pointed out that persons of ordinary skill in the art may make several improvements and refinements without departing from the principles of the present invention, and such improvements and refinements are also to be regarded as falling within the scope of protection of the present invention.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010685582.7A (granted as CN114024693B) | 2020-07-16 | 2020-07-16 | Authentication method, device, session management function entity, server and terminal |
| Publication Number | Publication Date |
|---|---|
| CN114024693A | 2022-02-08 |
| CN114024693B | 2024-11-08 |
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |