CN120730303A - Device authentication method and device, electronic device and storage medium - Google Patents

Device authentication method and device, electronic device and storage medium

Info

Publication number
CN120730303A
Authority
CN
China
Prior art keywords
authentication
node
equipment
network
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410370940.3A
Other languages
Chinese (zh)
Inventor
李海亮
张才普
宋琪
李铖阳
杨绍晖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Chengdu ICT Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Chengdu ICT Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Chengdu ICT Co Ltd
Priority to CN202410370940.3A
Publication of CN120730303A

Abstract

Translated from Chinese

This application discloses a device authentication method and apparatus, an electronic device, and a storage medium. The device authentication method, performed by a network device, includes: determining a security level of a first device to be authenticated; determining, according to the security level, a target node for authenticating the first device; sending an authentication request to the target node; and receiving an authentication response returned by the target node based on the authentication request.

Description

Device authentication method and device, electronic device and storage medium
Technical Field
The present application relates to the field of security, and in particular, to a device authentication method, an apparatus, an electronic device, and a storage medium.
Background
With the widespread application of cellular communication networks in vertical industries, some enterprises require more reliable and more secure network services to protect confidential enterprise data. To meet these security requirements, operators promote private networks realized through physical isolation, that is, a core network and base stations constructed independently of the non-vertical-industry network (the large network), whose advantages in security and privacy are obvious. In one related scheme, a local node is deployed in the private network to perform device authentication; however, if the local node is attacked, all data stored by that node is exposed, and authentication of a private network user who roams then becomes a serious problem. In another scheme, a central node is set up to perform device authentication for private networks; in that case, different private networks all authenticate at the central node, which may overload the central node, cause large authentication delay, and cause large signaling overhead because of the long authentication path.
Disclosure of Invention
In view of the above, embodiments of the present application provide a device authentication method, device, electronic device, and storage medium, which aim to simplify the steps
The technical scheme of the embodiment of the application is realized as follows:
A first aspect provides a device authentication method performed by a network device, the method comprising:
determining a security level of a first device to be authenticated;
determining, according to the security level, a target node for authenticating the first device;
sending an authentication request to the target node;
and receiving an authentication response returned by the target node based on the authentication request.
A second aspect provides a device authentication method performed by a first node, the method comprising:
receiving an authentication request sent by a network device, wherein the authentication request is used for requesting authentication of a first device when the security level of the first device is a first level;
and sending an authentication response of the first device to the network device.
A third aspect provides a device authentication method performed by a second node, the method comprising:
receiving an authentication request sent by a network device, wherein the authentication request is used for requesting authentication of a first device when the security level of the first device is a second level;
and sending an authentication response of the first device to the network device.
A fourth aspect provides a device authentication apparatus, the apparatus comprising:
a first determining module, configured to determine a security level of a first device to be authenticated;
a second determining module, configured to determine, according to the security level, a target node for authenticating the first device;
a first sending module, configured to send an authentication request to the target node;
and a first receiving module, configured to receive an authentication response returned by the target node based on the authentication request.
A fifth aspect provides a device authentication apparatus, the apparatus comprising:
a first receiving module, configured to receive an authentication request sent by a network device;
and a second sending module, configured to send an authentication response of the first device to the network device.
A sixth aspect provides a device authentication apparatus, the apparatus comprising:
the authentication request being used for requesting authentication of the first device when the security level of the first device is a second level;
and a third sending module, configured to send an authentication response of the first device to the network device.
A seventh aspect provides an electronic device comprising a processor and a memory for storing a computer program capable of running on the processor, wherein,
The processor is configured to execute the steps of the method of any of the first to third aspects described above when the computer program is run.
An eighth aspect provides a computer storage medium, wherein the storage medium stores instructions that, when executed on an electronic device, cause the electronic device to perform the technical solutions of any of the first to third aspects.
According to the technical solution provided by the embodiments of the present application, when a device is authenticated, the target node for authentication is selected according to the security level of the device instead of uniformly using one fixed node for authentication. On one hand, this reduces the load problem caused by authenticating with a single node; on the other hand, it reduces the security problem of a single authenticating node storing all authentication information and/or subscription information in one place, thereby improving the security of device authentication and/or the security of the authentication information.
Drawings
Fig. 1 is a flow chart of a device authentication method according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a communication system according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a communication system according to an embodiment of the present application;
Fig. 4 is a flow chart of a device authentication method according to an embodiment of the present application;
Fig. 5 is a flow chart of a device authentication method according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a communication system according to an embodiment of the present application;
Fig. 7 is a flow chart of a device authentication method according to an embodiment of the present application;
Fig. 8 is a flow chart of a device authentication method according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a device authentication apparatus according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a device authentication apparatus according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of a device authentication apparatus according to an embodiment of the present application;
Fig. 12 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the accompanying drawings and examples.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein in the description of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application.
As shown in fig. 1, an embodiment of the present disclosure provides a device authentication method, performed by a network device, including:
S1110, determining a security level of a first device to be authenticated;
S1120, determining, according to the security level, a target node for authenticating the first device;
S1130, sending an authentication request to the target node;
and S1140, receiving an authentication response returned by the target node based on the authentication request.
The network device may be a core network device. The core network device may be, for example, an Access Management Function (AMF) and/or another core network device independent of the AMF. For example, in some embodiments, the core network device may also be a Policy Control Function (PCF).
In some embodiments, the network device may be a network device of a private network. The network device may be, for example, a core network device of a private network. Illustratively, the private network may include, but is not limited to, a quantum private network.
In some embodiments, the quantum private network may include, but is not limited to, a fifth Generation mobile communication (5G) quantum private network.
In some embodiments, when the first device requests access, the network device may receive an authentication request sent by another network device and triggered by the access request of the first device. Illustratively, the network device may receive an authentication request sent by the AMF of the local network. The network device then determines the security level of the first device and determines, according to the offload policy and the security level of the first device, the target node that authenticates the first device.
The offload policy may be rules pre-configured on the network device or rules requested from another network device, such as a PCF.
In some embodiments, the offload policy may include stored correspondences between security levels and the routing information of the corresponding target nodes.
In other embodiments, after the authentication request of the first device is received, the device whose authentication is requested is determined to be the first device to be authenticated.
In some embodiments, the security level of the first device is determined based on security level information carried in the authentication request.
In some embodiments, the security level of the first device is determined based on the device type of the first device. For example, a device type such as a mobile phone may have a high security level, and an Internet of Things (IoT) device may have a low security level.
After the security level is determined, the node adapted to the security level is adopted as a target node for authentication of the first device. The target node may be a core network device.
In some embodiments, the core network device includes, but is not limited to, an Authentication Service Function (AUSF).
In other embodiments, the core network device may include, but is not limited to, a User Data Management (UDM) function.
After the target node is determined, the authentication request is routed to the corresponding target node, and the target node performs authentication of the first device.
In some embodiments, the authentication request may include at least identification information of the first device to be authenticated. The identification information may include device identification information of the first device and identification information of a subscriber identity module (SIM) included in the first device.
In some embodiments, the authentication response may include an authentication success response and/or an authentication failure response.
The authentication success response may indicate that the authentication was successful. The authentication failure response may indicate an authentication failure.
In some embodiments, the authentication success response may include security parameters to be used for secure communication after the first device is successfully authenticated and accesses the network. The security parameters may include a freshness value, a root key, and/or a key identifier, etc.
In some embodiments, the authentication response is returned to the first device.
In some embodiments, information such as the source address of the authentication response is replaced with the address of the network device before the response is returned to the first device.
In some embodiments, the authentication of the first device herein may include, but is not limited to, at least one of:
verifying whether the first device is a legitimately subscribed device;
verifying whether the first device has subscribed to access to the private network;
verifying whether the first device has subscribed to a private network roaming service;
and verifying whether the first device has subscribed to the service it requests.
Of course, the foregoing is merely an example of authentication of the first device, and the specific implementation is not limited to the foregoing example.
A network device performing the device authentication method provided by the embodiments of the present disclosure may be included in the communication system shown in fig. 2 and fig. 3. The network device may correspond to the virtual network function (NF) module in fig. 2 and fig. 3.
The virtual NF module may be integrated into the AMF, SMF, AUSF, or UDM. The virtual module may also be set up independently of the AMF, SMF, AUSF, or UDM.
The network device may belong to a private network. For example, a local AMF, a Session Management Function (SMF), an Access Network (AN), a User Plane Function (UPF), and a PCF are provided in the private network. A central node is arranged outside the private network.
As shown in fig. 3, different private networks may be provided with separate branching nodes. For example, the branch node 1 and the branch node 2 shown in fig. 3 may correspond to different private networks.
In some embodiments, when a device is authenticated, the target node for authentication is selected according to the security level of the device instead of uniformly using one fixed node for authentication. On one hand, this reduces the load problem caused by authenticating with a single node; on the other hand, it reduces the security problem of a single authenticating node storing all authentication information in one place, thereby improving the security of device authentication and/or the security of the authentication information.
In some embodiments, the S1120 includes:
When the security level of the first device is a first level, determining that the target node is a first node; and/or when the security level of the first device is the second level, determining that the target node is the second node.
In some embodiments, the second level is lower than the first level.
In some embodiments, the security level of the first node is higher than the security level of the second node, and/or the first node and the network device are in different network domains and the second node and the network device are in the same network domain.
Illustratively, the first node may be a central node. The second node may be a local node. As shown in fig. 2, the first node may be AUSF or a UDM of the central network domain. The second node may be AUSF or a UDM comprised by the private network.
The security level of the first node being higher than that of the second node may be reflected in the security coefficient of the firewall setting of the first node being higher than that of the firewall setting of the second node.
As another example, communication with the first node must be secured using a security algorithm, which may include an integrity algorithm, an encryption algorithm, and/or a scrambling algorithm, among others.
In some embodiments, the first node and the second node belong to different network domains. The different domains may correspond to different local area networks. For example, the first node is located outside the private network in which the network device is located, and the second node is located in the private network in which the network device is located.
In some embodiments, the aforementioned routing information may include, but is not limited to, at least one of address information of the target node, node identification of the target node, node type of the target node.
The address information may include an IP address or a tunnel address, etc.
The node identification may include a node number or the like.
The node type may indicate whether the target node is a central node or a local node.
Illustratively, the offload policy includes:
a first rule, which includes a correspondence between the first level and the routing information of the first node;
a second rule, which includes a correspondence between the second level and the routing information of the second node.
In some embodiments, the first level may be further divided into a plurality of sub-levels, with different security requirements between the different sub-levels comprised by the first level. Likewise, the second level may be divided into a plurality of sub-levels, with different security requirements between the different sub-levels comprised by the second level. The security requirements may be reflected in the complexity of the security algorithm used when devices of different sub-levels communicate.
In some embodiments, when a first device belonging to a first private network roams to a second private network, the network device of the second private network may receive the authentication request of the first device. If the network device of the second private network does not store the authentication information and/or subscription information of the first device and the security level of the first device is the first level, the authentication request may be sent directly to the first node, which performs the authentication, and the authentication response is received from the first node. If the security level of the first device is the second level, the network device sends the authentication request to the second node of the second private network. The second node of the second private network may not store the authentication information and/or subscription information of the first device at this time, but it may request the authentication information and/or subscription information needed to authenticate the first device from the first node.
In some embodiments, the authentication information may be information generated from subscription information of the first device. The authentication information may be information specific to device authentication.
In some embodiments, when the network device of the second private network receives an authentication request from a first device whose home network is the second private network, it may determine that the target node is the second node. The local node of the second private network then performs local authentication of the first device, which accelerates authentication of the first device in its home private network. In other embodiments, even when the network device of the second private network receives the authentication request of a first device belonging to the second private network, the target node may be determined to be the first node, so that devices with a high security level are uniformly authenticated by the central node, ensuring the security of those devices.
In some embodiments, the sending an authentication request to the target node includes sending an encrypted authentication request to the first node. The receiving the authentication response returned by the target node based on the authentication request comprises receiving an encrypted authentication response returned by the first node based on the authentication request.
Since the first level is higher than the second level, the authentication request and authentication response for a first-level device are encrypted, that is, transmitted as ciphertext, which reduces information leakage of the authentication request and authentication response during transmission.
In some embodiments, the keys of the authentication request and the authentication response may be pre-negotiated by the network device and the first node, or pre-configured by the communication carrier on the network device and the first node.
In some embodiments, the keys corresponding to different private networks are different.
In some embodiments, the key may be a symmetric key or an asymmetric key.
In some embodiments, the authentication request sent to the second node and the authentication response received from the second node may be in plain text, reducing encryption and decryption processing by the second node, thereby reducing latency of authentication.
In some embodiments, the method further comprises:
acquiring, from the first node, authentication information and/or subscription information of a second device, wherein the second device is associated with a first device of the first level, and the authentication information and/or subscription information of the second device is stored in the first node.
In some embodiments, authentication information and/or subscription information of a second device associated with a first device is requested from a first node when the first device of a first security level requests access to a network.
In some embodiments, when the first node is required to authenticate a first device of the first level, the network device obtains the authentication response of the first device from the first node, and the authentication response carries the authentication information and/or subscription information of the second device. Of course, the authentication information and/or subscription information of the second device may be carried in any message sent by the first node to the network device and is not limited to the authentication response of the first-level first device. For example, it may be carried in an update message exchanged between the first node and the network device, where the update message may be sent when the subscription information and/or authentication information of the second device associated with the first device is updated.
The authentication information and/or subscription information of the second device is used by the second node to authenticate the second-level second device associated with the first device.
In some embodiments, the authentication information of the second device may be generated according to subscription information of the second device.
In some embodiments, the second-level second device associated with the first device includes, but is not limited to, one of:
a second-level second device owned by the user to which the first device belongs;
and a second-level second device owned by a user closely associated with the user to which the first device belongs.
For example, a user's office cell phone or office computer is a first-level first device, and the user's smart bracelet may be a second-level second device.
For example, user A's cell phone is a first-level first device, and the cell phone or watch of user A's child is a second-level second device of a closely associated user of user A.
Considering that the devices of different levels belonging to the same user move along with the user, the first-level first device of a user may move together with the second device during roaming, and both may request access to the network and authentication. In this case, the first node sends the authentication information corresponding to the one or more second devices directly to the second node via the authentication response of the first device, so that the second node can subsequently authenticate the second device without having to request the authentication information from the first node.
In some embodiments, the authentication information of the second device may be distributed to the network device in the form of an authentication list. The network device may forward it to the second node or to a database of the second node. For example, the second node may be the local AUSF, and the authentication information of the second device may be stored in the local UDM. The local AUSF can then read the authentication information of the second device from the local UDM.
In some embodiments, if the second node is a local UDM, the authentication information and/or subscription information of the second device is stored directly in the local UDM.
In some embodiments, the authentication information and/or subscription information has a validity period. When the validity period expires, the network device or network node of the roaming network (for example, a second node such as the local AUSF or UDM) deletes the authentication information and/or subscription information.
In other embodiments, the network device or network node of the roaming network deletes the authentication information and/or subscription information of the second device or the first device upon a delete request from the second device.
In some embodiments, the method further comprises:
and deleting the authentication information of the second device or the subscription information of the second device when a trigger event is detected.
Illustratively, the trigger event includes, but is not limited to, at least one of:
the first-level first device logging off from the second private network;
the first-level first device returning to its home first private network. Of course, the above are merely examples, and the specific implementation is not limited to them.
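A local-node store for the second-device authentication list, its validity period and the trigger events described above, written here as an added example and not taken from the patent. It assumes the authentication information is an opaque byte string that the second device presents and the local node compares, an injectable clock, and the event names logout/return_home; the sample authentication list is constructed.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

LOGOUT = "logout"            # first device logs off from the visited private network
RETURN_HOME = "return_home"  # first device returns to its home private network
TRIGGER_EVENTS = (LOGOUT, RETURN_HOME)


@dataclass(frozen=True)
class AuthEntry:
    device_id: str     # identification of the second-level second device
    owner_id: str      # the first-level first device it is associated with
    auth_info: bytes   # authentication information issued by the first node (opaque here)
    expires_at: float  # end of the validity period, seconds since the epoch


class LocalAuthStore:
    """Local-node (e.g. local UDM) store for second-device authentication information."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be exercised deterministically
        self._entries: Dict[str, AuthEntry] = {}

    def ingest_auth_list(self, owner_id: str, auth_list: Iterable[Tuple[str, bytes]],
                         validity_s: float) -> int:
        """Store the authentication list carried in the first device's authentication response."""
        expires_at = self._now() + validity_s
        count = 0
        for device_id, auth_info in auth_list:
            self._entries[device_id] = AuthEntry(device_id, owner_id, auth_info, expires_at)
            count += 1
        return count

    def lookup(self, device_id: str) -> Optional[AuthEntry]:
        """Return a live entry; an expired one is deleted on sight and reported as absent."""
        entry = self._entries.get(device_id)
        if entry is None:
            return None
        if self._now() >= entry.expires_at:
            del self._entries[device_id]
            return None
        return entry

    def on_trigger(self, owner_id: str, event: str) -> int:
        """Delete every entry associated with the first device when a trigger event fires."""
        if event not in TRIGGER_EVENTS:
            raise ValueError(f"unknown trigger event: {event}")
        doomed = [d for d, e in self._entries.items() if e.owner_id == owner_id]
        for device_id in doomed:
            del self._entries[device_id]
        return len(doomed)

    def on_delete_request(self, device_id: str) -> bool:
        """Honour a delete request coming from the second device itself."""
        return self._entries.pop(device_id, None) is not None


def authenticate_second_device(store: LocalAuthStore, device_id: str, presented: bytes) -> str:
    """Local authentication of a second-level device against the cached information.

    Returns "success", "failure", or "not_cached" (in the last case the local node
    would have to request the information from the first node, as in the roaming case)."""
    entry = store.lookup(device_id)
    if entry is None:
        return "not_cached"
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return "success" if hmac.compare_digest(entry.auth_info, presented) else "failure"


# Constructed sample: user A's phone (first level) arrives in a visited private network
# carrying an authentication list for the user's watch and the child's watch (second level).
SAMPLE_AUTH_LIST = [("watch-A1", b"auth-info-watch-A1"), ("watch-child-A", b"auth-info-child-A")]

if __name__ == "__main__":
    store = LocalAuthStore()
    store.ingest_auth_list("phone-A", SAMPLE_AUTH_LIST, validity_s=3600)
    print(authenticate_second_device(store, "watch-A1", b"auth-info-watch-A1"))  # success
    print(store.on_trigger("phone-A", LOGOUT))  # 2
    print(authenticate_second_device(store, "watch-A1", b"auth-info-watch-A1"))  # not_cached
```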
In some embodiments, S1110 may include:
and determining the security level of the first device according to identification information of the first device.
In some embodiments, the identification information may be device identification information of the first device and/or identification information of a subscriber identity module (SIM) included in the first device.
In some embodiments, the subscriber identity module may be an embedded SIM (eSIM) or a physical SIM.
In some embodiments, the device identification information may include an International Mobile Equipment Identity (IMEI) of the device and/or an International Mobile Subscriber Identification Number (IMSI).
In some embodiments, the identification information of the SIM may include an Integrated Circuit Card Identity (ICCID) and/or a Mobile Subscriber ISDN (Integrated Services Digital Network)/PSTN (Public Service Telephone Network) Number (MSISDN).
Therefore, the network device can determine the security level of the first device from the identification of the first device without the terminal providing additional information, which saves signaling overhead.
In some embodiments, S1110 may specifically include at least one of:
determining the security level of the first device based on a Subscription Permanent Identifier (SUPI) of the first device;
determining the security level of the first device based on a Subscription Concealed Identifier (SUCI) of the first device.
The SUPI and SUCI may be information written into the SIM of the first device, so that when writing information to the SIM, the communications carrier may write a SUPI and SUCI corresponding to the security level subscribed to by the first device.
Illustratively, the specified bits of the bit sequences corresponding to the SUPI or SUCI differ between different security levels. The specified bits may be one or more bits, and may include the most significant bits or the least significant bits of the bit sequence.
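Steps S1110 to S1130 on the network device, combining the specified-bit SUPI rule just described with the offload policy rules and the encrypted-versus-plaintext handling for the first and second nodes from the earlier passages, as an added example that is not part of the patent. It assumes the level is encoded in one specified bit of an 8-byte SUPI (constructed sample values), an offload policy modelled as a level-to-routing-information map, and one pre-negotiated key identifier per private network; the cipher itself is out of scope, the request only records which protection the target requires and fails closed when the key is missing.

```python
from dataclasses import dataclass
from typing import Dict, Optional

FIRST_LEVEL = 1   # higher level: authenticated by the central (first) node
SECOND_LEVEL = 2  # lower level: authenticated by the local (second) node


@dataclass(frozen=True)
class RoutingInfo:
    """Routing information carried by an offload-policy rule."""
    address: str    # IP or tunnel address of the target node
    node_id: str    # node number
    node_type: str  # "central" or "local"


@dataclass(frozen=True)
class AuthRequest:
    supi: bytes
    target: RoutingInfo
    protection: str        # "encrypted" towards the first node, "plain" towards the second
    key_id: Optional[str]  # pre-negotiated key used when protection == "encrypted"


@dataclass
class OffloadPolicy:
    # Rule 1 maps the first level to the first node, rule 2 the second level to the second node.
    rules: Dict[int, RoutingInfo]
    # Assumption: the level is encoded in one specified bit of the SUPI bit sequence;
    # bit 0 is the least significant bit of the whole sequence.
    level_bit: int
    # Assumption: one pre-configured key identifier per private network, keyed by network name.
    first_node_keys: Dict[str, str]


def security_level_from_supi(supi: bytes, level_bit: int) -> int:
    """S1110: read the specified bit of the SUPI; a set bit marks the first level."""
    if not supi:
        raise ValueError("empty SUPI")
    if level_bit >= len(supi) * 8:
        raise ValueError("level bit lies outside the SUPI bit sequence")
    value = int.from_bytes(supi, "big")
    return FIRST_LEVEL if (value >> level_bit) & 1 else SECOND_LEVEL


def select_target(policy: OffloadPolicy, level: int) -> RoutingInfo:
    """S1120: pick the target node from the offload policy; fail closed on unknown levels."""
    try:
        return policy.rules[level]
    except KeyError:
        raise LookupError(f"no offload rule for security level {level}") from None


def build_auth_request(policy: OffloadPolicy, private_network: str, supi: bytes) -> AuthRequest:
    """S1130: assemble the request with the protection the target node requires."""
    level = security_level_from_supi(supi, policy.level_bit)
    target = select_target(policy, level)
    if target.node_type == "central":
        # First-level traffic to the central node must be ciphertext; refuse to send
        # in the clear if no key has been negotiated for this private network.
        key_id = policy.first_node_keys.get(private_network)
        if key_id is None:
            raise PermissionError(f"no key negotiated with the central node for {private_network}")
        return AuthRequest(supi, target, "encrypted", key_id)
    # Second-level traffic to the local node may stay in plain text.
    return AuthRequest(supi, target, "plain", None)


# Constructed sample policy: the level sits in the most significant bit of an 8-byte SUPI.
SAMPLE_POLICY = OffloadPolicy(
    rules={
        FIRST_LEVEL: RoutingInfo("10.0.0.1", "central-ausf-1", "central"),
        SECOND_LEVEL: RoutingInfo("192.168.1.10", "local-ausf-1", "local"),
    },
    level_bit=63,
    first_node_keys={"private-net-A": "key-A-2024"},
)

if __name__ == "__main__":
    high = bytes.fromhex("8000000000000001")  # MSB set: first level
    low = bytes.fromhex("0000000000000001")   # MSB clear: second level
    for supi in (high, low):
        req = build_auth_request(SAMPLE_POLICY, "private-net-A", supi)
        print(req.target.node_type, req.protection, req.key_id)
```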
As shown in fig. 4, an embodiment of the present disclosure provides a device authentication method, performed by a first node, the method including:
S2110, receiving an authentication request sent by a network device, wherein the authentication request is used for requesting authentication of a first device when the security level of the first device is a first level;
and S2120, sending an authentication response of the first device to the network device.
In some embodiments, the first node may be a core network device. The core network device may be an AUSF or a UDM, etc. Illustratively, the first node may be the central node shown in fig. 2.
In some embodiments, the first node may be an AUSF or another node dedicated to authentication, and the UDM may provide data support for the AUSF; for example, the UDM may store subscription information and/or authentication information for first-level devices, providing the AUSF with the data required for device authentication.
In embodiments of the present disclosure, a first node will receive an authentication request from a network device located in a private network, the authentication request requesting the first node to authenticate a first level device. The authentication request may include identification information of the device to be authenticated.
In some embodiments, the first node may obtain authentication information of the first device according to the identification information of the first device, and authenticate the first device according to the authentication information.
In some embodiments, the authentication information may be generated from subscription information of the first device.
In some embodiments, authentication of the first device may include, but is not limited to, at least one of:
verifying whether the first device is a legitimately subscribed device;
verifying whether the first device has subscribed to access to the private network;
verifying whether the first device has subscribed to the private network roaming service; and
verifying whether the first device has subscribed to the service it requests.
Of course, the foregoing is merely an example of authentication of the first device, and the specific implementation is not limited to it.
After authentication of the first device is completed, an authentication response is returned to the network device.
In some embodiments, the authentication response may include an authentication success response and/or an authentication failure response.
The authentication success response may indicate that the authentication was successful. The authentication failure response may indicate an authentication failure.
In some embodiments, an authentication success response is sent to the network device when the first device passes authentication.
In some embodiments, an authentication failure response is sent to the network device when the first device fails authentication.
For how the first node specifically authenticates the first device, reference may be made to the corresponding embodiments above, which are not repeated here.
In some embodiments, when one or more second devices are associated with the first device, the first node sends the authentication information and/or subscription information of the second devices to the network device. The security level of the second devices is a second level, which is lower than the first level, and this information is used by a second node associated with the network device to authenticate the second devices locally.
In some embodiments, the authentication information and/or subscription information of the second device may be carried in the authentication response for the first-level first device.
In some embodiments, the authentication information of the second device is generated from the subscription information of the second device.
In some embodiments, when the first device passes authentication, the authentication information of the second device is carried in the authentication success response; this limits unnecessary circulation of the second device's authentication information and improves its security.
In some embodiments, when the first device is verified as a legitimate device but the service it requested fails verification, the authentication failure response may also carry the authentication information of the second device.
The description of the second device associated with the first device may be found in the previous embodiments and will not be repeated here.
In some embodiments, the authentication information and/or subscription information of the second device in the authentication response may be sent to the network device in the form of a list.
In some embodiments, the authentication request is an encrypted request and the authentication response is an encrypted response.
As shown in fig. 5, an embodiment of the present disclosure provides a device authentication method, performed by a second node, the method including:
S3110, receiving an authentication request sent by a network device, wherein the authentication request requests authentication of a first device whose security level is a second level;
S3120, sending an authentication response for the first device to the network device.
In some embodiments, the second node corresponds to the second level.
In some embodiments, the second node may be an AUSF or UDM or the like belonging to the same network domain as the first device.
In some embodiments, the second node may be an AUSF or another node dedicated to authentication, with the UDM providing data support for the AUSF; for example, the UDM may store the subscription information and/or authentication information of second-level devices and supply the AUSF with the information it needs to authenticate them.
In some embodiments, the security level of the second node may be lower than that of the first node.
In some embodiments, the second node authenticates second-level devices.
For how the second node specifically authenticates the first device, reference may be made to the corresponding embodiments above, which are not repeated here.
Likewise, the authentication request may include identification information of the first device. The identification information may be the aforementioned device identification information and/or identification information of the SIM.
In some embodiments, the authentication response may include an authentication success response and/or an authentication failure response.
In some embodiments, an authentication success response is sent to the network device when the first device passes authentication.
In some embodiments, an authentication failure response is sent to the network device when the first device fails authentication.
In some embodiments, the method may further comprise:
when the security level of the first device is the first level, receiving from the network device the authentication information and/or subscription information of at least one second device associated with the first device, where this information may be carried in the authentication response sent by the first node to the network device, for example in an authentication success response; and
storing the authentication information and/or subscription information of the second device.
In some embodiments, the method may further comprise:
and deleting the authentication information and/or subscription information of the second equipment when the specified condition is met.
In some embodiments, the authentication information and/or subscription information of the second device has a validity period.
In some embodiments, the second node deletes authentication information and/or subscription information of the second device upon expiration of the validity period.
In some embodiments, when a triggering event is detected at the second node, the authentication information and/or subscription information of the second device is deleted.
In some embodiments, when a deletion instruction from the first device or the second device is received, the authentication information and/or subscription information of the second device is deleted.
In some embodiments, when the network device receives a deletion instruction produced by a triggering event, the authentication information and/or subscription information of the second device is deleted.
The triggering event includes, but is not limited to, at least one of:
a first-level first device logging off from the second private network;
a first-level first device returning to its home first private network. Of course, the above are merely examples, and the specific implementation is not limited to them.
In some embodiments, the second node may be the network device described above that determines the target node for the first device to be authenticated; that is, the network device and the second node may be integrated, or arranged as one and the same network node.
The embodiments of the present disclosure provide a more complete method for supporting a distributed subscription authentication network architecture and customised data transmission based on a virtual network element module. The method can efficiently solve the problem of configuring multiple peer network elements, upgrade the current private network deployment mode, and improve the central node's management, control and information integration for the users of each private network. In the scenario of roaming across multiple isolated private networks, users are authenticated for network access at the central node UDM or AUSF through a shared authentication policy, and a custom encryption algorithm can be applied to the transmitted data. This addresses the high deployment cost, lack of support for multiple encryption algorithms and poor flexibility of existing methods.
The embodiments of the present disclosure provide a network scheme based on a virtual network element module that supports multi-node subscription authentication, shared roaming authentication processing and a per-link personalised encryption algorithm. By deploying a virtual network element software module in the original private network scheme, the original network deployment architecture is expanded into a multi-node subscription authentication architecture of local nodes and a central node. A shared authentication processing policy is also designed: when a user roams to a new visited isolated private network, the user's single authentication at the central node is used to make the authentication of the user's other terminals and Internet of Things devices under the local isolated private network succeed, which solves the roaming authentication problem, improves efficiency and reduces the load on the central node authentication server.
User-sensitive data that is transmitted in the clear between network element interfaces is encrypted for transmission with a personalised encryption algorithm, strengthening the protection of user information so as to solve the problem mentioned in the fourth section. The dual-UDM subscription authentication network architecture of an independent private network may be as shown in fig. 2.
The multi-node subscription authentication network architecture across private networks may be as shown in fig. 3.
The software function modules in the two network architecture schemes comprise a virtual network element module, a data distribution module, a data encryption and decryption module, a routing forwarding module and a shared authentication processing module, which function as follows:
The virtual network element module establishes a connection with the peer network element based on the Service Based Interface (SBI) standard protocol, receives and parses the request signaling of the peer network element, replaces basic information such as the central node network element address, the branch node network element address, the virtual network element address and the access network element address, and completes normal service interaction with the peer network element.
The data distribution module performs signaling identification on the data messages received by the virtual network element module based on information such as the subscriber number segment, and determines the node at which the real authentication server of the device requesting network access is located and the network element address of the target UDM or AUSF to which the signaling message is to be sent.
The data encryption and decryption module encrypts and encapsulates the plaintext signaling messages of high-security-level devices that are authenticated at the central node, according to the signaling security level and the unified management and control requirements, and decrypts the encrypted signaling messages it receives, so as to remove the potential threat of interception on the optical fibre.
The routing forwarding module encapsulates the signaling message to be transmitted according to the SBI standard protocol and forwards it to the designated target network element.
The shared authentication processing module acquires a shared authentication association list and subscription information from the central node according to the SUCI or SUPI of the device requesting network access, and caches them for a period of time on the virtual network element server and the local node UDM or AUSF server so that the devices in the association list can subsequently be authenticated locally. The shared authentication association list may be a list carrying the authentication information of the aforementioned second devices, and the subscription information acquired from the central node may be the subscription information of the second devices.
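The following is an added example, not code from the patent or its applicant, of what the data distribution module and the address-rewriting part of the virtual network element module described above do. Everything specific in it is an assumption: the security level is taken from the first digit of the MSIN ("1" = first/high level, anything else = second/low level); for a SUCI protected with a non-null scheme the MSIN is encrypted by the UE, so the module cannot read it and the example falls back to the first digit of the routing indicator; MNC is assumed to be two digits; the node addresses, the `handle_request` function and the sample AUSF response (RAND, AUTN, HXRES*, href with made-up hex values) are constructed for illustration.

```python
# Added example (not the patent's code): toy data distribution module plus
# href rewriting, as a branch node server would apply them to a request from
# the AMF. All addresses and the level-encoding rule are assumptions.
import re
from typing import Any, Tuple

CENTRAL_NODE = "https://ausf.central.example.internal"   # assumed address
BRANCH_NODE = "https://ausf.branch1.example.internal"    # assumed address
VIRTUAL_NE = "https://vne.branch1.example.internal"      # assumed address

FIRST_LEVEL = "first"    # high security: central node, encrypted link
SECOND_LEVEL = "second"  # low security: local branch node, plaintext link

# SUPI in IMSI form: mcc(3) + mnc(assumed 2) + msin(10).
SUPI_RE = re.compile(r"^imsi-(\d{3})(\d{2})(\d{10})$")
# SUCI NAI layout: suci-0-<mcc>-<mnc>-<routing ind>-<scheme>-<hn key id>-<scheme output>
SUCI_RE = re.compile(r"^suci-0-(\d{3})-(\d{2,3})-(\d{1,4})-(\d)-(\d+)-([0-9A-Fa-f]+)$")


def security_level(identifier: str) -> str:
    """Read the 'specified bits' (here: one leading digit) from a SUPI or SUCI."""
    m = SUPI_RE.match(identifier)
    if m:
        msin = m.group(3)
        return FIRST_LEVEL if msin[0] == "1" else SECOND_LEVEL
    m = SUCI_RE.match(identifier)
    if m:
        routing_indicator, scheme, output = m.group(3), m.group(4), m.group(6)
        if scheme == "0":
            # Null scheme: the scheme output is the MSIN in the clear.
            return FIRST_LEVEL if output[0] == "1" else SECOND_LEVEL
        # Profile A/B: the MSIN is concealed, so only the routing indicator is
        # readable here (assumption: the carrier encodes the level in it too).
        return FIRST_LEVEL if routing_indicator[0] == "1" else SECOND_LEVEL
    raise ValueError(f"unsupported identifier format: {identifier!r}")


def select_target(identifier: str) -> Tuple[str, bool]:
    """Return (target UDM/AUSF address, whether the link must be encrypted)."""
    if security_level(identifier) == FIRST_LEVEL:
        return CENTRAL_NODE, True
    return BRANCH_NODE, False


def rewrite_hrefs(obj: Any, real_node: str) -> Any:
    """Replace the real node's address inside href strings with the virtual
    network element address, so the AMF keeps talking to its single peer."""
    if isinstance(obj, dict):
        return {k: rewrite_hrefs(v, real_node) for k, v in obj.items()}
    if isinstance(obj, list):
        return [rewrite_hrefs(v, real_node) for v in obj]
    if isinstance(obj, str) and obj.startswith(real_node):
        return VIRTUAL_NE + obj[len(real_node):]
    return obj


# Constructed sample of the 5G-AKA response the text describes (RAND, AUTN,
# HXRES*, href). The hex values are made up.
SAMPLE_RESPONSE = {
    "authType": "5G_AKA",
    "5gAuthData": {
        "rand": "00112233445566778899aabbccddeeff",
        "autn": "ffeeddccbbaa99887766554433221100",
        "hxresStar": "0123456789abcdef0123456789abcdef",
    },
    "_links": {"5g-aka": {"href": CENTRAL_NODE
                          + "/nausf-auth/v1/ue-authentications/ctx-1/5g-aka-confirmation"}},
}


def handle_request(supi_or_suci: str, upstream_response: dict) -> dict:
    """Decide the path for one request and prepare the response for the AMF."""
    target, encrypted = select_target(supi_or_suci)
    return {
        "target": target,
        "encrypted_link": encrypted,
        "response_to_amf": rewrite_hrefs(upstream_response, target),
    }


if __name__ == "__main__":
    print(handle_request("imsi-460001123456789", SAMPLE_RESPONSE))
```

The fallback for non-null SUCI schemes is the caveat a practitioner should check against the patent's own wording: the "specified bits" of a SUCI are only readable by the branch node if they lie outside the encrypted scheme output.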
The multi-node subscription authentication private network architecture and deployment flow may be as shown in fig. 6.
As shown in fig. 6, three servers are set up at each branch node. Server one deploys the UDM and AUSF network elements for subscription authentication of low-security-level terminals.
Server two deploys the AMF, SMF, UPF and the other private network elements to complete the private network coverage of the branch node. Server three deploys the virtual network element module, data distribution module, data encryption and decryption module, routing forwarding module and shared authentication processing module, and assists in completing the distributed UDM private network service at the branch node and the shared authentication mechanism for associated devices.
Two servers are set up at the central node. Server one deploys the UDM and AUSF network elements for account opening and subscription authentication of high-security-level terminals. Server two deploys the data encryption and decryption module, routing forwarding module and shared authentication processing module, assists in completing the distributed UDM private network service at the central node, and issues the shared authentication mapping table.
Terminal device information of the terminals under a branch node is added to the branch node UDM and the central node UDM according to terminal security level and unified management and control requirements. For example, subscription or authentication information such as the IMSI and authentication key (Ki) of low-security-level devices that need not be uniformly managed by the central node is added to the branch node UDM, while the IMSI, Ki and other subscription/authentication information of high-security-level mobile terminals that require unified management is added to the central node UDM. The same user information may also be added to both the branch node UDM and the central node UDM, with the central node serving as a disaster recovery backup for the branch node.
The central node stores a mapping database of user-associated devices. When a branch node forwards the network access request of a roaming terminal to the central node, the shared authentication processing module acquires from the central node the subscription information and/or authentication information of the devices associated with the user for shared authentication, acquires the subscription and/or authentication information of the user equipment from the home node of the associated devices, and issues and caches it on the server where the branch node UDM or AUSF is located for a period of time, during which the associated devices may request network access authentication. The length of this period may be determined from the validity period of the subscription or authentication information of the associated devices received from the central node. The associated devices are the second devices.
In the configuration file of the AMF of each branch node, the addresses of the peer UDM and AUSF are configured as the Internet Protocol (IP) address of the virtual network element module on branch node server three, so that the virtual network element module on server three acts as the peer UDM and AUSF when the service is established.
The network element IP addresses of the central node (UDM, AUSF), the IP address of the branch node, the distribution policy and the data security algorithm are configured in the module configuration files of branch node server three and central node server two.
The distribution policy may include, for example, the target subscription address for high-security-level devices. The data security algorithm may include an asymmetric algorithm, a hash algorithm and/or a symmetric algorithm.
The specific data security algorithms here may include the SM3 and SM4 algorithms.
SM3 is a hash algorithm suitable for generating and verifying digital signatures and message authentication codes and for generating random numbers in commercial cryptographic applications. SM4 is a block cipher used to encrypt and decrypt data so as to ensure the confidentiality of data and information.
And starting each functional module of the branch node server III and the center node server II. The virtual network element module completes connection establishment with network elements such as AMF, SMF and the like of the branch node server II, and the routing forwarding module monitors and forwards signaling messages received by the server.
Base station equipment such as the Baseband Processing Unit (BBU), Extension Unit (EU) and Remote Radio Unit (RRU) is deployed at the branch node and connected to the branch node AMF, completing the signal coverage of the branch node.
Fig. 7 shows an authentication method for an internet of things device, which may include:
the terminal requests network access, and the base station sends an initial message to the core network AMF;
the AMF sends an authentication request to the virtual network element module, which may correspond to the network device in the example shown in fig. 1;
the data distribution module determines the subscription authentication path (here also called the authentication path);
the data encryption and decryption module encrypts the request for transmission;
the routing forwarding module completes the protocol encapsulation and sends the ciphertext request, i.e. the encrypted authentication request, to the central node;
the data encryption and decryption module of the central node decrypts it;
the central node UDM/AUSF receives the authentication request and returns an authentication response;
the central node encrypts the response message (including the authentication response), transmits it back to the branch node, and issues the shared authentication list, which comprises the authentication information and/or subscription information of the devices associated with the device being authenticated;
the data encryption and decryption module of the branch node decrypts the response and caches the shared authentication list at the branch node;
the virtual network element module parses the response message and modifies the address information in it, for example replacing the address of the central node with the address of the virtual network element module;
the routing forwarding module performs protocol encapsulation on the response message and returns it to the core network AMF;
the AMF returns the response to the base station and the terminal.
If instead the branch node is selected for subscription authentication, the branch node UDM/AUSF receives the authentication request and returns an authentication response;
the virtual network element module parses the response message and modifies the AUSF/UDM address information in it to the address of the virtual network element;
the routing forwarding module encapsulates the message and returns it to the core network AMF;
the AMF returns the response to the base station and the terminal.
Taking the Internet of things equipment and the AKA subscription authentication of the mobile user terminal under the branch node as an example, the following process description is carried out:
A low-security-level Internet of Things terminal and a high-security-level mobile user terminal access the network under the private network base station separately (or together), and the base station sends an initial message (INITIATING MESSAGE) to the core network AMF.
The AMF sends an authentication request to the virtual network element module over HTTP/2; the request may contain the SUPI or SUCI, the serving network name and other information.
After receiving the authentication request, the virtual network element module identifies the security level of the terminal from the SUPI or SUCI and other information, and the data distribution module selects the distribution path to the corresponding UDM or AUSF. Low-security-level terminals are authenticated at the local branch node, and high-security-level terminals are authenticated at the central node.
For the high-security-level terminal, the information is encrypted with the preset algorithm of the data encryption and decryption module, for example SM4.
The routing forwarding module encapsulates the authentication request based on HTTP/2 and forwards it along the directed route to the target address of the central or branch UDM or AUSF. The unencrypted authentication request of the low-security-level terminal is routed to branch node server one, and the encrypted authentication request of the high-security-level terminal is routed to central node server two.
After the routing forwarding module of central node server two receives the authentication request sent by the branch node, the encryption and decryption module decrypts it with the preset algorithm, such as SM4. The decrypted signaling message is encapsulated by the routing forwarding module based on HTTP/2 and forwarded to central node server one.
After receiving the authentication request, the AUSF of the central node or of branch node server one performs the authentication computation with the UDM and returns an authentication response message (i.e. the authentication response). The returned message includes a random number (RAND), an authentication token (AUTN), the hashed expected response (HXRES*) and a hypertext reference (href), among others. The authentication response of the branch node is returned to branch node server three, and the authentication response of the central node is returned to central node server two. The random number, authentication token and expected response can be used as security parameters contained in the authentication response for the subsequent secure communication of the device.
After receiving the authentication response message, the routing forwarding module of central node server two has the data encryption and decryption module encrypt the information with the preset encryption algorithm, encapsulates it based on HTTP/2 and sends it to branch node server three. At the same time, the shared authentication processing module encrypts and transmits the user's shared authentication list data and the subscription information of the shared-authentication associated devices to server three of the branch node.
The routing forwarding module of branch node server three receives the response messages of the branch node UDM or AUSF and of the central node UDM or AUSF, and the data encryption and decryption module decrypts the encrypted response message of the central node.
The virtual network element module of branch node server three processes the branch node response and the decrypted central node response, replacing basic information such as the central node network element address, branch node network element address and virtual network element address of the UDM or AUSF in the href.
The routing forwarding module of branch node server three encapsulates the processed authentication response message based on HTTP/2 and returns it to the core network AMF. This completes one signaling interaction of the AKA authentication flow for high- and low-security-level user terminal devices.
Branch node server three decrypts the shared association list and caches the user equipment data in the list to the branch node UDM. When a terminal device in the list later sends an authentication request to the virtual network element module, the virtual network element module and the branch node UDM or AUSF quickly complete the authentication flow of that device according to the shared authentication policy.
The embodiments of the present disclosure provide a more complete network architecture supporting a distributed UDM private network and a networking scheme supporting a per-link personalised encryption algorithm, together with a software-module-based method for directed subscription authentication, which strengthens the information integration and unified management and control of users under each branch node and protects the information of high-security-level users under the branch node.
The embodiments provide a distributed UDM private network architecture applicable to single-campus and multi-campus private network scenarios, solving the problems that existing isolated private networks are not interconnected, that users lack unified management and control, and that sensitive user identity information under branch nodes is easily leaked. The central node performs unified account opening for the high-security-level users of all branch node isolated private networks and can serve as a backup of the branch node UDM account information, so that service can be restored quickly when a branch node UDM fails.
The embodiments provide a virtual network element module for the problem of distributed authentication and subscription across multiple network elements. Because network elements such as the AMF can be configured with only one peer UDM or AUSF network element address, the virtual network element module code configures a virtual core network element, using programming frameworks such as netty and http, to solve the problem of distributed authentication and subscription.
The embodiments provide a single-pass signaling authentication processing flow. After different types of terminals separately (or together) initiate authentication requests, the distribution module first determines the security level of the terminal from information such as the terminal's SUCI. The authentication request of a high-security mobile user terminal is encrypted and forwarded to the central UDM or AUSF node for the authentication computation, and the related authentication response information (including the shared authentication list) is fed back to the branch node. The authentication request of a low-security Internet of Things terminal needs no encryption and is forwarded to the local (branch) UDM or AUSF node for a fast authentication computation, with the authentication response fed back to the branch node. This realises single-pass signaling authentication processing for different types of terminals.
The embodiments provide a shared authentication processing flow. After obtaining the user's shared authentication list, the branch (local) node server (which may be the server of the network where the terminal is roaming) caches the user equipment data in the association list to the branch node UDM. When a terminal device in the list (of any security class) accesses the network and initiates an authentication request, the request is forwarded directly to the branch node UDM or AUSF, which quickly completes the corresponding authentication flow.
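The following is an added example, not code from the patent or its applicant, of the shared authentication processing module on the branch node as described in the second-node embodiments (storing the second devices' information, its validity period, and deletion on a triggering event) and in the shared authentication flow just described. It models the behaviour end to end: a first-level device is authenticated at the central node, the response carries a shared authentication list for its associated second-level devices, the branch caches that list and can authenticate those devices locally until an entry expires or the first-level device logs off or returns home. The list layout, the result labels `AUTH_SUCCESS`/`SERVICE_REFUSED`/`AUTH_FAILURE`, the default validity, the opaque `auth_info` blob and all identifiers are constructed assumptions.

```python
# Added example (not the patent's code): toy shared-authentication cache for a
# branch node. Result labels, list layout and identifiers are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class CachedEntry:
    owner: str          # first-level device whose central response delivered this entry
    auth_info: bytes    # opaque authentication/subscription data of the second-level device
    expires_at: float   # absolute time in seconds, derived from the validity period


class SharedAuthCache:
    """Branch-node cache for the shared authentication list."""

    def __init__(self, clock: Callable[[], float], default_validity: float = 3600.0):
        self._clock = clock
        self._default_validity = default_validity
        self._entries: Dict[str, CachedEntry] = {}

    def ingest_response(self, owner: str, response: dict) -> int:
        """Cache the list carried in the central node's response. The text allows
        the list on a success response, or on a failure response when the device
        is legitimate but the requested service was refused; nothing is cached
        for a device that failed legitimacy verification."""
        if response.get("result") not in ("AUTH_SUCCESS", "SERVICE_REFUSED"):
            return 0
        now = self._clock()
        shared = response.get("shared_auth_list", [])
        for item in shared:
            validity = float(item.get("validity", self._default_validity))
            self._entries[item["id"]] = CachedEntry(
                owner, bytes.fromhex(item["auth_info"]), now + validity)
        return len(shared)

    def local_auth_info(self, device_id: str) -> Optional[bytes]:
        """Data for authenticating a second-level device locally, or None when the
        device is unknown or its entry has expired (expired entries are dropped)."""
        entry = self._entries.get(device_id)
        if entry is None:
            return None
        if entry.expires_at <= self._clock():
            del self._entries[device_id]
            return None
        return entry.auth_info

    def on_trigger(self, owner: str) -> int:
        """Triggering event (the first-level device logged off this private network
        or returned to its home network): delete every entry it brought along."""
        doomed = [d for d, e in self._entries.items() if e.owner == owner]
        for d in doomed:
            del self._entries[d]
        return len(doomed)


class FakeClock:
    """Injectable clock so the validity period can be exercised deterministically."""
    def __init__(self, t: float) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


def demo() -> dict:
    """Roaming scenario end to end; returns the observations for checking."""
    clock = FakeClock(1000.0)
    cache = SharedAuthCache(clock)
    owner = "imsi-460001000000001"            # constructed first-level device
    response = {                              # constructed central node response
        "result": "AUTH_SUCCESS",
        "shared_auth_list": [
            {"id": "imsi-460005000000001", "auth_info": "aa" * 16, "validity": 600},
            {"id": "imsi-460005000000002", "auth_info": "bb" * 16, "validity": 60},
        ],
    }
    out = {"ingested": cache.ingest_response(owner, response)}
    out["first_hit"] = cache.local_auth_info("imsi-460005000000001") is not None
    out["unknown"] = cache.local_auth_info("imsi-460005000000009")
    clock.t += 120                            # the 60 s validity of device 2 lapses
    out["expired_hit"] = cache.local_auth_info("imsi-460005000000002")
    out["still_hit"] = cache.local_auth_info("imsi-460005000000001") is not None
    out["rejected"] = cache.ingest_response(
        "imsi-460001000000002",
        {"result": "AUTH_FAILURE", "shared_auth_list": [{"id": "x", "auth_info": "00"}]})
    out["deleted_on_trigger"] = cache.on_trigger(owner)   # owner leaves the visited network
    out["after_trigger"] = cache.local_auth_info("imsi-460005000000001")
    return out


if __name__ == "__main__":
    print(demo())
```

The two checks worth keeping in any real implementation are the ones the text implies but does not spell out: an entry is only as trustworthy as the response that carried it, so a failed legitimacy check must cache nothing, and the cache must be keyed by the owning first-level device so that its logoff or return home can evict exactly what it brought.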
As shown in fig. 8, an embodiment of the present disclosure provides an authentication method, which may include:
1. an authentication request of a User Equipment (UE), here the UE may be understood as the aforementioned device.
2. The AMF sends an authentication request of the equipment to the virtual network element module;
3. and selecting a target node according to the shunt strategy.
4. A local subscription authentication device;
5. a local subscription authentication device;
6. encapsulating and forwarding an authentication response;
7. completing authentication;
8. the AMF sends an authentication response to the device.
9. An authentication request;
10. Selecting a target node according to the shunt strategy;
11. an authentication request;
12. authentication response;
13. packaging and forwarding an authentication response;
14. and finishing authentication.
The embodiment of the disclosure provides a shared authentication processing flow that supports subscription authentication by distributed UDM or AUSF. The multi-UDM networking scheme provided by the application can manage and control the user data of multiple isolated private networks and perform distributed registration and authentication; it strengthens the secure storage of high-protection user identity information in the branch isolated private networks and guarantees network access for Internet of Things devices under the branch nodes.
The shared authentication processing flow provided by the embodiment of the disclosure is convenient, highly extensible and low in cost.
The application uses a one-to-many distributed peer network element configuration mode: by deploying and configuring a virtual network element software module, the parsing, encapsulation and forwarding of core network signaling can be configured according to user requirements, so the network element configuration architecture is easily customized and extended, and the independence and extensibility of the SBI interface are further exploited.
In summary, the embodiments of the present disclosure provide a processing mechanism for shared authentication during user roaming: using the mapping database of user-associated devices at the central node, a user can roam to a new isolated private network, and the terminal devices associated with that user obtain fast network access authentication in the new isolated private network.
Cryptographic protection on the transmission link. The scheme provided by the embodiment of the disclosure takes the security of user signaling data into account, guards against backdoor vulnerabilities in public protocols and malicious attacks, and implements in software the encryption and decryption capability of the national cryptographic algorithms between network element interfaces, so that integrity, confidentiality and replay resistance between core network elements are conveniently achieved.
The embodiment of the disclosure provides a relatively complete network architecture supporting a distributed UDM private network, a network architecture scheme supporting a link-specific encryption algorithm, and a lightweight method for configuring multiple peer network elements based on a software module. The distributed UDM architecture allows network access under private network nodes to be authenticated in a distributed manner according to security level and latency requirements, while also giving the central node unified control, including remote kill, over users in the branch isolated private networks. The virtual network element module of the embodiment of the disclosure solves the problem of configuring the peer network elements of the core network, enriches the network deployment architecture conveniently and quickly, and further applies the strong extensibility of the network service interface. The embodiment of the disclosure has been deployed in the frontier technology research project for secure private networks and extends the configuration and deployment modes of the UDM network element. Because the embodiment of the invention is flexible to deploy and general in nature, the method and apparatus apply to most private network deployment scenarios, the link encryption capability is easy to roll out across network scenarios, and the application prospects are broad.
In the architecture design of the private network, the multi-UDM scheme architecture addresses the roaming requirements of a single private network and of multi-node isolated private networks and realizes unified user management of private network users, while the multi-peer network element configuration technique extends the private network deployment architecture, providing a new technical path for meeting the requirements of diverse customer scenarios.
In some embodiments, private networks provided by embodiments of the present disclosure may include, but are not limited to, quantum private networks.
As shown in fig. 9, an embodiment of the present disclosure provides a device authentication apparatus, including:
a first determining module 1101, configured to determine a security level of a first device to be authenticated;
a second determining module 1102, configured to determine, according to the security level, a target node for authenticating the first device;
a first sending module 1103, configured to send an authentication request to the target node;
a first receiving module 1104, configured to receive an authentication response returned by the target node based on the authentication request.
In some embodiments, the second determining module is specifically configured to determine that the target node is a first node when the security level of the first device is a first level, and to determine that the target node is a second node when the security level of the first device is a second level, where the second level is lower than the first level, and where the security level of the first node is higher than the security level of the second node and/or the first node and the network device are in different network domains while the second node and the network device are in the same network domain.
In some embodiments, the first sending module is specifically configured to send an encrypted authentication request to the first node, and the first receiving module is specifically configured to receive an encrypted authentication response returned by the first node based on the authentication request.
In some embodiments, the first receiving module is configured to obtain authentication information and/or subscription information of a second device from the first node, where the second device is associated with the first device at the first level, the authentication information of the second device is generated according to the subscription information of the second device, and the security level of the second device is lower than that of the first device; the first sending module is configured to store the authentication information and/or subscription information of the second device to the second node, for authentication of the second device by the second node.
In some embodiments, the first determining module is specifically configured to determine the security level of the first device according to the identification information of the first device.
In some embodiments, the first determining module is specifically configured to perform at least one of:
determining a security level of the first device according to a user permanent identifier SUPI of the first device;
a security level of the first device is determined based on the user hidden identifier SUCI of the first device.
As shown in fig. 10, an embodiment of the present disclosure provides a device authentication apparatus, including:
a second receiving module 1201, configured to receive an authentication request sent by a network device, where the authentication request is used to request authentication of a first device when the security level of the first device is a first level;
a second sending module 1202, configured to send an authentication response of the first device to the network device.
In some embodiments, the second sending module is specifically configured to send authentication information and/or subscription information of a second device to the network device when the first device is associated with one or more second devices, where the security level of the second device is lower than that of the first device, the authentication information and/or subscription information of the second device is used for local authentication of the second device by a second node associated with the network device, and the authentication information of the second device is generated according to the subscription information of the second device.
In some embodiments, the authentication request is an encrypted request and the authentication response is an encrypted response.
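The following added example (not code from the patent) models the network-device side of the two-node scheme described above: the security level is derived from the device identifier, a first-level device is authenticated by the cross-domain central node over a sealed link, and the associated lower-level devices' authentication information returned with that response is stored at the local node so they can be authenticated there. The SUPI prefix policy, the sample subscription data and the HMAC-with-nonce sealing (a stand-in for the page's national cryptographic link protection, covering integrity and replay resistance only) are all assumptions.

```python
import hmac, hashlib, os, json
from dataclasses import dataclass, field

LINK_KEY = b"constructed-shared-link-key"   # stand-in for the per-link cipher key (assumption)
HIGH_PREFIX = "460001"                        # assumption: SUPI prefix that marks first-level devices

def seal(msg: dict) -> dict:
    """Wrap a cross-domain message with a nonce and HMAC tag (integrity + anti-replay)."""
    body, nonce = json.dumps(msg, sort_keys=True), os.urandom(8).hex()
    tag = hmac.new(LINK_KEY, (nonce + body).encode(), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "body": body, "tag": tag}

def unseal(env: dict, seen: set) -> dict:
    """Verify the tag and reject a replayed nonce; raises ValueError on failure."""
    tag = hmac.new(LINK_KEY, (env["nonce"] + env["body"]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, env["tag"]) or env["nonce"] in seen:
        raise ValueError("bad tag or replayed message")
    seen.add(env["nonce"])
    return json.loads(env["body"])

@dataclass
class Node:
    name: str
    subscriptions: dict = field(default_factory=dict)  # SUPI -> {"key": ..., "associated": [...]}
    seen: set = field(default_factory=set)

    def authenticate(self, req: dict) -> dict:
        rec = self.subscriptions.get(req["supi"])
        ok = rec is not None and hmac.compare_digest(rec["key"], req["proof"])
        resp = {"supi": req["supi"], "result": ok, "node": self.name}
        if ok and rec.get("associated"):  # first-level device: hand back its associated devices' auth info
            resp["associated"] = {s: {"key": self.subscriptions[s]["key"]} for s in rec["associated"]}
        return resp

    def handle_sealed(self, env: dict) -> dict:
        return seal(self.authenticate(unseal(env, self.seen)))

@dataclass
class NetworkDevice:
    central: Node   # first node: higher security level, different network domain
    local: Node     # second node: same domain as the network device
    seen: set = field(default_factory=set)

    def authenticate(self, supi: str, proof: str) -> dict:
        req = {"supi": supi, "proof": proof}
        if supi.startswith(HIGH_PREFIX):            # first level: sealed exchange with the central node
            resp = unseal(self.central.handle_sealed(seal(req)), self.seen)
            for s, info in resp.pop("associated", {}).items():
                self.local.subscriptions[s] = info  # provision local auth for the lower-level devices
            return resp
        return self.local.authenticate(req)         # second level: local node, no cross-domain hop

# constructed sample data: one first-level device with one associated second-level device
central = Node("central-UDM", {"460001000000001": {"key": "k-high", "associated": ["460002000000009"]},
                               "460002000000009": {"key": "k-low"}})
amf = NetworkDevice(central, Node("branch-UDM"))
```

Until the first-level device has been authenticated once, the local node holds no record for the associated device and its local authentication fails, which mirrors the provisioning order described above.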
As shown in fig. 11, an embodiment of the present disclosure provides a device authentication apparatus, including:
a third receiving module 1301, configured to receive an authentication request sent by a network device, where the authentication request is used to request authentication of a first device when the security level of the first device is a second level;
a third sending module 1302, configured to send an authentication response of the first device to the network device.
Based on the hardware implementation of the above program modules, and in order to implement the method of the embodiment of the present application, the embodiment of the present application further provides an electronic device. Fig. 12 shows only an exemplary structure of the access control device, not all of it; part or all of the structure shown in fig. 12 may be implemented as needed.
As shown in fig. 12, an electronic device 1000 provided by an embodiment of the application includes at least one processor 1001, a memory 1002, a user interface 1003, and at least one network interface 1004. The various components in the access control device are coupled together by a bus system 1005. It is understood that the bus system 1005 is used to enable communication among these components. In addition to the data bus, the bus system 1005 includes a power bus, a control bus, and a status signal bus; for clarity of illustration, the various buses are labeled as bus system 1005 in fig. 10.
The user interface 1003 may include, among other things, a display, keyboard, mouse, trackball, click wheel, keys, buttons, touch pad, or touch screen, etc.
The memory 1002 in embodiments of the present application is used to store various types of data to support the operation of the access control device. Examples of such data include any computer program for operation on an access control device.
The device authentication method disclosed in the embodiment of the present application may be applied to the processor 1001 or implemented by the processor 1001. The processor 1001 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the device authentication method may be performed by integrated logic circuitry of hardware in the processor 1001 or by instructions in the form of software. The processor 1001 may be a general purpose processor, a digital signal processor (DSP), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The processor 1001 may implement or execute the methods, steps and logic blocks disclosed in the embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiment of the application can be directly embodied in the hardware of a decoding processor or can be implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, where the storage medium is located in the memory 1002; the processor 1001 reads the information in the memory 1002 and, in combination with the hardware, performs the steps of the device authentication method provided by the embodiment of the present application.
In an exemplary embodiment, the electronic device may be implemented by one or more application specific integrated circuits (ASICs), DSPs, programmable logic devices (PLDs), complex programmable logic devices (CPLDs), field programmable gate arrays (FPGAs), general purpose processors, controllers, microcontrollers (MCUs), microprocessors, or other electronic elements for performing the foregoing methods.
It is to be appreciated that memory 1002 can be either volatile memory or non-volatile memory, and can include both volatile and non-volatile memory. The non-volatile memory may be, among other things, a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), a ferromagnetic random access memory (FRAM), flash memory, magnetic surface memory, an optical disk, or a compact disc read-only memory (CD-ROM); the magnetic surface memory may be disk memory or tape memory. The volatile memory may be random access memory (RAM), which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SLDRAM), and direct Rambus random access memory (DRRAM). The memory described by embodiments of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.
In an exemplary embodiment, the present application also provides a storage medium, i.e. a computer storage medium, which may specifically be a computer readable storage medium, for example, including a memory 1002 storing a computer program, where the computer program may be executed by the processor 1001 of the electronic device to perform the steps of the method according to the embodiment of the present application. The computer readable storage medium may be ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, an optical disk, or a CD-ROM.
It should be noted that the terms first, second, etc. are used to distinguish similar objects and do not necessarily describe a particular order or sequence.
In addition, the embodiments of the present application may be combined arbitrarily as long as they do not conflict.
The foregoing is merely illustrative of the present application and does not limit it; any variations or alternatives that a person skilled in the art can readily conceive within the scope of the present application fall within its protection scope. Therefore, the protection scope of the application is subject to the protection scope of the claims.
Claims (14)

Application CN202410370940.3A, filed 2024-03-28 (priority date 2024-03-28), published as CN120730303A on 2025-09-30 (legal event PB01, publication). Family ID 97165221. Country status: CN, pending.