Mobile network authentication using hidden identity
By using hidden identifiers for authentication, the problem of 5G-enabled UEs exposing secret subscriber identifiers in non-3GPP access networks is solved, achieving secure authentication and privacy protection, and meeting the security requirements of 5G networks.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- LENOVO (SINGAPORE) PTE LTD
- Filing Date
- 2020-06-22
- Publication Date
- 2026-07-03
AI Technical Summary
In existing technologies, when a 5G-enabled user equipment (UE) accesses a mobile core network through a non-3GPP access network, it may expose its secret subscriber identifier, leading to security risks and violating the privacy protection requirements of 5G networks.
Authentication is performed using a hidden identifier (such as SUCI) and through a non-3GPP access network and mobile communication network. During the authentication process using the hidden identifier, network function detection is performed to remove the hidden identifier and obtain a permanent identifier, thereby achieving secure authentication of the UE.
It enables secure authentication of 5G-enabled UEs in non-3GPP access networks, protecting user privacy and meeting the security requirements of 5G networks.
Smart Images

Figure CN115943652B_ABST
Abstract
Description
Technical Field
[0001] The topics disclosed in this article generally relate to supporting authentication using hidden identifiers and mobile core networks. Background Technology
[0002] The following abbreviations and acronyms are defined herein, and at least some of them are referenced in the following description.
[0003] 3GPP (3rd Generation Partnership Project), 5GC (5th Generation Core Network), Access and Mobility Management Function (AMF), Access Point Name (APN), Access Layer (AS), Access Network Information (ANT), Application Programming Interface (API), Data Network Name (DNN), Downlink (DL), Enhanced Mobile Broadband (eMBB), Evolved Node B (eNB), Evolved Packet Core (EPC), Evolved Packet System (EPS), Evolved UMTS Terrestrial Radio Access Network (E-UTRAN), Home Subscriber Service The following are listed: HSS ("HSS"), IP Multimedia Subsystem ("IMS", also known as "IP Multimedia Core Network Subsystem"), Internet Protocol ("IP"), Long Term Evolution ("LTE"), LTE-Advanced ("LTE-A"), Media Access Control ("MAC"), Mobile Network Operator ("MNO"), Mobility Management Entity ("MME"), Non-Access Stratum ("NAS"), Narrowband ("NB"), Network Functions ("NF"), Network Access Identifier ("NAI"), Next Generation (e.g., 5G) Node B ("gNB"), Next Generation Radio Access Network ("NG-RAN"), New Radio ("NR") The following are included: Non-3GPP Access Network (“N3AN”), Policy Control Function (“PCF”), Packet Data Network (“PDN”), Packet Data Unit (“PDU”), PDN Gateway (“PGW”), Public Land Mobile Network (“PLMN”), Quality of Service (“QoS”), Radio Access Network (“RAN”), Radio Access Technology (“RAT”), Radio Resource Control (“RRC”), Receive (“Rx”), Security Mode Control (“SMC”), Single Network Slice Selection Auxiliary Information (“S-NSSAI”), Serving Gateway (“SGW”), Session Management Function (“SMF”). Transmission Control Protocol (“TCP”), Transmission (“Tx”), Trusted Non-3GPP Access Network (“TNAN”), Trusted Non-3GPP Access Point (“TNAP”), Trusted Non-3GPP Gateway Function (“TNGF”), Unified Data Management (“UDM”), User Entity / Equipment (Mobile Terminal) (“UE”), Uplink (“UL”), User Plane (“UP”), Universal Mobile Telecommunications System (“UMTS”), User Datagram Protocol (“UDP”), User Location Information (“ULI”), Wireless Local Area Network (“WLAN”), and Global Microwave Access Interoperability (“WiMAX”).
[0004] In some embodiments, the UE can access the 5G core ("5GC") network via a gateway function in a non-3GPP access network ("N3AN"). Summary of the Invention
[0005] For example, a method for supporting UE authentication using a hidden identifier with a mobile core network includes sending a first authentication message to a network function to authenticate with a mobile communication network via a non-3GPP access network. Here, the first authentication message includes a hidden identifier for the device. The method includes receiving a second authentication message from the network function in response to the first authentication message. Here, the second authentication message includes an authentication response based on the hidden identifier. The method includes completing authentication with the mobile communication network in response to an authentication response including a challenge packet. The method includes receiving configuration information for accessing the mobile communication network in response to successful authentication with the mobile communication network.
[0006] For example, an AAA function method for supporting authentication using a hidden identifier with a mobile core network includes receiving a first authentication message from a network function to authenticate a remote unit via a non-3GPP access network and a mobile communication network. Here, the first authentication message includes an identifier for the remote unit and an authentication type. The method includes detecting that the identifier is a hidden identifier for the remote unit. Here, the hidden identifier indicates that the remote unit has 5G capability. The method includes creating an authentication vector request message including the hidden identifier and an authentication method, the authentication type specifying the authentication method. The method includes sending the authentication vector request message to the network function. Here, the network function de-hides the hidden identifier to retrieve a permanent identifier for the remote unit. The method includes receiving an authentication vector response message from the network function. Here, the authentication vector response message includes a permanent identifier for the remote unit and an authentication vector.
[0007] For example, a method for an HSS (Hypervisor Service) supporting authentication using a hidden identifier and a mobile core network includes receiving an authentication vector request message from a first network function to authenticate a remote unit via a non-3GPP access network. Here, the authentication vector request message includes an identifier for the remote unit. The method includes detecting that the identifier is a hidden identifier for the remote unit. Here, the hidden identifier indicates that the remote unit has 5G capability. The method includes selecting a second network function based on the hidden identifier. Here, the second network function is configured to de-hide the hidden identifier. The method includes sending an authentication vector request message to the second network function to request an authentication vector associated with the hidden identifier and an authentication type. The method includes receiving an authentication vector response message from the second network function. Here, the authentication vector response message includes a permanent identifier for the remote unit and an authentication vector.
[0008] For example, a method for a UDM (User Device Management) supporting authentication using a hidden identifier with a mobile core network includes receiving an authentication vector request message from a network function to authenticate a remote unit via a non-3GPP access network and a mobile communication network. Here, the authentication vector request message includes an identifier for the remote unit and an authentication type. The method includes detecting that the identifier is a hidden identifier for the remote unit. Here, the hidden identifier indicates that the remote unit has 5G capability. The method includes dehiding the hidden identifier to determine a permanent identifier for the remote unit. The method includes creating an authentication vector response message including the dehidden permanent identifier for the remote unit and an authentication method, wherein the authentication type specifies the authentication method. The method includes sending the authentication vector response message to the network function.
[0009] For example, an AUSF method for supporting authentication using a hidden identifier and a mobile core network includes receiving an authentication vector request message from a network function to authenticate a remote unit via a non-3GPP access network and a mobile communication network. Here, the authentication vector request message includes an identifier for the remote unit. The method includes detecting that the identifier is a hidden identifier for the remote unit. Here, the hidden identifier indicates that the remote unit has 5G capability. The method includes selecting a network function to de-hide the hidden identifier based on a routing identifier of the hidden identifier. The method includes sending the authentication vector request message to the network function. Here, the network function de-hides the hidden identifier to retrieve a permanent identifier for the remote unit. The method includes receiving an authentication vector response message from the network function. Here, the authentication vector response message includes a permanent identifier for the remote unit and an authentication vector. Attached Figure Description
[0010] A more detailed description of the embodiments briefly described above will be presented with reference to specific embodiments illustrated in the accompanying drawings. It should be understood that these drawings depict only a few embodiments and are therefore not intended to limit the scope. The embodiments will be described and explained using additional specificity and detail through the use of the drawings, in which:
[0011] Figure 1 This is a diagram illustrating one embodiment of a wireless communication system for supporting authentication using a hidden identifier and a mobile core network;
[0012] Figure 2A This is a signal flow diagram illustrating one embodiment of a solution for supporting authentication using hidden identifiers and mobile core networks;
[0013] Figure 2B yes Figure 2A The continuation of the process depicted in the text;
[0014] Figure 2C yes Figure 2A The continuation of the process depicted in the text;
[0015] Figure 2D yes Figure 2B and 2C The continuation of the process depicted in the text;
[0016] Figure 3 This is a block diagram illustrating one embodiment of a user equipment device that supports authentication using a hidden identifier and a mobile core network;
[0017] Figure 4 This is a block diagram illustrating one embodiment of a user equipment device that supports authentication using a hidden identifier and a mobile core network;
[0018] Figure 5 This is a flowchart illustrating an embodiment of a first method for supporting authentication using a hidden identifier with a mobile core network;
[0019] Figure 6 This is a flowchart illustrating an embodiment of a second method for supporting authentication using a hidden identifier with the mobile core network;
[0020] Figure 7 This is a flowchart illustrating an embodiment of a third method for supporting authentication using a hidden identifier with the mobile core network;
[0021] Figure 8 This is a flowchart illustrating an embodiment of a fourth method for supporting authentication using a hidden identifier and a mobile core network; and
[0022] Figure 9 This is a flowchart illustrating an embodiment of a fifth method for supporting authentication using a hidden identifier with the mobile core network. Detailed Implementation
[0023] As those skilled in the art will understand, aspects of the embodiments can be embodied as a system, apparatus, method, or program product. Therefore, embodiments can take the form of a completely hardware embodiment, a completely software embodiment (including firmware, resident software, microcode, etc.), or an embodiment combining software and hardware aspects.
[0024] For example, the disclosed embodiments can be implemented as hardware circuitry including custom-designed very large-scale integration (“VLSI”) circuitry or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components. The disclosed embodiments can also be implemented in programmable hardware devices such as field-programmable gate arrays, programmable array logic, programmable logic devices, etc. As another example, the disclosed embodiments may include one or more physical or logical blocks of executable code, which may, for example, be organized as objects, procedures, or functions.
[0025] Furthermore, embodiments may take the form of a program product embodied in one or more computer-readable storage devices stored in machine-readable code, computer-readable code, and / or program code, hereinafter referred to as code. The storage device may be tangible, non-transitory, and / or non-transferable. The storage device may not embody signals. In one embodiment, the storage device employs only signals for accessing the code.
[0026] Any combination of one or more computer-readable media may be used. A computer-readable medium may be a computer-readable storage medium. A computer-readable storage medium may be a storage device for storing code. A storage device may be, for example, but not limited to, electronic, magnetic, optical, electromagnetic, infrared, holographic, micromechanical, or semiconductor systems, apparatuses, or devices, or any suitable combination thereof.
[0027] More specific examples of storage devices (a non-exhaustive list) will include the following: electrical connections having one or more cables, portable computer disks, hard disks, random access memory (“RAM”), read-only memory (“ROM”), erasable programmable read-only memory (“EPROM” or flash memory), portable compact disk read-only memory (“CD-ROM”), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing. In the context of this document, a computer-readable storage medium can be any tangible medium capable of containing or storing programs for use by or in connection with an instruction execution system, apparatus, or device.
[0028] References to "an embodiment," "embodiment," or similar language in this specification mean that a particular feature, structure, or characteristic described in connection with that embodiment is included in at least one embodiment. Therefore, unless expressly specified otherwise, throughout this specification, the phrases "in an embodiment," "in an embodiment," and similar language may, but not necessarily all, refer to the same embodiment, but rather mean "one or more, but not all, embodiments." Unless expressly specified otherwise, the terms "comprising," "including," "having," and variations thereof mean "including, but not limited to,". Unless expressly specified otherwise, the list of enumerated items does not imply that any or all items are mutually exclusive. Unless expressly specified otherwise, the terms "a," "an," and "the" also mean "one or more".
[0029] As used herein, a list connected with "and / or" includes any single item in the list or a combination of items in the list. For example, a list of A, B, and / or C includes only A, only B, only C, a combination of A and B, a combination of B and C, a combination of A and C, or a combination of A, B, and C. As used herein, a list using the term "one or more of" includes any single item in the list or a combination of items in the list. For example, one or more of A, B, and C includes only A, only B, only C, a combination of A and B, a combination of B and C, a combination of A and C, or a combination of A, B, and C. As used herein, a list using the term "one of" includes one and only one of any single item in the list. For example, "one of A, B, and C" includes only A, only B, or only C and excludes combinations of A, B, and C. As used herein, "selected from the group consisting of A, B, and C" includes one and only one of A, B, or C and excludes combinations of A, B, and C. As used in this article, “selecting members of a group consisting of A, B, and C and their combinations” includes only A, only B, only C, combinations of A and B, combinations of B and C, combinations of A and C, or combinations of A, B, and C.
[0030] Furthermore, the features, structures, or characteristics of the described embodiments can be combined in any suitable manner. Numerous specific details, such as examples of programming, software modules, user selection, network transactions, database queries, database structures, hardware modules, hardware circuits, hardware chips, etc., are provided in the following description to provide a thorough understanding of the embodiments. However, those skilled in the art will recognize that the embodiments can be practiced without one or more specific details, or using other methods, components, materials, etc. In other instances, well-known structures, materials, or operations have not been shown or described in detail to avoid obscuring aspects of the embodiments.
[0031] The aspects of the embodiments are described below with reference to schematic flowcharts and / or schematic block diagrams of methods, apparatus, systems, and program products according to the embodiments. It will be understood that each block of the schematic flowcharts and / or schematic block diagrams, and combinations of blocks in the schematic flowcharts and / or schematic block diagrams, can be implemented by code. This code can be provided to a processor of a general-purpose computer, special-purpose computer, or other programmable data processing apparatus to generate machinery, such that instructions executable via the processor of the computer or other programmable data processing apparatus create means for implementing the functions / actions specified in the schematic flowcharts and / or schematic block diagrams.
[0032] The code can also be stored in a storage device that can instruct a computer, other programmable data processing device or other device to operate in a particular manner, such that the instructions stored in the storage device produce an article of art including instructions that implement the functions / actions specified in the schematic flowchart and / or schematic block diagram.
[0033] The code may also be loaded onto a computer, other programmable data processing apparatus or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer-implemented process, such that the code executing on the computer or other programmable apparatus provides a process for implementing the function / action specified in the schematic flowchart and / or schematic block diagram.
[0034] The schematic flowcharts and / or block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of apparatus, system, method, and program products according to various embodiments. In this regard, each block in the schematic flowcharts and / or block diagrams may represent a module, segment, or portion of code, which includes one or more executable instructions for implementing a specified logical function.
[0035] It should also be noted that in some alternative embodiments, the functions annotated in the boxes may occur in a different order than those annotated in the figures. For example, depending on the functionality involved, two boxes shown successively may actually be performed substantially simultaneously, or these boxes may sometimes be performed in reverse order. Other steps and methods that are functionally, logically, or effectively equivalent to one or more boxes or portions thereof in the illustrated figures are conceivable.
[0036] The description of the elements in each figure can be referenced to the elements in the preceding figures. Throughout all figures, the same reference numerals refer to the same elements, including alternative embodiments of the same elements.
[0037] Methods, apparatus, and systems for supporting authentication in mobile core networks using hidden identifiers are disclosed. Currently, the process for trusted non-3GPP access in 3GPP TS33.402 anticipates that the UE will send its International Mobile Subscriber Identity (“IMSI”) in plaintext—e.g., unencrypted—to an AAA server in the core network via the air interface. While 5G UEs may be backward compatible with previous generations, security measures implemented in earlier technologies may not have the same security level as in 5G; for example, they may be lower in security level or have lower security requirements than in 5G.
[0038] The resulting problem is that when a UE is redirected to non-3GPP access via an EPC, a 5G-capable UE can be subject to a bidding down attack in retrieving its Secret Subscriber Identifier (SUPI). This is because the UE may behave like a 4G UE and may send its SUPI directly in the first message or as a response to an Identifier Request message, as described in 3GPP TS33.402v15.0.0. This 4G behavior by a 5G UE may violate 5G requirements where the Secret Subscriber Permanent Identifier (“SUPI”) may need to be hidden in the first message or as a response to an Identifier Request message.
[0039] As currently described in TS 33.402, for authentication, the UE sends an EAP response / identification message. The UE should send its identifier conforming to the Network Access Identifier (“NAI”) format currently specified in 3GPP TS 23.003 v16.0.0 (i.e., with the format “username@realm”). The NAI contains a pseudonym assigned to the UE in previous runs of the authentication process, or, in the case of initial authentication, the IMSI. In the case of initial authentication, the NAI should indicate 'EAP-AKA' as specified in TS 23.003.
[0040] The UE can send a secret subscriber identifier before any secure channel used for encryption is enabled. This secret subscriber identifier may have been derived from its IMSI or may be the same as its IMSI. Because the UE has 5G capabilities, this may not be necessary in 5G procedures, as the UE and network may need to support subscriber identifier privacy in 5G, as well as during non-3GPP access procedures to 5GC.
[0041] This document discloses a process that enables a 5G-capable UE to perform "Access Authentication for Non-3GPP Access in EPS," as currently specified in Clause 6.2 of TS 33.402. As used herein, "Access Authentication for Non-3GPP Access in EPS" refers to authentication for access (i.e., non-3GPP access network) and receiving an IP address. Following this, the UE can register to the 5GC network via NAS signaling, whereby the UE will be authenticated by the 5GC. In other words, the UE can access the 5GC, and it can also connect to a non-3GPP access network using authentication via EAP-AKA / EAP-AKA with the EPC. The UE can be a 4G and 5G dual-mode UE, which can perform any registration using the SUCI required by 5G, such as non-3GPP registration, where the SUCI is a hidden secret subscriber identifier that may have been derived from or may be the same as the UE's IMSI.
[0042] Because the UE is 5G capable, its secret subscriber identifier—the Subscription Permanent Identifier (“SUPI”)—may be hidden, for example, as SUCI, or replaced with a temporary identifier such as 5G-GUTI. The subject matter disclosed herein describes applying the same concept to 4G non-3GPP access for 5G capable UEs, for example, the UE using its hidden 5G identifier in an EAP response toward a 4G network. Enhancements in the network may be necessary to support such significant changes, such as, for example, with respect to the following embodiment, where the UE does not need to support NAS protocols via non-3GPP access; for example, the UE has 3GPP credentials but may not support NAS via non-3GPP access.
[0043] Figure 1 A wireless communication system 100 for supporting authentication using hidden identifiers and a mobile core network is depicted. In one embodiment, the wireless communication system 100 includes at least one remote unit 105, at least one non-3GPP access network 120, which may include a trusted non-3GPP access network (“TNAN”), and a mobile core network 140 in a PLMN. However, those skilled in the art will recognize from this disclosure that an untrusted non-3GPP access network may also be used. The non-3GPP access network 120 may consist of at least one base station unit 121. The remote unit 105 may communicate with the non-3GPP access network 120 using a non-3GPP communication link 113, depending on the radio access technology deployed on the non-3GPP access network 120. Even in Figure 1 The description includes a specific number of remote units 105, base station units 121, non-3GPP access networks 120, and mobile core networks 140. Those skilled in the art will recognize that any number of remote units 105, base station units 121, non-3GPP access networks 120, and mobile core networks 140 can be included in the wireless communication system 100.
[0044] In one implementation, the wireless communication system 100 conforms to the 4G and 5G systems specified in the 3GPP specifications. However, more generally, the wireless communication system 100 may implement other open or proprietary communication networks, such as LTE / EPC (referred to as "4G") or WiMAX, and other networks. This disclosure is not intended to limit implementation to any particular wireless communication system architecture or protocol.
[0045] In one embodiment, remote unit 105 may include computing devices such as desktop computers, laptop computers, personal digital assistants (“PDAs”), tablet computers, smartphones, smart TVs (e.g., internet-connected TVs), smart appliances (e.g., internet-connected appliances), set-top boxes, game consoles, security systems (including security cameras), in-vehicle computers, network devices (e.g., routers, switches, modems), etc. In some embodiments, remote unit 105 may include wearable devices such as smartwatches, fitness bands, optical head-mounted displays, etc. Furthermore, remote unit 105 may be referred to as a UE, subscriber unit, mobile device, mobile station, user, terminal, mobile terminal, fixed terminal, subscriber station, user terminal, wireless transmit / receive unit (“WTRU”), device, or other terms used in the art.
[0046] Remote unit 105 can communicate directly with one or more base station units 121 in the non-3GPP access network 120 via uplink (“UL”) and downlink (“DL”) communication signals. Furthermore, the UL and DL communication signals can be carried on communication link 113. Note that the non-3GPP access network 120 is an intermediate network providing remote unit 105 with access to the mobile core network 140.
[0047] Base station unit 121 can serve a plurality of remote units 105 within a service area, such as a cell or cell sector, via communication link 113. Base station unit 121 can communicate directly with one or more of the remote units 105 via communication signals. Typically, base station unit 121 transmits DL communication signals to serve the remote units 105 in the time, frequency, and / or spatial domains. Furthermore, the DL communication signals can be carried on communication link 113. Communication link 113 can be any suitable carrier in the licensed or unlicensed radio spectrum. Communication link 113 facilitates communication between one or more of the remote units 105 and / or one or more of the base station units 121.
[0048] As described above, the non-3GPP access network 120 supports a secure signaling interface and interoperates with 4G and 5G core networks. The non-3GPP access network 120 may include a proxy AAA; in the depicted embodiment, the non-3GPP access network 120 includes an AAA proxy 123.
[0049] Base station unit 121 may be distributed across a geographical area. In some embodiments, base station unit 121 may also be referred to as a non-3GPP access point, access terminal, access point, base station, relay node, device, or any other term used in the art. Base station unit 121 is typically part of a radio access network (“RAN”) such as non-3GPP access network 120, which may include one or more controllers communicatively coupled to one or more corresponding base station units 121. These and other elements of the radio access network are not illustrated but are generally well known to those skilled in the art. Base station unit 121 is connected to mobile core network 140 via non-3GPP access network 120.
[0050] In some embodiments, remote unit 105 communicates with an application server (or other communication peer) via a network connection to mobile core network 140. For example, an application in remote unit 105 (e.g., a web browser, media client, telephony / VoIP application) can trigger remote unit 105 to establish a PDU session (or other data connection) with mobile core network 140 using non-3GPP access network 120. To establish a PDU session, remote unit 105 must register with mobile core network.
[0051] In one embodiment, the mobile core network 140 is a 5G core (“5GC”) or an evolved packet core (“EPC”) that can be coupled to data networks such as the Internet and private data networks, as well as other data networks. The remote unit 105 may utilize the mobile core network 140 with a subscription or other account. This disclosure is not intended to limit implementations to any particular wireless communication system architecture or protocol.
[0052] Mobile core network 140 includes several network functions (“NFs”). As depicted, mobile core network 140 includes at least one user plane function (“UPF”) 141. Mobile core network 140 also includes multiple control plane functions, including but not limited to access and mobility management functions (“AMF”) 143, session management functions (“SMF”) 145, and policy control functions (“PCF”) 147. In some embodiments, mobile core network 140 may also include a Home Subscriber Server (“HSS”) 151, a Unified Data Management Function (“UDM”) 155, an Authentication Server Function (“AUSF”) 153, a Subscription Identifier De-hiding Function (“SIDF”) 157, a Network Repository Function (“NRF”) (used by various NFs for discovery and communication with each other via APIs), or other NFs defined for the 5G core. In some embodiments, mobile core network 140 may also include a 3GPP AAA server 149 to provide authentication, authorization, policy control, and routing information for access gateways or interoperability functions for non-3GPP access. Note that the 3GPP AAA server can be merged and / or quasi-co-located with other network functions in the mobile core network 140.
[0053] In various embodiments, the mobile core network 140 supports different types of mobile data connections and different types of network slices, where each mobile data connection utilizes a specific network slice. Here, a "network slice" refers to a portion of the mobile core network 140 optimized for a specific service type or communication service. Network instances may be identified by S-NSSAI, while the set of network slices authorized for use by the remote unit 105 is identified by NSSAI. Each network slice includes a set of CP and UP network functions, where each network slice is optimized for a specific type of service or traffic type. For ease of illustration, in Figure 1 Different network slices are not shown, but their support is assumed. In one example, each network slice includes SMF and UPF, but various network slices share AMF143, PCF147, and UDM155. In another example, each network slice includes AMF, SMF, and UPF.
[0054] Despite Figure 1 A specific number and type of network functions are described, but those skilled in the art will recognize that any number and type of network functions can be included in the mobile core network 140. Although Figure 1The components of the 5G RAN and 5G core network are described, but the embodiments described for supporting authentication with the mobile core network using hidden identifiers are applicable to other types of communication networks and RATs, including IEEE 802.11 variants, GSM, GPRS, UMTS, LTE variants, CDMA 2000, Bluetooth, ZigBee, Sigfoxx, etc.
[0055] Furthermore, when the mobile core network 140 includes an EPC, the described network functions can be replaced by appropriate EPC entities such as MME, S-GW, P-GW, HSS, etc. For example, AMF 143 can be mapped to the MME, SMF 145 can be mapped to the control plane portion of the PGW and / or to the MME, UPF 141 can be mapped to the SGW and the user plane portion of the PGW, UDM can be mapped to the HSS, etc.
[0056] In various embodiments, remote unit 105 is a 4G and 5G capable device that uses a hidden identifier, rather than an explicitly sent identifier, to register with mobile core network 140, such as a 4G core network, 5G core network, etc., via a non-3GPP access network 120, such as a WLAN. The subject matter disclosed herein is to retrieve a permanent identifier for remote device 105 corresponding to the hidden identifier by authenticating with the mobile core network using the hidden identifier for remote unit 105 via access to 3GPP AAA servers 149, HSS 151, AUSF 153, UDM 155 in a core mobile network 140 such as a 4G / 5G core network.
[0057] Figures 2A to 2D A process 200 for supporting authentication using a hidden identifier and mobile core network according to embodiments of this disclosure is described. Process 200 relates to a UE 205 (e.g., an embodiment of remote unit 105), a non-3GPP access network 207, and a proxy AAA server 211 (e.g., an embodiment of AAA proxy 123) within a VPLMN 210. Process 200 also relates to a 3GPP AAA server 217, an HSS 219 (in some embodiments), an AUSF 223 (in other embodiments), and a UDM / SIDF 221, which reside within an HPLMN 215. In its most typical case, the trusted non-3GPP access network 210 is a WLAN access network conforming to the IEEE 802.11 specification.
[0058] In one implementation, such as Figure 2A , Figure 2B and Figure 2DAs illustrated, UE 205 provides SUCI, such as IMSI / SUPI, to 3GPP AAA server 217 without revealing its permanent subscription ID. This is as described below and... Figure 2B The two options shown are as follows: In option A, 3GPP AAA server 217 accesses SUPI from UDM 221 via HSS 219, while in option B, 3GPP AAA server 217 accesses SUPI directly from UDM 221. However, in both options A and B, 3GPP AAA server 217 is performing authentication.
[0059] In another embodiment, such as Figure 2A , Figure 2C and Figure 2D As illustrated in Option C, the 3GPP AAA server 217 communicates with AUSF 223 (e.g., instead of HSS 219), and the authentication process runs between UE 205 and AUSF 223 (e.g., not between UE 205 and 3GPP AAA server 217). In this embodiment, as explained in more detail below, the 3GPP AAA server 217 detects that the NAI from UE 205 includes SUCI instead of IMSI. The 3GPP AAA server 217 maps the authentication method indication (e.g., 0, 1, 6, etc.) from the NAI to indicate the authentication method to AUSF 223, such as authentication method = EAP-AKA'. The interface between the 3GPP AAA server 217 and AUSF 223 can be a service-based interface (“SBI”) or an AAA interface, and therefore, the 3GPP AAA server 217 acts as an AMF (i.e., using SBI) or AAA agent 211 (i.e., using the AAA interface). AUSF 223 further provides this instruction to UDM 221 so that the authentication method indicated is selected by UDM 221 rather than another local standard based on UDM 221. AUSF 223 authenticates UE205 instead of 3GPP AAA server 217.
[0060] Process 200 begins Figure 2AIn step 1, UE 205 establishes a Layer-2 (L2) connection with a non-3GPP access point, such as a WLAN access point, in a non-3GPP access network 207 (see message passing 225). In the case of an IEEE 802.11 WLAN, this L2 connection corresponds to an 802.11 association. The WLAN AP may broadcast a list of PLMNs, including those supported by the non-3GPP access 207, that support AAA connectivity. UE 205 is 5G capable, but the non-3GPP access 207 only advertises AAA connectivity (interoperability with EPC) for the PLMNs subscribed to by UE 205. UE 205 may connect to the WLAN AP.
[0061] In steps 2-3, the EAP procedure is initiated by a non-3GPP access point 207, such as a non-3GPP access point or WLAN AP. The EAP message is encapsulated into Layer-2 packets, for example, IEEE 802.11 / 802.1x packets. The non-3GPP access point 207 requests the UE identifier, and the UE 205 sends a Network Access Identifier (“NAI”) in response (see Message Passing 227). The UE 205 identifies the network as a network with AAA connectivity and sends its SUCI in the NAI format defined in 3GPP TS23.003 instead of the IMSI in the EAP response (see Box 229), for example:
[0062] NAI=0 <suci>@wlan.mnc <mnc>.mcc <mcc>.3gppnetwork.org
[0063] Equation 1
[0064] NAI=0 <suci>@nai.epc.mnc <mnc>.mcc <mcc>.3gppnetwork.org
[0065] Equation 2
[0066] NAI=6 <suci>@nai.epc.mnc <mnc>.mcc <mcc>.3gppnetwork.org
[0067] Equation 3
[0068] NAI = wlan.mnc <homemnc>.mcc <homemcc>.3gppnetwork.org
[0069] !6 <suci>@wlan.mnc <visitedmnc>.mcc <visitedmcc>.3gppnetwor k.org
[0070] Equation 4
[0071] Among them, the leading digit identification authentication method, for example, the leading digit 0 indicates EAP-AKA authentication and the leading digit 6 indicates EAP-AKA' authentication.
[0072] As described herein, UE 205 uses a hidden identifier SUCI as part of its NAI when connecting to a non-3GPP access network 207 using EAP-AKA, EAP-AKA', and EPC authentication, which may be required by 5G standards. The hidden identifier SUCI can be the UE's IMSI or can be derived from the UE's IMSI. In any case, as described herein, the UE's identifier is hidden, for example, encrypted, so that it is not transmitted in plaintext over the air when connecting to a 4G non-3GPP access network 207 using a 5G-capable UE.
[0073] In step 4, the non-3GPP access 207 can forward the EAP-response to the AAA agent 211 in the VPLMN 210 based on the NAI's domain or field (see Message Passing 231). The message forwarded to the AAA agent 211 may include the NAI as the username and the EAP payload, for example, SWA AAA Request (username = NAI, EAP payload).
[0074] In step 5, the AAA agent 211 in VPLMN 210 sends the EAP-response to the 3GPP AAA server 217 in HPLMN 215 based on the NAI's domain / field (see Message Passing 233). The message forwarded to the AAA agent 211 may include the NAI as the username, an identifier for the VPLMN, and an EAP payload, such as SWd AAA Request (username = NAI, visited-network-identifier, EAP payload).
[0075] In step 6A (see box 235), the 3GPP AAA server 217 detects that the identifier in the username portion of the NAI is a hidden identifier, such as SUCI, instead of IMSI. In step 6B (see box 237), the 3GPP AAA server 217 detects / determines the authentication method from the NAI, such as based on the SUCI prefix in the NAI (e.g., leading digits 0, 1, 6).
[0076] At this point, process 200 depends on the implementation of HPLMN 215 following any one of option A, option B, or option C. As depicted in Figure 2, in option A, at step A1, 3GPP AAA-server 217 sends an authentication vector request (see message 239) to HSS 219 in HPLMN 215, which has a hidden identifier, such as SUCI, as the username, and an indication of the authentication method used for the request, such as 'Authentication Method = EAP-AKA', which is derived from the SUCI prefix in NAI. The authentication vector request sent to HSS 219 may, for example, have the form SWx AAA request (username = SUCI, visited-network-identifier, number of authentication vectors, authentication method = EAP-AKA').
[0077] In step S2 (see box 241), HSS 219 detects that the username is a hidden identifier, such as SUCI, and not IMSI. In step A3 (see box 243), HSS 219 selects UDM 221, for example, based on a routing identifier such as the home network ID (e.g., MCC, MNC) of SUCI.
[0078] In step A4, HSS 219 connects to UDM 221 to request authentication vector transmission by sending an AKA-AV request with SUCI (see message 245) and an indication for the requested authentication method to UDM / SIDF 221. For example, the AKA-AV request could be Nudm_UEAuthentication_GetRequest(SUCI, service network name, RAND&AUTS, authentication request type = EAP-AKA'). In an alternative embodiment of step A4, HSS 219 connects to UDM 221 to request de-hiding of a hidden identifier, such as SUCI, by sending an identification request with SUCI to UDM / SIDF 221.
[0079] In step A5, UDM 221 verifies the AKA-AV request and queries SIDF 221 to dehide the hidden identifier, e.g., SUCI, to reveal the permanent identifier, e.g., SUPI. UDM 221 generates an AKA-AV response based on the requested authentication method, e.g., for 5GEAP-AKA' master authentication. UDM 221 may generate an EAP-AKA AV instead of an EAP-AKA' AV. UDM 221 provides (see message passing 247) the AKA-AV for EAP-AKA or EAP-AKA' in the AKA AV response to the request received in step A4 to HSS 219. For example, the EAP-AKA AV response could be Nudm_UEAuthentication_GetResponse(SUPI, authentication type = EAP-AKA', authentication vector).
[0080] In an alternative embodiment of step 5, if the identification request is sent to UDM 221 in step A4, UDM 221 verifies the request and queries SIDF 221 to dehide the hidden identifier, e.g., SUCI, to reveal the permanent identifier, e.g., SUPI, and sends SUPI to HSS 219 in the identification response to the request received in alternative step A4. UDM 221 sends the permanent identifier, e.g., SUPI, to HSS 219 in IMSI format.
[0081] In step A6, HSS 219 selects the corresponding subscriber profile, such as SUPI, based on the received permanent identifier, and generates an AKA-AV and provides the AKA-AV to 3GPP AAA server 217 (see message passing 249). The AKA-AV sent by HSS to 3GPP AAA server 217 can be an SWx AAA response (username = SUPI, result, authentication data). In this case, it is only necessary to enhance HSS 219 to communicate with UDM 221 to remove the hidden identifier, such as SUCI. HSS 219 can generate EAP-AKA'AV instead of EAP-AKA AV based on the indication for the requested authentication method.
[0082] Continue to refer to Figure 2B In step B1, in option B, the 3GPP AAA server 217 directly selects UDM 221 (see box 251) instead of HSS 219. UDM 221 can be selected based on a routing identifier, such as a hidden identifier of SUCI.
[0083] In step B2, the 3GPP AAA server 217, when using the AAA interface, sends the AKA-AV request (see message 253) directly to the UDM 221. In some implementations, if the 3GPP AAA server 217 is enhanced with a service-based interface ("SBI"), then it behaves like AUSF 223 and sends a Nudm_UEAuthentication_Get request to the UDM 221, for example, Nudm_UEAuthentication_GetRequest(SUCI, service network name, RAND&AUTS, authentication request type = EAP-AKA'). Thus, the request to the UDM 221 includes a hidden identifier, such as SUCI, and an indication of the requested authentication method, such as authentication request type = EAP-AKA'.
[0084] In step B3, UDM 221 removes the hidden identifier, e.g., SUCI, to reveal the permanent identifier, e.g., SUPI, to select the subscriber profile and generate an EAP-AKA' authentication vector similar to the 5G EAP-AKA' master authentication. UDM 221 provides (see message 255) the AKA-AV, including the permanent identifier, e.g., SUPI, back to the 3GPP AAA server 217, e.g., Nudm_UEAuthentication_GetResponse(SUPI, authentication type = EAP-AKA', authentication vector). UDM 221 can generate an EAP-AKA AV instead of the EAP-AKA' AV based on the requested authentication method from the 3GPP AAA server 217.
[0085] Now for reference Figure 2C In option C, in step C1, 3GPP AAA server 217 sends (see message passing 257) an authentication vector request to AUSF 223 containing a hidden identifier as the username, for example, username = SUCI, and an indication for the requested authentication method, for example, authentication request type = EAP-AKA'. The message depends on the interface between 3GPP AAA server 217 and AUSF 223—if 3GPP AAA server 217 hosts an SBI with AUSF 223, then 3GPP AAA server 217 sends a Nausf_UEAuthentication_Authenticate request message with the hidden identifier, for example, Nausf_UEAuthentication_Authenticate request(SUCI, service network name, authentication request type = EAP-AKA'). Alternatively, if 3GPP AAA server 217 hosts an AAA protocol interface with AUSF 223, then 3GPP AAA server 217 sends an AKA AV request to AUSF 223.
[0086] In step C2, AUSF 223 selects UDM 221, for example, a routing identifier based on SUCI, and sends (see message transmission 259) a UE authentication request to UDM / SIDF 221 with a hidden identifier, such as SUCI, and an indication for the requested authentication method. For example, AUSF 223 may send a Nudm_UEAuthentication_GetRequest message, such as Nudm_UEAuthentication_GetRequest(SUI, Serving Network Name, RAND&AUTS, Authentication Request Type = EAP-AKA').
[0087] In step C3, UDM 221 verifies the received UE authentication request and queries SIDF 221 to dehide the hidden identifier, e.g., SUCI, to reveal the permanent identifier, e.g., SUPI. UDM 221 generates AKA-AV according to the requested authentication method, e.g., for 5G EAP-AKA' primary authentication. UDM 221 can generate EAP-AKAAV instead of EAP-AKA'AV according to the requested authentication method. UDM 221 provides the authentication vector in the UE authentication response to AUSF 223 (see message passing 261). For example, UDM 221 can send a Nudm_UEAuthentication_GetResponse message, e.g., Nudm_UEAuthentication_GetResponse(SUPI, authentication type = EAP-AKA', authentication vector).
[0088] In step C4, AUSF 223 initiates authentication to UE 205 by sending an authentication response message (see Message Passing 263) to 3GPP AAA server 217. For example, AUSF 223 may send a Nausf_UEAuthentication_Authenticate response message such as Nausf_UEAuthentication_Authenticate response (Authentication Type = 'EAP-AKA', URI, authCtxld, EAP payload).
[0089] Depending on how the 3GPP AAA server 217 connects to AUSF 223, it can serve several functions. For example, if the 3GPP AAA server 217 hosts the SBI of AUSF 223, then the 3GPP AAA server 217 acts as an AMF (Advanced Management Function). In another implementation, if the 3GPP AAA server 217 hosts the AAA protocol interface of AUSF 223, then the 3GPP AAA server acts as an AAA proxy 211.
[0090] Now for reference Figure 2D This applies to each of options A, B, and C. Unless otherwise specified, process 200 in steps C5-C16 (see messages 265-287) generally follows the normal authentication process specified in subclause 6.2 of 3GPP TS 33.402v16.2.0 to authenticate UE 205 and complete the EAP authentication process. In some implementations, 3GPP AAA server 217 may function as AUSF 223 for authenticating UE 205 with 5G capability.
[0091] In step C5, the 3GPP AAA server 217 sends (see message passing 265) a response to the agent AAA 211 in the VPLMN 210, containing the username (e.g., NAI) and the EAP payload. For example, the EAP response message could be SWd AAA response (username = NAI, EAP payload).
[0092] In step C6, the proxy AAA 211 sends (see message 267) a response to the non-3GPP access 207 containing the username and payload received from the 3GPP AAA server 217, for example, a SWA AAA response (username = NAI, EAP payload).
[0093] In step C7, the non-3GPP access 207 sends an EAP payload (see message 269) to UE 205, such as an EAP-Request / AKA-Challenge. When UE 205 receives the EAP-Request / AKA-Challenge, it knows that it performs access authentication only according to subclause 6.2 of 3GPP TS 33.402, not full primary authentication for 5GC. Specifically, if the network responds with an EAP-AKA-Challenge, this indicates that the network supports hiding hidden identifiers, such as SUCI, as described above, using 3GPP AAA Server 217, HSS 219, and / or AUSF 223 connected to UDM 221. Figure 2A-2C The process flowchart is as described in the diagram. Otherwise, if the network responds with authentication rejection, the network's 4G 3GPP AAA server 217, HSS 219, and / or AUSF 223 do not understand SUCI.
[0094] In steps C8-C10, in response to receiving the challenge packet in step C7, process 200 sends a further EAP authentication message to 3GPP AAA server 217 (see messaging 271-275) for EAP authentication. In option C, at steps C11 and C12, process 200 exchanges additional authentication messages with AUSF 223 (see messaging 277-279) to continue authentication. In steps C13-C16, 3GPP AAA server 217 creates an MSK (see box 281) and sends an EAP-success flag to UE 205 (see messaging 283-287).
[0095] In steps 10A-10B, after successful authentication, for example, after receiving the EAP-success flag, the 5G UE 205 receives IP configuration access information. Secure establishment with the non-3GPP access 207 can be established using a key derived from the MSK (see message 289), for example, as part of a four-way handshake for WLAN. In some embodiments, the UE 205 may only have local IP access at the non-3GPP access 207 (see message 291) and may not have access to the 5GC.
[0096] Although Figure 2A-2D A UE 205 is depicted interacting with a 3GPP AAA server 217 in an HPLMN 215 via a proxy AAA 211 in a VPLMN 210. However, in other embodiments, the UE 205 may interact with the 3GPP AAA server 217 via a non-3GPP access 207 without using the proxy AAA 211. For example, if the UE 205 is not roaming, it may interact with the 3GPP AAA server 217 via a non-3GPP access 207 without using the proxy AAA 211.
[0097] Figure 3 An embodiment of a user equipment device 300 according to embodiments of the present disclosure is depicted. The user equipment device 300 may be an embodiment of a remote unit 105 and / or a UE 205. Furthermore, the user equipment device 300 may include a processor 305, a memory 310, an input device 315, an output device 320, and a transceiver 325. In some embodiments, the input device 315 and the output device 320 are combined into a single device, such as a touchscreen. In some embodiments, the user equipment device 300 may not include any input device 315 and / or output device 320.
[0098] As depicted, transceiver 325 includes at least one transmitter 330 and at least one receiver 335. Here, transceiver 325 communicates with a mobile core network (e.g., 7GC) via an access network. Furthermore, transceiver 325 may support at least one network interface 340. Here, at least one network interface 340 facilitates communication with AAA agent 123 or AAA server 149.
[0099] In one embodiment, processor 305 may include any known controller capable of executing computer-readable instructions and / or performing logical operations. For example, processor 305 may be a microcontroller, microprocessor, central processing unit ("CPU"), graphics processing unit ("GPU"), auxiliary processing unit, field-programmable gate array ("FPGA"), or similar programmable controller. In some embodiments, processor 305 executes instructions stored in memory 310 to perform the methods and routines described herein. Processor 305 is communicatively coupled to memory 310, input device 315, output device 320, and transceiver 325.
[0100] In various embodiments, processor 305 controls user equipment device 300 to implement the UE behavior described above. In some embodiments, processor 305 (e.g., via transceiver 325) sends a first authentication message to a network function for authentication with the mobile communication network via a non-3GPP access network. The first authentication message includes a hidden identifier for device 300. In some embodiments, processor 305 receives a second authentication message from the network function (e.g., via transceiver 325) in response to the first authentication message. Here, the second authentication message includes an authentication response based on the hidden identifier.
[0101] In a further embodiment, the processor 305 completes authentication with the mobile communication network in response to an authentication response containing a challenge packet and receives configuration information for accessing the mobile communication network in response to successful authentication with the mobile communication network.
[0102] In one embodiment, the hidden identifier sent to the network function's apparatus 300 in the first authentication message includes a subscription hidden identifier. In some embodiments, the SUCI is sent as part of the network access identifier ("NAI") for the apparatus, and the NAI has the format SUCI@realm. In one embodiment, the network function includes a proxy AAA server that forwards the NAI to the AAA server based on the NAI's domain.
[0103] In some embodiments, the configuration information for accessing the mobile communication network includes Internet Protocol ("IP") access configuration information for non-3GPP access points to access the mobile communication network. In one embodiment, in response to receiving a challenge packet, the processor 305 performs access authentication with the mobile communication network without performing full main network access layer ("NAS") authentication.
[0104] In one embodiment, in response to an authentication response received in a second authentication message that includes an authentication rejection indicator, the device 300 fails to authenticate with the mobile communication network, wherein the authentication is rejected because the network function is unable to dehide the identifier.
[0105] In various embodiments, processor 305 receives a request for an identifier for device 305 in response to the device establishing a connection with a non-3GPP access network before sending a first authentication message. In some embodiments, the mobile communication network includes a 4G non-3GPP access network with access to a 5G Unified Data Management ("UDM") server, and device 300 is 4G and 5G capable. In some embodiments, network functionality includes a 4G 3GPP AAA server in the mobile communication network. The 4G 3GPP AAA server detects the hidden identifier sent in the first authentication message from device 300.
[0106] In one embodiment, memory 310 is a computer-readable storage medium. In some embodiments, memory 310 includes volatile computer storage media. For example, memory 310 may include RAM, including dynamic RAM ("DRAM"), synchronous dynamic RAM ("SDRAM"), and / or static RAM ("SRAM"). In some embodiments, memory 310 includes non-volatile computer storage media. For example, memory 310 may include a hard disk drive, flash memory, or any other suitable non-volatile computer storage device. In some embodiments, memory 310 includes both volatile and non-volatile computer storage media.
[0107] In some embodiments, memory 310 stores data related to supporting authentication with the mobile core network using a hidden identifier, such as security keys, IP addresses, etc. In some embodiments, memory 310 also stores program code and related data, such as an operating system ("OS") or other controller algorithms and one or more software applications running on user equipment device 300.
[0108] In one embodiment, input device 315 may include any known computer input device, including a touch panel, buttons, keyboard, stylus, microphone, etc. In some embodiments, input device 315 may be integrated with output device 320, for example, as a touchscreen or similar touch-sensitive display. In some embodiments, input device 315 includes a touchscreen, allowing text to be entered using a virtual keyboard displayed on the touchscreen and / or by handwriting on the touchscreen. In some embodiments, input device 315 includes two or more different devices, such as a keyboard and a touch panel.
[0109] In one embodiment, output device 320 may include any known electronically controllable display or display device. Output device 320 is designed to output visual, auditory, and / or tactile signals. In some embodiments, output device 320 includes an electronic display capable of outputting visual data to a user. For example, output device 320 may include, but is not limited to, LCD displays, LED displays, OLED displays, projectors, or similar display devices capable of outputting images, text, etc., to a user. As another non-limiting example, output device 320 may include wearable displays, such as smartwatches, smart glasses, heads-up displays, etc. Furthermore, output device 320 may be a component of a smartphone, personal digital assistant, television, desktop computer, laptop computer, personal computer, vehicle dashboard, etc.
[0110] In some embodiments, output device 320 includes one or more speakers for generating sound. For example, output device 320 may generate an auditory alarm or notification (e.g., a buzzer or ring). In some embodiments, output device 320 includes one or more haptic devices for generating vibration, motion, or other haptic feedback. In some embodiments, all or part of output device 320 may be integrated with input device 315. For example, input device 315 and output device 320 may form a touchscreen or similar touch-sensitive display. In other embodiments, all or part of output device 320 may be located near input device 315.
[0111] As discussed above, transceiver 325 communicates with one or more network functions of a mobile communication network via one or more access networks. Transceiver 325 operates under the control of processor 305 to transmit and receive messages, data, and other signals. For example, processor 305 may selectively activate the transceiver (or a portion thereof) at specific times to send and receive messages.
[0112] Transceiver 325 may include one or more transmitters 330 and one or more receivers 335. Although only one transmitter 330 and one receiver 335 are illustrated, user equipment device 300 may have any suitable number of transmitters 330 and receivers 335. Furthermore, transmitters 330 and receivers 335 may be of any suitable type. In one embodiment, transceiver 325 includes a first transmitter / receiver pair for communicating with a mobile communication network on licensed radio spectrum and a second transmitter / receiver pair for communicating with a mobile communication network on unlicensed radio spectrum.
[0113] In some embodiments, a first transmitter / receiver pair for communicating with a mobile communication network on licensed radio spectrum and a second transmitter / receiver pair for communicating with a mobile communication network on unlicensed radio spectrum may be combined into a single transceiver unit, such as a single chip performing functions for both licensed and unlicensed radio spectrum. In some embodiments, the first transmitter / receiver pair and the second transmitter / receiver pair may share one or more hardware components. For example, certain transceivers 325, transmitters 330, and receivers 335 may be implemented as physically separate components that access shared hardware and / or software resources, such as, for example, a network interface 340.
[0114] In various embodiments, one or more transmitters 330 and / or one or more receivers 335 may be implemented and / or integrated into a single hardware component such as a multi-transceiver chip, a system-on-a-chip, an ASIC, or other types of hardware components. In some embodiments, one or more transmitters 330 and / or one or more receivers 335 may be implemented and / or integrated into a multi-chip module. In some embodiments, other components such as network interface 340 or other hardware components / circuitets may be integrated with any number of transmitters 330 and / or receivers 335 into a single chip. In such embodiments, transmitters 330 and receivers 335 may be logically configured as a transceiver 325 using a more common control signal or as modular transmitters 330 and receivers 335 implemented in the same hardware chip or multi-chip module.
[0115] Figure 4 An embodiment of a network device apparatus 400 according to embodiments of the present disclosure is depicted. In some embodiments, the network device apparatus 400 may be an embodiment of a 3GPP AAA server, HSS, AUSF, and / or UDM. Furthermore, the network device apparatus 400 may include a processor 405, a memory 410, an input device 415, an output device 420, and a transceiver 425. In some embodiments, the input device 415 and the output device 420 are combined into a single device, such as a touchscreen. In some embodiments, the network device apparatus 400 may not include any input device 415 and / or output device 420.
[0116] As depicted, transceiver 425 includes at least one transmitter 430 and at least one receiver 435. Here, transceiver 425 communicates with one or more remote units 105. Additionally, transceiver 425 may support at least one network interface 440, such as... Figure 1 The transceiver 425 is depicted as SWA, SWd, N8, and N13. In some embodiments, the transceiver 425 supports a first interface for communicating with RAN nodes, a second interface for communicating with one or more network functions in the mobile core network (e.g., 8GC), and a third interface for communicating with remote unit 105 (e.g., UE 300).
[0117] In one embodiment, processor 405 may include any known controller capable of executing computer-readable instructions and / or performing logical operations. For example, processor 405 may be a microcontroller, microprocessor, central processing unit ("CPU"), graphics processing unit ("GPU"), auxiliary processing unit, field-programmable gate array ("FPGA"), or similar programmable controller. In some embodiments, processor 405 executes instructions stored in memory 410 to perform the methods and routines described herein. Processor 405 is communicatively coupled to memory 410, input device 415, output device 420, and first transceiver 425.
[0118] In various embodiments, processor 405 controls network device apparatus 400 to implement the 3GPP AAA server behavior described above. In one embodiment, processor 405 (e.g., via transceiver 425) receives a first authentication message from a network function to authenticate remote unit 105, such as UE 300, via a non-3GPP access network and mobile communication network. Here, the first authentication message includes an identifier for remote unit 105 and an authentication type. In some embodiments, processor 405 detects that the identifier is a hidden identifier for remote unit 105. Here, the hidden identifier indicates that remote unit 105 has 5G capability.
[0119] In one embodiment, processor 405 creates an authentication vector request message that includes a hidden identifier and an authentication method. Here, the authentication type may specify the authentication method. In various embodiments, processor 405 sends the authentication vector request message to a network function (e.g., via transceiver 425). Here, the network function de-hides the hidden identifier to retrieve a permanent identifier for remote unit 105. In some embodiments, processor 405 receives an authentication vector response message from the network function. The authentication vector response message may include a permanent identifier and an authentication vector for remote unit 105.
[0120] In one embodiment, processor 405 detects a hidden identifier in the username portion of a Network Access Identifier ("NAI") received as part of a first authentication message in place of the International Mobile Subscriber Identity ("IMSI"). In some embodiments, the hidden identifier includes a Subscription Hidden Identifier ("SUCI") for remote unit 105. In various embodiments, the network function to which the authentication vector request message is sent includes a Home Subscriber Server ("HSS").
[0121] In one embodiment, the network function to which the authentication vector request message is sent includes a unified data management ("UDM") server. In some embodiments, processor 405 selects a UDM server based on routing information associated with a hidden identifier. In various embodiments, apparatus 400 is enhanced to represent an authentication server function ("AUSF") and communicates directly with the UDM server via a service-based interface ("SBI").
[0122] In one embodiment, the authentication vector request message includes a Nudm_UEAuthentication_Getrequest message in response to a device-hosted SBI for communication with the DUM and one of an Authentication and Key Protocol ("AKA") authentication vector ("AV") in response to a device-hosted AAA protocol interface with the UDM.
[0123] In some embodiments, the network function that sends the authentication vector request message includes an authentication server function ("AUSF"). In one embodiment, the authentication vector request message includes one of a Nausf_UEAuthentication_Authenticate request message (e.g., in response to a service-based interface ("SBI") hosted with AUSF, where device 400 acts as an AMF) and an Authentication and Key Protocol ("AKA") authentication vector ("AV") request message (e.g., in response to an AAA protocol interface hosted with AUSF, where device 400 acts as an AAA proxy). In some embodiments, the permanent identifier in the received authentication vector response message includes a subscription permanent identifier ("SUPI") for remote unit 105.
[0124] In various embodiments, processor 405 controls network device apparatus 400 to implement the HSS behavior described above. In one embodiment, processor 405 (e.g., via transceiver 415) receives an authentication vector request message from a first network function to authenticate remote unit 105, such as UE 300, via a non-3GPP access network and mobile communication network. Here, the authentication vector request message includes an identifier for remote unit 105 and an authentication type specifying the authentication method.
[0125] In one embodiment, the processor 405 detects that the identifier is a hidden identifier for the remote unit 105. Here, the hidden identifier indicates that the remote unit 105 has 5G capability. In a further embodiment, the processor 405 selects a second network function based on the hidden identifier. Here, the second network function is configured to remove the hidden identifier.
[0126] In some embodiments, processor 405 (e.g., via transceiver 425) sends an authentication vector request message to a second network function to request an authentication vector associated with a hidden identifier and an authentication type. In some embodiments, processor 405 receives an authentication vector response message from the second network function. Here, the authentication vector response message includes a permanent identifier and an authentication vector for remote unit 105.
[0127] In one embodiment, the first network function includes an AAA server and the second network function includes a Unified Data Management ("UDM") server. In a further embodiment, the processor 405 connects to the UDM server to dehide a hidden identifier by sending an identification request that includes the hidden identifier. In one embodiment, the processor 405 sends an Authentication and Key Protocol ("AKA") Authentication Vector ("AV") request message to the UDM server to dehide the hidden identifier.
[0128] In various embodiments, processor 405 sends an identification request message to the UDM server to remove the hidden identifier. In some embodiments, the hidden identifier in the authentication vector request message includes a subscription hidden identifier ("SUCI") for remote unit 105. In one embodiment, the permanent identifier in the received authentication vector response message includes a subscription permanent identifier ("SUPI") for remote unit 105.
[0129] In various embodiments, processor 405 controls network device apparatus 400 to implement the UDM behavior described above. In one embodiment, processor 405 (e.g., via transceiver 425) receives an authentication vector request message from a network function to authenticate remote unit 105, such as UE, 300, via a non-3GPP access network and mobile communication network. Here, the authentication vector request message includes an identifier and authentication type for remote unit 105.
[0130] In one embodiment, processor 405 detects that the identifier is a hidden identifier for remote unit 105. Here, the hidden identifier indicates that remote unit 105 is 5G capable. In various embodiments, processor 405 de-hides the hidden identifier to determine a permanent identifier for remote unit 105. In some embodiments, processor 405 creates an authentication vector response message including the de-hides permanent identifier for remote unit 105 and an authentication method, wherein the authentication type specifies the authentication method. In various embodiments, processor 405 sends the authentication vector response message to a network function (e.g., via transceiver 425).
[0131] In one embodiment, processor 405 verifies the received authentication vector request message before dehiding the hidden identifier. In some embodiments, processor 405 queries the Subscribed Identifier Dehiding Function ("SIDF") to dehide the hidden identifier. In one embodiment, the authentication vector request message further includes an authentication method. Here, processor 405 generates an authentication vector response message based on the received authentication method.
[0132] In some embodiments, the network function includes a User Server ("HSS") and the processor 405 sends a de-hiding identifier to the HSS in an identification response in response to an authentication vector request message that includes an identification request. In one embodiment, the network function includes a 3GPP AAA Server and the processor 405 sends a de-hiding identifier to the 3GPP AAA Server in an authentication vector response message. In a further embodiment, the network function includes an Authentication Server Function ("AUSF") and the processor 405 sends a de-hiding identifier to the AUSF in an authentication vector response message.
[0133] In one embodiment, the permanent identifier in the received authentication vector response message includes a subscription permanent identifier ("SUPI") for remote unit 105. In some embodiments, processor 405 formats the SUPI in the International Mobile Subscriber Identity ("IMSI") format. In one embodiment, processor 405 creates the authentication vector response message according to the authentication method specified in the authentication type in the received authentication vector request message.
[0134] In various embodiments, processor 405 controls network device apparatus 400 to implement the aforementioned AUSF behavior. In one embodiment, processor 405 (e.g., via transceiver 425) receives an authentication vector request message from a network function to authenticate remote unit 105, such as UE, 300, via a non-3GPP access network and mobile communication network. Here, the authentication vector request message includes an identifier for remote unit 105.
[0135] In one embodiment, the processor 405 detects that the identifier is a hidden identifier for the remote unit 105. Here, the hidden identifier indicates that the remote unit 105 has 5G capability. In some embodiments, the processor 405 selects the network function to remove the hidden identifier based on the routing identifier of the hidden identifier.
[0136] In one embodiment, processor 405 (e.g., via transceiver 425) sends an authentication vector request message to a network function. Here, the network function dehides a hidden identifier to retrieve a permanent identifier for remote unit 105. In a further embodiment, processor 405 receives an authentication vector response message from the network function. Here, the authentication vector response message includes a permanent identifier and an authentication vector for remote unit 105.
[0137] In one embodiment, memory 410 is a computer-readable storage medium. In some embodiments, memory 410 includes volatile computer storage media. For example, memory 410 may include RAM, including dynamic RAM ("DRAM"), synchronous dynamic RAM ("SDRAM"), and / or static RAM ("SRAM"). In some embodiments, memory 410 includes non-volatile computer storage media. For example, memory 410 may include a hard disk drive, flash memory, or any other suitable non-volatile computer storage device. In some embodiments, memory 410 includes both volatile and non-volatile computer storage media.
[0138] In some embodiments, memory 410 stores data related to supporting authentication with the mobile core network using a hidden identifier, such as security keys, IP addresses, UE context, etc. In some embodiments, memory 410 also stores program code and related data, such as an operating system ("OS") or other controller algorithms running on network device device 400, and one or more software applications.
[0139] In one embodiment, input device 415 may include any known computer input device, including a touch panel, buttons, keyboard, stylus, microphone, etc. In some embodiments, input device 415 may be integrated with output device 420, for example, as a touchscreen or similar touch-sensitive display. In some embodiments, input device 415 includes a touchscreen, allowing text to be entered using a virtual keyboard displayed on the touchscreen and / or by handwriting on the touchscreen. In some embodiments, input device 415 includes two or more different devices, such as a keyboard and a touch panel.
[0140] In one embodiment, output device 420 may include any known electronically controllable display or display device. Output device 420 may be designed to output visual, auditory, and / or tactile signals. In some embodiments, output device 420 includes an electronic display capable of outputting visual data to a user. For example, output device 420 may include, but is not limited to, LCD displays, LED displays, OLED displays, projectors, or similar display devices capable of outputting images, text, etc., to a user. As another non-limiting example, output device 420 may include wearable displays, such as smartwatches, smart glasses, heads-up displays, etc. Furthermore, output device 420 may be a component of a smartphone, personal digital assistant, television, desktop computer, laptop computer, personal computer, vehicle dashboard, etc.
[0141] In some embodiments, output device 420 includes one or more speakers for generating sound. For example, output device 420 may generate an auditory alarm or notification (e.g., a buzzer or ring). In some embodiments, output device 420 includes one or more haptic devices for generating vibration, motion, or other haptic feedback. In some embodiments, all or part of output device 420 may be integrated with input device 415. For example, input device 415 and output device 420 may form a touchscreen or similar touch-sensitive display. In other embodiments, all or part of output device 420 may be located near input device 415.
[0142] As discussed above, transceiver 425 can communicate with one or more remote units 105 and / or with one or more interoperability functions that provide access to one or more PLMNs. Transceiver 425 can also communicate with one or more network functions (e.g., in the mobile core network 140). Transceiver 425 operates under the control of processor 405 to transmit messages, data, and other signals, and also to receive messages, data, and other signals. For example, processor 405 can selectively activate the transceiver (or a portion thereof) at specific times to send and receive messages.
[0143] Transceiver 425 may include one or more transmitters 430 and one or more receivers 435. In some embodiments, one or more transmitters 430 and / or one or more receivers 435 may share transceiver hardware and / or circuitry. For example, one or more transmitters 430 and / or one or more receivers 435 may share antennas, antenna tuners, amplifiers, filters, oscillators, mixers, modulators / demodulators, power supplies, etc. In one embodiment, transceiver 425 implements multiple logical transceivers using different communication protocols or protocol stacks while using common physical hardware.
[0144] Figure 5 An embodiment of a method 500 for supporting authentication using a hidden identifier and a mobile core network, according to embodiments of the present disclosure, is described. In various embodiments, method 500 is performed by a UE such as remote unit 105, UE 205, and / or user equipment device 300 as described above. In some embodiments, method 500 is performed by a processor such as a microcontroller, microprocessor, CPU, GPU, auxiliary processing unit, FPGA, etc.
[0145] Method 500 begins by sending a first authentication message 505 to the network function to authenticate the remote unit 105 with the mobile communication network via a non-3GPP access network 207. The first authentication message includes a hidden identifier.
[0146] Method 500 includes receiving a second authentication message from network function 510 in response to a first authentication message. The second authentication message includes an authentication response based on a hidden identifier.
[0147] Method 500 completes authentication of 515 with the mobile communication network 515 in response to an authentication response including a challenge packet.
[0148] Method 500 includes receiving 520 configuration information for accessing the mobile communication network in response to successful authentication with the mobile communication network. Method 500 ends.
[0149] Figure 6 An embodiment of a method 600 for supporting authentication using a hidden identifier and a mobile core network, according to embodiments of the present disclosure, is described. In various embodiments, method 600 is performed by an AAA server such as the 3GPP AAA server 217 and / or network device device 400 described above. In some embodiments, method 600 is performed by a processor such as a microcontroller, microprocessor, CPU, GPU, auxiliary processing unit, FPGA, etc.
[0150] Method 600 begins by receiving, 605 from a network function, a first authentication message to authenticate a remote unit with the mobile communication network 105 via a non-3GPP access network 207. The first authentication message includes an identifier for the remote unit 105 and an authentication type. Method 600 includes detecting, 610, that the identifier is a hidden identifier for the remote unit 105. The hidden identifier indicates that the remote unit 105 is 5G capable.
[0151] Method 600 includes creating an authentication vector request message 615, which contains a hidden identifier and an authentication method, the authentication type specifying the authentication method. Method 600 includes sending an authentication vector request message 620 to a network function. Here, the network function de-hides the hidden identifier to retrieve a permanent identifier for the remote unit 105. Method 600 includes receiving an authentication vector response message 625 from the network function. Here, the authentication vector response message includes a permanent identifier for the remote unit 105 and an authentication vector. Method 600 ends.
[0152] Figure 7 An embodiment of a method 700 for supporting authentication using a hidden identifier and a mobile core network, according to embodiments of the present disclosure, is described. In various embodiments, method 700 is performed by an HSS such as the HSS 219 and / or the HSS of network device device 400 as described above. In some embodiments, method 700 is performed by a processor such as a microcontroller, microprocessor, CPU, GPU, auxiliary processing unit, FPGA, etc.
[0153] Method 700 begins by receiving an authentication vector request message 705 from a first network function to authenticate the remote unit 105 with the mobile communication network via a non-3GPP access network 207. Here, the authentication vector request message includes an identifier for the remote unit 105 and an authentication type specifying the authentication method.
[0154] Method 700 includes detecting 710 that the identifier is a hidden identifier for remote unit 105. The hidden identifier indicates that remote unit 105 has 5G capability. Method 700 selects a second network function based on the hidden identifier 715. Here, the second network function is configured to remove the hidden identifier.
[0155] Method 700 sends an authentication vector request message (720) to a second network function to request an authentication vector associated with a hidden identifier and an authentication type. Method 700 includes receiving an authentication vector response message (725) from the second network function. Here, the authentication vector response message includes a permanent identifier and an authentication vector for the remote unit 105. Method 700 ends.
[0156] Figure 8 An embodiment of a method 800 for supporting authentication using a hidden identifier and a mobile core network, according to embodiments of the present disclosure, is described. In various embodiments, method 800 is performed by a UDM such as the UDM 221 and / or network device device 400 described above. In some embodiments, method 800 is performed by a processor such as a microcontroller, microprocessor, CPU, GPU, auxiliary processing unit, FPGA, etc.
[0157] Method 800 begins and receives an authentication vector request message 805 from the network function to authenticate the remote unit 105 with the mobile communication network via a non-3GPP access network 207. Here, the authentication vector request message includes an identifier and authentication type for the remote unit 105. Method 800 detects 810 that the identifier is a hidden identifier for the remote unit 105. Here, the hidden identifier indicates that the remote unit is 5G capable.
[0158] Method 800 involves dehiding the hidden identifier (815) to determine a permanent identifier for remote unit 105. Method 800 includes creating (820) an authentication vector response message that includes the dehidden permanent identifier for remote unit 105 and an authentication method, wherein the authentication type specifies the authentication method. Method 800 sends the authentication vector response message (825) to the network function. Method 800 ends.
[0159] Figure 9 This description describes one embodiment of a method 900 for supporting authentication using a hidden identifier and a mobile core network, according to embodiments of the present disclosure. In various embodiments, method 900 is performed by an AUSF such as the AUSF 223 described above and / or network device device 400. In some embodiments, method 900 is performed by a processor such as a microcontroller, microprocessor, CPU, GPU, auxiliary processing unit, FPGA, etc.
[0160] Method 900 begins by receiving an authentication vector request message 905 from the network function to authenticate the remote unit 105 with the mobile communication network via a non-3GPP access network 207. Here, the authentication vector request message includes an identifier for the remote unit 105.
[0161] Method 900 includes detecting 910 that the identifier is a hidden identifier for remote unit 105. The hidden identifier indicates that remote unit 105 has 5G capability. Method 900 includes routing identifier selection 915 based on the hidden identifier for network functions that remove the hidden identifier.
[0162] Method 900 includes sending an authentication vector request message to network function 920. The network function de-hides a hidden identifier to retrieve a permanent identifier for remote unit 105. Method 900 also includes receiving an authentication vector response message from network function 925. Here, the authentication vector response message includes the permanent identifier for remote unit 105. Method 900 concludes with the authentication vector.
[0163] According to embodiments of this disclosure, a first apparatus for supporting authentication using a hidden identifier with a mobile core network is disclosed herein. The first apparatus may be implemented by a UE such as remote unit 105, UE 205, and / or user equipment apparatus 300. The first apparatus includes a transceiver that communicates with a non-3GPP access network; and a processor that establishes connectivity with a first access point in the non-3GPP access network.
[0164] Here, the processor sends a first authentication message to the network function for authentication via a non-3GPP access network and mobile communication network. The first authentication message includes a hidden identifier for the device. In some embodiments, the processor receives a second authentication message from the network function in response to the first authentication message. Here, the second authentication message includes an authentication response based on the hidden identifier.
[0165] In a further embodiment, the processor completes authentication with the mobile communication network in response to an authentication response including a challenge packet, and receives configuration information for accessing the mobile communication network in response to successful authentication with the mobile communication network.
[0166] In one embodiment, the hidden identifier for the device sent in the first authentication message to the network function includes a subscription hidden identifier. In some embodiments, the SUCI is sent as part of the network access identifier ("NAI") for the device, which has the format SUCI@realm. In one embodiment, the network function includes a proxy AAA server that forwards the NAI to the AAA server based on the domain of the NAI.
[0167] In some embodiments, the configuration information for accessing the mobile communication network includes Internet Protocol ("IP") access configuration information for non-3GPP access points to access the mobile communication network. In one embodiment, in response to receiving a challenge packet, the processor performs access authentication with the mobile communication network without performing full main network access layer ("NAS") authentication.
[0168] In one embodiment, in response to an authentication response received in a second authentication message that includes an authentication rejection indicator, the device fails to authenticate with the mobile communication network, wherein the authentication is rejected because the network function is unable to hide the hidden identifier.
[0169] In various embodiments, the processor receives a request for an identifier for the device in response to the device establishing a connection with a non-3GPP access network before sending a first authentication message. In some embodiments, the mobile communication network includes a 4G non-3GPP access network with access to a 5G Unified Data Management ("UDM") server, and the device is 4G and 5G capable. In some embodiments, network functionality includes a 4G 3GPP AAA server in the mobile communication network. The 4G 3GPP AAA server detects the hidden identifier sent from the first authentication message from the device.
[0170] According to embodiments of this disclosure, a first method for supporting authentication with a mobile core network using a hidden identifier is disclosed herein. The first method can be performed by a UE such as remote unit 105, UE 205, and / or user equipment device 300. The first method includes sending a first authentication message to a network function for authentication with a mobile communication network via a non-3GPP access network. The first authentication message includes a hidden identifier for the device. In some embodiments, the first method receives a second authentication message from the network function in response to the first authentication message. Here, the second authentication message includes an authentication response based on the hidden identifier.
[0171] In a further embodiment, the first method completes authentication with the mobile communication network in response to an authentication response including a challenge packet, and receives configuration information for accessing the mobile communication network in response to successful authentication with the mobile communication network.
[0172] In one embodiment, the hidden identifier for the device sent in the first authentication message to the network function includes a subscription hidden identifier. In some embodiments, the SUCI is sent as part of the network access identifier ("NAI") for the device, which has the format SUCI@realm. In one embodiment, the network function includes a proxy AAA server that forwards the NAI to the AAA server based on the domain of the NAI.
[0173] In some embodiments, the configuration information for accessing the mobile communication network includes Internet Protocol ("IP") access configuration information for non-3GPP access points to access the mobile communication network. In one embodiment, in response to receiving a challenge packet, a first method performs access authentication with the mobile communication network without performing full main network access layer ("NAS") authentication.
[0174] In one embodiment, in response to an authentication response including an authentication rejection indicator received in a second authentication message, the UE fails to authenticate with the mobile communication network, wherein the authentication is rejected in response to the network function's inability to hide the hidden identifier.
[0175] In various embodiments, the first method receives a request for an identifier for the device in response to the device establishing a connection with a non-3GPP access network before sending a first authentication message. In some embodiments, the mobile communication network includes a 4G non-3GPP access network with access to a 5G Unified Data Management ("UDM") server, and the device is 4G and 5G capable. In some embodiments, network functionality includes a 4G 3GPP AAA server in the mobile communication network. The 4G 3GPP AAA server detects the hidden identifier sent from the first authentication message from the device.
[0176] According to embodiments of this disclosure, a second means for supporting authentication using a hidden identifier with a mobile core network is disclosed. The second means may be implemented by an AAA server such as a 3GPP AAA server 217 and / or a network device means 400. The second means includes a network interface for communicating with a mobile communication network; and a processor for establishing connectivity with a first access point in a non-3GPP access network.
[0177] In one embodiment, the processor receives a first authentication message from a network function to authenticate a remote unit via a non-3GPP access network and a mobile communication network. Here, the first authentication message includes an identifier for the remote unit and an authentication type. In some embodiments, the processor detects that the identifier is a hidden identifier for the remote unit. Here, the hidden identifier indicates that the remote unit is 5G capable.
[0178] In one embodiment, the processor creates an authentication vector request message that includes a hidden identifier and an authentication method, wherein the authentication type specifies the authentication method. In various embodiments, the processor sends the authentication vector request message to a network function. Here, the network function de-hides the hidden identifier to retrieve a permanent identifier for the remote unit. In some embodiments, the processor receives an authentication vector response message from the network function, which includes a permanent identifier for the remote unit and an authentication vector.
[0179] In one embodiment, the processor detects a hidden identifier in the username portion of the Network Access Identifier ("NAI") received as part of a first authentication message, rather than in the International Mobile Subscriber Identifier ("IMSI"). In some embodiments, the hidden identifier includes a Subscription Hidden Identifier ("SUCI") for a remote unit. In various embodiments, the network function to which the authentication vector request message is sent includes a Home Subscriber Server ("HSS").
[0180] In one embodiment, the network function to which the authentication vector request message is sent includes a unified data management ("UDM") server. In some embodiments, the processor selects the UDM server based on routing information associated with a hidden identifier. In various embodiments, the apparatus is enhanced via a service-based interface ("SBI") to represent an authentication server function ("AUSF") and to communicate directly with the UDM server.
[0181] In one embodiment, the authentication vector request message includes one of a Nudm_UEAuthentication_Get request message in response to a device-hosted SBI for communicating with the UDM and an Authentication and Key Protocol ("AKA") authentication vector ("AV") request message in response to a device-hosted AAA protocol interface with the UDM.
[0182] In some embodiments, the network function to which the authentication vector request message is sent includes an authentication server function ("AUSF"). In one embodiment, the authentication vector request message includes one of the following: a Nausf_UEAuthentication_Authenticate request message in response to a service-based interface ("SBI") hosted by the device with AUSF, the device acting as an Access and Mobility Management function ("AMF"), and an Authentication and Key Protocol ("AKA") authentication vector ("AV") request message in response to an AAA protocol interface hosted by the device with UDM, the device acting as an AAA server. In some embodiments, the permanent identifier in the received authentication vector response message includes a subscription permanent identifier ("SUPI") for the remote unit.
[0183] According to embodiments of this disclosure, a second method for supporting authentication using a hidden identifier and a mobile core network is disclosed. The second method can be performed by an AAA server such as 3GPP AAA server 217 and / or network device device 400. In one embodiment, the second method receives a first authentication message from a network function to authenticate a remote unit via a non-3GPP access network and a mobile communication network. Here, the first authentication message includes an identifier for the remote unit. In some embodiments, the second method detects that the identifier is a hidden identifier for the remote unit and an authentication type. Here, the hidden identifier indicates that the remote unit is 5G capable.
[0184] In one embodiment, the second method creates an authentication vector request message that includes a hidden identifier and an authentication method, wherein the authentication type specifies the authentication method. In various embodiments, the second method sends the authentication vector request message to a network function. Here, the network function de-hides the hidden identifier to retrieve a permanent identifier for the remote unit. In some embodiments, the second method receives an authentication vector response message from the network function, the authentication vector response message including a permanent identifier for the remote unit and an authentication vector.
[0185] In one embodiment, the second method detects a hidden identifier in the username portion of the Network Access Identifier ("NAI") received as part of the first authentication message, rather than in the International Mobile Subscriber Identity ("IMSI"). In some embodiments, the hidden identifier includes a Subscription Hidden Identifier ("SUCI") for a remote unit. In various embodiments, the network function to which the authentication vector request message is sent includes a Home Subscriber Server ("HSS").
[0186] In one embodiment, the network function to which the authentication vector request message is sent includes a unified data management ("UDM") server. In some embodiments, the second method selects the UDM server based on routing information associated with a hidden identifier. In various embodiments, the apparatus is enhanced via a service-based interface ("SBI") to represent an authentication server function ("AUSF") and to communicate directly with the UDM server.
[0187] In one embodiment, the authentication vector request message includes one of a Nudm_UEAuthentication_Get request message in response to a device-hosted SBI for communicating with the UDM and an Authentication and Key Protocol ("AKA") authentication vector ("AV") request message in response to a device-hosted AAA protocol interface with the UDM.
[0188] In some embodiments, the network function to which the authentication vector request message is sent includes an authentication server function ("AUSF"). In one embodiment, the authentication vector request message includes one of the following: a Nausf_UEAuthentication_Authenticate request message in response to a service-based interface ("SBI") hosted by the device with AUSF, the device acting as an Access and Mobility Management function ("AMF"), and an Authentication and Key Protocol ("AKA") authentication vector ("AV") request message in response to an AAA protocol interface hosted by the device with UDM, the device acting as an AAA server. In some embodiments, the permanent identifier in the received authentication vector response message includes a subscription permanent identifier ("SUPI") for the remote unit.
[0189] According to embodiments of this disclosure, a third means for supporting authentication using a hidden identifier and a mobile core network is disclosed. The third means may be implemented by an HSS server, such as HSS 219 and / or network device device 400. The third means includes a network interface that communicates with a mobile communication network; and a processor that receives an authentication vector request message from a first network function to authenticate a remote unit with the mobile communication network via a non-3GPP access network. Here, the authentication vector request message includes an identifier for the remote unit and an authentication type specifying the authentication method.
[0190] In one embodiment, the processor detects that the identifier is a hidden identifier for a remote unit. Here, the hidden identifier indicates that the remote unit has 5G capability. In a further embodiment, the processor selects a second network function based on the hidden identifier. Here, the second network function is configured to remove the hidden identifier.
[0191] In some embodiments, the processor sends an authentication vector request message to a second network function to request an authentication vector associated with a hidden identifier and an authentication type. In some embodiments, the processor receives an authentication vector response message from the second network function. Here, the authentication vector response message includes a permanent identifier and an authentication vector for the remote unit.
[0192] In one embodiment, the first network function includes an AAA server and the second network function includes a Unified Data Management ("UDM") server. In a further embodiment, the processor connects to the UDM server to dehide a hidden identifier by sending an identification request that includes the hidden identifier. In one embodiment, the processor sends an Authentication and Key Protocol ("AKA") Authentication Vector ("AV") request message to the UDM server to dehide the hidden identifier.
[0193] In various embodiments, the processor sends an identification request message to the UDM server to remove the hidden identifier. In some embodiments, the hidden identifier in the authentication vector request message includes a subscription hidden identifier ("SUCI") for the remote unit. In one embodiment, the permanent identifier in the received authentication vector response message includes a subscription permanent identifier ("SUPI") for the remote unit.
[0194] According to embodiments of this disclosure, a third method for supporting authentication using a hidden identifier and a mobile core network is disclosed herein. The third method can be performed by an HSS server, such as HSS 219 and / or network device apparatus 400. In one embodiment, the third method receives an authentication vector request message from a first network function to authenticate a remote unit via a non-3GPP access network and a mobile communication network. Here, the authentication vector request message includes an identifier for the remote unit and an authentication type specifying the authentication method.
[0195] In one embodiment, the third method detects that the identifier is a hidden identifier for a remote unit. Here, the hidden identifier indicates that the remote unit has 5G capability. In a further embodiment, the third method selects a second network function based on the hidden identifier and the authentication type. Here, the second network function is configured to de-hide the hidden identifier.
[0196] In some embodiments, the third method sends an authentication vector request message to the second network function to request an authentication vector associated with a hidden identifier. In some embodiments, the third method receives an authentication vector response message from the second network function. Here, the authentication vector response message includes a permanent identifier for the remote unit and an authentication vector.
[0197] In one embodiment, the first network function includes an AAA server and the second network function includes a Unified Data Management ("UDM") server. In a further embodiment, a third method connects to the UDM server to dehide a hidden identifier by sending an identification request that includes the hidden identifier. In one embodiment, the third method sends an Authentication and Key Protocol ("AKA") Authentication Vector ("AV") request message to the UDM server to dehide the hidden identifier.
[0198] In various embodiments, the third method sends an identification request message to the UDM server to remove the hidden identifier. In some embodiments, the hidden identifier in the authentication vector request message includes a subscription hidden identifier ("SUCI") for the remote unit. In one embodiment, the permanent identifier in the received authentication vector response message includes a subscription permanent identifier ("SUPI") for the remote unit.
[0199] According to embodiments of this disclosure, a fourth means for supporting authentication with a mobile core network using a hidden identifier is disclosed herein. The fourth means may be implemented by a UDM such as UDM 221 and / or network device means 400. The fourth means includes a network interface that communicates with a mobile communication network; and a processor that receives authentication vector request messages from network functions to authenticate a remote unit with the mobile communication network via a non-3GPP access network. Here, the authentication vector request message includes an identifier and authentication type for the remote unit.
[0200] In one embodiment, the processor detects that the identifier is a hidden identifier for a remote unit. Here, the hidden identifier indicates that the remote unit is 5G capable. In various embodiments, the processor dehides the hidden identifier to determine a permanent identifier for the remote unit. In some embodiments, the processor creates an authentication vector response message that includes the dehides permanent identifier for the remote unit and an authentication method, wherein the authentication type specifies the authentication method. In various embodiments, the processor sends the authentication vector response message to the network function.
[0201] In one embodiment, the processor verifies the received authentication vector request message before dehiding the hidden identifier. In some embodiments, the processor queries the Subscribe Identifier Dehiding Function ("SIDF") to dehide the hidden identifier. In one embodiment, the authentication vector request message further includes an authentication method. Here, the processor generates an authentication vector response message based on the received authentication method.
[0202] In some embodiments, the network function includes a User Server ("HSS"), and the processor sends a de-hiding identifier to the HSS in an identification response in response to an Authentication Vector Request message that includes an identification request. In one embodiment, the network function includes a 3GPP AAA Server, and the processor sends a de-hiding identifier to the 3GPP AAA Server in an Authentication Vector Response message. In a further embodiment, the network function includes an Authentication Server Function ("AUSF"), and the processor sends a de-hiding identifier to the AUSF in an Authentication Vector Response message.
[0203] In one embodiment, the permanent identifier in the received authentication vector response message includes a subscription permanent identifier ("SUPI") for the remote unit. In some embodiments, the processor formats the SUPI in the International Mobile Subscriber Identity ("IMSI") format. In one embodiment, the processor creates the authentication vector response message according to the authentication method specified in the received authentication vector request message.
[0204] According to embodiments of this disclosure, a fourth method for supporting authentication using a hidden identifier and a mobile core network is disclosed herein. The fourth method can be performed by a UDM such as UDM 221 and / or network device device 400. In one embodiment, the fourth method receives an authentication vector request message from a network function to authenticate a remote unit via a non-3GPP access network and a mobile communication network. Here, the authentication vector request message includes an identifier and authentication type for the remote unit.
[0205] In one embodiment, the fourth method detects that the identifier is a hidden identifier for the remote unit. Here, the hidden identifier indicates that the remote unit is 5G capable. In various embodiments, the fourth method dehides the hidden identifier to determine a permanent identifier for the remote unit. In some embodiments, the fourth method creates an authentication vector response message that includes the dehides permanent identifier for the remote unit and an authentication method, wherein the authentication type specifies the authentication method. In various embodiments, the fourth method sends the authentication vector response message to the network function.
[0206] In one embodiment, the fourth method verifies the received authentication vector request message before dehiding the hidden identifier. In some embodiments, the fourth method queries the Subscribe Identifier Dehiding Function ("SIDF") to dehide the hidden identifier. In one embodiment, the authentication vector request message further includes an authentication method. Here, the fourth method generates an authentication vector response message based on the received authentication method.
[0207] In some embodiments, the network function includes a User Server ("HSS") and the processor sends a de-hiding identifier to the HSS in an identification response in response to an Authentication Vector Request message that includes an identification request. In one embodiment, the network function includes a 3GPP AAA Server, and a fourth method sends a de-hiding identifier to the 3GPP AAA Server in an Authentication Vector Response message. In a further embodiment, the network function includes an Authentication Server Function ("AUSF") and a fourth method sends a de-hiding identifier to the AUSF in an Authentication Vector Response message.
[0208] In one embodiment, the permanent identifier in the received authentication vector response message includes a subscription permanent identifier ("SUPI") for the remote unit. In some embodiments, the fourth method formats the SUPI in the International Mobile Subscriber Identity ("IMSI") format.
[0209] According to embodiments of this disclosure, a fifth means for supporting authentication with a mobile core network using a hidden identifier is disclosed herein. The fifth means may be implemented by an AUSF such as AUSF 223 and / or network device means 400. The fifth means includes a network interface that communicates with a mobile communication network; and a processor that receives an authentication vector request message from a network function to authenticate a remote unit with the mobile communication network via a non-3GPP access network. Here, the authentication vector request message includes an identifier for the remote unit.
[0210] In one embodiment, the processor detects that the identifier is a hidden identifier for a remote unit. Here, the hidden identifier indicates that the remote unit is 5G capable. In some embodiments, the processor selects the network function to remove the hidden identifier based on the routing identifier of the hidden identifier.
[0211] In one embodiment, the processor sends an authentication vector request message to the network function. Here, the network function de-hides a hidden identifier to retrieve a permanent identifier for the remote unit. In a further embodiment, the processor receives an authentication vector response message from the network function. Here, the authentication vector response message includes a permanent identifier for the remote unit and an authentication vector.
[0212] According to embodiments of this disclosure, a fifth method for supporting authentication using a hidden identifier and a mobile core network is disclosed herein. The fifth method can be performed by an AUSF such as AUSF 223 and / or network device apparatus 400. In one embodiment, the fifth method receives an authentication vector request message from a network function to authenticate a remote unit via a non-3GPP access network and a mobile communication network. Here, the authentication vector request message includes an identifier for the remote unit.
[0213] In one embodiment, the fifth method detects that the identifier is a hidden identifier for a remote unit. Here, the hidden identifier indicates that the remote unit has 5G capability. In some embodiments, the fifth method selects the network function used to remove the hidden identifier based on the routing identifier of the hidden identifier.
[0214] In one embodiment, the fifth method sends an authentication vector request message to the network function. Here, the network function de-hides the hidden identifier to retrieve a permanent identifier for the remote unit. In a further embodiment, the fifth method receives an authentication vector response message from the network function. Here, the authentication vector response message includes a permanent identifier for the remote unit and an authentication vector.
[0215] The embodiments may be practiced in other specific forms. The described embodiments are to be considered illustrative in all respects and not restrictive. Therefore, the scope of the invention is indicated by the appended claims rather than by the foregoing description. All variations within the meaning and scope of the claims should be covered within their scope.< / visitedmcc> < / visitedmnc> < / suci> < / homemcc> < / homemnc> < / mcc> < / mnc> < / suci> < / mcc> < / mnc> < / suci> < / mcc> < / mnc> < / suci>
Claims
1. An apparatus, the apparatus being configured to: Sending a first authentication message to a network function via a non-3GPP access network, wherein the first authentication message includes a hidden identifier, and wherein the network function includes a 4G Home Subscriber Server (HSS). In response to the first authentication message, a second authentication message is received from the network function, wherein the second authentication message includes an authentication response based on the de-hiding of the hidden identifier by the Unified Data Management / Subscription Identifier De-hiding Function (UDM / SIDF); and In response to successful authentication with the network, configuration information for accessing the mobile network is received, wherein the mobile network includes a 4G non-3GPP access network, and wherein the device is capable of accessing multiple access networks.
2. The apparatus according to claim 1, wherein, The hidden identifier includes the subscription hidden identifier SUCI.
3. The apparatus according to claim 2, wherein, The SUCI is sent as part of the Network Access Identifier (NAI).
4. The apparatus according to claim 1, wherein, The configuration information includes Internet Protocol (IP) access information for accessing non-3GPP access point (AP).
5. The apparatus according to claim 1, wherein, In response to receiving a challenge packet, the device is further configured to perform access authentication with the mobile network without performing full main network access layer (NAS) authentication.
6. The apparatus according to claim 1, wherein, The device is configured to: in response to a received second authentication message, determine a failed authentication with the mobile network.
7. The apparatus according to claim 1, wherein, The device is also configured to receive a request for an identifier for the device in response to the device establishing a connection with the non-3GPP access network before sending the first authentication message.
8. An apparatus, the apparatus being configured to: Receive a first authentication message from a network function to authenticate a user equipment (UE) with a mobile network via a non-3GPP access network, wherein the first authentication message includes an identifier for the UE, and wherein the network function includes a 4G 3GPP AAA server. The identifier is detected to be a hidden identifier for the UE, wherein the hidden identifier indicates that the UE supports 5G capability; An authentication request message is sent to the Unified Data Management (UDM) server, wherein the authentication request message includes the hidden identifier; and The device receives an authentication response message from the UDM, wherein the authentication response message includes a permanent identifier for the UE, wherein the mobile network includes a 4G non-3GPP access network, and wherein the device is capable of accessing multiple access networks.
9. The apparatus according to claim 8, wherein, The apparatus is configured to detect the hidden identifier in a portion of the Network Access Identifier (NAI) received as part of the first authentication message.
10. The apparatus according to claim 9, wherein, The hidden identifier includes the subscription hidden identifier SUCI.
11. The apparatus according to claim 8, wherein, The device is configured to select the UDM server based on routing information associated with the hidden identifier.
12. The apparatus according to claim 8, wherein, The device is configured to represent the Authentication Server Function (AUSF) via a service-based interface (SBI) and communicate directly with the UDM server.
13. The apparatus according to claim 12, wherein, The authentication request message includes one of the following: Nudm_UEAuthentication_Get request message; or Authentication and Key Protocol AKA Authentication Vector AV Request Message.
14. The apparatus according to claim 8, wherein, The network functionality includes the Authentication Server Function (AUSF).
15. The apparatus according to claim 14, wherein, The authentication request message includes one of the following: Nausf_UEAuthentication_Authenticate request message; or Authentication and Key Protocol AKA Authentication Vector AV Request Message.
16. An apparatus comprising: The authentication request message is received from a first network function to authenticate a user equipment (UE) with a mobile network via a non-3GPP access network, wherein the authentication request message includes an identifier for the UE, and wherein the first network function includes a 4G3GPP AAA server. The identifier is detected to be a hidden identifier for the UE, wherein the hidden identifier indicates that the UE supports 5G capability; A second network function is selected based on the hidden identifier, wherein the second network function includes the Unified Data Management / Subscription Identifier Dehiding Function (UDM / SIDF). Send the authentication request message to the second network function; as well as The device receives an authentication response message from the second network function, wherein the authentication response message includes a permanent identifier and an authentication vector for the UE, wherein the mobile network includes a 4G non-3GPP access network, and wherein the device is capable of accessing multiple access networks.
17. An apparatus configured to: The network function receives an authentication request message to authenticate a user equipment (UE) with a mobile network via a non-3GPP access network, wherein the authentication request message includes an identifier for the UE, and wherein the network function includes a 4G 3GPP AAA server. The identifier is detected to be a hidden identifier for the UE, wherein the hidden identifier indicates that the UE supports 5G capability; Remove the hidden identifier to determine a permanent identifier for the UE; Create an authentication response message that includes the de-hidden identifier for the UE; as well as Send the authentication response message to the network function, wherein the mobile network includes a 4G non-3GPP access network, and wherein the device is a Uniform Data Management / Subscription Identifier De-hiding Function (UDM / SIDF) device.