Authentication method and apparatus

By generating detection rules and instructing network nodes to process application data, the problem of APP information being stolen or tampered with is solved, improving network security and operational efficiency.

CN115996378BActive Publication Date: 2026-07-14HUAWEI TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
HUAWEI TECH CO LTD
Filing Date
2021-10-20
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

When multiple applications are associated with network slices, existing technologies make it easy for APP information to be stolen or tampered with, resulting in poor network security and low operating efficiency.

Method used

By receiving application information from terminal devices, sending application information to authentication devices, and receiving authentication results to generate detection rules, network nodes are instructed to perform forwarding or discarding operations on data from different applications, ensuring that network resources are not abused even if application information is stolen or tampered with.

Benefits of technology

It improves network security and operational efficiency, ensures the legitimate use of application information, and prevents the abuse of network resources.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115996378B_ABST
    Figure CN115996378B_ABST
Patent Text Reader

Abstract

The application provides an authentication method and device, which can solve the problem that APP information is easily stolen or tampered with, thereby improving network security and operation efficiency, and can be applied to a communication system such as Internet of Vehicles, V2X, 5G, 6G, etc. The method comprises the following steps: a first network element receives application information from a terminal device, and forwards the application information to an authentication device, and then receives an authentication result from the authentication device, thereby completing secondary authentication based on the application information. The authentication result is determined according to the application information, and is used to generate a detection rule, and the detection rule is used to perform a forwarding or discarding operation on data of an application corresponding to the application information.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of communications, and more particularly to an authentication method and apparatus. Background Technology

[0002] When multiple applications (APPs) are running associated with a network slice, they can establish new packet data unit (PDU) sessions based on user equipment route selection policy (URSP) rules, or choose an existing PDU session to associate with the network slice. For example, assuming that APP1 and APP2 are both allowed to use network slice 1, APP1 has already passed network slice-specific authentication and authorization (NSSAA), and APP1 can be associated with network slice 1 through a newly created PDU session 1, then no further authentication is required for APP2, and it can be associated with network slice 1 through PDU session 1.

[0003] In this situation, various information of the APP can be easily stolen or tampered with, leading to the problem of abuse of network slice resources / data network resources, poor network security, and low operating efficiency. Summary of the Invention

[0004] This application provides an authentication method and apparatus that can solve the problem of APP information being easily stolen or tampered with, thereby improving network security and operational efficiency.

[0005] To achieve the above objectives, this application adopts the following technical solution:

[0006] Firstly, an authentication method is provided, applied to a first network element. The method includes: receiving application information from a terminal device, sending the application information to an authentication device, and then receiving an authentication result from the authentication device. The authentication result is determined based on the application information, and is used to generate detection rules. These detection rules are used to perform forwarding or discarding operations on the data of the application corresponding to the application information.

[0007] Based on the authentication methods described in the first to the third aspects below, the authentication device can perform authentication operations on each application corresponding to any application information according to the application information. In this way, the first network element can customize detection rules for each application based on the authentication result and instruct each network node on the data transmission path to perform forwarding or discarding operations on the data of each application corresponding to different application information based on the customized detection rules. For example, forwarding the data of successfully authenticated applications and discarding the data of applications that failed authentication, to ensure that even if application information is stolen or tampered with, network resources will not be abused, thereby improving network security and operational efficiency.

[0008] In one possible design, the application information includes application identification information, and the authentication result includes application identification information. The application identification information may include one or more of the following: application identifier, Internet Protocol (IP) 5-tuple, application name, etc. This information can be used to perform authentication operations on applications, and based on the authentication results, customized detection rules can be created for each application to provide differentiated data transmission services for different applications. For example, data from authenticated applications can be forwarded, or data from unauthenticated applications can be discarded, thereby improving network security and operational efficiency.

[0009] Optionally, the application information also includes application authentication information. This application authentication information may include one or more of the following: username, password, certificate information, etc., which, together with application identification information, can be used by the authentication device to perform authentication operations on the application, thereby improving the reliability of the authentication results and further enhancing network security and operational efficiency.

[0010] In this application, the authentication result can be indicated implicitly or explicitly. Examples are given below.

[0011] For example, the authentication result also includes authentication indication information, which is used to indicate whether the authentication operation of the application corresponding to the application information was successful.

[0012] Alternatively, the authentication result may not include authentication instructions but instead include application identification information. In this case, the application identification information in the authentication result can be understood as one of the following: all applications corresponding to each application identification information are assumed to have passed authentication by default; all applications corresponding to each application identification information are assumed to have failed authentication by default; or some applications corresponding to some application identification information are assumed to have passed authentication by default, while applications corresponding to other application identification information are assumed to have failed authentication by default. These two parts of application identification information can be placed in different locations within the authentication result, such as different fields or information elements (IEs), to distinguish them.

[0013] In one possible design, the first network element can be an access and mobility management network element. Accordingly, the method described in the first aspect may further include: the access and mobility management network element sending authentication results to the session management network element, so that the session management network element can determine the detection rules itself, or request the policy control network element to determine the detection rules, thereby enabling differentiated data transmission services for applications corresponding to different application information.

[0014] In another possible design, the first network element can be a session management network element. Accordingly, the method described in the first aspect may further include: the session management network element determining detection rules based on the authentication result and sending the detection rules to the user plane network element.

[0015] Similarly, the session management network element can determine the detection rules on its own or request the policy control network element to determine the detection rules, thereby enabling the provision of differentiated data transmission services for applications corresponding to different application information.

[0016] Optionally, the session management network element determines the detection rules based on the authentication results, specifically including: the session management network element sending the authentication results to the policy control network element and receiving the detection rules from the policy control network element, thereby enabling differentiated data transmission services for applications corresponding to different application information.

[0017] Secondly, an authentication method is provided, applied to an authentication device. The method includes: acquiring application information, wherein the application information is used to determine the authentication result; and sending the authentication result to a first network element. The authentication result is used to determine detection rules, which are used to perform forwarding or discarding operations on the data of the application corresponding to the application information.

[0018] In one possible design, the application information includes application identification information, and the authentication result includes application identification information.

[0019] Optionally, the application information may also include application authentication information.

[0020] Optionally, the authentication result may also include authentication indication information, which is used to indicate whether the authentication operation of the application corresponding to the application information was successful.

[0021] In one possible design, obtaining application information specifically includes receiving application information from the first network element.

[0022] Thirdly, an authentication method is provided, applied to a terminal device. This method includes sending application information to a first network element. The application information is used to determine the authentication result, the authentication result is used to generate detection rules, and the detection rules are used to perform forwarding or discarding operations on the data of the application corresponding to the application information.

[0023] In one possible design, the application information includes application identification information, and the authentication result includes application identification information.

[0024] Optionally, the application information may also include application authentication information.

[0025] Optionally, the authentication result may also include authentication indication information, which is used to indicate whether the authentication operation of the application corresponding to the application information was successful.

[0026] In one possible design, the method described in the third aspect further includes: receiving the authentication result from the first network element.

[0027] Furthermore, the technical effects of the authentication methods described in the second and third aspects can be referred to the technical effects of the authentication methods described in the first aspect, and will not be repeated here.

[0028] Fourthly, an authentication device is provided, which can be applied to a first network element. The device includes a receiving module and a sending module. The receiving module is used to receive application information from a terminal device. The sending module is used to send the application information to the authentication device. The receiving module is also used to receive the authentication result from the authentication device. The authentication result is determined based on the application information, and the authentication result is used to generate detection rules. The detection rules are used to perform forwarding or discarding operations on the data of the application corresponding to the application information.

[0029] In one possible design, the application information includes application identification information, and the authentication result includes application identification information.

[0030] Optionally, the application information may also include application authentication information.

[0031] Optionally, the authentication result may also include authentication indication information, which is used to indicate whether the authentication operation of the application corresponding to the application information was successful.

[0032] In one possible design, the first network element can be an access and mobility management network element. Correspondingly, the sending module is also used to send the authentication result to the session management network element.

[0033] In another possible design, the first network element can be a session management network element. Accordingly, the apparatus described in the fourth aspect further includes a processing module. The processing module is used to determine detection rules based on the authentication result. The sending module is also used to send the detection rules to the user plane network element.

[0034] Optionally, the sending module is also used to send authentication results to the policy control network element. The receiving module is also used to receive detection rules from the policy control network element.

[0035] Optionally, the receiving module and the transmitting module can also be integrated into a single module, such as a transceiver module. The transceiver module is used to implement the transceiver functions of the device described in the fourth aspect.

[0036] Optionally, the authentication device described in the fourth aspect may further include a storage module storing computer programs or instructions. When the processing module executes the computer program or instructions, the authentication device can perform the authentication method described in the first aspect.

[0037] Optionally, the authentication device described in the fourth aspect may be a first network element, such as an access and mobility management network element or a session management network element, or it may be a chip (system) or other component or assembly that can be set in the first network element, or it may be a device or system that includes the first network element. This application does not limit this.

[0038] Fifthly, an authentication device is provided, applied to an authentication equipment. The device includes an acquisition module and a transmission module. The acquisition module is used to acquire application information, which is used to determine the authentication result. The transmission module is used to send the authentication result to a first network element. The authentication result is used to determine detection rules, which are used to perform forwarding or discarding operations on the data of the application corresponding to the application information.

[0039] In one possible design, the application information includes application identification information, and the authentication result includes application identification information.

[0040] Optionally, the application information may also include application authentication information.

[0041] Optionally, the authentication result may also include authentication indication information, which is used to indicate whether the authentication operation of the application corresponding to the application information was successful.

[0042] In one possible design, the apparatus described in the fifth aspect further includes a receiving module. The receiving module is used to receive application information from the first network element.

[0043] Optionally, the acquisition module may have a receiving function, and this receiving function and the sending module may also be integrated into a single module, such as a transceiver module. The transceiver module is used to implement the transceiver functions of the device described in the fifth aspect.

[0044] Optionally, the acquisition module may also have processing functions, such as accessing local storage space. These processing functions may also be integrated with other processing functions of the device described in the fifth aspect into a single module, such as a processing module. The processing module is used to implement the processing functions of the device.

[0045] Optionally, the authentication device described in the fifth aspect may further include a storage module storing computer programs or instructions. When the processing module executes the computer program or instructions, the authentication device can perform the authentication method described in the second aspect.

[0046] Optionally, the authentication device described in the fifth aspect may be an authentication equipment, or a chip (system) or other component or assembly that can be set in the authentication equipment, or a device or system that includes the authentication equipment. This application does not limit this.

[0047] Sixthly, an authentication device is provided, applicable to terminal equipment. The device includes a sending module. The sending module is used to send application information to a first network element. The application information is used to determine the authentication result, the authentication result is used to generate detection rules, and the detection rules are used to perform forwarding or discarding operations on the data of the application corresponding to the application information.

[0048] In one possible design, the application information includes application identification information, and the authentication result includes application identification information.

[0049] Optionally, the application information may also include application authentication information.

[0050] Optionally, the authentication result may also include authentication indication information, which is used to indicate whether the authentication operation of the application corresponding to the application information was successful.

[0051] In one possible design, the apparatus described in the sixth aspect further includes a receiving module. The receiving module is used to receive the authentication result from the first network element.

[0052] Optionally, the receiving module and the transmitting module can also be integrated into a single module, such as a transceiver module. The transceiver module is used to implement the transceiver functions of the device described in the sixth aspect.

[0053] Optionally, the apparatus described in the sixth aspect may further include a processing module. The processing module is used to implement the processing functions of the apparatus.

[0054] Optionally, the authentication device described in the sixth aspect may further include a storage module storing computer programs or instructions. When the processing module executes the computer program or instructions, the authentication device can perform the authentication method described in the third aspect.

[0055] Optionally, the authentication device described in the sixth aspect may be a terminal device, or a chip (system) or other component or assembly that can be disposed in the terminal device, or a device or system that includes the terminal device. This application does not limit this.

[0056] A seventh aspect provides an authentication device. This authentication device is used to perform the authentication method described in any one of the first to third aspects.

[0057] The authentication device described in the seventh aspect includes modules, units, or means that implement the authentication methods described in any one of the first to third aspects. These modules, units, or means can be implemented in hardware, software, or by hardware executing corresponding software. The hardware or software includes one or more modules or units for performing the functions involved in the aforementioned authentication methods.

[0058] Eighthly, an authentication apparatus is provided. The authentication apparatus includes a processor configured to execute the authentication method described in any one of the first to third aspects.

[0059] In one possible design, the authentication device described in the eighth aspect may further include a transceiver. This transceiver may be a transceiver circuit or an interface circuit. The transceiver can be used for communication between the authentication device described in the eighth aspect and other devices.

[0060] In one possible design, the authentication device described in the eighth aspect may further include a memory. This memory may be integrated with the processor or disposed separately. The memory may be used to store computer programs and / or data related to the authentication methods described in any of the first to third aspects.

[0061] A ninth aspect provides an authentication apparatus. The authentication apparatus includes a processor coupled to a memory, the processor executing a computer program stored in the memory, such that the authentication apparatus performs the authentication method described in any one of the first to third aspects.

[0062] In one possible design, the authentication device described in the ninth aspect may further include a transceiver. The transceiver may be a transceiver circuit or an interface circuit. The transceiver can be used for communication between the authentication device described in the ninth aspect and other devices.

[0063] In one possible design, the authentication device described in the ninth aspect may further include a memory. This memory may be integrated with the processor or disposed separately. The memory may be used to store computer programs and / or data related to the authentication methods described in any of the first to third aspects.

[0064] A tenth aspect provides an authentication apparatus, comprising: a processor and a memory; the memory being used to store a computer program, which, when executed by the processor, causes the authentication apparatus to perform the authentication method described in any one of the first to third aspects.

[0065] Optionally, the memory can be integrated with the processor or disposed separately. The memory can be used to store computer programs and / or data related to the authentication methods described in any of the first to third aspects.

[0066] In one possible design, the authentication device described in the tenth aspect may further include a transceiver. The transceiver may be a transceiver circuit or an interface circuit. The transceiver can be used for communication between the authentication device described in the tenth aspect and other authentication devices.

[0067] Eleventhly, an authentication apparatus is provided, comprising: a processor; the processor being configured to be coupled to a memory, and, after reading a computer program from the memory, to execute an authentication method as described in any one of the first to third aspects according to the computer program.

[0068] Optionally, the memory can be integrated with the processor or disposed separately. The memory can be used to store computer programs and / or data related to the authentication methods described in any of the first to third aspects.

[0069] In one possible design, the authentication device described in the eleventh aspect may further include a transceiver. This transceiver may be a transceiver circuit or an interface circuit. The transceiver can be used for communication between the authentication device described in the eleventh aspect and other devices.

[0070] Optionally, the authentication device described in the seventh to eleventh aspects above may be the first network element, authentication device, or terminal device, or it may be a chip (system) or other component or assembly that can be disposed in the first network element, authentication device, or terminal device, or it may be a device or system that includes the first network element, authentication device, or terminal device. This application does not limit this.

[0071] Furthermore, the technical effects of the authentication devices described in aspects four through eleven above can be referenced to the technical effects of the authentication method described in aspect one above, and will not be repeated here.

[0072] In a twelfth aspect, a communication system is provided. The communication system includes a first network element, an authentication device, and a terminal device.

[0073] In a thirteenth aspect, a computer-readable storage medium is provided, storing a computer program or instructions; when the computer program or instructions are run on a computer, the computer causes the computer to perform the authentication method described in any one of the first to third aspects.

[0074] Fourteenth aspect: A computer program product is provided, including a computer program or instructions that, when run on a computer, cause the computer to perform the authentication method described in any one of the first to third aspects. Attached Figure Description

[0075] Figure 1 Select an example for an existing PDU session;

[0076] Figure 2 This is a schematic diagram of the existing secondary authentication process based on network slice authentication. Figure 1 ;

[0077] Figure 3 This is a schematic diagram of the existing secondary authentication process based on network slice authentication. Figure 2 ;

[0078] Figure 4 This is a schematic diagram of the existing secondary authentication process based on PDU session flow;

[0079] Figure 5 Schematic diagram of the communication system architecture provided in the embodiments of this application Figure 1 ;

[0080] Figure 6 Schematic diagram of 5G system architecture Figure 1 ;

[0081] Figure 7 Schematic diagram of 5G system architecture Figure 2 ;

[0082] Figure 8 Schematic diagram of 5G system architecture Figure 3 ;

[0083] Figure 9 Schematic diagram of 5G system architecture Figure 4 ;

[0084] Figure 10 Schematic diagram of 5G system architecture Figure 5 ;

[0085] Figure 11 Schematic diagram of 5G system architecture Figure 6 ;

[0086] Figure 12 Flowchart of the authentication method provided in the embodiments of this application Figure 1 ;

[0087] Figure 13 Flowchart of the authentication method provided in the embodiments of this application Figure 2 ;

[0088] Figure 14Flowchart of the authentication method provided in the embodiments of this application Figure 3 ;

[0089] Figure 15 Flowchart of the authentication method provided in the embodiments of this application Figure 4 ;

[0090] Figure 16 Flowchart of the authentication method provided in the embodiments of this application Figure 5 ;

[0091] Figure 17 Schematic diagram of the authentication device provided in the embodiments of this application Figure 1 ;

[0092] Figure 18 Schematic diagram of the authentication device provided in the embodiments of this application Figure 2 ;

[0093] Figure 19 Schematic diagram of the authentication device provided in the embodiments of this application Figure 3 ;

[0094] Figure 20 Schematic diagram of the authentication device provided in the embodiments of this application Figure 4 . Detailed Implementation

[0095] First, let's introduce the technical terms used in the embodiments of this application.

[0096] 1. URSP

[0097] In 5G mobile communication, user equipment (UE) related policy information is introduced, such as the user equipment route selection policy (URSP). The UE acts as the executor of this policy, selecting a suitable PDU session for the service flow. In other words, some services have certain requirements regarding the data network (DN), network slice, and session and service continuity mode (SSC) used by the PDU session. The UE can use this policy to determine whether a detected application (APP) can be associated with an established PDU session, whether it can be offloaded to a non-3GPP access outside the PDU session, or whether it can trigger the establishment of a new PDU session.

[0098] URSP is typically sent to the UE via the following path: PCF->AMF->UE. Here, PCF stands for Policy Control Function (PCF), and AMF stands for Access and Mobility Management Function (AMF).

[0099] Specifically, the PCF can generate the above URSP rules based on the contract information (whether the slice / DNN needs secondary authentication, whether a certain application needs secondary authentication of the slice / DNN, etc.) or the information reported by the AMF and SMF (whether the slice / DNN needs secondary authentication, whether a certain application needs secondary authentication of the slice / DNN, etc.), and then send them to the AMF.

[0100] URSP execution: This is performed by the UE and may trigger the establishment or modification of a PDU session. For example, if there is no PDU session that meets the requirements, the UE will initiate the PDU session establishment process; if there is a session that meets the requirements, it may directly use an existing PDU session.

[0101] URSP consists of one or more URSP rules. A URSP rule mainly comprises two parts: a traffic descriptor and a route selection descriptor. The traffic descriptor includes the names or identifiers of multiple applications, while the route selection descriptor includes network slice selection information for each application, as well as wildcard network slice selection information, such as network slice selection information available to applications not included in the traffic descriptor. URSP rules are shown in Table 2, and route selection descriptors are shown in Table 3.

[0102] Table 1

[0103]

[0104] Table 2

[0105]

[0106]

[0107] Table 3

[0108]

[0109] When a new application is detected, the UE determines the corresponding route selection descriptor (RSD) based on the URSP and checks if a PDU session matching the RSD exists among the established PDU sessions. If so, the UE associates the detected new application with the PDU session matching the RSD and transmits the new application's data through that PDU session. If not, the UE establishes a PDU session matching the RSD.

[0110] For example, Figure 1 Select an example for an existing PDU session. For example... Figure 1 As shown, the UE establishes PDU session 1 for application B, and selects existing PDU sessions for applications A, C, D, E, and F, such as selecting PDU session 2 for application A.

[0111] 2. Secondary authentication

[0112] 5G communication systems include operator networks. When a UE accesses an operator network, it needs to be authenticated (operator network authentication, first-level authentication, first-level authentication, initial authentication, primary authentication, main authentication) to determine whether the UE has access to the operator network. This can be determined if the UE is a subscribed user of the operator network, or if the operator to which the UE is subscribed has a roaming service agreement with the owner of the operator network (another operator) that the UE wants to access.

[0113] Optionally, the 5G communication system may also include a provider network, meaning the application content may be provided by a third-party application provider. Similarly, when a UE accesses a provider network through an operator network, in addition to the primary authentication mentioned above, the provider network also needs to authenticate the UE (provider network authentication, secondary authentication, secondary authentication, second authentication, quasi-authentication, auxiliary authentication) to determine whether the UE has access rights to the provider network, such as if the UE is a subscribed user of the provider network.

[0114] It should be noted that secondary authentication can be delegated to the operator's network, such as network slice authentication performed by the operator's network as described below, or it can be performed by the provider's network, such as PDU session authentication performed by the data network (DN) deployed by the provider, such as AAA-S in the DN.

[0115] 3. Network Slicing Authentication

[0116] Network slicing uses slicing technology to virtualize multiple end-to-end networks on a general-purpose hardware platform. Each network has different network functions to adapt to different types of service requirements. In other words, network slicing can be understood as a logical network based on a portion of the physical network resources to achieve one or more specific functions. For example, after deploying physical resources, operators can use these resources to virtualize an enhanced mobile broadband (eMBB) slice for mass internet access services; a massive machine-type communication (mMTC) slice for smart metering needs of certain vendors in vertical industries; and an ultra-reliable low-latency communication (uRLLC) slice for needs such as autonomous driving and driverless vehicles. These three network slices provide different types of services for different business scenarios.

[0117] Network slices can be identified using single network slice selection assistance information (S-NSSAI). Depending on the operator's operational or deployment needs, one S-NSSAI can be associated with one or more network slice instances, and one network slice instance can be associated with one or more S-NSSAIs.

[0118] S-NSSAI comprises two parts: Slice / Service Type (SST) and Slice Differentiator (SD). SST refers to the expected network slice behavior in terms of characteristics and services. The standard value range for SST is 1, 2, or 3, where 1 represents eMBB, 2 represents URLLC, and 3 represents massive internet of things (MIoT). SD is optional information used to supplement SST to differentiate multiple network slices of the same slice / service type.

[0119] The SST and SD parts are combined to represent the slice type and multiple slices of the same type. For example, S-NSSAI values ​​of 0x01000000, 0x02000000, and 0x03000000 represent eMBB type slices, uRLLC type slices, and MIoT type slices, respectively. S-NSSAI values ​​of 0x01000001 and 0x01000002 represent eMBB type slices, serving user group 1 and user group 2, respectively.

[0120] Network slice selection assistance information (NSSAI) is a collection of S-NSSAIs. The NSSAIs used in 5G networks include requested NSSAIs, allowed NSSAIs, and configured NSSAIs, and their specific definitions are shown in Table 4.

[0121] Table 4

[0122]

[0123] The network slice selection policy (NSSP) is sent to the UE by the PCF as part of the UE route selection policy (URSP) rules through the AMF. The UE uses the NSSP to associate the APP ID and S-NSSAI. For the specific implementation of network slice selection, existing solutions can be referenced, such as implementing network slice selection during the attachment procedure.

[0124] While the network function requirements of mass internet access services and various industries across different sectors are diverse, these requirements can all be broken down into demands for network bandwidth, connection capacity, latency, reliability, and other network functionalities. The 5G standard also summarizes the network function requirements of different services into three typical scenarios, corresponding to the following network slice types: eMBB slice, mMTC slice, and (ultra-reliable low-latency communication, uRLLC) slice.

[0125] eMBB Scenario: Leveraging breakthroughs in wireless spectrum utilization and bandwidth technology, 5G can provide transmission speeds more than 10 times faster than 4G. For currently popular applications like AR / VR and high-definition video streaming, only 5G's ultra-high speeds can meet the demands, while 4G's transmission rates are insufficient. For example, when watching high-definition videos or playing large interactive games in VR, a wired network connection is currently necessary to obtain data. However, in the future, with wireless connections via 5G networks, VR / AR can enjoy a much faster experience.

[0126] In mMTC scenarios, through technologies such as multi-user shared access and ultra-dense heterogeneous networks, 5G can support 1 million devices per square kilometer, 10 times that of 4G. With the rapid development of smart cities, public facilities such as streetlights, manhole covers, and water meters already have network connectivity and can be remotely managed, but 5G will bring even greater innovation. Based on the powerful connectivity of 5G networks, public facilities across various sectors of the city can be connected to an intelligent management platform. These public facilities work collaboratively through the 5G network, requiring only a small number of maintenance personnel for unified management, greatly improving the city's operational efficiency.

[0127] uRRLC scenario: The most typical application of 5G in a 5G context is autonomous driving. Common scenarios in autonomous driving include simultaneous multi-channel communication such as emergency braking, vehicle-to-vehicle, vehicle-to-pedestrian, and vehicle-to-infrastructure communication, requiring instantaneous processing of massive amounts of data and decision-making. Therefore, the network needs to possess high bandwidth, low latency, and high reliability, and 5G networks are capable of handling such scenarios.

[0128] In practical applications, application providers, such as those in various vertical industries, can purchase network slicing services from telecom operators to provide network services to users through the operator's network. Correspondingly, application providers can entrust operators to authenticate users based on network slices. In other words, if a user is authenticated through network slices, it can be understood that the user has the right to use the network services provided by the application provider.

[0129] Specifically, when a UE registers with the network, in addition to the initial authentication process for the UE's permanent identifier, it may also determine whether a network slice-specific authentication and authorization (NSSAA) process is needed based on the UE's requested NSSAI and the UE's subscription data. This process can also be simply referred to as the secondary authentication process for network slices. The steps of this process are as follows: Figure 2 and Figure 3 As shown.

[0130] For example, Figure 2 This is a schematic diagram of the existing secondary authentication process based on network slice authentication. Figure 1 .like Figure 2 As shown, the secondary authentication process includes the following steps:

[0131] S201, the UE sends a registration request message to the AMF.

[0132] The registration request message carries the requested NSSAI. In other words, the UE can request the network to perform network slicing authentication for a specific NSSAI during its registration process.

[0133] S202, AMF performs an authentication process.

[0134] The authentication server function (AUSF) is used for one-time authentication of the UE's permanent identifier.

[0135] After successfully performing the permanent identification of the UE, the AMF obtains the UE's subscription data from the UDM. The subscription data contains indication information on whether secondary authentication is required for each S-NSSAI subscribed to by the UE.

[0136] For example, the S-NSSAI signed by the UE is shown in Table 5.

[0137] Table 5

[0138]

[0139] S203, AMF determines that S-NSSAI, which requires secondary authentication, needs to be performed.

[0140] Specifically, the AMF determines, based on the UE's subscription data, whether the S-NSSAI requiring secondary authentication is included in the requested NSSAI. If so, the AMF determines that the UE needs to perform a secondary authentication process after this registration process.

[0141] Example 1: If the NSSAI requested by the UE includes S-NSSAI-1 and S-NSSAI-2 as shown in Table 5, then S-NSSAI-1 needs to perform a secondary authentication process, while S-NSSAI-2 does not need to perform a secondary authentication process.

[0142] S204, AMF sends a registration acceptance message to UE.

[0143] The registration accept message carries the authorized NSSAI and / or the rejected NSSAI and its rejection reason value. The authorized NSSAI only includes S-NSSAIs that do not require secondary authentication, while the rejection reason value of the rejected NSSAI is usually in a pending state, requiring secondary authentication.

[0144] Please continue to refer to Example 1 above. The authorized NSSAI includes S-NSSAI-2, and the rejected S-NSSAI includes S-NSSAI-1. The reason for rejection is that S-NSSAI-1 is in a suspended state. Therefore, secondary authentication needs to be performed on S-NSSAI-1, that is, execute S205 below.

[0145] S205, AMF performs a secondary authentication process on the suspended S-NSSAI.

[0146] Please continue referring to Example 1 above. The AMF can initiate a secondary authentication process for S-NSSAI-1. For details, please refer to... Figure 3 The process shown is not repeated here.

[0147] treat Figure 3 After the secondary authentication shown is completed, the AMF can execute the following S206 based on the authentication result.

[0148] S206, AMF updates the authorized NSSAI based on the secondary authentication result.

[0149] Specifically, if authentication is successful, AMF will add the S-NSSAI to the authorized NSSAI list; if authentication fails, AMF will not need to update the authorized NSSAI list.

[0150] Please continue to refer to Example 1 above. If the secondary authentication of S-NSSAI-1 is successful, the AMF will send an instruction to the UE to update the authorized NSSAI to S-NSSAI-1 and S-NSSAI-2. If the authentication fails, the AMF will not send an instruction to the UE to update the authorized NSSAI.

[0151] For example, Figure 3 This is a schematic diagram of the existing secondary authentication process based on network slice authentication. Figure 2 .like Figure 3 As shown, the authentication process may include the following steps:

[0152] S301, AMF triggers secondary authentication for network slices.

[0153] S302, AMF sends the first NAS MM transmission request to UE.

[0154] The first non-access stratum (NAS) mobility management (MM) transport request carries: an extensible authentication protocol (EAP) identifier (EAP ID request) and single network slice selection assistance information (S-NSSAI). The EAP ID request is used to request secondary authentication for the network slice corresponding to the S-NSSAI.

[0155] S303, the UE sends the first NAS MM transmission response to the AMF.

[0156] The first NAS MM transmission response carries an EAP ID response, an S-NSSAI, and a UE identifier (UE ID). The UE ID is used to identify the UE, and can be the UE's generic public subscription identifier (GPSI). The S-NSSAI refers to the identifier of the network slice that provides network services to the UE.

[0157] Optionally, the content of the EAP ID response and the EAP ID request in S302 can also be carried in other NAS messages, which is not restricted here.

[0158] S304, AMF sends the first NSSAA authentication request to NSSAAF.

[0159] The first NSSAAF is the network slice and SNPN authentication and authorization function. The NNSSAA authentication request (Nnssaaf_NSSAA_Authenticate Req) carries information such as the EAP ID response, the UE's GPSI, and S-NSSAI.

[0160] S305, NSSAAF sends the first AAA protocol request to AAA-P.

[0161] S306, AAA-P sends the first AAA protocol request to AAA-S.

[0162] Among them, AAA-P is the authentication, authorization, and accounting proxy server. The first AAA protocol request message carries the above-mentioned EAP ID response, UE's GPSI, S-NSSAI and other information.

[0163] Specifically, if AAA-P is deployed, NSSAAF can send a first AAA protocol request to AAA-P (S305), and then AAA-P can forward the first AAA protocol request to AAA-S (S306). For example, when AAA-S is deployed by a third party and there is no direct communication link between NSSAAF and AAA-S, NSSAAF can send the AAA protocol message to AAA-S through AAA-P.

[0164] Alternatively, if NSSAAF and AAA-S can communicate directly, S305 and S306 can be replaced by the following steps: NSSAAF sends a first AAA protocol request to AAA-S.

[0165] S307, AAA-S sends the first AAA protocol request to AAA-P.

[0166] S308, AAA-P sends the first AAA protocol response to NSSAAF.

[0167] The first AAA protocol response carries EAP messages, the UE's GPSI, S-NSSAI, and other information. The function and content of the EAP message are similar to those of the EAP ID request and EAP ID response described above, and will not be repeated here.

[0168] Optionally, if NSSAAF and AAA-S can communicate directly, similar to S305-S306, then S307-S308 can also be replaced by the following steps: AAA-S sends an AAA protocol message to NSSAAF.

[0169] S309, NSSAAF sends the first NSSAA authentication response to AMF.

[0170] The first NSAA authentication response (Nnssaaf_NSSAA_Authenticate Resp) carries EAP messages, the UE's GPSI, S-NSSAI, and other information.

[0171] S310, AMF sends a second NAS MM transmission request to UE.

[0172] The second NAS MM transmission request carries information such as EAP messages and S-NSSAI.

[0173] S311, the UE sends a second NAS MM transmission response to the AMF.

[0174] The second NAS MM transmission response carries information such as EAP messages and S-NSSAI.

[0175] S312, AMF sends a second NSSAA authentication request to NSSAAF.

[0176] The second NSAA authentication request (Nnssaaf_NSSAA_Authenticate Resquest) carries EAP messages, the UE's GPSI, S-NSSAI, and other information.

[0177] S313, NSSAAF sends a second AAA protocol request to AAA-P.

[0178] S314, AAA-P sends a second AAA protocol request to AAA-S.

[0179] The second AAA protocol carries EAP messages, the address of AAA-S, the UE's GPSI, S-NSSAI, and other information.

[0180] Optionally, if NSSAAF and AAA-S can communicate directly, similar to S305-S306, then S313-S314 can also be replaced by the following steps: NSSAAF sends a second AAA protocol request to AAA-S.

[0181] The above S307-S314 are used to perform the exchange of EAP messages. This process may be executed once or multiple times, and there is no limit to this.

[0182] After that, AAA-S can perform secondary authentication and return the authentication result to the UE, that is, execute S315-S318 as described below.

[0183] S315, AAA-S sends a second AAA protocol response to AAA-P.

[0184] S316, AAA-P sends a second AAA protocol response to NSSAAF.

[0185] The second AAA protocol response carries information such as EAP authentication success / failure indication, the UE's GPSI, and the authorized S-NSSAI.

[0186] Optionally, if NSSAAF and AAA-S can communicate directly, similar to S307-S308, then S315-S316 can also be replaced by the following steps: AAA-S sends a second AAA protocol response to NSSAAF.

[0187] S317, NSSAAF sends a second NSSAA authentication response to AMF.

[0188] The second NSSAA authentication response carries information such as EAP authentication success / failure indication, the UE's GPSI, and the authorized S-NSSAI.

[0189] S318, AMF sends a second NAS MM transmission response to UE.

[0190] The second NAS MM transmission response carries an EAP authentication success / failure indication.

[0191] The AMF should store the EAP authentication result of each S-NSSAI executing the NSAA procedure in S301-S317. Afterwards, the UE and network can execute the configuration update procedure based on the secondary authentication result, i.e., execute S319-S320 as described below.

[0192] S319, optionally, the AMF triggers the UE configuration update process.

[0193] Specifically, when there is a new allowed NSSAI, or a rejected NSSAI, or when the AMF needs to return a new AMF, the AMF can initiate a UE Configuration update (UCU) procedure. Similarly, when an S-NSSAI authentication related to a PDU session fails, the AMF must trigger the release of the PDU session.

[0194] S320, optionally, the AMF initiates the UE registration process.

[0195] Specifically, when no S-NSSAI authentication is passed and no default S-NSSAI is available, the AMF initiates a network-initiated deregistration process.

[0196] 4. PDU Session Authentication

[0197] After a UE successfully authenticates with the operator's network, if the UE needs to access a specific DN (Data Center), a secondary authentication process is required between the UE and the authentication server deployed in that DN. The establishment of a PDU session can be triggered by the UE or the operator's core network (CN). During or after the PDU session establishment, the operator's network initiates the secondary authentication process. Specifically, the UE sends an authentication request to the operator's network, which forwards the request to the authentication server in the DN to complete the DN's authentication of the UE. The UE server corresponding to the aforementioned DN can be an authentication, authorization, and accounting (AAA) server (AAA-S). The authentication and / or authorization results of this authentication server are sent to the operator's network, which uses the secondary authentication results to determine whether to establish a corresponding PDU session for the UE.

[0198] For example, Figure 4 This is a schematic diagram of the existing secondary authentication process based on PDU session flow. For example... Figure 4 As shown, the process may include the following steps:

[0199] S401, the UE sends a registration request to the AMF.

[0200] S402, the UE performs an authentication with the operator's network.

[0201] Specifically, after the AMF receives the registration request sent by the UE, it can trigger the AMF to perform an authentication between the UE and the operator's network.

[0202] Optionally, during the authentication process between the UE and the operator's network, the AUSF can obtain the authentication information required for the authentication from the UDM, such as the UE's subscription data. Then, based on the authentication information generated or stored in the UDM, the authentication between the UE and the operator's network can be realized.

[0203] S403 establishes NAS security between UE and AMF.

[0204] Specifically, after successful authentication between the UE and the operator's network, the AMF can establish NAS (non-access stratum) security with the UE. NAS exists within the wireless communication protocol stack of the Universal Mobile Telecommunications System (UMTS) as a functional layer between the CN and the UE. NAS supports signaling and / or data transmission between the CN and the UE.

[0205] S404, the UE sends a session establishment request to the AMF.

[0206] Specifically, after the UE establishes NAS security with the AMF, the UE can initiate a session establishment request to the AMF, which carries a NAS message. This session establishment request can specifically be used to request the establishment of a PDU session.

[0207] S405, AMF sends a session establishment request to SMF.

[0208] Specifically, after receiving the NAS message sent by the UE, the AMF can decode the session establishment request in the NAS message and send the session establishment request to the SMF. The SMF mentioned above is the SMF that manages the PDU session requested by the session establishment request.

[0209] S406, SMF verifies contract data.

[0210] Specifically, after receiving a session establishment request, the SMF obtains the subscription data from the UDM. If the subscription data indicates that secondary authentication is required, the following S407 is executed.

[0211] S407, SMF initiates EAP authentication process.

[0212] Optionally, if the session establishment request carries information required for secondary authentication, then S408 and S409 below can be skipped.

[0213] S408, SMF sends an EAP ID request to UE.

[0214] The EAP ID request is used to request the UE's identity information, such as the UE's GPS I.

[0215] S409, the UE sends an EAP ID response to the SMF.

[0216] The EAP ID response carries the UE's identity information, such as the UE's GPSI.

[0217] S410, SMF initiates N4 session establishment procedure to UPF.

[0218] Specifically, if there is no UPF for transmitting messages between SMF and AAA-S, SMF initiates a UPF selection process and establishes an N4 session between SMF and the selected UPF.

[0219] S411, SMF sends EAP ID response and UE identity information to AAA-S.

[0220] Specifically, the SMF can send the EAP ID response and the UE's identity information to the AAA-S via the UPF. Specifically, the SMF can send the EAP ID response and the UE's identity information to the UPF through the N4 session established in S410, and then the UPF sends the received EAP ID response and the UE's identity information to the AAA-S.

[0221] S412 performs secondary authentication on the UE.

[0222] Specifically, the UE and AAA-S can exchange EAP messages multiple times to complete the secondary authentication of the UE by AAA-S.

[0223] The details of the EAP messages exchanged between the UE and AAA-S, such as message type and interaction method, depend on the specific EAP authentication method used and are not limited here.

[0224] S413, AAA-S sends the secondary authentication result to SMF.

[0225] Specifically, if AAA-S successfully authenticates the UE, AAA-S sends an authentication success message to UPF, and then UPF sends an authentication success message to SMF through the N4 session.

[0226] Optionally, AAA-S may also provide authorization information, such as an index of the DN authorization text, allowed media control access (MAC) addresses or virtual local area network identifiers (VIDs), and the aggregate maximum bit rate (AMBR) of the DN authorized sessions.

[0227] S414, SMF triggers the execution of the remaining steps of the PDU session establishment process.

[0228] After AAA-S completes the EAP authentication of the UE, the SMF can continue to initiate the remaining steps in the PDU session establishment process, as shown in S415 below:

[0229] S415, SMF initiates N4 session establishment / modification procedure to UPF.

[0230] S416, SMF sends a PDU session establishment success message to UE.

[0231] Specifically, the SMF sends a PDU session establishment success message to the AMF, the AMF receives the PDU session establishment success message, and then sends it to the UE.

[0232] However, both the secondary authentication based on network slice authentication and the secondary authentication based on PDU sessions have security vulnerabilities. Specifically, when two or more applications associated with a network slice are running, the UE will establish a new PDU session according to URSP rules, or select an existing PDU session to associate with that network slice. An example of a URSP rule is as follows:

[0233] Rule 1: Priority = 1, APP ID = APP1, Network Slice Selection = S-NSSAI-a;

[0234] Rule 2: Priority = 2, APP ID = APP2, Network slice selection = S-NSSAI-a;

[0235] Rule 3: Priority = 3, APP ID = APP3, Network Slice Selection = S-NSSAI-b;

[0236] Both APP1 and APP2 can use network slicing S-NSSAI-a.

[0237] Assuming S-NSSAI-a is included in the allowed NSSAIs, when APP1 runs, secondary authentication for APP1 has been successfully performed, and PDU session 1 has been established for APP1. Then, when APP2 runs, APP2 will directly use S-NSSAI-a by having the UE select the existing PDU session 1, without requiring any further authentication for APP2. In this scenario, it is easy to tamper with the APP ID and abuse network slicing / data network resources during deployment, leading to network security risks and operational inefficiency.

[0238] The technical solutions in this application will now be described with reference to the accompanying drawings.

[0239] The technical solutions of this application embodiment can be applied to various communication systems, such as wireless fidelity (WiFi) systems, vehicle-to-everything (V2X) communication systems, device-to-device (D2D) communication systems, vehicle-to-everything (V2X) communication systems, 4th generation (4G) mobile communication systems, such as long term evolution (LTE) systems, worldwide interoperability for microwave access (WiMAX) communication systems, 5th generation (5G) mobile communication systems, such as new radio (NR) systems, and future communication systems, such as 6th generation (6G) mobile communication systems, etc.

[0240] This application will present various aspects, embodiments, or features relating to systems that may include multiple devices, components, modules, etc. It should be understood and appreciated that individual systems may include additional devices, components, modules, etc., and / or may not include all the devices, components, modules, etc. discussed in conjunction with the accompanying drawings. Furthermore, combinations of these approaches are also possible.

[0241] Furthermore, in the embodiments of this application, words such as "exemplarily" and "for example" are used to indicate that something is an example, illustration, or description. Any embodiment or design that is described as an "example" in this application should not be construed as being better or more advantageous than other embodiments or designs. Rather, the use of the word "example" is intended to present the concept in a specific manner.

[0242] In the embodiments of this application, the terms "information," "signal," "message," "channel," and "singaling" may sometimes be used interchangeably. It should be noted that, without emphasizing their distinction, they all convey the same meaning. Similarly, the terms "of," "corresponding (relevant)," and "corresponding" may sometimes be used interchangeably. It should be noted that, without emphasizing their distinction, they all convey the same meaning.

[0243] In the embodiments of this application, sometimes the subscript such as W1 may be mistakenly written as a non-subscript form such as W1. When the difference is not emphasized, the meaning they express is the same.

[0244] The network architecture and business scenarios described in the embodiments of this application are for the purpose of more clearly illustrating the technical solutions of the embodiments of this application, and do not constitute a limitation on the technical solutions provided in the embodiments of this application. As those skilled in the art will know, with the evolution of network architecture and the emergence of new business scenarios, the technical solutions provided in the embodiments of this application are also applicable to similar technical problems.

[0245] To facilitate understanding of the embodiments of this application, let's first take... Figure 5 The communication system illustrated herein is used as an example to illustrate a communication system applicable to embodiments of this application. For example, Figure 5 Schematic diagram of the communication system architecture to which the authentication method provided in the embodiments of this application is applicable. Figure 1 .

[0246] like Figure 5 As shown, the communication system includes terminal equipment, a first network element, and authentication equipment.

[0247] The aforementioned terminal equipment refers to a terminal that can access the aforementioned communication system and has wireless or wired transceiver functions, or a chip or chip system that can be installed in the terminal. This terminal equipment may also be referred to as user equipment, user device (UE), handheld terminal, access terminal, user unit, user station, mobile station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication equipment, user agent, or user device. The terminal devices in the embodiments of this application may be mobile phones, tablets, computers with wireless transceiver capabilities, virtual reality (VR) terminal devices, augmented reality (AR) terminal devices, wireless terminals in industrial control, wireless terminals in self-driving, wireless terminals in remote medical care, wireless terminals in smart grids, wireless terminals in transportation safety, wireless terminals in smart cities, wireless terminals in smart homes, vehicle terminals, RSUs with terminal functions, laptops, subscriber units, cellular phones, smartphones, wireless data cards, personal digital assistants (PDAs), computers, tablet computers, wireless modems, handheld devices, laptop computers, cordless phones, or wireless local loop (WLL) stations, machine-type communication devices. Type Communication (MTC) terminals, etc. The terminal device of this application can also be an on-board module, on-board component, on-board chip, or on-board unit built into a vehicle as one or more components or units. The vehicle can implement the authentication method provided in this application through the built-in on-board module, on-board component, on-board chip, or on-board unit.

[0248] The aforementioned first network element is the requester for secondary authentication and can be a core network element in the operator's network, as follows: Figures 6-11 The AMF, SMF, etc. shown are illustrated.

[0249] The aforementioned authentication device is a secondary authentication responder and can be an authentication server deployed by an operator or a third-party content provider, as follows: Figures 6-11 The NSSAAF and AAA-S and AAA-P deployed in the DN are shown.

[0250] Optionally, Figure 5 The communication system shown may also include an access network device, which is a device located on the network side of the communication system and has wireless transceiver capabilities, or a chip or chip system that can be installed in the device. The access network equipment includes, but is not limited to: access points (APs) in wireless fidelity (WiFi) systems, such as home gateways, routers, servers, switches, and bridges; evolved Node Bs (eNBs), radio network controllers (RNCs), Node Bs (NBs), base station controllers (BSCs), base transceiver stations (BTSs), home base stations (e.g., home evolved Node Bs or home Node Bs (HNBs)); baseband units (BBUs); wireless relay nodes, wireless backhaul nodes, and transmission and reception points (TRPs or TPs). It can also be 5G, such as gNBs in new radio (NR) systems, or transmission points (TRPs or TPs); one or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system; or network nodes constituting gNBs or transmission points, such as baseband units (BBUs) or distributed units (DMUs). Units such as DU (Dedicated Unit) and roadside units (RSU) with base station functions.

[0251] The following uses a 5G system as an example to describe in detail the communication system provided in the embodiments of this application.

[0252] Figures 6-11 Examples one through six are examples of 5G systems. Figure 6 For a non-roaming architecture based on service-oriented interfaces, Figure 7In a reference point-based non-roaming architecture, the UE is located in the home public land mobile network (HPLMN), and service offloading is completed by the HPLMMN. That is, both the UE and the DN are located in the HPLMMN. Figure 8 This is a local breakout (LBO) roaming architecture based on service-oriented interfaces. Figure 9 The local roaming architecture is based on reference points. The UE is located in the visited public land mobile network (VPLMN), and the service also needs to be offloaded in the VPLMN. That is, both the UE and the DN are located in the VPLMN. Figure 10 This is a home-routed (HR) roaming architecture based on service-oriented interfaces. Figure 11 In the reference point-based home routing roaming architecture, the UE is located in the VPLMN, but the service needs to be offloaded in the HPLMN, that is, the DN is located in the HPLMN.

[0253] refer to Figures 6-11 The 5G system architecture is divided into two parts: the access network and the core network. The access network is used to implement functions related to radio access. The core network mainly includes the following key network elements: access and mobility management function (AMF), session management function (SMF), user plane function (UPF), policy control function (PCF), and unified data management (UDM).

[0254] (R)AN equipment: Equipment that provides access for terminal devices, including radio access network (RAN) equipment and access network (AN) equipment. RAN equipment is mainly 3GPP-defined wireless network equipment, while AN can be non-3GPP-defined access network equipment. RAN equipment is mainly responsible for functions such as air interface-side radio resource management, quality of service (QoS) management, data compression, and encryption. The RAN equipment can include various forms of base stations, such as macro base stations, micro base stations (also known as small stations), relay stations, and access points. In systems using different radio access technologies, the names of equipment with base station functions may differ. For example, in 5G systems, it is called RAN or g node (5G NodeB, gNB); in LTE systems, it is called evolved Node B (eNB or eNodeB); and in 3G systems, it is called Node B, etc.

[0255] AN equipment: Allows terminal equipment and the 3GPP core network to interconnect using non-3GPP technologies. Examples of non-3GPP technologies include: Wireless Fidelity (Wi-Fi), Worldwide Interoperability for Microwave Access (WiMAX), and Code Division Multiple Access (CDMA) networks.

[0256] AMF: Primarily responsible for mobility management in mobile networks, such as user location updates, user network registration, and user handover.

[0257] SMF (Service Provider Function): Primarily responsible for session management in mobile networks, such as session establishment, modification, and release. Specific functions include assigning IP addresses to users and selecting the UPF (User Provider Function) to provide packet forwarding capabilities.

[0258] UPF: Responsible for forwarding and receiving user data in terminal devices. It can receive user data from the data network and transmit it to the terminal device through the access network equipment; UPF can also receive user data from the terminal device through the access network equipment and forward it to the data network. The transmission resources and scheduling functions that provide services to the terminal device in UPF are managed and controlled by the SMF network element.

[0259] PCF: Primarily supports providing a unified policy framework to control network behavior, provides policy rules to the control layer network functions, and is also responsible for obtaining user subscription information related to policy decisions.

[0260] Network exposure function (NEF): Primarily used to support the exposure of capabilities and events.

[0261] Network slice admission control function (NSACF): Primarily used to support the following functions:

[0262] Supports monitoring and control of the number of registered users for each network slice;

[0263] Supports monitoring and control of the number of PDU sessions established for each network slice;

[0264] Supports event-based network slice status notifications and reporting to other NFs.

[0265] Application function (AF): Primarily supports interaction with the 3GPP core network to provide services, such as influencing data routing decisions, policy control functions, or providing third-party services to the network side.

[0266] Unified data management (UDM): Used for generating authentication credentials, user identification processing (such as storing and managing permanent user identities), access authorization control, and contract data management.

[0267] The network slice-specific authentication and authorization function (NSSAAF) is primarily used to perform authentication and authorization functions for network slices and stand-alone non-public networks (SNPNs), specifically including:

[0268] NSSAAF supports the use of an Authentication, Authorization, and Accounting (AAA) server (AAA-server, AAA-S) for specific authentication and authorization of a specified network slice. If AAA-S is a third party, NSSAAF can contact AAA-S through an AAA proxy (AAA-proxy, AAA-P).

[0269] Access to SNPN using AAA-S credentials is supported. If the credential holder is a third party, NSSAAF can contact AAA-S via AAA-P.

[0270] Data network (DN): This refers to a service network that provides data transmission services to users, such as IP multi-media service (IMS) and the Internet. Specifically, the UE accesses the data network through a packet data unit (PDU) session established between the UE and the DN.

[0271] Furthermore, the embodiments of this application involve AAA-P, DN-AAA, and AAA-S, which can be collectively referred to as AAA servers. AAA servers and NSSAAF can be collectively referred to as authentication devices / functions.

[0272] It should be noted that, Figures 6-11 The network element in question can also be referred to as a function or a feature. For example, an AMF network element can also be referred to as an AMF or an AMF function, and an SMF network element can also be referred to as an SMF or an SMF function. This application does not impose any restrictions on this.

[0273] The authentication method provided in this application embodiment can be applied to Figures 5-11 In any of the communication systems shown, secondary authentication of terminal devices is implemented. For specific implementation details, please refer to the following method embodiments, which will not be elaborated here.

[0274] It should be noted that the solutions in the embodiments of this application can also be applied to other communication systems, and the corresponding names can be replaced by the names of the corresponding functions in other communication systems.

[0275] It should be understood that Figures 5-11 This is a simplified diagram for ease of understanding only. The communication system may also include other network devices and / or other terminal devices. Figures 5-11 It was not drawn in the middle.

[0276] The following will combine Figures 12-16 The authentication method provided in the embodiments of this application will be described in detail.

[0277] For example, Figure 12 Flowchart of the authentication method provided in the embodiments of this application Figure 1 This authentication method can be applied to Figure 1 In the communication system shown, a secondary authentication operation is performed on the terminal device.

[0278] like Figure 12 As shown, the authentication method includes the following steps:

[0279] S1201, the terminal device sends application information to the first network element.

[0280] In one possible design, the application information includes application identification information. This application identification information may include one or more of the following: application identifier, Internet Protocol (IP) 5-tuple, application name, etc., which can be used to perform secondary authentication operations on the application. For specific implementation details, please refer to S1203 below; further details will not be provided here.

[0281] Optionally, the application information also includes application authentication information. This application authentication information may include one or more of the following: username, password, certificate information, etc., which can be used together with application identification information for the authentication device to perform authentication operations on the application. For specific implementation details, please refer to S1203 below, which will not be elaborated here.

[0282] Alternatively, please refer to Figures 6-11 The first network element can be the AMF. Specifically, S1201 can be implemented as follows: the terminal device sends application information to the AMF network element through the access network device.

[0283] Alternatively, please refer to Figures 6-11 The first network element can be the SMF. Specifically, S1201 can be implemented as follows: the terminal device sends application information to the SMF network element through the access network equipment and the AMF.

[0284] S1202, the first network element sends application information to the authentication device.

[0285] In one possible design scheme, please refer to Figures 6-11 The first network element can be the AMF (Application Provider Function), and the authentication device can be the NSSAAF (Service-Oriented Automation Authentication and Authentication Center) deployed by the operator. Accordingly, the AMF can send application information to the NSSAAF through the service interface or the N58 interface.

[0286] For another possible design solution, please refer to... Figures 6-11 The first network element can be the AMF (Application Provider Function), and the authentication device can be the NSSAAF (Service-Oriented Automation Authentication and Authentication Center) deployed by the operator. Accordingly, the AMF can send application information to the NSSAAF through the service interface or the N58 interface.

[0287] In another possible design scheme, please refer to... Figure 6 , Figure 8 , Figure 10 The first network element can be the SMF (Service Provider Function), and the authentication device can be the NSSAAF (Service-Oriented Automation Assistance Assistance) deployed by the operator. Accordingly, the SMF can send application information to the NSSAAF through a service-oriented interface.

[0288] In another possible design scheme, please refer to Figure 6 , Figure 8 , Figure 10 The first network element can be the SMF, and the authentication device can be the AAA-S deployed by a third-party application provider. Accordingly, the AMF can send application information to the NSSAAF through a service interface, and then the NSSAAF will forward it to the AAA-S.

[0289] It should be noted that if the third-party application provider has authorized the operator to perform the secondary authentication operation, NSSAAF may not forward the application information to AAA-S, but instead complete the secondary authentication operation itself according to the authorization.

[0290] S1203, the authentication device determines the authentication result based on the application information.

[0291] In one possible design, the application information includes application identification information, and the authentication result includes application identification information.

[0292] Specifically, the authentication device can compare the application information provided by the terminal device with the application information stored locally on the authentication device to determine whether the secondary authentication was successful. The application information stored locally on the authentication device may include: application information of authorized applications, such as a whitelist, and / or application information of prohibited applications, such as a blacklist. For example, if the application information provided by the terminal device exists in the whitelist, the secondary authentication is considered successful; otherwise, it is considered unsuccessful. Similarly, if the application information provided by the terminal device exists in the blacklist, the secondary authentication is considered unsuccessful; otherwise, it is considered successful.

[0293] Furthermore, authentication devices can combine application authentication information, such as username, password, and certificate information, to determine the authentication result. This allows for dual authentication of application and user information, improving the reliability of the authentication result and further enhancing network security and operational efficiency.

[0294] In this application, the authentication result can be indicated implicitly or explicitly. Examples are given below.

[0295] For example, the authentication result also includes authentication indication information, which is used to indicate whether the authentication operation of the application corresponding to the application information was successful.

[0296] Alternatively, the authentication result may exclude authentication instruction information and instead include application identification information. In this case, the application identification information in the authentication result can be understood as one of the following: all applications corresponding to all application identification information are assumed to have passed authentication by default; all applications corresponding to all application identification information are assumed to have failed authentication by default; or some applications corresponding to some application identification information are assumed to have passed authentication by default, while others are assumed to have failed authentication by default. These two parts of application identification information can be located in different positions within the authentication result, such as in different fields or information elements (IEs) for distinction.

[0297] S1204, the authentication device sends the authentication result to the first network element.

[0298] The authentication result is determined based on the application information. The authentication result is used to generate detection rules. The detection rules are used to perform forwarding or discarding operations on the data of the application corresponding to the application information, such as forwarding the data of the application that has successfully completed secondary authentication and discarding the data of the application that has failed secondary authentication.

[0299] In one possible design, the first network element can be an access and mobility management network element, such as an AMF. Accordingly, Figure 12 The method shown may further include the following steps: the access and mobility management network element sends the authentication result to the session management network element. For details, please refer to... Figures 6-11 The authentication device can send the authentication result to the AMF through the service interface or the N58 interface.

[0300] Afterwards, the AMF can send the authentication result to the session management network element so that the session management network element can determine the detection rules.

[0301] In another possible design, the first network element can be a session management network element, such as an SMF. Accordingly, Figure 12 The method shown may further include the following steps: the authentication device sends the authentication result to the session management network element. For details, please refer to... Figure 6 , Figure 8 and Figure 10 The authentication device can send the authentication result to SMF through the service interface.

[0302] After the session management network element receives the authentication result, it can also perform the following steps: The session management network element determines the detection rules based on the authentication result and sends them to the user plane network element, so that the user plane network element can perform forwarding operations on the data of applications that have successfully completed secondary authentication, and perform discarding operations on the data of applications that have failed secondary authentication, thereby realizing differentiated data transmission services for applications corresponding to different application information.

[0303] Optionally, the session management network element can determine the detection rules on its own based on the authentication results, or it can send the authentication results to the policy control network element, such as the PCF, and receive the PCC rules determined by the policy control network element based on the authentication results, and then generate detection rules based on the returned PCC rules. This application embodiment does not limit this.

[0304] For example, the detection rules mentioned above may include packet detection rules (PDR) and forwarding action rules (FAR).

[0305] The detection rule can be an N4 rule or a part of an N4 rule; there are no restrictions here.

[0306] The following is combined with Figures 13-16 The following examples illustrate the authentication method provided in the embodiments of this application.

[0307] Figure 13 Flowchart of the authentication method provided in the embodiments of this application Figure 2 This authentication method is implemented based on the network slice authentication process. Among other things, Figure 12 The terminal device in the middle can be Figure 13 UE in Figure 12 The first network element in the network can be Figure 13 AMF in Figure 12 The authentication equipment in the middle can provide Figure 13 In the NSSAAF process, the AMF can determine whether the UE has permission to use network slices purchased from third-party application providers based on the network slice authentication procedure, thus completing the secondary authentication of the UE.

[0308] like Figure 13 As shown, the authentication method may include the following steps:

[0309] S1301, AMF triggers network slice authentication during the registration process initiated by the UE.

[0310] Specifically, the UE sends a registration request to the AMF, and the AMF responds to the UE's registration request by performing an authentication process, namely the operator network authentication process. This registration request carries the NSSAI requested by the UE, which may include one or more S-NSSAIs. For the specific implementation of the registration process, please refer to the above. Figure 2 The related textual explanations will not be elaborated here.

[0311] If the AMF determines that a second authentication is required for a successful S-NSSAI authentication based on the contract data obtained from the UDM, then the following S1302 can be executed.

[0312] S1302, the UE sends application information to the AMF.

[0313] Specifically, the AMF can send a NAS MM transmission request to the UE and receive a NAS MM transmission response from the UE. The NAS MM transmission request is used to request application information for the application corresponding to the network slice requiring secondary authentication, and the NAS MM transmission response carries the application information for the application corresponding to the network slice requiring secondary authentication. For the specific implementation of the NAS MM transmission request and NAS MM transmission response, please refer to the first NAS MM transmission request in S302 and the first NAS MM transmission response in S303; details will not be repeated here.

[0314] The application information includes application identification information and application authentication information. Application identification information can be an IP 5-tuple, application identifier, etc., while application authentication information can be the application's username, password, certificate information, etc.

[0315] It should be noted that if the UE carries the application information corresponding to the requested NSSAI in the registration request it initiates, then S1302 may not be executed, that is, S1302 can be regarded as an optional step in this case.

[0316] S1303, AMF sends application information to NSSAAF.

[0317] Specifically, the AMF can carry application information in the NSSAA authentication request and send it to the AMF. For specific implementation details, please refer to the first NSSAA authentication request and the second NSSAA authentication request in S304 above, which will not be repeated here.

[0318] S1304, NSSAAF sends the authentication result to UE through AMF.

[0319] Specifically, NSSAAF may request AAA-S to perform secondary authentication, or perform secondary authentication itself, depending on the circumstances. Optionally, if the third-party application provider and the network operator have reached a delegation agreement for secondary authentication, NSSAAF may perform secondary authentication itself.

[0320] Alternatively, if the third-party application provider does not entrust the network operator to perform secondary authentication, NSSAAF can send application information to AAA-S and receive authentication results from AAA-S. The authentication results include at least application identification information, such as the S-NSSAI that successfully underwent secondary authentication, which can be transmitted in a container. Optionally, the authentication results may also include authentication indication information, indicating whether secondary authentication for a specific S-NSSAI was successful.

[0321] It should be noted that the AAA-S can also pre-configure the application information that the UE can use, so the UE does not need to report application information in S1301-S1303 above.

[0322] S1305, the UE sends a PDU session establishment request to the SMF through the AMF.

[0323] Specifically, the AMF receives a first PDU session establishment request from the UE and sends a second PDU session establishment request to the SMF. The first PDU session establishment request may include an allowed NSSAI, and the second PDU session establishment request may include the authentication result of the S-NSSAI and the application information corresponding to the S-NSSAI.

[0324] Optionally, the second PDU session establishment request may also include the NSSAAF identifier, the UE identifier, and the network slice identifier. In this way, the SMF can directly obtain the authentication result from the NSSAAF, without the AMF needing to receive the authentication result and then forward it to the SMF.

[0325] Another implementation method is as follows: when the PDU session is established, the AMF sends the identifier of the SMF, the identifier of the UE and the identifier of the network slice to the NSSAAF, and the NSSAF sends the authentication result to the SMF.

[0326] S1306, SMF sends detection rules to UPF.

[0327] Specifically, the SMF can determine the N4 rules itself or request the PCF to determine them based on the secondary authentication results of the S-NSSAI and the application information corresponding to the S-NSSAI, and send the N4 rules to the UPF through an N4 session. The N4 rules include detection rules, which instruct the UPF to forward or discard the data of the application corresponding to the application information. For the specific implementation of the detection rules, please refer to S1204 above, which will not be repeated here.

[0328] Figure 14 Flowchart of the authentication method provided in the embodiments of this application Figure 3 This authentication method is implemented based on the network slice authentication process. Among other things, Figure 12 The terminal device in the middle can be Figure 14 UE in Figure 12 The first network element in the network can be Figure 14 AMF in Figure 12 The authentication equipment in the middle can provide Figure 14 In the NSSAAF process, the AMF can determine whether the UE has permission to use network slices purchased from third-party application providers based on the network slice authentication procedure, thus completing the secondary authentication of the UE.

[0329] like Figure 14 As shown, the authentication method may include the following steps:

[0330] S1401, AMF triggers network slice authentication during the registration process initiated by the UE.

[0331] S1402, the UE sends application information to the AMF.

[0332] S1403, AMF sends application information to NSSAAF.

[0333] S1404, NSSAAF sends the authentication result to UE via AMF.

[0334] The specific implementation of S1401-S1404 can be found in S1301-S1304, and will not be repeated here.

[0335] S1405, the UE sends a PDU session establishment request to the SMF through the AMF.

[0336] The PDU session request may include the identifier of the network slice from which the UE requests to establish a PDU session, such as S-NSSAI. In this case, the AMF can simply perform the forwarding operation of the PDU session establishment request.

[0337] The difference between S1405 and S1305 is that the authentication result may not be included in the second PDU session establishment request sent by the AMF to the SMF. In this case, the SMF can obtain the authentication result from the AMF after receiving the PDU session establishment request, that is, execute S1406-S1407 below.

[0338] S1406, SMF obtains the authentication result from AMF.

[0339] Specifically, the SMF can send an authentication result retrieval request to the AMF and receive the authentication result from the AMF. The authentication result retrieval request may include the S-NSSAI of the network slice carried in the PDU session request.

[0340] Optionally, the SMF can determine whether the S-NSSAI requires secondary authentication for each application based on the contract data in the UDM. If so, the authentication result is obtained from the AMF.

[0341] Alternatively, the SMF can subscribe to information about authenticated applications from the AMF. This way, the SMF will receive an update notification from the AMF whenever an application authentication result is updated (or changed).

[0342] S1407, SMF sends detection rules to UPF.

[0343] For the specific implementation of S1407, please refer to S1306 above, which will not be repeated here.

[0344] Figure 15 Flowchart of the authentication method provided in the embodiments of this application Figure 4 This authentication method is implemented based on the PDU session establishment process. Among other things, Figure 12 The terminal device in the middle can be Figure 15 UE in Figure 12 The first network element in the network can be Figure 15 SMF in Figure 12 The authentication equipment in the middle can provide Figure 15 In the DN-AAA configuration, such as AAA-S deployed within a DN, the SMF can determine whether the UE has access to use network slices purchased from a third-party application provider based on the network slice authentication process, thus completing the secondary authentication of the UE.

[0345] like Figure 15 As shown, the authentication method may include the following steps:

[0346] S1501, SMF sends the first authentication request to DN-AAA.

[0347] Specifically, SMF can send the first authentication request to DN-AAA through UPF during the UE's PDU session establishment process, thereby triggering secondary authentication.

[0348] The first authentication request is used to request DN-AAA to initiate secondary authentication.

[0349] S1502, SMF receives the first authentication response from DN-AAA.

[0350] The first authentication response is used to notify the SMF whether DN-AAA allows the initiation of secondary authentication for the UE. If yes, then S1503 is executed below.

[0351] Afterwards, the SMF can determine whether the DN-AAA requires secondary authentication for the application based on the subscription data. If so, the SMF can send an application information retrieval request to the UE and receive application information from the UE, specifically implemented as follows in S1503-S1504:

[0352] S1503, SMF sends an application information retrieval request to UE.

[0353] The application information retrieval request carries an EAP ID request and the UE's identity information, and is used to request application information that requires secondary authentication.

[0354] S1504, SMF receives application information acquisition response from UE.

[0355] The application information retrieval response includes application information, EAP ID response, and UE identity information. For details regarding the application information, please refer to S1201; it will not be elaborated upon here.

[0356] It should be noted that if the PDU session establishment request initiated by the UE in S1501 already carries application information, then S1503-S1504 can be omitted, and S1505 can be executed instead. In this case, S1503-S1504 can be regarded as optional steps.

[0357] S1505, SMF sends a second authentication request to DN-AAA.

[0358] The second authentication request carries the application information obtained in S1504.

[0359] S1506, DN-AAA sends a second authentication response to SMF.

[0360] The second authentication response carries the authentication result. For details regarding the content of the authentication result, please refer to S1203-S1204; it will not be repeated here.

[0361] S1507, execute the remaining steps in the PDU session establishment process and secondary authentication process.

[0362] S1508, SMF determines the N4 rule based on the authentication result.

[0363] S1509, SMF sends N4 rule to UPF.

[0364] Among them, the N4 rule includes the detection rule. For the specific implementation of the detection rule, please refer to S1306, which will not be elaborated here.

[0365] It should be noted that, Figure 15 The authentication methods shown can be implemented alone or in combination with other methods. Figure 13 or Figure 14 The authentication methods shown are implemented in combination. For example, if both the S-NSSAI of the PDU session initiated by the UE and the PDU session itself require authentication, the SMF can integrate the application information from the authentication results obtained from the AMF and the application information from the authentication results obtained from the AAA-S, such as the intersection of the two types of application information, to generate detection rules.

[0366] Figure 16 Flowchart of the authentication method provided in the embodiments of this application Figure 5 This authentication method can be used with... Figures 13-15The authentication methods shown in any one of the options are combined and implemented. Among them, Figure 12 The terminal device in the middle can be Figure 16 UE in Figure 12 The first network element in the network can be Figure 16 AMF or SMF in Figure 12 The authentication equipment in the middle can provide Figure 16 In this case, PCF can generate detection rules based on the authentication results obtained from AMF and / or NSSAAF / AAA-S.

[0367] like Figure 16 As shown, the authentication method may include the following steps:

[0368] S1601, execute the PDU session establishment process and secondary authentication process.

[0369] S1602, SMF receives authentication results from AMF and / or NSSAAF.

[0370] The authentication results should include at least the application identification information.

[0371] S1603, SMF sends the authentication result to PCF.

[0372] S1604, PCF determines PCC rules based on authentication results.

[0373] S1605, PCF sends PCC rules to SMF.

[0374] S1606, SMF sends detection rules to UPF.

[0375] Specifically, the SMF can generate detection rules, such as the N4 rule, based on the PCC rules and send them to the UPF. The UPF can then implement customized forwarding strategies for the data of applications corresponding to the application identification information based on the detection rules. For example, it can define the gating of the PCC rule for an application that has passed authentication as open, and vice versa, thereby forwarding the data of applications that have successfully undergone secondary authentication, or discarding the data of applications that have failed secondary authentication.

[0376] It should be noted that, Figure 16 The authentication method shown is the same as Figures 13-15 The difference between the authentication methods shown in any one of them is that: Figures 13-15 In any of the authentication methods shown, the PCC rule is determined by the SMF, while... Figure 16 In the authentication method shown, the PCC rule is determined by the PCF.

[0377] Those skilled in the art should understand that the above Figures 13-15The network elements or devices shown are for illustrative purposes only and should not be construed as limiting the scope of protection of the technical solutions provided in this application. Taking authentication equipment as an example, in... Figure 13 and Figure 14 The middle part is NSSAAF, in Figure 15 The middle is DN-AAA, in Figure 16 The two are NSSAAF and AAA-S. In practical applications, there may be more than one device / network element used to perform the secondary authentication function. This application does not limit the type and number of authentication devices.

[0378] In addition, Figures 13-16 In the illustrated embodiment, the PCF can generate URSP rules based on one or more of the following information: contract information (such as whether the slice / DNN needs secondary authentication, whether an application needs secondary authentication of the slice / DNN, etc.), authentication request information reported by the AMF or SMF (such as whether the slice / DNN needs secondary authentication, whether an application needs secondary authentication of the slice / DNN, etc.), and secondary authentication results.

[0379] The path selection descriptors for URSP rules are shown in Table 6 below.

[0380] Table 6

[0381]

[0382] Compared to Table 3, Table 6 differs in the following ways: It adds rules for successful secondary authentication of application slices and successful secondary authentication of application DN. It is important to note that the names in Table 6 are merely examples and do not restrict the use of other names in implementation.

[0383] In other words, the UE can determine whether to use a specific URSP (or path selection descriptor, RSD) based on the returned authentication result. Specifically, the UE only considers the URSP rule (or RSD) of the DNN / S-NSSAI corresponding to the application to be valid when the application's secondary authentication passes. Only when the URSP rule or RSD is valid will the UE use the corresponding URSP rule (RSD), such as initiating a PDU session establishment request based on the corresponding URSP rule.

[0384] The network side (such as AMF or SMF) can send the authentication result to the UE after the (application) secondary authentication (as described in the above embodiments). The UE can then determine whether the above routing selection verification criteria are met based on the authentication result.

[0385] Additionally, when the PCF uses the secondary authentication result as input, specifically as shown in Table 6, it can also use the validation criteria field, such as the routing validation criteria, to directly transmit the authentication result, such as by adding corresponding indication information. In this way, the UE can make a direct judgment without the AMF or SMF sending the authentication result separately.

[0386] based on Figures 12-16 According to any of the authentication methods shown, the authentication device can perform secondary authentication operations on each application corresponding to any application information based on the application information. Thus, the first network element can determine detection rules for each application based on the authentication result and instruct each network node on the data transmission path to perform forwarding or discarding operations on the data of applications corresponding to different application information based on the detection rules. For example, forwarding the data of successfully authenticated applications and discarding the data of applications that failed authentication, ensuring that even if application information is stolen or tampered with, network resources will not be abused, thereby improving network security and operational efficiency.

[0387] The above combination Figures 12-16 The authentication method provided in the embodiments of this application is described in detail below. Figures 17-20 This document describes in detail the authentication apparatus used to execute the authentication method provided in the embodiments of this application.

[0388] For example, Figure 17 This is a schematic diagram of the authentication device provided in the embodiments of this application. Figure 1 .like Figure 17 As shown, the authentication device 1700 includes a receiving module 1701 and a transmitting module 1702. For ease of explanation, Figure 17 Only the main components of the authentication device are shown.

[0389] In some embodiments, the authentication device 1700 may be applicable to Figure 4 In the communication system shown, the execution Figure 12 The function of the first network element in the authentication method shown, or applicable to Figures 6-11 In any of the communication systems shown, the execution Figures 13-16 The functions of AMF or SMF in the authentication methods shown are illustrated.

[0390] The receiving module 1701 is used to receive application information from the terminal device.

[0391] The sending module 1702 is used to send application information to the authentication device.

[0392] The receiving module 1701 is also used to receive authentication results from the authentication device. The authentication results are determined based on application information, and are used to generate detection rules. These detection rules are used to perform forwarding or discarding operations on the data of the application corresponding to the application information.

[0393] In one possible design, the application information includes application identification information, and the authentication result includes application identification information.

[0394] Optionally, the application information may also include application authentication information.

[0395] Optionally, the authentication result may also include authentication indication information, which is used to indicate whether the authentication operation of the application corresponding to the application information was successful.

[0396] In one possible design, the sending module 1702 is also used to send the authentication result to the session management network element.

[0397] In another possible design, the authentication device 1700 further includes: a processing module 1703. Figure 17 (Shown in dashed box). The processing module 1703 is used to determine the detection rules based on the authentication results. The sending module 1702 is also used to send the detection rules to the user plane network elements.

[0398] Optionally, the sending module 1702 is further configured to send the authentication result to the policy control network element. The receiving module 1701 is further configured to receive the detection rules from the policy control network element.

[0399] Optionally, the receiving module 1701 and the transmitting module 1702 can also be integrated into a single module, such as a transceiver module. Figure 17 (Not shown in the image). The transceiver module is used to implement the transceiver function of the authentication device 1700.

[0400] Optionally, the authentication device 1700 may also include a storage module. Figure 17 (Not shown in the image), this storage module stores computer programs or instructions. When the processing module 1703 executes the computer program or instructions, it enables the authentication device 1700 to perform operations. Figures 12-16 Any of the authentication methods shown in the table.

[0401] Optionally, the authentication device 1700 may be a first network element, such as an access and mobility management network element or a session management network element, or it may be a chip (system) or other component or assembly that can be set in the first network element, or it may be a device or system that includes the first network element. This application does not limit this.

[0402] It should be understood that the processing module involved in the authentication device 1700 can be implemented by a processor or processor-related circuit components, and can be a processor or processing unit; the transceiver module can be implemented by a transceiver or transceiver-related circuit components, and can be a transceiver or transceiver unit.

[0403] For example, Figure 18 This is a schematic diagram of the authentication device provided in the embodiments of this application. Figure 2 .like Figure 18 As shown, the authentication device 1800 includes: an acquisition module 1801 and a transmission module 1802. For ease of explanation, Figure 18 Only the main components of the authentication device are shown.

[0404] In some embodiments, the authentication device 1800 may be applicable to Figure 4 In the communication system shown, the execution Figure 12 The authentication device in the authentication method shown herein, or applicable to Figures 6-11 In any of the communication systems shown, the execution Figures 13-16 The authentication methods shown include the functions of NSSAAF or DN-AAA.

[0405] The acquisition module 1801 is used to acquire application information. This application information is used to determine the authentication result.

[0406] The sending module 1802 is used to send the authentication result to the first network element. The authentication result is used to determine the detection rules, which are used to perform forwarding or discarding operations on the data of the application corresponding to the application information.

[0407] In one possible design, the application information includes application identification information, and the authentication result includes application identification information.

[0408] Optionally, the application information may also include application authentication information.

[0409] Optionally, the authentication result may also include authentication indication information, which is used to indicate whether the authentication operation of the application corresponding to the application information was successful.

[0410] In one possible design, the authentication device 1800 further includes a receiving module 1803. The receiving module 1803 is used to receive application information from the first network element.

[0411] Optionally, the receiving module 1803 and the transmitting module 1802 can also be integrated into a single module, such as a transceiver module. Figure 18 (Not shown in the image). The transceiver module is used to implement the transceiver function of the authentication device 1800.

[0412] Optionally, the acquisition module 1801 can be integrated with other processing functions of the authentication device 1800 into a single processing module. Figure 18 (Not shown in the image), this processing module is used to implement the processing functions of the authentication device 1800.

[0413] Optionally, the authentication device 1800 may also include a storage module. Figure 18 (Not shown in the image), this storage module stores computer programs or instructions. When the processing module executes the computer program or instructions, the authentication device 1800 can perform [operations]. Figures 12-16 Any of the authentication methods shown in the table.

[0414] Optionally, the authentication device 1800 may be an authentication equipment, such as NSSAAF, AAA-S, AAA-P, DN-AAA, etc., or it may be a chip (system) or other component or assembly that can be set in the authentication equipment, or it may be a device or system that includes the authentication equipment. This application embodiment does not limit this.

[0415] For example, Figure 19 This is a schematic diagram of the authentication device provided in the embodiments of this application. Figure 3 .like Figure 19 As shown, the authentication device 1900 includes: a sending module 1901. For ease of explanation, Figure 19 Only the main components of the authentication device are shown.

[0416] In some embodiments, the authentication device 1900 may be applicable to Figure 4 In the communication system shown, the execution Figure 12 The authentication method shown herein is applicable to the functions of the terminal device, or may be suitable for... Figures 6-11 In any of the communication systems shown, the execution Figures 13-16 The UE function in the authentication method shown.

[0417] The sending module 1901 is used to send application information to the first network element. The application information is used to determine the authentication result, the authentication result is used to generate detection rules, and the detection rules are used to perform forwarding or discarding operations on the data of the application corresponding to the application information.

[0418] In one possible design, the application information includes application identification information, and the authentication result includes application identification information.

[0419] Optionally, the application information may also include application authentication information.

[0420] Optionally, the authentication result may also include authentication indication information, which is used to indicate whether the authentication operation of the application corresponding to the application information was successful.

[0421] In one possible design, the authentication device 1900 further includes a receiving module 1902. The receiving module 1902 is used to receive the authentication result from the first network element.

[0422] Optionally, the transmitting module 1901 and the receiving module 1902 can also be integrated into a single module, such as a transceiver module. Figure 19 (Not shown in the image). The transceiver module is used to implement the transceiver function of the authentication device 1900.

[0423] Optionally, the authentication device 1900 may further include a processing module 1903. The processing module is used to implement the processing functions of the device.

[0424] Optionally, the authentication device 1900 may also include a storage module. Figure 19 (Not shown in the image), this storage module stores computer programs or instructions. When the processing module 1903 executes the computer program or instructions, it enables the authentication device 1900 to perform operations. Figures 12-16 Any of the authentication methods shown in the table.

[0425] Optionally, the authentication device 1900 may be a terminal device, a chip (system) or other component or assembly that can be set in the terminal device, or a device or system that includes the terminal device. This application does not limit this.

[0426] For example, Figure 20 Schematic diagram of the authentication device provided in the embodiments of this application Figure 4 The authentication device can be a terminal device or a network device, or it can be a chip (system) or other component or assembly that can be installed in the terminal device or network device. For example... Figure 20 As shown, the authentication device 2000 may include a processor 2001. Optionally, the authentication device 2000 may also include a memory 2002 and / or a transceiver 2003. The processor 2001 is coupled to the memory 2002 and the transceiver 2003, for example, they may be connected via a communication bus.

[0427] The following is combined with Figure 20 A detailed description of each component of the authentication device 2000 is provided below:

[0428] The processor 2001 is the control center of the authentication device 2000. It can be a single processor or a collective term for multiple processing elements. For example, the processor 2001 can be one or more central processing units (CPUs), application-specific integrated circuits (ASICs), or one or more integrated circuits configured to implement the embodiments of this application, such as one or more digital signal processors (DSPs), or one or more field-programmable gate arrays (FPGAs).

[0429] Optionally, the processor 2001 can perform various functions of the authentication device 2000 by running or executing software programs stored in the memory 2002 and calling data stored in the memory 2002.

[0430] In a specific implementation, as one example, the processor 2001 may include one or more CPUs, for example... Figure 20 CPU0 and CPU1 are shown in the diagram.

[0431] In a specific implementation, as one example, the authentication device 2000 may also include multiple processors, for example... Figure 20 The processors 2001 and 2004 are shown. Each of these processors can be a single-core processor or a multi-core processor. Here, "processor" can refer to one or more devices, circuits, and / or processing cores used to process data (e.g., computer program instructions).

[0432] The memory 2002 is used to store the software program that executes the solution of this application, and is controlled by the processor 2001 to execute it. The specific implementation method can be referred to the above method embodiment, and will not be repeated here.

[0433] Optionally, the memory 2002 may be a read-only memory (ROM) or other type of static storage device capable of storing static information and instructions, random access memory (RAM) or other type of dynamic storage device capable of storing information and instructions, or electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compressed optical discs, laser discs, optical discs, digital universal optical discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium capable of carrying or storing desired program code in the form of instructions or data structures and accessible by a computer, but not limited thereto. The memory 2002 may be integrated with the processor 2001 or exist independently, and may be accessed through the interface circuit of the authentication device 2000. Figure 20 (Not shown in the image) is coupled to the processor 2001, and this embodiment does not specifically limit this.

[0434] Transceiver 2003 is used for communication with other authentication devices. For example, if authentication device 2000 is a terminal device, transceiver 2003 can be used to communicate with a network device or with another terminal device. As another example, if authentication device 2000 is a network device, transceiver 2003 can be used to communicate with a terminal device or with another network device.

[0435] Alternatively, transceiver 2003 may include a receiver and a transmitter. Figure 20 (Not shown separately). The receiver is used to implement the receiving function, and the transmitter is used to implement the sending function.

[0436] Optionally, the transceiver 2003 can be integrated with the processor 2001, or it can exist independently and be connected to the interface circuit of the authentication device 2000. Figure 20 (Not shown in the image) is coupled to the processor 2001, and this embodiment does not specifically limit this.

[0437] It should be noted that, Figure 20 The structure of the authentication device 2000 shown does not constitute a limitation on the authentication device. An actual authentication device may include more or fewer components than shown, or combine certain components, or have different component arrangements.

[0438] also, Figures 17-20The technical effects of the authentication device shown in any of the above methods can be referred to the technical effects of the authentication method described in the above method embodiments, and will not be repeated here.

[0439] This application provides a communication system. The communication system includes a terminal device, a first network element, and an authentication device.

[0440] It should be understood that the processor in the embodiments of this application can be a central processing unit (CPU), or it can be other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The general-purpose processor can be a microprocessor or any conventional processor.

[0441] It should also be understood that the memory in the embodiments of this application can be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. The volatile memory can be random access memory (RAM), which is used as an external cache. By way of example, but not limitation, many forms of random access memory (RAM) are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate synchronous DRAM (DDR SDRAM), enhanced synchronous DRAM (ESDRAM), synchronous linked DRAM (SLDRAM), and direct rambus RAM (DR RAM).

[0442] The above embodiments can be implemented, in whole or in part, by software, hardware (such as circuits), firmware, or any other combination thereof. When implemented using software, the above embodiments can be implemented, in whole or in part, in the form of a computer program product. The computer program product includes one or more computer instructions or computer programs. When the computer instructions or computer programs are loaded or executed on a computer, all or part of the processes or functions described in the embodiments of this application are generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can access or a data storage device such as a server or data center that includes one or more sets of available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. A semiconductor medium can be a solid-state drive.

[0443] It should be understood that the term "and / or" in this article is merely a description of the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A existing alone, A and B existing simultaneously, or B existing alone. A and B can be singular or plural. Additionally, the character " / " in this article generally indicates an "or" relationship between the preceding and following related objects, but it can also represent an "and / or" relationship. Please refer to the context for a more accurate understanding.

[0444] In this application, "at least one" means one or more, and "more than one" means two or more. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or multiple items. For example, at least one of a, b, or c can mean: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or multiple.

[0445] It should be understood that in the various embodiments of this application, the order of the above-mentioned processes does not imply the order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of this application.

[0446] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.

[0447] Those skilled in the art will understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.

[0448] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical, or other forms.

[0449] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0450] In addition, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.

[0451] If the aforementioned functions are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0452] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

Claims

1. An authentication method, characterized in that, Applied to the first network element, the method includes: Send first information to the terminal device, the first information being used to indicate the network slice that requires secondary authentication; Receive second information from the terminal device, the second information being used to indicate the application that needs to be authenticated, the second information including application information of the application corresponding to the network slice; Send the application information to the authentication device; The authentication result is received from the authentication device; the authentication result is determined based on the application information; the authentication result is used to generate detection rules; the detection rules are used to perform forwarding or discarding operations on the data of the application corresponding to the application information.

2. An authentication method, characterized in that, Applied to the first network element, the method includes: Send third information to the terminal device, the third information being used to indicate a Packet Data Unit (PDU) session that requires secondary authentication; The terminal device receives fourth information in response to the third information. The fourth information is used to indicate the application that needs to be authenticated. The fourth information includes application information of the application corresponding to the network slice associated with the PDU session. Send the application information to the authentication device; The authentication result is received from the authentication device; the authentication result is determined based on the application information; the authentication result is used to generate detection rules; the detection rules are used to perform forwarding or discarding operations on the data of the application corresponding to the application information.

3. The authentication method according to claim 1 or 2, characterized in that, The application information includes application identification information, and the authentication result includes the application identification information.

4. The authentication method according to claim 3, characterized in that, The application information also includes application authentication information.

5. The authentication method according to claim 3 or 4, characterized in that, The authentication result also includes authentication indication information, which is used to indicate whether the authentication operation for the application corresponding to the application information was successful.

6. The authentication method according to any one of claims 1-5, characterized in that, The first network element is the access and mobility management network element; The method further includes: The access and mobility management network element sends the authentication result to the session management network element.

7. The authentication method according to any one of claims 1-5, characterized in that, The first network element is a session management network element; The method further includes: The session management network element determines the detection rule based on the authentication result; The session management network element sends the detection rules to the user plane network element.

8. The authentication method according to claim 7, characterized in that, The session management network element determines the detection rules based on the authentication results, specifically including: The session management network element sends the authentication result to the policy control network element; The session management network element receives detection rules from the policy control network element.

9. An authentication method, characterized in that, Applied to a terminal device, the method includes: Receive first information from the first network element, the first information being used to indicate the network slice that requires secondary authentication; Send second information to the first network element. The second information is used to indicate the application that needs to be authenticated. The second information includes the application information of the application corresponding to the network slice. The application information is used to determine the authentication result. The authentication result is used to generate detection rules. The detection rules are used to perform forwarding or dropping operations on the data of the application corresponding to the application information.

10. An authentication method, characterized in that, Applied to a terminal device, the method includes: Receive third information from the first network element, the third information being used to indicate a Packet Data Unit (PDU) session that requires secondary authentication; A fourth message responding to the third message is sent to the first network element. The fourth message is used to indicate the application that needs to be authenticated. The fourth message includes application information of the application corresponding to the network slice associated with the PDU session. The application information is used to determine the authentication result. The authentication result is used to generate detection rules. The detection rules are used to perform forwarding or dropping operations on the data of the application corresponding to the application information.

11. The method according to claim 9 or 10, characterized in that, The method further includes: Receive the authentication result from the first network element.

12. An authentication device, characterized in that, The device includes: a receiving module and a transmitting module; wherein... The sending module is used to send first information to the terminal device, the first information being used to indicate the network slice that requires secondary authentication; The receiving module is used to receive second information from the terminal device. The second information is used to indicate the application that needs to be authenticated. The second information includes application information of the application corresponding to the network slice. The sending module is also used to send the application information to the authentication device; The receiving module is further configured to receive authentication results from the authentication device; the authentication results are determined based on the application information, the authentication results are used to generate detection rules, and the detection rules are used to perform forwarding or discarding operations on the data of the application corresponding to the application information.

13. An authentication device, characterized in that, The device includes: a receiving module and a transmitting module; wherein... The sending module is used to send third information to the terminal device, the third information being used to indicate a Packet Data Unit (PDU) session that requires secondary authentication; The receiving module is used to receive fourth information from the terminal device. The fourth information is used to indicate the application that needs to be authenticated. The fourth information includes application information of the application corresponding to the network slice associated with the PDU session. The sending module is also used to send the application information to the authentication device; The receiving module is further configured to receive authentication results from the authentication device; the authentication results are determined based on the application information, the authentication results are used to generate detection rules, and the detection rules are used to perform forwarding or discarding operations on the data of the application corresponding to the application information.

14. The authentication device according to claim 12 or 13, characterized in that, The application information includes application identification information, and the authentication result includes the application identification information.

15. The authentication device according to claim 14, characterized in that, The application information also includes application authentication information.

16. The authentication device according to claim 14 or 15, characterized in that, The authentication result also includes authentication indication information, which is used to indicate whether the authentication operation for the application corresponding to the application information was successful.

17. The authentication device according to any one of claims 12-16, characterized in that, The sending module is also used to send the authentication result to the session management network element.

18. The authentication device according to any one of claims 12-16, characterized in that, The device further includes: a processing module; wherein... The processing module is used to determine the detection rules based on the authentication result; The sending module is also used to send the detection rules to the user plane network elements.

19. The authentication device according to claim 18, characterized in that, The sending module is also used to send the authentication result to the policy control network element; The receiving module is also used to receive detection rules from the policy control network element.

20. An authentication device, characterized in that, The device includes: a receiving module and a transmitting module; wherein... The receiving module is used to receive first information from the first network element, the first information being used to indicate the network slice that requires secondary authentication; The sending module is used to send second information to the first network element. The second information is used to indicate the application that needs to be authenticated. The second information includes the application information of the application corresponding to the network slice. The application information is used to determine the authentication result. The authentication result is used to generate detection rules. The detection rules are used to perform forwarding or dropping operations on the data of the application corresponding to the application information.

21. An authentication device, characterized in that, The device includes: a receiving module and a transmitting module; wherein... The receiving module is used to receive third information from the first network element, the third information being used to indicate a Packet Data Unit (PDU) session that requires secondary authentication; The sending module is used to send fourth information to the first network element. The fourth information is used to indicate the application that needs to be authenticated. The fourth information includes application information of the application corresponding to the network slice associated with the PDU session. The application information is used to determine the authentication result. The authentication result is used to generate detection rules. The detection rules are used to perform forwarding or dropping operations on the data of the application corresponding to the application information.

22. The apparatus according to claim 20 or 21, characterized in that, The device further includes: a receiving module; wherein... The receiving module is used to receive the authentication result from the first network element.

23. An authentication device, characterized in that, include: Processor, the processor being coupled to memory; The processor is configured to execute a computer program stored in the memory, so that the authentication device performs the authentication method as described in any one of claims 1-11.

24. A computer-readable storage medium, characterized in that, The computer program or instructions are stored therein, which, when executed on a computer, cause the computer to perform the authentication method as described in any one of claims 1-11.

25. A computer program product, characterized in that, include: A computer program or instruction that, when executed on a computer, causes the computer to perform the authentication method as described in any one of claims 1-11.