Method and apparatus for 5G core network SEPP authenticating NF, device and medium
By using access tokens to check the legitimacy of cNFs in the 5G core network, the complexity and inefficiency of the existing SEPP authentication method are overcome, simplifying verification and improving the efficiency of the signaling proxy.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA TELECOM CORP LTD
- Filing Date
- 2021-12-21
- Publication Date
- 2026-06-23
AI Technical Summary
The existing SEPP authentication method in the 5G core network is complex and inefficient, which leads to a decrease in the efficiency of the signaling agent.
The identity and legitimacy of a cNF are checked using an access token. The cNF's registration information is synchronized through the cNRF, and the access token and its expiration time are cached in the pSEPP's check cache table, simplifying the verification process.
It simplifies the verification process, improves the efficiency of the signaling broker, and avoids the need for authentication messages to be transmitted indirectly between two PLMNs.
Abstract drawing: CN116321144B_ABST
Description
Technical Field
[0001] This disclosure relates to the field of communication technology, and in particular to a method, apparatus, device and medium for SEPP authentication of NF in a 5G core network.
Background Technology
[0002] The modern information society is becoming increasingly reliant on the internet, placing ever higher demands on network reliability and availability, particularly in fields such as security, finance, and data centers. In the 3GPP standard for 5G, a Security Edge Protection Proxy (SEPP) is added to enhance the security within each Public Land Mobile Network (PLMN). SEPP ensures the security of control plane messages between 5G network functions (NFs) across PLMNs, thereby protecting the PLMN network where it resides from external attacks.
[0003] The 3GPP TS 33.501 protocol specifies the functions and requirements of SEPP in detail. The existing authentication and authorization methods between SEPP and NF cover the physical layer, network layer and application layer.
[0004] In related technologies, when a consumer-side network function (cNF) in the consumer-side cPLMN (consumer's PLMN) needs to obtain services from a producer-side network function (pNF) in the producer-side pPLMN (producer's PLMN), the cNF first submits the service request message to the consumer-side Security Edge Protection Proxy (cSEPP). The cSEPP then forwards the service request message to the producer-side Security Edge Protection Proxy (pSEPP). The pSEPP authenticates and authorizes the message based on its PLMN ID and IP address. If authentication and authorization are successful, the message is forwarded to the internal pNF, which then provides the requested service to the cNF through the reverse path.
[0005] In other related technologies, Figure 1 shows the existing SEPP communication architecture topology. As shown in Figure 1, pSEPP sends a discovery request message to the cNRF (Network Repository Function) on the service consumer side. The cNRF checks whether the cNF that sent the service request message exists. If it exists, the cNF is considered valid, and a discovery success message is sent to pSEPP. pSEPP then determines whether to allow the service request message to pass based on the cache list on the service provider side.
[0006] It is evident that in related technologies the authentication of the network element identity of the cNF is based on the discovery message: the cNRF is queried for the cNF to establish its existence and legitimacy, and only after the verification succeeds is the signaling released. This method causes the discovery message to be transmitted in a roundabout way between the two PLMNs, which affects efficiency. In addition, pSEPP needs to maintain a signaling check table with many parameters, which greatly reduces the efficiency of the signaling proxy.
[0007] It should be noted that the information disclosed in the background section above is only used to enhance the understanding of the background of this disclosure, and therefore may include information that does not constitute prior art known to those skilled in the art.
Summary of the Invention
[0008] This disclosure provides a method, apparatus, device, and medium for SEPP authentication of NF in a 5G core network, which at least to some extent overcomes the problems of complex verification and low authentication efficiency of NF authentication methods provided in related technologies.
[0009] Other features and advantages of this disclosure will become apparent from the following detailed description, or may be learned in part from practice of this disclosure.
[0010] According to one aspect of this disclosure, a method for 5G core network SEPP authentication NF is provided, comprising:
[0011] When the Security Edge Protection Proxy (pSEPP) of the service provider receives a service request signaling message, it performs legality authentication on the network function (cNF) of the service consumer that sent the service request signaling message. The service request signaling message carries an access token (access_token) obtained by the registered cNF.
[0012] If authentication is successful, pSEPP forwards the service request signaling message to the corresponding service provider's network function (pNF) for processing.
[0013] In one embodiment of this disclosure, when the Security Edge Protection Proxy (pSEPP) of the service provider receives a service request signaling message, the step of authenticating the network function (cNF) of the service consumer that sent the service request signaling message includes:
[0014] Obtain the access_token carried in the service request signaling message and the current time of receiving the service request signaling message;
[0015] The check cache table stored in pSEPP is searched for the expiration time expires_in that matches the obtained access_token. The check cache table stores the correspondence between the access_tokens obtained by registered cNFs and their expires_in values.
[0016] Based on the relationship between the access_token carried in the service request signaling message and the access_token stored in the check cache table, and the relationship between the current time and expires_in, determine whether the cNF's validity authentication is successful.
[0017] In one embodiment of this disclosure, determining whether the CNF legitimacy authentication is successful based on the relationship between the access_token carried in the service request signaling message and the access_token stored in the cache table, as well as the relationship between the current time and expires_in, includes:
[0018] If the access_token exists in the check cache table and its current time is less than or equal to expires_in, then the CNF validity authentication is deemed successful.
[0019] In one embodiment of this disclosure, determining whether the CNF legitimacy authentication is successful based on the relationship between the access_token carried in the service request signaling message and the access_token stored in the cache table, as well as the relationship between the current time and expires_in, includes:
[0020] If the access_token does not exist in the check cache table, then the CNF validity authentication fails.
[0021] In one embodiment of this disclosure, determining whether the CNF legitimacy authentication is successful based on the relationship between the access_token carried in the service request signaling message and the access_token stored in the cache table, as well as the relationship between the current time and expires_in, includes:
[0022] If the access_token exists in the check cache table and the current time is greater than expires_in, then the CNF validity authentication fails.
[0023] In one embodiment of this disclosure, before the Security Edge Protection Proxy (pSEPP) of the service provider receives a service request signaling message and performs legitimacy authentication on the network function (cNF) of the service consumer that sent the service request signaling message, the method further includes:
[0024] When a request is received from a cNF to obtain an access token for accessing a pNF, the service provider's network repository function (pNRF) authenticates the cNF based on the cNF registration information synchronized by the service consumer's network repository function (cNRF), and returns a token acquisition response message to the authenticated cNF.
[0025] pSEPP intercepts the access_token and expires_in from the token acquisition response message and stores them in the check cache table.
[0026] In one embodiment of this disclosure, the method further includes:
[0027] If the CNF fails to authenticate, the service request signaling message is discarded.
[0028] According to another aspect of this disclosure, an apparatus for 5G core network SEPP authentication of NF is provided, comprising:
[0029] An authentication module, used to authenticate the legitimacy of the network function (cNF) of the service consumer that sent the service request signaling message when the Security Edge Protection Proxy (pSEPP) of the service provider receives the service request signaling message. The service request signaling message carries an access token (access_token) obtained by the registered cNF.
[0030] A processing module, used to forward the service request signaling message to the corresponding network function pNF of the service provider if the authentication is successful.
[0031] According to another aspect of this disclosure, an electronic device is provided, comprising: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the above-described method of 5G core network SEPP authentication NF by executing the executable instructions.
[0032] According to another aspect of this disclosure, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed by a processor, implements the above-described method for 5G core network SEPP authentication NF.
[0033] The embodiments of this disclosure provide a method, apparatus, device, and medium for SEPP authentication of NFs in a 5G core network. The method has pSEPP check the identity and legitimacy of the cNF using an access token, replacing the multi-layer parameter combination check method. This greatly simplifies the verification complexity and effectively improves the efficiency of the signaling proxy.
[0034] Furthermore, the 5G core network SEPP authentication method, apparatus, device, and medium provided in the embodiments of this disclosure synchronize the registration information of the cNF to the pNRF through the cNRF, enabling the cNF to submit identity authentication to the pNRF. At the same time, the pSEPP intercepts the token and token validity period in the identity authentication return result and caches them in the pSEPP's check cache table for use in verifying the legitimacy of subsequent service request signaling messages initiated by the cNF to the pNF, thereby avoiding the roundabout transmission of authentication messages between the two PLMNs and improving authentication efficiency.
[0035] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and are not intended to limit this disclosure.
Brief Description of the Drawings
[0036] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this disclosure and, together with the description, serve to explain the principles of this disclosure. It is obvious that the drawings described below are merely some embodiments of this disclosure, and those skilled in the art can obtain other drawings based on these drawings without any inventive effort.
[0037] Figure 1 shows a topology diagram of the existing SEPP communication architecture;
[0038] Figure 2 shows a topology diagram of the SEPP communication architecture in an embodiment of this disclosure;
[0039] Figure 3 shows a flowchart of a method for SEPP authentication of NF in a 5G core network according to an embodiment of this disclosure;
[0040] Figure 4 illustrates a method for SEPP authentication of NF in a 5G core network according to yet another embodiment of this disclosure;
[0041] Figure 5 illustrates a method for SEPP authentication of NF in a 5G core network according to another embodiment of this disclosure;
[0042] Figure 6 illustrates an apparatus for SEPP authentication of NF in a 5G core network according to an embodiment of this disclosure;
[0043] Figure 7 shows a structural block diagram of an electronic device according to an embodiment of this disclosure.
Detailed Description
[0044] Exemplary embodiments will now be described more fully with reference to the accompanying drawings. However, these exemplary embodiments can be implemented in many forms and should not be construed as limited to the examples set forth herein; rather, they are provided so that this disclosure will be more comprehensive and complete, and will fully convey the concept of the exemplary embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
[0045] Furthermore, the accompanying drawings are merely illustrative of this disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and therefore repeated descriptions of them will be omitted. Some block diagrams shown in the drawings are functional entities and do not necessarily correspond to physically or logically independent entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different network and / or processor devices and / or microcontroller devices.
[0046] According to the 5G security architecture and process protocol TS 3GPP 33501-g30, there are a large number of network functions (NFs) in the 5G core network, and NFs communicate extensively using the HTTP/2 protocol. In existing technologies, when the service provider's pSEPP receives a service request message from a service consumer's cNF, it obtains parameters such as the cNF's NF ID, IP address, and slice from the service request message. Based on these parameters, it determines whether the cNF's NF ID exists in the verified NF check cache table.
[0047] If it does not exist, pSEPP assembles the obtained parameters into a cNF Nnrf_NFDiscovery_Request message, sends it to the service consumer's cNRF and obtains the discovery result. If the cNF is found, the cNF parameters are stored in the verified NF check cache table.
[0048] If it exists, pSEPP forwards the original message from the cNF to the pNF on the service provider side and refreshes the corresponding timer in the check table.
[0049] In existing technologies, pSEPP needs to send the Discovery request message used for cNF authentication to the cSEPP on the service consumer side, which then forwards it to the cNRF to obtain the discovery result. If the cNF is found in the cNRF, the cNF is considered valid; otherwise, it is invalid. The authentication message is transmitted in a roundabout way between two PLMNs, resulting in a long path. At the same time, pSEPP needs to maintain a multi-layered check cache table with many parameter combinations, which increases the complexity of verification.
[0050] To address the problems of complex and inefficient authentication in existing technologies, Figure 2 shows a topology diagram of an exemplary SEPP communication architecture to which the SEPP authentication NF method or apparatus in embodiments of this disclosure can be applied.
[0051] As shown in Figure 2, the SEPP communication architecture includes PLMN (Public Land Mobile Network), NRF (Network Repository Function), NF (Network Function), and SEPP (Security Edge Protection Proxy). PLMN includes pPLMN (producer's PLMN) on the service provider side and cPLMN (consumer's PLMN) on the service consumer side. NRF includes pNRF (producer's NRF) on the service provider side and cNRF (consumer's NRF) on the service consumer side. NF includes pNF (producer's NF) on the service provider side and cNF (consumer's NF) on the service consumer side. SEPP includes pSEPP (producer's SEPP) on the service provider side and cSEPP (consumer's SEPP) on the service consumer side.
[0052] Specifically, the NRF acts as the NF registration and discovery center within the 5G system, and also serves as the NF authentication center. On the one hand, the NRF performs registration authentication during NF registration, and on the other hand, it provides access tokens to the requesting NF for authentication during NF discovery.
[0053] On the service provider side, the pNRF issues an access token to the cNF that has registered. After the cNF obtains the access token, pSEPP performs legality authentication of the cNF against the check cache table stored in pSEPP, and then processes the service request signaling message according to the authentication result.
[0054] In this application, the registration information of the cNF is synchronized to the pNRF via the cNRF, enabling the cNF to submit identity authentication to the pNRF. At the same time, the pSEPP intercepts the access token and token expiration time (expires_in) in the identity authentication result and caches them in the pSEPP's check cache table. This cache is used to verify the legitimacy of subsequent service request signaling messages initiated by the cNF to the pNF, thereby avoiding the roundabout transmission of authentication messages between the two PLMNs and improving authentication efficiency.
[0055] The following detailed description of this exemplary implementation method is provided in conjunction with the accompanying drawings and embodiments.
[0056] First, this disclosure provides a method for SEPP authentication of NF, which can be executed by any system with computing power.
[0057] Figure 3 shows a flowchart of a method for SEPP authentication of NF according to an embodiment of this disclosure. As shown in Figure 3, in the embodiments of this disclosure the SEPP authentication NF method includes the following steps:
[0058] S302. When the Security Edge Protection Proxy (pSEPP) of the service provider receives a service request signaling message, it performs legality authentication on the network function (cNF) of the service consumer that sent the service request signaling message. The service request signaling message carries an access token (access_token) obtained by the registered cNF.
[0059] In this embodiment, the cNF uses the standard process of NF Management NF Registration (Nnrf_NFManagement_NFRegister) to apply for registration with the cNRF. After receiving the registration request message sent by the cNF, the cNRF registers the registration information of the cNF, generates a registration information table, and forwards the cNF's Nnrf_NFManagement_NFRegister registration information to the pNRF. At this time, the pNRF stores the registration information of the cNF.
[0060] When a cNF initiates a standard token acquisition request (Nnrf_AccessToken_Get Request) message to obtain an access token (access_token) for accessing a pNF, both the cNRF and pNRF receive the cNF's token acquisition request message and perform standard OAuth 2.0 authentication on the cNF. If the cNF already exists in the registration information table, the cNF has completed registration, and the pNRF returns an access token acquisition response (Nnrf_AccessToken_Get Response) message to the cNF. The token acquisition response message carries the access token (access_token) and the token expiration time (expires_in). Simultaneously, pSEPP intercepts the access_token and expires_in from the token acquisition response message and saves or updates the access_token and expires_in in the check cache table. At this point, the cNF can initiate a normal service request signaling message to the pNF, carrying the access_token it obtained.
[0061] When pSEPP receives a service request signaling message initiated by a cNF, pSEPP determines the legitimacy of the cNF's identity by comparing the access_token carried in the service request signaling message with the access_tokens of registered cNFs stored in the check cache table, and by checking the relationship between the expires_in stored in the table and the current time at which the service request signaling message was received.
[0062] S304. If authentication is successful, pSEPP forwards the service request signaling message to the corresponding network function pNF of the service provider for processing.
[0063] In this embodiment, if the access_token carried in the service request signaling message matches an access_token of a registered cNF stored in the check cache table, and the current time at which the service request signaling message was received does not exceed the expires_in stored in the check cache table, the authentication is deemed successful, meaning the cNF's identity is legitimate. The pSEPP forwards the service request signaling message to the pNF, and the pNF processes the service request signaling message normally. If the access_token carried in the service request signaling message does not match any access_token stored in the check cache table, or the current time exceeds the stored expires_in, the authentication is deemed unsuccessful, meaning the cNF's identity is illegitimate, and the pSEPP discards the service request signaling message.
[0064] The embodiments of this disclosure provide a method for SEPP authentication of NFs in a 5G core network. This method synchronizes the registration information of the cNF to the pNRF via the cNRF, enabling the cNF to submit identity authentication to the pNRF. Simultaneously, the pSEPP intercepts the access_token and expires_in from the authentication result and caches them in the pSEPP's check cache table. This cache is used for verifying the legitimacy of subsequent service request signaling messages initiated by the cNF to the pNF, thereby avoiding the roundabout transmission of authentication messages between the two PLMNs and improving authentication efficiency. The pSEPP uses a token-based method to check the identity legitimacy of the cNF, replacing the multi-layer parameter combination check method, which greatly simplifies the verification complexity and effectively improves the efficiency of the signaling broker.
[0065] In one embodiment of this disclosure, as shown in Figure 4, in step S302, when the Security Edge Protection Proxy (pSEPP) of the service provider receives a service request signaling message, it performs legitimacy authentication on the network function (cNF) of the service consumer that sent the service request signaling message. Specifically, this includes:
[0066] S402. Obtain the access_token of the registered cNF carried in the service request signaling message, and the current time at which the service request signaling message was received;
[0067] S404. According to the check cache table stored in pSEPP, find the token expiration time expires_in that matches the obtained access_token. The check cache table stores the correspondence between the access_token obtained by the registered cNF and expires_in.
[0068] S406. Based on the relationship between the access_token carried in the service request signaling message and the access_token stored in the check cache table, and the relationship between the current time and expires_in, determine whether the cNF validity authentication is successful.
[0069] Specifically, when pSEPP receives a service request signaling message from a cNF, pSEPP obtains the cNF's access_token carried in the service request signaling message and the current time at which pSEPP received the service request signaling message. pSEPP then looks up the stored check cache table to obtain the lookup result, which indicates whether or not the access_token exists in the check cache table.
[0070] When the access_token carried in the received service request signaling message already exists in the check cache table, it is also necessary to determine whether the access_token has expired, based on the relationship between the current time at which the service request signaling message was received and the expires_in stored in the check cache table. By further verifying expires_in, the security of information transmission can be effectively guaranteed.
[0071] Specifically, step S406 determines whether the CNF validity authentication has passed based on the relationship between the access_token carried in the service request signaling message and the access_token stored in the cache table, as well as the relationship between the current time and expires_in. This includes:
[0072] If the access_token exists in the check cache table and the current time is less than or equal to expires_in, then the CNF validity authentication is considered successful.
[0073] When pSEPP finds the access_token of a CNF in the check cache table, and the current time is less than or equal to the expires_in stored in the check cache table, the access_token is valid and has not expired. This indicates that the CNF's authentication is legitimate, and pSEPP forwards the service request signaling message to the corresponding pNF for processing.
[0074] The 5G core network SEPP authentication method for NFs provided in this embodiment obtains the access_token of the cNF carried in the service request signaling message and the current time when the service request signaling message is received by looking up a table. The identity of the cNF is determined to be legitimate only if the access_token exists in the check cache table and the access_token has not expired, thereby improving the security of information transmission.
[0075] In one embodiment of this disclosure, step S406 determines whether the CNF validity authentication has passed based on the relationship between the access_token carried in the service request signaling message and the access_token stored in the cache table, as well as the relationship between the current time and expires_in. This includes:
[0076] If the access_token does not exist in the check cache table, then the CNF validity authentication fails.
[0077] Specifically, when a cNF obtains an access_token and immediately sends a service request signaling message, there may be a situation where pSEPP has not yet stored the access_token and expires_in obtained by the cNF in the check cache table, or has not yet had time to update the cNF's access_token. In this case the table lookup does not find the access_token, i.e. the access_token does not exist in the check cache table, and the cNF's validity authentication is deemed to have failed.
[0078] In one embodiment of this disclosure, step S406 determines whether the CNF validity authentication has passed based on the relationship between the access_token carried in the service request signaling message and the access_token stored in the cache table, as well as the relationship between the current time and expires_in. This includes:
[0079] If the access_token exists in the check cache table and the current time is greater than expires_in, then the CNF validity authentication fails.
[0080] When the CNF fails the authentication, the CNF re-initiates a standard token acquisition request message to obtain the access token from the pNF. The pNRF then returns a token acquisition response message to the CNF. The pSEPP intercepts the access_token and expires_in from the token acquisition response message and saves or updates the access_token and expires_in in the check cache table. At this point, the CNF can re-initiate a normal service request signaling message to the pNF.
[0081] The 5G core network SEPP authentication method for NFs provided in this embodiment obtains the access_token acquired by the CNF carried in the service request signaling message and the current time when the service request signaling message is received by looking up a table. When the access_token exists in the check cache table but has expired, or when the access_token does not exist in the check cache table, the CNF's authentication is determined to be unsuccessful, the service request signaling message is discarded, and the CNF obtains the access token again. Only after successful authentication can information transmission be carried out, effectively improving the security of information transmission.
[0082] To authenticate the legitimacy of a cNF, this application compares the access_token carried in the service request signaling message with the access_token and expires_in obtained by registered cNFs and stored in pSEPP. In one embodiment of this disclosure, as shown in Figure 5, before the Security Edge Protection Proxy (pSEPP) on the service provider side receives a service request signaling message and performs legitimacy authentication on the network function (cNF) of the service consumer side that sent the service request signaling message, the method further includes:
[0083] S502. When a request is received from a cNF to obtain an access token for accessing a pNF, the service provider's network repository function pNRF authenticates the cNF based on the cNF registration information synchronized by the cNRF, and returns a token acquisition response message to the authenticated cNF.
[0084] S504. pSEPP intercepts the access_token and expires_in from the token acquisition response message and stores them in the check cache table.
[0085] Specifically, cNF registers with cNRF using the standard NF Management NF Registration (Nnrf_NFManagement_NFRegister);
[0086] When cNRF receives a registration request from a cNF, it registers the cNF information, generates a registration information table, and forwards the cNF's Nnrf_NFManagement_NFRegister to pNRF. pSEPP allows the signaling messages for the registration process without performing application layer checks.
[0087] When the cNF initiates a standard token acquisition request (Nnrf_AccessToken_Get Request) message to request an access token for accessing the pNF, both the cNRF and pNRF perform standard OAuth 2.0 authentication on the cNF. If the authentication of the cNF is successful, the pNRF returns a token acquisition response (Nnrf_AccessToken_Get Response) message to the cNF. At the same time, pSEPP intercepts the parameters of the token acquisition response message that successfully returns the access_token, extracts the cNF's access_token and expires_in from the token acquisition response message, and saves or updates the access_token and expires_in in the pSEPP's check cache table for later use.
[0088] The 5G core network SEPP authentication method provided in this embodiment synchronizes the registration information of the cNF to the pNRF, enabling the identity authentication of the cNF to be completed within the pPLMN without the need to forward authentication messages across PLMNs, thus improving authentication efficiency. The pSEPP intercepts the token to obtain the access_token and expires_in parameters in the response message, and uses these two parameters to construct a signaling verification check cache table. The access_token is used as the authentication core to replace the authentication mechanism based on Discovery messages, thereby improving effectiveness.
[0089] In one embodiment of this disclosure, the method further includes:
[0090] If the cNF's validity authentication fails, the service request signaling message is discarded.
[0091] Specifically, if the access_token obtained by the cNF does not exist in the pSEPP's check cache table, or if it exists in the check cache table but has expired, the cNF's validity authentication fails and the pSEPP discards the service request signaling message without further processing.
[0092] The embodiments of this disclosure provide a method for SEPP authentication of NFs in a 5G core network. This method synchronizes the registration information of the cNF to the pNRF via the cNRF, enabling the cNF to submit identity authentication to the pNRF. Simultaneously, the pSEPP intercepts the access_token and expires_in from the authentication result and caches them in the pSEPP's check cache table. This cache is used to verify the legitimacy of subsequent service request signaling messages initiated by the cNF to the pNF, thereby avoiding the roundabout transmission of authentication messages between the two PLMNs and improving authentication efficiency. Using pSEPP to check the identity legitimacy of the cNF via the access_token instead of a multi-layer parameter combination check method greatly simplifies the verification complexity and effectively improves the efficiency of the signaling proxy.
[0093] To facilitate a further understanding of the SEPP authentication NF method disclosed herein, the method is described below with reference to Figure 2.
[0094] The cNF registers with the cNRF using the standard NF management registration service operation (Nnrf_NFManagement_NFRegister);
[0095] When the cNRF receives a registration request from a cNF, it registers the cNF information, generates a registration information table, and forwards the cNF's Nnrf_NFManagement_NFRegister to the pNRF. The pSEPP passes the signaling messages of the registration procedure through without performing application-layer checks.
[0096] When the cNF sends a standard token acquisition request (Nnrf_AccessToken_Get Request) message to request an access_token for accessing the pNF, both the cNRF and the pNRF perform standard OAuth 2.0 authentication of the cNF. If the authentication of the cNF succeeds, the pNRF returns a token acquisition response (Nnrf_AccessToken_Get Response) message to the cNF. At the same time, the pSEPP intercepts the parameters of the token acquisition response message that successfully delivers the access_token, extracts the cNF's access_token and expires_in from that message, and saves or updates the access_token and expires_in in the pSEPP's check cache table for later use.
[0097] The cNF sends a service request signaling message to the pNF, carrying the access_token obtained by the registered cNF. The pSEPP checks the access_token in the service request signaling message. If the access_token exists in the check cache table and has not expired, the service request signaling message is forwarded to the pNF, which processes it on receipt. If the access_token does not exist in the check cache table, or exists in the check cache table but has expired, the service request signaling message is discarded and no further processing is performed.
[0098] Based on the same inventive concept, this disclosure also provides a device for 5G core network SEPP authentication NF, as described in the following embodiments. Since the principle by which this device embodiment solves the problem is similar to that of the above method embodiments, the implementation of this device embodiment can refer to the implementation of the above method embodiments, and repeated details will not be elaborated further.
[0099] Figure 6 illustrates a device for SEPP authentication of NFs in a 5G core network according to an embodiment of this disclosure. As shown in Figure 6, the device includes an authentication module 601 and a processing module 602, wherein:
[0100] Authentication module 601 is used to perform validity authentication of the service consumer's network function (cNF) that sent a service request signaling message when the service provider's Security Edge Protection Proxy (pSEPP) receives that message. The service request signaling message carries an access token (access_token) obtained by the registered cNF.
[0101] The processing module 602 is used to forward the service request signaling message to the corresponding network function pNF of the service provider if the authentication is successful.
[0102] In one embodiment of this disclosure, the authentication module 601 includes an acquisition module, a matching module, and a comparison module (not shown in the figures), wherein:
[0103] The acquisition module is used to obtain the access_token carried in the service request signaling message (the access_token obtained by the registered cNF) and the current time at which the service request signaling message was received;
[0104] The matching module is used to look up, in the check cache table stored in the pSEPP, the expiry (expires_in) that corresponds to the obtained access_token. The check cache table stores the correspondence between the access_tokens obtained by registered cNFs and their expires_in values.
[0105] The comparison module is used to determine whether the cNF's validity authentication has passed by checking the relationship between the access_token carried in the service request signaling message and the access_tokens stored in the check cache table, and the relationship between the current time and expires_in.
[0106] In one embodiment of this disclosure, the comparison module is specifically configured to determine that the cNF's validity authentication succeeds if the access_token exists in the check cache table and the current time is less than or equal to expires_in.
[0107] In one embodiment of this disclosure, the comparison module is further configured to determine that the cNF's validity authentication fails if the access_token does not exist in the check cache table.
[0108] In one embodiment of this disclosure, the comparison module is further configured to determine that the cNF's validity authentication fails if the access_token exists in the check cache table but the current time is greater than expires_in.
[0109] In one embodiment of this disclosure, the apparatus further includes a token acquisition module and an interception module (not shown in the figures), wherein:
[0110] The token acquisition module is used by the service provider's network repository function (pNRF) to authenticate the cNF, based on the cNF registration information synchronized by the cNRF, when a request is received from the cNF to obtain an access_token for accessing the pNF, and to return a token acquisition response message to the authenticated cNF;
[0111] The interception module is used by the pSEPP to intercept the access_token and expires_in in the token acquisition response message and store them in the check cache table.
[0112] In one embodiment of this disclosure, the processing module is further configured to discard the service request signaling message if the cNF's validity authentication fails.
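The following is an added worked example, not code from the patent or its assignee. It models the Figure 2 flow of paragraphs [0094]-[0097] (pSEPP intercepts the token acquisition response, fills the check cache table, then checks each service request) and the acquisition, matching, comparison and processing modules of [0100]-[0112]. Two assumptions are not stated in the patent: the Nnrf_AccessToken_Get response body is taken to have the OAuth 2.0 JSON shape with access_token and an expires_in lifetime in seconds, so the table stores an absolute expiry computed at interception time; and the service request is taken to carry the token in an HTTP Authorization: Bearer header. All class, function and token names are invented for illustration.

```python
"""
Added example (not code from the patent or from China Telecom): a minimal,
runnable model of the pSEPP check cache table and the token check described
in paragraphs [0094]-[0097], decomposed into the modules of [0100]-[0112].

Assumptions not stated in the patent:
  * the Nnrf_AccessToken_Get response body has the OAuth 2.0 JSON shape
    {"access_token": "...", "token_type": "Bearer", "expires_in": N}, where
    expires_in is a lifetime in seconds; the table therefore stores the
    absolute expiry computed when the response is intercepted;
  * the service request carries the token in an HTTP
    "Authorization: Bearer <token>" header;
  * every class, function and token name below is invented for illustration.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class CheckCacheTable:
    """pSEPP check cache table: access_token -> absolute expiry (epoch seconds)."""
    entries: Dict[str, float] = field(default_factory=dict)

    def intercept_token_response(self, body: bytes, now: float) -> Optional[str]:
        """S504 / interception module: take access_token and expires_in from a
        successful token acquisition response and save or update the entry.
        Returns the cached token, or None when the body is not a successful
        token response (error body, missing or bad fields), in which case
        nothing is cached."""
        try:
            doc = json.loads(body)
        except ValueError:
            return None
        if not isinstance(doc, dict):
            return None
        token = doc.get("access_token")
        expires_in = doc.get("expires_in")
        if not isinstance(token, str) or not token:
            return None
        if isinstance(expires_in, bool) or not isinstance(expires_in, (int, float)) or expires_in <= 0:
            return None
        self.entries[token] = now + float(expires_in)  # expires_in is a duration
        return token

    def authenticate(self, token: Optional[str], now: float) -> str:
        """Matching + comparison modules ([0104]-[0108]).
        'ok'            : token present and now <= expiry   (claim 3)
        'unknown_token' : token absent from the table        (claim 4)
        'expired'       : token present but now > expiry     (claim 5)"""
        if token is None or token not in self.entries:
            return "unknown_token"
        if now > self.entries[token]:
            del self.entries[token]  # evict so the table does not grow unbounded
            return "expired"
        return "ok"


def bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Acquisition module: pull the access_token out of the service request."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def psepp_handle_service_request(cache: CheckCacheTable, headers: Dict[str, str], now: float) -> str:
    """Processing module: 'forward' to the pNF on success, otherwise 'discard'."""
    return "forward" if cache.authenticate(bearer_token(headers), now) == "ok" else "discard"


def demo() -> Dict[str, str]:
    """Walk the Figure 2 flow with constructed messages and a fixed clock."""
    t0 = 1_700_000_000.0
    cache = CheckCacheTable()
    # Constructed pNRF token acquisition response, intercepted by pSEPP.
    ok_resp = json.dumps({"access_token": "tok-cnf-1", "token_type": "Bearer",
                          "expires_in": 600}).encode()
    cache.intercept_token_response(ok_resp, now=t0)
    # A rejected token request must leave the table untouched.
    cache.intercept_token_response(b'{"error": "invalid_client"}', now=t0)

    hdr = {"Authorization": "Bearer tok-cnf-1"}
    return {
        "valid": psepp_handle_service_request(cache, hdr, now=t0 + 10),
        "at_expiry": psepp_handle_service_request(cache, hdr, now=t0 + 600),
        "expired": psepp_handle_service_request(cache, hdr, now=t0 + 601),
        "unknown": psepp_handle_service_request(cache, {"Authorization": "Bearer tok-forged"}, now=t0 + 10),
        "missing": psepp_handle_service_request(cache, {}, now=t0 + 10),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:10s} -> {verdict}")
```

The patent's "current time less than or equal to expires_in" comparison is implemented against the stored absolute expiry, so a request arriving exactly at the expiry instant is still forwarded and one arriving a second later is discarded, as in claims 3 and 5. As the patent describes it, the check establishes only that the pSEPP saw the token issued and that it has not expired; the table keys on the token string alone and records nothing about which cNF or which pNF the token was issued for, and the example does the same.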
[0113] Those skilled in the art will understand that various aspects of the present invention can be implemented as systems, methods, or program products. Therefore, various aspects of the present invention can be specifically implemented in the following forms: entirely hardware implementations, entirely software implementations (including firmware, microcode, etc.), or implementations combining hardware and software aspects, collectively referred to herein as “circuits,” “modules,” or “systems.”
[0114] This embodiment provides a method and apparatus for SEPP authentication of NFs in a 5G core network. The method synchronizes the registration information of the cNF to the pNRF via the cNRF, enabling the cNF to submit identity authentication to the pNRF. Simultaneously, the pSEPP intercepts the access_token and expires_in from the authentication result and caches them in the pSEPP's check cache table. This is used for verifying the legitimacy of subsequent service request signaling messages initiated by the cNF to the pNF, thereby avoiding the roundabout transmission of authentication messages between the two PLMNs and improving authentication efficiency. Using pSEPP to check the identity legitimacy of the cNF via the access_token method, instead of a multi-layer parameter combination check method, greatly simplifies the verification complexity and effectively improves the efficiency of the signaling proxy.
[0115] An electronic device 700 according to this embodiment of the present invention is described below with reference to Figure 7. The electronic device 700 shown in Figure 7 is merely an example and should not impose any limitation on the functionality or scope of use of the embodiments of the present invention.
[0116] As shown in Figure 7, the electronic device 700 takes the form of a general-purpose computing device. The components of the electronic device 700 may include, but are not limited to: at least one processing unit 710, at least one storage unit 720, and a bus 730 connecting the different system components (including the storage unit 720 and the processing unit 710).
[0117] The storage unit stores program code that can be executed by the processing unit 710, causing the processing unit 710 to perform the steps described in the "Exemplary Methods" section of this specification according to various exemplary embodiments of the present invention. For example, the processing unit 710 can perform the steps shown in Figure 3: when the service provider's Security Edge Protection Proxy (pSEPP) receives a service request signaling message, it performs validity authentication of the service consumer's network function (cNF) that sent the message. The service request signaling message carries an access token (access_token) obtained by the registered cNF. If the authentication succeeds, the pSEPP forwards the service request signaling message to the corresponding service provider's network function (pNF) for processing.
[0118] Storage unit 720 may include a readable medium in the form of a volatile storage unit, such as random access memory (RAM) 7201 and / or cache memory 7202, and may further include a read-only memory (ROM) 7203.
[0119] The storage unit 720 may also include a program / utility 7204 having a set (at least one) program module 7205, such program module 7205 including but not limited to: an operating system, one or more application programs, other program modules and program data, each or some combination of these examples may include an implementation of a network environment.
[0120] Bus 730 can represent one or more of several types of bus structures, including a storage unit bus or storage unit controller, a peripheral bus, a graphics acceleration port, a processing unit, or a local bus using any of a variety of bus architectures.
[0121] Electronic device 700 can also communicate with one or more external devices 740 (e.g., keyboard, pointing device, Bluetooth device, etc.), with one or more devices that enable a user to interact with electronic device 700, and / or with any device that enables electronic device 700 to communicate with one or more other computing devices (e.g., router, modem, etc.). This communication can be performed via input / output (I / O) interface 750. Furthermore, electronic device 700 can also communicate with one or more networks (e.g., a local area network (LAN), a wide area network (WAN), and / or a public network such as the Internet) via network adapter 760. As shown, network adapter 760 communicates with the other modules of electronic device 700 via bus 730. It should be understood that, although not shown in the figures, other hardware and / or software modules can be used in conjunction with electronic device 700, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
[0122] From the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, terminal device, or network device, etc.) to execute the methods according to the embodiments of this disclosure.
[0123] In exemplary embodiments of this disclosure, a computer-readable storage medium is also provided, on which a program product capable of implementing the methods described above is stored. In some possible embodiments, various aspects of the invention may also be implemented as a program product comprising program code that, when the program product is run on a terminal device, causes the terminal device to perform the steps of the various exemplary embodiments of the invention described in the "Exemplary Methods" section of this specification.
[0124] A program product for implementing the above-described method according to embodiments of the present invention is described. This product may employ a portable compact disc read-only memory (CD-ROM) and include program code, and may run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited thereto. In this document, the readable storage medium may be any tangible medium containing or storing a program that may be used by or in conjunction with an instruction execution system, apparatus, or device.
[0125] The program product may employ any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of readable storage media (a non-exhaustive list) include: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof.
[0126] Computer-readable signal media may include data signals propagated in baseband or as part of a carrier wave, carrying readable program code. Such propagated data signals may take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A readable signal medium may also be any readable medium other than a readable storage medium, capable of sending, propagating, or transmitting programs for use by or in conjunction with an instruction execution system, apparatus, or device.
[0127] The program code contained on the readable medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical fiber, RF, etc., or any suitable combination thereof.
[0128] Program code for performing the operations of this invention can be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, and conventional procedural programming languages such as C or similar languages. The program code can execute entirely on the user's computing device, partially on the user's computing device, as a standalone software package, partially on the user's computing device and partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).
[0129] It should be noted that although several modules or units for the device used to perform actions have been mentioned in the detailed description above, this division is not mandatory. In fact, according to embodiments of this disclosure, the features and functions of two or more modules or units described above can be embodied in one module or unit. Conversely, the features and functions of one module or unit described above can be further divided and embodied by multiple modules or units.
[0130] Furthermore, although the steps of the method in this disclosure are described in a specific order in the accompanying drawings, this does not require or imply that the steps must be performed in that specific order, or that all the steps shown must be performed to achieve the desired result. Additional or alternative steps may be omitted, multiple steps may be combined into one step, and / or a step may be broken down into multiple steps.
[0131] From the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, mobile terminal, or network device, etc.) to execute the methods according to the embodiments of this disclosure.
[0132] Other embodiments of this disclosure will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of this disclosure that follow the general principles of this disclosure and include common knowledge or customary techniques in the art not disclosed herein. The specification and examples are to be considered exemplary only, and the true scope and spirit of this disclosure are indicated by the appended claims.
Claims
1. A method for SEPP authentication of NFs in a 5G core network, characterized in that it includes: when a request is received from a cNF to obtain an access token for accessing a pNF, the service provider's network repository function (pNRF) authenticates the cNF based on the cNF registration information synchronized by the service consumer's network repository function (cNRF), and returns a token acquisition response message to the authenticated cNF; the pSEPP intercepts the access_token and expires_in from the token acquisition response message and stores them in a check cache table; when the service provider's Security Edge Protection Proxy (pSEPP) receives a service request signaling message, it performs validity authentication, based on the check cache table, of the service consumer's network function (cNF) that sent the service request signaling message, the service request signaling message carrying an access token (access_token) obtained by the registered cNF; and if the authentication succeeds, the pSEPP forwards the service request signaling message to the corresponding service provider's network function (pNF) for processing.
2. The method according to claim 1, characterized in that performing validity authentication, based on the check cache table, of the service consumer's network function (cNF) that sent the service request signaling message when the service provider's Security Edge Protection Proxy (pSEPP) receives the service request signaling message includes: obtaining the access_token carried in the service request signaling message and the current time at which the service request signaling message was received; looking up, in the check cache table stored in the pSEPP, the expiry expires_in that corresponds to the obtained access_token, the check cache table storing the correspondence between access_tokens obtained by registered cNFs and their expires_in values; and determining whether the cNF's validity authentication succeeds based on the relationship between the access_token carried in the service request signaling message and the access_tokens stored in the check cache table, and the relationship between the current time and expires_in.
3. The method according to claim 2, characterized in that determining whether the cNF's validity authentication succeeds based on the relationship between the access_token carried in the service request signaling message and the access_tokens stored in the check cache table, and the relationship between the current time and expires_in, includes: if the access_token exists in the check cache table and the current time is less than or equal to expires_in, determining that the cNF's validity authentication succeeds.
4. The method according to claim 2, characterized in that determining whether the cNF's validity authentication succeeds based on the relationship between the access_token carried in the service request signaling message and the access_tokens stored in the check cache table, and the relationship between the current time and expires_in, includes: if the access_token does not exist in the check cache table, determining that the cNF's validity authentication fails.
5. The method according to claim 2, characterized in that determining whether the cNF's validity authentication succeeds based on the relationship between the access_token carried in the service request signaling message and the access_tokens stored in the check cache table, and the relationship between the current time and expires_in, includes: if the access_token exists in the check cache table and the current time is greater than expires_in, determining that the cNF's validity authentication fails.
6. The method according to any one of claims 1 to 5, characterized in that the method further includes: if the cNF's validity authentication fails, discarding the service request signaling message.
7. A device for SEPP authentication of NFs in a 5G core network, characterized in that it includes: a token acquisition module, used by the service provider's network repository function (pNRF) to authenticate the cNF, based on the cNF registration information synchronized by the cNRF, when a request is received from the cNF to obtain an access_token for accessing the pNF, and to return a token acquisition response message to the authenticated cNF; an interception module, used by the pSEPP to intercept the access_token and expires_in in the token acquisition response message and store them in a check cache table; an authentication module, used to perform validity authentication, based on the check cache table, of the service consumer's network function (cNF) that sent a service request signaling message when the service provider's Security Edge Protection Proxy (pSEPP) receives the service request signaling message, the service request signaling message carrying an access token (access_token) obtained by the registered cNF; and a processing module, used to forward the service request signaling message to the corresponding service provider's network function (pNF) if the authentication succeeds.
8. An electronic device, characterized in that, include: processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the method of 5G core network SEPP authentication NF as described in any one of claims 1-6 by executing the executable instructions.
9. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the 5G core network SEPP authentication NF method as described in any one of claims 1-6.