MEC authentication between an AKMA based edge enabler client and an edge configuration or enabler server

By generating a K-edge key in the UE and combining it with EEC ID and KAKMA, the problem that AKMA authentication cannot support multiple edge enabler clients is solved, enabling flexible and efficient authentication for edge applications.

CN117203999B · Active · Publication Date: 2026-06-23 · APPLE INC

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: APPLE INC
Filing Date: 2021-05-10
Publication Date: 2026-06-23

AI Technical Summary

Technical Problem

In existing wireless communication systems for edge applications, AKMA authentication cannot effectively support the authentication of multiple edge enabler clients, resulting in a complex and inflexible authentication process.

Method used

By introducing the AKMA authentication mechanism, combining the EEC ID and KAKMA, a K-edge key is generated to achieve authentication between the EEC and ECS/EAS, ensuring that each UE has one KAKMA and multiple K-edges, and supporting authentication of multiple edge enabler clients.

Benefits of technology

It simplifies the authentication process for edge applications, improves the flexibility and efficiency of authentication, and supports secure authentication for multiple edge enabler clients.

✦ Generated by Eureka AI based on patent content.


Abstract

Embodiments of a user equipment (UE) configured to communicate in a 5G network and to perform authentication between an edge enabler client (EEC) of the UE and an edge configuration server (ECS) or an edge enabler server (EES) based on an application based authentication and key management (AKMA) framework are disclosed. Techniques include performing primary authentication with the 5G network to obtain K_AUSF; generating K_AKMA and an A-KID; providing the K_AKMA and an EEC identifier (ID) of the EEC to the EEC to generate K_edge, the EEC using the K_AKMA and the EEC ID to compute a MAC_EEC; and sending an application registration request to the ECS or the EES, the application registration request including the EEC ID, the MAC_EEC, and the A-KID.
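The key chain the abstract describes, as an added Python model (not code from the patent or from Apple): K_AUSF to K_AKMA and A-KID, one K_edge per EEC, the MAC_EEC carried in the registration request, and the check the ECS/EES performs on receipt. The K_AKMA and A-TID derivations follow 3GPP TS 33.535 Annex A; the FC value and label for K_edge, keying MAC_EEC with K_edge, the MAC input fields, the realm, and the dict standing in for the AAnF are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP generic KDF (TS 33.220 Annex B.2 form): HMAC-SHA-256 over
    S = FC || P0 || L0 || P1 || L1 ..., Li = 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_akma(k_ausf: bytes, supi: str) -> bytes:
    # FC 0x80 and label "AKMA" follow TS 33.535 Annex A (not stated on the page).
    return kdf(k_ausf, 0x80, b"AKMA", supi.encode())


def derive_a_kid(k_ausf: bytes, supi: str, realm: str) -> str:
    # A-TID (FC 0x81, label "A-TID", TS 33.535 Annex A) names the K_AKMA;
    # the A-KID is A-TID@realm. The realm passed in here is a constructed value.
    a_tid = kdf(k_ausf, 0x81, b"A-TID", supi.encode())
    return f"{a_tid.hex()}@{realm}"


FC_K_EDGE = 0xF0  # HYPOTHETICAL: the patent names no FC value for K_edge


def derive_k_edge(k_akma: bytes, eec_id: str) -> bytes:
    """K_edge = KDF(K_AKMA, EEC ID): one K_AKMA per UE, one K_edge per EEC.
    Input ordering and label are assumptions, not taken from the patent."""
    return kdf(k_akma, FC_K_EDGE, b"K_edge", eec_id.encode())


def compute_mac_eec(k_edge: bytes, eec_id: str, a_kid: str) -> bytes:
    """MAC_EEC over the registration request fields. Keying the MAC with
    K_edge (rather than K_AKMA directly) is an assumption; the page says the
    EEC computes MAC_EEC from K_AKMA and the EEC ID. Truncated to 128 bits."""
    msg = eec_id.encode() + b"|" + a_kid.encode()
    return hmac.new(k_edge, msg, hashlib.sha256).digest()[:16]


@dataclass(frozen=True)
class RegistrationRequest:
    """The fields the abstract lists for the application registration request."""
    eec_id: str
    mac_eec: bytes
    a_kid: str


def ue_build_request(k_ausf: bytes, supi: str, realm: str,
                     eec_id: str) -> RegistrationRequest:
    """UE side: K_AUSF -> K_AKMA and A-KID; the EEC then derives K_edge and MAC_EEC."""
    k_akma = derive_k_akma(k_ausf, supi)
    a_kid = derive_a_kid(k_ausf, supi, realm)
    k_edge = derive_k_edge(k_akma, eec_id)
    return RegistrationRequest(eec_id, compute_mac_eec(k_edge, eec_id, a_kid), a_kid)


def ecs_verify(req: RegistrationRequest, aanf: dict) -> bool:
    """ECS/EES side: resolve A-KID -> K_AKMA through the AAnF (modelled as a
    dict), recompute K_edge for the claimed EEC ID and compare the MAC in
    constant time. An unknown A-KID or a MAC mismatch rejects the request."""
    k_akma = aanf.get(req.a_kid)
    if k_akma is None:
        return False
    expected = compute_mac_eec(derive_k_edge(k_akma, req.eec_id), req.eec_id, req.a_kid)
    return hmac.compare_digest(expected, req.mac_eec)


def demo() -> tuple:
    """Two EECs on one UE register; a third request reuses EEC 1's MAC under
    EEC 2's identity. Returns (ok1, ok2, forged_ok, same_akid, distinct_kedge)."""
    k_ausf = hashlib.sha256(b"constructed K_AUSF for this example").digest()  # constructed
    supi = "imsi-001010123456789"   # constructed sample SUPI
    realm = "5g.example.net"       # constructed home network realm
    # AAnF store: in a real network it is filled after primary authentication.
    aanf = {derive_a_kid(k_ausf, supi, realm): derive_k_akma(k_ausf, supi)}
    req1 = ue_build_request(k_ausf, supi, realm, "eec-app-1")
    req2 = ue_build_request(k_ausf, supi, realm, "eec-app-2")
    forged = RegistrationRequest("eec-app-2", req1.mac_eec, req1.a_kid)
    k_akma = aanf[req1.a_kid]
    distinct = derive_k_edge(k_akma, "eec-app-1") != derive_k_edge(k_akma, "eec-app-2")
    return (ecs_verify(req1, aanf), ecs_verify(req2, aanf), ecs_verify(forged, aanf),
            req1.a_kid == req2.a_kid, distinct)


if __name__ == "__main__":
    print(demo())  # (True, True, False, True, True)
```

Both EECs share the UE's single A-KID and K_AKMA yet hold different K_edge values, so a MAC produced under one EEC ID does not verify under another.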

Description

Technical Field

[0001] This application relates in general to wireless communication systems, including architectures for multi-access edge computing (MEC) authentication and application authentication and key management (AKMA).

Background Technology

[0002] Wireless mobile communication technologies use various standards and protocols to transmit data between base stations and wireless communication devices. Wireless communication system standards and protocols can include, for example, 3GPP Long Term Evolution (LTE) (such as 4G), 3GPP New Radio (NR) (such as 5G), and the IEEE 802.11 standard for Wireless Local Area Networks (WLANs) (often referred to within industry organizations as...).

[0003] As envisioned by 3GPP, different wireless communication system standards and protocols can use various radio access networks (RANs) to enable RAN base stations (which are sometimes also called RAN nodes, network nodes, or simply nodes) to communicate with wireless communication equipment called user equipment (UEs). 3GPP RANs may include, for example, Global System for Mobile Communications (GSM), Enhanced Data Rate GSM Evolution (EDGE) RAN (GERAN), Universal Terrestrial Radio Access Network (UTRAN), Evolved Universal Terrestrial Radio Access Network (E-UTRAN), and / or Next Generation Radio Access Network (NG-RAN).

[0004] Each RAN can use one or more Radio Access Technologies (RATs) for communication between the base station and the UE. For example, GERAN implements the GSM and / or EDGE RAT, UTRAN implements the Universal Mobile Telecommunications System (UMTS) RAT or other 3GPP RATs, E-UTRAN implements the LTE RAT (sometimes simply referred to as LTE), and NG-RAN implements the NR RAT (sometimes also referred to herein as the 5G RAT, 5G NR RAT, or simply NR). In some deployments, E-UTRAN may also implement the NR RAT. In some deployments, NG-RAN may also implement the LTE RAT.

[0005] The base stations used by a RAN can correspond to that RAN. An example of an E-UTRAN base station is an Evolved Universal Terrestrial Radio Access Network (E-UTRAN) Node B (also commonly referred to as Evolved Node B, Enhanced Node B, eNodeB, or eNB). An example of an NG-RAN base station is a Next Generation Node B (sometimes also called gNodeB or gNB).

[0006] The RAN provides communication services to external entities through its connection with the core network (CN). For example, E-UTRAN can utilize the evolved packet core network (EPC), while NG-RAN can utilize the 5G core network (5GC).

Description of the Drawings

[0007] To facilitate identification of any particular element or action being discussed, one or more of the most significant digits in the reference numerals refer to the drawing number in which the element was first introduced.

[0008] Figure 1 is a block diagram illustrating an exemplary architecture of a wireless communication system according to an embodiment disclosed herein.

[0009] Figure 2 is a block diagram illustrating an exemplary service-based architecture according to certain implementations.

[0010] Figure 3 is a message flow diagram illustrating the primary authentication procedure of 5G Authentication and Key Agreement (AKA).

[0011] Figure 4 is a block diagram illustrating the key hierarchy in 5G.

[0012] Figure 5 is a message flow diagram of AKMA.

[0013] Figure 6 is a block diagram illustrating the key hierarchy of AKMA.

[0014] Figure 7 is a block diagram illustrating the architecture for enabling edge applications.

[0015] Figure 8 is a message sequence diagram illustrating the call flow of MEC authentication.

[0016] Figure 9 is a flowchart according to an embodiment.

[0017] Figure 10 is a block diagram of a system for performing signaling between wireless devices and network devices according to the embodiments disclosed herein.

Detailed Description

[0018] Various embodiments are described with respect to the UE. However, references to the UE are provided for illustrative purposes only. Exemplary embodiments may be used with any electronic component capable of establishing a connection to a network and configured with hardware, software, and / or firmware for exchanging information and data with the network. Therefore, the UE described herein is used to represent any suitable electronic component.

[0019] Figure 1 shows an exemplary architecture of a wireless communication system 100 according to an embodiment disclosed herein. The description provided below is for an exemplary wireless communication system 100 operating in conjunction with LTE system standards and / or 5G or NR system standards provided by 3GPP technical specifications.

[0020] As shown in Figure 1, the wireless communication system 100 includes UE 102 and UE 104 (however, any number of UEs may be used). In this example, UE 102 and UE 104 are shown as smartphones (e.g., handheld touchscreen mobile computing devices capable of connecting to one or more cellular networks), but may also include any mobile or non-mobile computing device configured for wireless communication.

[0021] UE 102 and UE 104 can be configured to communicate with RAN 106. In this implementation, RAN 106 can be NG-RAN, E-UTRAN, etc. UE 102 and UE 104 utilize connections (or channels) with RAN 106 (shown as connection 108 and connection 110, respectively), where each connection (or channel) includes a physical communication interface. RAN 106 may include one or more base stations, such as base station 112 and base station 114, that implement connection 108 and connection 110.

[0022] In this example, connection 108 and connection 110 are air interfaces that implement this communication coupling and are compatible with the RAT used by RAN 106, such as, for example, LTE and / or NR.

[0023] In some implementations, UE 102 and UE 104 may also exchange communication data directly via sidelink interface 116. UE 104 is shown configured to access an access point (shown as AP 118) via connection 120. For example, connection 120 may include a local wireless connection, such as any connection conforming to the IEEE 802.11 protocol, where AP 118 may include a ... router. In this example, AP 118 may connect to another network (e.g., the Internet) without using CN 124.

[0024] In the implementation, UE 102 and UE 104 may be configured to communicate with each other or with base station 112 and / or base station 114 on a multi-carrier communication channel using orthogonal frequency division multiplexing (OFDM) communication signals, based on various communication technologies, such as, but not limited to, orthogonal frequency division multiple access (OFDMA) communication technology (e.g., for downlink communication) or single-carrier frequency division multiple access (SC-FDMA) communication technology (e.g., for uplink and ProSe or sidelink communication), although the scope of the implementation is not limited in this respect. The OFDM signal may include multiple orthogonal subcarriers.

[0025] In some implementations, all or part of base station 112 or base station 114 may be implemented as one or more software entities running on a server computer as part of a virtual network. Furthermore, or in other implementations, base station 112 or base station 114 may be configured to communicate with each other via interface 122. In implementations where the wireless communication system 100 is an LTE system (e.g., when CN 124 is an EPC), interface 122 may be an X2 interface. This X2 interface may be defined between two or more base stations (e.g., two or more eNBs, etc.) connected to the EPC and / or between two eNBs connected to the EPC. In implementations where the wireless communication system 100 is an NR system (e.g., when CN 124 is a 5GC), interface 122 may be an Xn interface. This Xn interface may be defined between two or more base stations connected to the 5GC (e.g., two or more gNBs, etc.), between base station 112 (e.g., a gNB) connected to the 5GC and an eNB, and / or between two eNBs connected to the 5GC (e.g., CN 124).

[0026] The diagram illustrates RAN 106 communicatively coupled to CN 124. CN 124 may include one or more network elements 126 configured to provide various data and telecommunications services to customers / subscribers (e.g., users of UE 102 and UE 104) connected to CN 124 via RAN 106. Components of CN 124 may be implemented in a single physical device or in separate physical devices, including components for reading and executing instructions from machine-readable or computer-readable media (e.g., non-transitory machine-readable storage media).

[0027] In this implementation, CN 124 can be an EPC, and RAN 106 can be connected to CN 124 via S1 interface 128. In this implementation, S1 interface 128 can be divided into two parts: an S1 user plane (S1-U) interface, which carries traffic data between base station 112 or 114 and the serving gateway (S-GW); and an S1-MME interface, which is the signaling interface between base station 112 or 114 and the mobility management entity (MME).

[0028] In this implementation, CN 124 can be a 5GC, and RAN 106 can be connected to CN 124 via NG interface 128. In this implementation, NG interface 128 can be divided into two parts: an NG user plane (NG-U) interface, which carries traffic data between base station 112 or 114 and the User Plane Function (UPF); and an NG control plane (NG-C) interface, which is the signaling interface between base station 112 or 114 and the Access and Mobility Management Function (AMF).

[0029] Generally, application server 130 can be a component (e.g., packet-switched data service) providing resources for applications that use Internet Protocol (IP) bearers with CN 124. Application server 130 can also be configured to support one or more communication services (e.g., VoIP sessions, group communication sessions, etc.) for UE 102 and UE 104 via CN 124. Application server 130 can communicate with CN 124 via IP communication interface 132.

[0030] The AKA procedure involves mutual authentication between the UE and the network to obtain encryption keys that protect user plane and control plane data. Each generation of 3G, 4G, and 5G defines several authentication methods to allow authorized users to access the network and deny unauthorized users access. The 3GPP standard defines Evolved Packet System-AKA (EPS-AKA) for 4G LTE systems. Similarly, for 5G systems, the following three authentication methods are defined: 5G-AKA; Extensible Authentication Protocol-AKA (EAP-AKA); and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS).

[0031] Figure 2 illustrates a service-based architecture 200 in a 5G system according to one implementation. 3GPP has proposed a service-based architecture 200 for core networks with new network entities and services to support a unified authentication framework. This framework uses three authentication methods: 5G-AKA, EAP-AKA', and EAP-TLS, making the 5G-AKA procedure applicable to both open and access-network-agnostic environments. The framework allows multiple security contexts to be established through a single authentication execution, thereby allowing UEs to migrate from 3GPP access networks to non-3GPP networks without having to re-authenticate.

[0032] As described in 3GPP TS 23.501, the service-based architecture 200 includes network functions such as NSSF 208, NEF 210, NRF 212, PCF 214, UDM 216, AUSF 220, AMF 222, SMF 224, and AAnF 226 that communicate with UE 218, (R)AN 206, UPF 202, and DN 204. NFs and NF services can communicate directly (referred to as direct communication) or indirectly via SCP 228 (referred to as indirect communication). Figure 2 also shows the corresponding service-based interfaces, including Nutm, Naf, Nudm, Npcf, Nsmf, Nnrf, Namf, Nnef, Nnssf, Nausf, and Naanf, as well as reference points N1, N2, N3, N4, and N6. The following describes some exemplary functions provided by the NFs shown in Figure 2.

[0033] NSSF 208 supports functions such as: selecting the set of network slice instances serving the UE; determining the allowed NSSAIs and, if necessary, the mapping to subscribed S-NSSAIs; determining the configured NSSAIs and, if necessary, the mapping to subscribed S-NSSAIs; and / or determining the set of AMFs to be used to serve the UE, or, based on the configuration, possibly by querying the NRF to determine a list of candidate AMFs.

[0034] Network Exposure Functions (NEFs) (e.g., NEF 210) support the exposure of capabilities and events. NF capabilities and events can be securely exposed by NEF 210 (e.g., for third parties, application functions, and / or edge computing). NEF 210 can use a standardized interface (Nudr) to the UDR to store / retrieve information as structured data. NEF 210 can also securely provide information from external applications to the 3GPP network and can allow application functions to securely provide information to the 3GPP network (e.g., expected UE behavior, 5GLAN group information, and service-specific information), where NEF 210 can authenticate and authorize application functions and help throttle them. NEF 210 can provide internal-external information translation by translating between information exchanged with the AF and information exchanged with internal network functions. For example, NEF 210 translates between the AF service identifier and internal 5G core information (such as DNN and S-NSSAI). NEF 210 can handle the masking of network and user-sensitive information towards external AFs according to network policies. The NEF 210 can receive information from other network functions (based on the exposure capabilities of other network functions) and store the received information as structured data using a standardized interface to the UDR. The stored information can then be accessed by the NEF 210 and re-exposed to other network functions and application functions, and used for other purposes such as analytics. For external exposure of services related to a specific UE, the NEF 210 can reside in the Home Public Land Mobile Network (HPLMN). Depending on the operator agreement, the NEF 210 in the HPLMN can have an interface with the NF in the VPLMN. When the UE is able to hand over between the EPC and 5GC, the SCEF+NEF can be used for service exposure.

[0035] NRF 212 supports service discovery by receiving NF discovery requests from NF instances or SCPs and providing information about discovered NF instances to the NF instances or SCPs. NRF 212 also supports P-CSCF discovery (a special case of SMF discovery AF), maintaining NF profiles of available NF instances and their supported services, and / or notifying subscribed NF service consumers or SCPs of newly registered / updated / deregistered NF instances along with their NF services. In the context of network slicing, multiple NRFs can be deployed at different levels depending on the network implementation, such as PLMN level (NRFs configured with information for the entire PLMN), shared slice level (NRFs configured with information for a set of network slices), and / or slice-specific level (NRFs configured with information for S-NSSAI). In the context of roaming, multiple NRFs can be deployed in different networks, where the NRF in the visited PLMN (referred to as vNRF) is configured with information about the visited PLMN, and the NRF in the home PLMN (referred to as hNRF) is configured with information about the home PLMN, referenced by the vNRF via the N27 interface.

[0036] PCF 214 supports a unified policy framework for managing network behavior. PCF 214 provides policy rules for control plane functions to enforce them. PCF 214 accesses subscription information related to policy decisions in the Unified Data Repository (UDR). PCF 214 can access the UDR located in the same PLMN as PCF.

[0037] UDM 216 supports the generation of AKA authentication credentials, user identification handling (e.g., storage and management of the Subscription Permanent Identifier (SUPI) for each subscriber in a 5G system), de-concealment of the privacy-preserving Subscription Concealed Identifier (SUCI), access authorization based on subscription data (e.g., roaming restrictions), UE serving NF registration management (e.g., storing the serving AMF for the UE, storing the SMF serving the UE's PDU sessions), service / session continuity (e.g., maintaining the SMF / DNN assignment for ongoing sessions), MT-SMS delivery, lawful interception functionality (especially in outbound roaming scenarios where the UDM is the only contact point of the LI), subscription management, SMS management, 5GLAN group management handling, and / or external parameter provisioning (expected UE behavior parameters or network configuration parameters). To provide these functions, UDM 216 uses subscription data (including authentication data) that can be stored in a UDR. In this case, the UDM implements application logic and may not require internal user data storage, and several different UDMs can serve the same user in different transactions. UDM 216 may reside in the HPLMN of its subscribers and can access information of the UDR located in the same PLMN. UDM 216 can be similar to an HSS / HLR entity and host data-management-related functions such as the Authentication Credential Repository and Processing Function (ARPF), which in some implementations selects an authentication method based on subscriber identity and configured policies, and calculates authentication data and keys for the Authentication Server Function (AUSF).

[0038] The Subscription Identifier De-concealing Function (SIDF) decrypts the SUCI to obtain the long-term identity, known as the SUPI, such as the IMSI. In 5G, the subscriber's long-term identity is transmitted in encrypted form over the radio interface. More specifically, public-key-based encryption is used to protect the SUPI. Therefore, only the SIDF has access to the private key associated with the public key provisioned to the UE for encrypting its SUPI.

[0039] The AF 230 interacts with the core network to provide services such as: application-driven traffic routing; access to the NEF 210; interaction with policy frameworks used for policy control; and / or interaction between IMS and 5GC. Based on operator deployment, application functions trusted by the operator can be allowed to interact directly with relevant network functions. Application functions that the operator does not allow direct access to network functions can interact with relevant network functions via the NEF 210 using an external exposure framework.

[0040] The AUSF 220 supports authentication for 3GPP access and untrusted non-3GPP access. The AUSF 220 also supports network slicing-specific authentication and authorization. It performs authentication within the home network and with the UE. It makes decisions regarding UE authentication and can use a backend to calculate authentication data and keys when using 5G-AKA or EAP-AKA.

[0041] AMF 222 supports the termination of the RAN CP interface (N2), the termination of the NAS (N1) for NAS encryption and integrity protection, registration management, connection management, reachability management, mobility management, lawful interception (for AMF events and interfaces to the LI system), transmission of SM messages between the UE and SMF, transparent proxy for routing SM messages, access authentication, access authorization, transmission of SMS messages between the UE and SMSF, Security Anchor Function (SEAF), location service management for regulatory services, transmission of location service messages between the UE and LMF and between the RAN and LMF, EPS bearer ID allocation for interworking with EPS, UE mobility event notification, control plane CIoT 5GS optimization, user plane CIoT 5GS optimization, provisioning of external parameters (expected UE behavior parameters or network configuration parameters), and / or network slice-specific authentication and authorization. Some or all of the AMF functions can be supported in a single instance of AMF 222. Regardless of the number of network functions, in some implementations, only one NAS interface instance per access network between the UE and the CN terminates at one of the network functions that implements at least NAS security and mobility management. AMF 222 may also include policy-related functions. AMF 222 receives connection and session-related information from the user equipment (UE) (N1 / N2) to handle connection and mobility management tasks.

[0042] SEAF resides within the serving network (closely related to AMF) and acts as a "middleman" during the authentication process between the UE and its home network. It can reject authentication from the UE, but it relies on the UE's home network to accept authentication.

[0043] The Non-3GPP Interworking Function (N3IWF) is an entity that acts as a VPN server to allow UEs to access the 5G core via an IPsec tunnel through an untrusted non-3GPP network. Multiple security contexts can be established with a single authentication execution, allowing UEs to migrate from a 3GPP access network to a non-3GPP network without having to re-authenticate.

[0044] In addition to the functions described above, AMF 222 may also include the following functions supporting non-3GPP access networks: support for an N2 interface with N3IWF / TNGF, on which some information (e.g., 3GPP cell identifier) ​​and procedures (e.g., handover related) defined on 3GPP access may not be applicable, and non-3GPP access-specific information not applicable to 3GPP access may be applied; support for NAS signaling by UE via N3IWF / TNGF, where some procedures supported by NAS signaling on 3GPP access may not be applicable to untrusted non-3GPP (e.g., paging) access; support for authentication of UEs connected via N3IWF / TNGF; management of mobility, authentication, and separate security context states for UEs connected via non-3GPP access or simultaneously via 3GPP access or non-3GPP access; support for effective coordination of RM management contexts on both 3GPP and non-3GPP access; and / or support for dedicated CM management contexts for UEs connecting via non-3GPP access. Support for all of the above functions may not be required in network slicing instances.

[0045] SMF 224 supports session management (e.g., session establishment, modification, and release, including tunnel maintenance between UPF and AN nodes), UE IP address allocation and management (including optional authorization) (where UE IP addresses can be received from the UPF or from an external data network), DHCPv4 (server and client) and DHCPv6 (server and client) functions, the ability to respond to Address Resolution Protocol (ARP) requests and / or IPv6 neighbor solicitation requests with locally cached information for Ethernet PDUs (e.g., the SMF responds to ARP and / or IPv6 neighbor solicitation requests by providing the MAC address corresponding to the IP address sent in the request), selection and control of user plane functions (including controlling the UPF to proxy ARP or IPv6 neighbor discovery or to forward all ARP / IPv6 neighbor solicitation traffic to the SMF for Ethernet PDU sessions), traffic steering configuration at the UPF to route traffic to the appropriate destination, 5G VN group management (e.g., maintaining the topology of the involved PSA UPFs, in the PSA..., establishing and releasing N19 tunnels between UPFs, configuring traffic forwarding at the UPF to apply local switching and / or N6-based or N19-based forwarding), termination of the interface towards policy control functions, lawful interception (for SM events and interfaces to the LI system), charging data collection and support of the charging interface, control and coordination of charging data collection at the UPF, termination of the SM part of NAS messages, downlink data notification, initiation of AN-specific SM information sent to the AN via the AMF over N2, determination of the SSC mode of a session, control plane CIoT 5GS optimization, header compression, acting as an I-SMF in deployments where an I-SMF can be inserted, removed, or relocated, provisioning of external parameters (expected UE behavior parameters or network configuration parameters), P-CSCF discovery for IMS services, roaming functions (e.g., handling local enforcement to apply QoS SLAs (VPLMN), charging data collection and charging interface (VPLMN), and / or lawful interception (in the VPLMN for SM events and interfaces to the LI system)), interaction with an external DN to transport signaling for PDU session authentication / authorization by the external DN, and / or instructing the UPF and NG-RAN to perform redundant transmission on the N3 / N9 interfaces. Some or all of the SMF functions may be supported in a single instance of the SMF. However, in some implementations, not all functions need to be supported in an instance of a network slice. In addition to the functions above, SMF 224 may include policy-related functions.

[0046] SCP 228 includes one or more of the following functions: indirect communication; delegated discovery; message forwarding and routing to the destination NF / NF service; communication security (e.g., authorization of NF service consumers to access NF service producer APIs), load balancing, monitoring, overload control, etc.; and / or optionally interacting with a UDR to resolve the UDM group ID / UDR group ID / AUSF group ID / PCF group ID / CHF group ID / HSS group ID based on UE identity (e.g., SUPI or IMPI / IMPU). Some or all of the SCP functions may be supported in a single instance of the SCP. In some implementations, SCP 228 may be deployed in a distributed manner and / or more than one SCP may exist in the communication path between NF services. SCPs may be deployed at the PLMN level, shared slice level, and slice-specific level. It may be left to operator deployment to ensure that the SCP can communicate with the relevant NRF.

[0047] UE 218 may include devices with radio communication capabilities. For example, UE 218 may include a smartphone (e.g., a handheld touchscreen mobile computing device that can connect to one or more cellular networks). UE 218 may also include any mobile or non-mobile computing device, such as a personal data assistant (PDA), pager, laptop computer, desktop computer, wireless handheld device, or any computing device that includes a wireless communication interface. UE is also referred to as a client, mobile phone, mobile device, mobile terminal, user terminal, mobile unit, mobile station, mobile user, subscriber, user, remote station, access agent, user agent, receiver, radio equipment, reconfigurable radio equipment, or reconfigurable mobile device. UE 218 may include an IoT UE, which may include a network access layer designed to utilize low-power IoT applications with short-lived UE connections. The IoT UE may exchange data with an MTC server or device via a PLMN, other UEs using ProSe or D2D communication, a sensor network, or an IoT network using technologies such as M2M, MTC, or mMTC. M2M or MTC data exchange may be machine-initiated data exchange. An IoT network describes interconnected IoT UEs, which may include uniquely identifiable embedded computing devices (within the Internet infrastructure). IoT UEs may execute background applications (e.g., keeping track of activity messages, status updates, etc.) to facilitate connectivity within the IoT network.

[0048] UE 218 can be configured to connect or communicatively couple with (R)AN 206 via radio interface 232. This radio interface can be a physical communication interface or layer configured to operate using cellular communication protocols such as GSM, CDMA network protocols, push-to-talk (PTT), PTT over cellular (POC), UMTS, 3GPP LTE, 5G, NR, etc. For example, UE 218 and (R)AN 206 can use a Uu interface (e.g., an LTE-Uu interface) to exchange control plane data via a protocol stack including PHY, MAC, RLC, PDCP, and RRC layers. DL transmissions can be made from (R)AN 206 to UE 218, and UL transmissions can be made from UE 218 to (R)AN 206. UE 218 can also use a sidelink to communicate directly with another UE (not shown) for D2D, P2P, and / or ProSe communication. For example, the ProSe interface may include one or more logical channels, including but not limited to the Physical Sidelink Control Channel (PSCCH), Physical Sidelink Shared Channel (PSSCH), Physical Sidelink Discovery Channel (PSDCH), and Physical Sidelink Broadcast Channel (PSBCH).

[0049] (R)AN 206 may include one or more access nodes, which may be referred to as a base station (BS), node B, evolved Node B (eNB), next-generation Node B (gNB), RAN node, controller, transport receiving point (TRP), etc., and may include ground stations (e.g., terrestrial access points) or satellite stations that provide coverage within a geographic area (e.g., a cell). (R)AN 206 may include one or more RAN nodes for providing coverage of macro cells, pico cells, femto cells, or other types of cells. Macro cells may cover a relatively large geographic area (e.g., with a radius of several kilometers) and may allow UEs to have unrestricted access with a service subscription. Pico cells may cover a relatively small geographic area and may allow UEs to have unrestricted access with a service subscription. Femto cells may cover a relatively small geographic area (e.g., a home) and may allow restricted access for UEs associated with a femto cell (e.g., a UE in a closed subscriber group (CSG), a UE of a user in a home, etc.).

[0050] Although not shown, multiple RAN nodes (such as (R)AN 206) may be used, with Xn interfaces defined between two or more nodes. In some implementations, the Xn interface may include an Xn user plane (Xn-U) interface and an Xn control plane (Xn-C) interface. Xn-U provides non-guaranteed delivery of user plane PDUs and supports / provides data forwarding and flow control functions. Xn-C provides management and error handling functions for managing the functionality of the Xn-C interface; mobility support for UE 218 in connected modes (e.g., CM-CONNECTED) includes functions for managing UE mobility in connected modes between one or more (R)AN nodes. This mobility support may include context transfer from the old (source) serving (R)AN node to the new (destination) serving (R)AN node; and control of user plane tunnels between the old (source) serving (R)AN node and the new (destination) serving (R)AN node.

[0051] UPF 202 can serve as an anchor point for intra-RAT and inter-RAT mobility, an external PDU session point of interconnect to DN 204, and a branching point supporting multi-homed PDU sessions. UPF 202 can also perform packet routing and forwarding, packet inspection, enforcement of the user plane part of policy rules, lawful interception of packets (UP collection), traffic usage reporting, QoS handling for the user plane (e.g., packet filtering, gating, UL / DL rate enforcement), uplink traffic verification (e.g., SDF to QoS flow mapping), transport-level packet marking in the uplink and downlink, and downlink packet buffering and downlink data notification triggering. UPF 202 may include an uplink classifier to support routing traffic flows to the data network. DN 204 may represent various network operator services, Internet access, or third-party services. DN 204 may include, for example, an application server.

[0052] Figure 2 also shows the network model for AKMA and examples of the interfaces between network functions and nodes. The AKMA anchor function (AAnF), namely AAnF 226, is shown deployed as a standalone function. Depending on the operator's deployment scenario, other implementations may co-locate AAnF with AUSF 220 or NEF 210. AAnF 226 is the anchor function in the HPLMN that generates the key material to be used between UE 218 and AF 230 and maintains the UE AKMA context. AAnF 226 enables derivation of the AKMA anchor key (K_AKMA) for AKMA services. Before invoking the AKMA service, UE 218 should have successfully registered with the 5G core; following successful 5G primary authentication, K_AUSF is then stored in AUSF 220 and in UE 218. Additional details about AKMA are described later with reference to Figure 5 and Figure 6.

[0053] Figure 3 shows the primary authentication procedure for 5G-AKA. 5G AKA / EAP-AKA' has two phases: the initiation procedure and the authentication procedure.

[0054] During the initiation procedure, the UE sends an identifier to the SEAF in the VPLMN. The SEAF sends an authentication request to the AUSF in the HPLMN. The AUSF in turn sends an authentication request to the UDM / ARPF / SIDF.

[0055] The authentication procedure requires generation of an authentication vector (AV), where the AV includes RAND, the authentication token (AUTN), the expected response (XRES*), and K_AUSF. K_AUSF may be stored securely in the AUSF, depending on home operator policy regarding the use of such keys. The AUSF derives K_SEAF (the anchor key) from K_AUSF and sends a challenge message to the SEAF. Upon receiving RAND and AUTN, the Universal Subscriber Identity Module (USIM) calculates the response RES and returns RES, CK, and IK to the ME. The Mobile Equipment (ME) calculates RES* from RES and sends it back. The SEAF calculates HRES* from RES* and compares HRES* with HXRES*. If they match, the SEAF forwards RES* to the AUSF. The AUSF compares the received RES* with the stored XRES*; if they match, authentication is successful and the AUSF informs the SEAF.

[0056] The UE generates K_AUSF itself. If the UE is a genuine UE, it can generate the correct K_AUSF, i.e., the same K_AUSF as the one generated by the network (UDM / ARPF). Details of the generation of K_AUSF are provided in clause 6.1.3.2.0 of 3GPP TS 33.501, whereby the UE generates K_AUSF after receiving the necessary parameters from the network.

[0057] Figure 4 shows the key hierarchy in 5G. K_AUSF is common to the UE and the AUSF in the home network and forms the basis of the subsequent key hierarchy. K_AUSF is never delivered; it is generated separately by the UE and by the network. Because the UE and the network share the same root key, they generate the same K_AUSF, and only the parameters used to compute K_AUSF are delivered from the network to the UE.

[0058] Figure 5 illustrates message sequence 500 for deriving K_AKMA after primary authentication (see, e.g., Figure 3), as described in 3GPP TS 33.535. AKMA is based on K_AUSF. After the AKMA procedure, both UE 502 and AAnF 504 hold K_AKMA and the A-KID.

[0059] Figure 6 shows the AKMA key hierarchy. This key hierarchy includes the following keys: K_AUSF, K_AKMA, and K_AF. K_AUSF is generated by the AUSF. K_AKMA is derived from K_AUSF by the ME and by the AUSF. K_AF is derived from K_AKMA by the ME and by the AAnF.

[0060] Figure 7 shows an architecture 700 for enabling edge applications, as described in 3GPP TS 23.558. The Edge Data Network (EDN), i.e., EDN 702, is a local data network. The Edge Application Server (EAS), i.e., EAS 704, and the Edge Enabler Server (EES), i.e., EES 706, are contained within EDN 702. The Edge Configuration Server (ECS), i.e., ECS 708, provides configuration related to EES 706, including details of the EDN 702 hosting EES 706. UE 710 includes an Application Client 712 and an Edge Enabler Client (EEC), i.e., EEC 714. EAS 704, EES 706, and ECS 708 can interact with the 3GPP core network 716.

[0061] ECS 708 provides the support functions required for EEC 714 to connect to EES 706. The functions of ECS 708 include provisioning edge configuration information to EEC 714. This edge configuration information includes: information for EEC 714 to connect to EES 706, such as service area information applicable to a Local Area Data Network (LADN); and information for establishing a connection with EES 706, such as Uniform Resource Identifiers (URIs).

[0062] EEC 714 provides the support functions required by application clients. The functions of EEC 714 include: retrieving and provisioning configuration information to enable the exchange of application data traffic with EAS 704; and discovering the EASes 704 available in EDN 702.

[0063] The EEC ID is a globally unique value that identifies an EEC. One or more EECs can reside in the UE.

[0064] This disclosure also addresses some technical and security issues related to AKMA in edge applications. Initially, it should be noted that EEC IDs can be assigned by global organizations such as GSMA, ITU, 3GPP, etc. It is assumed that the EES has stored all EEC IDs under its control and delivers those EEC IDs to each EEC during the registration process in the application layer. When the NEF has an interface to those EDNs, the NEF has access to some of the EEC IDs under the EES. In the current SA3 3GPP TR 33.839, there exists an AKMA-based solution for authentication between the EEC and the ECS / EES. The security issue is that AKMA is UE-based, meaning that a UE has only one K_AKMA. However, a UE may have more than one EEC; therefore, when AKMA is used for EEC authentication, some adjustments are required to implement authentication, as described below. This disclosure proposes a technique for AKMA-based authentication between the EEC and the ECS / EES which, in some implementations, combines the EEC ID with K_AKMA.

[0065] Figure 8 shows authentication 800 between the EEC and the ECS / EES based on AKMA via the AAnF. The " / " indicates that the functions described below for the ECS can also be performed by the EES.

[0066] Initially, UE 802 performs primary authentication 804 with the network, from which K_AUSF is obtained at UE 802 and at AUSF 806 in the home network. UE 802 generates 808 K_AKMA and the A-KID according to the AKMA procedure in 3GPP TS 33.535, and stores them securely.

[0067] AAnF 810 generates 812 K_AKMA and the A-KID according to the AKMA procedure in 3GPP TS 33.535, and stores them securely.

[0068] EEC 814, for example, obtains 816 K_AKMA and generates K_edge from K_AKMA and the EEC ID. Thus, in each UE there is one K_AKMA and multiple K_edge keys. EEC 814 also calculates 818 MAC_EEC using K_AKMA and the EEC ID.

[0069] UE 802 sends 820 an application registration request message (including the EEC ID, MAC_EEC, and A-KID parameters) to ECS 822. Whether this message is sent over NAS or over the user plane is optional. It should also be noted that EES 824 can perform authentication functions similar to those described for ECS 822.

[0070] ECS 822 sends 826 an authentication verification request (including the EEC ID, MAC_EEC, and A-KID parameters) to AAnF 810 for verification.

[0071] AAnF 810 uses the A-KID to retrieve 828 K_AKMA and calculates K_edge, then uses K_edge together with the EEC ID parameter to verify MAC_EEC.

[0072] If verification at AAnF 810 succeeds, AAnF 810 sends 830 an authentication verification response (success) message back to ECS 822; otherwise, AAnF 810 sends an authentication verification response (failure) message to ECS 822.

[0073] Based on the verification result, ECS 822 decides whether to accept or reject the authentication request and sends 832 an authentication request accept / reject message to EEC 814 in UE 802.

[0074] UE 802 and AAnF 810 use the same method to generate K_edge from K_AKMA. In some implementations, K_edge is generated using the key derivation function (KDF) defined in Annex B.2.0 of 3GPP TS 33.220 (V17.0.0), Annex B being incorporated herein by reference. When deriving K_edge from K_AKMA with this KDF, the following parameters are used to form the input string S of the KDF: FC = xxxx, to be assigned by the 3GPP specification (see B.2.2 of Annex B of TS 33.220); P0 = EEC ID; L0 = length of the EEC ID. The input key of the KDF, i.e. KEY, is K_AKMA in some implementations. In another implementation, K_edge is equal to (K_AKMA || EEC ID), the concatenation of the two parameters. For example, if K_AKMA is 100 (binary) and the EEC ID is 111 (binary), then K_AKMA || EEC ID is 100111. In a third implementation, K_edge is equal to (K_AKMA XOR EEC ID), the bitwise XOR of the two parameters. Where K_edge is to keep the same length as K_AKMA, other bitwise logical operations (e.g., OR) are also possible.

[0075] To calculate MAC_EEC, which is derived in both the UE and the AAnF, the following parameters are used to form the input string S for the SHA-256 hash algorithm: P0 = K_AKMA and P1 = EEC ID. The input string S is the concatenation P0 || P1. MAC_EEC is identified as the N least significant bits of the SHA-256 output. In some implementations, N can be 32 bits or 64 bits, or another length.
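The exchange of Figure 8 ([0066] to [0073]) together with the K_edge and MAC_EEC derivations of [0074] and [0075], written out as an added Python example; it is not part of the patent and is not Apple's code. The generic KDF follows 3GPP TS 33.220 Annex B.2.0 (HMAC-SHA-256 over FC || P0 || L0 || ...), and K_AKMA is derived from K_AUSF with FC = 0x80, P0 = "AKMA", P1 = SUPI per TS 33.535 Annex A.2. The FC value for K_edge is left as "xxxx" by the page, so 0xFF is an assumed placeholder; K_AUSF, SUPI, A-KID and the EEC IDs are constructed values; the message transport (NAS or user plane) and the A-KID format are not modelled.

```python
import hashlib
import hmac

# Assumed placeholder: the page leaves the FC value for K_edge as "xxxx"
# (to be assigned by 3GPP). 0xFF is used only so the input string is well-formed.
FC_K_EDGE = 0xFF
FC_K_AKMA = 0x80   # TS 33.535 Annex A.2: K_AKMA = KDF(K_AUSF, "AKMA", SUPI)


def kdf_33220(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF of 3GPP TS 33.220 Annex B.2.0.
    S = FC || P0 || L0 || P1 || L1 || ..., each Li being the two-octet
    big-endian length of Pi; the derived key is HMAC-SHA-256(KEY, S)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_akma(k_ausf: bytes, supi: str) -> bytes:
    """K_AKMA derived from K_AUSF by the ME and by the AUSF ([0058], [0059])."""
    return kdf_33220(k_ausf, FC_K_AKMA, b"AKMA", supi.encode())


def derive_k_edge_kdf(k_akma: bytes, eec_id: bytes) -> bytes:
    """First implementation in [0074]: K_edge = KDF(K_AKMA, FC || EEC ID || L0)."""
    return kdf_33220(k_akma, FC_K_EDGE, eec_id)


def derive_k_edge_concat(k_akma: bytes, eec_id: bytes) -> bytes:
    """Second implementation in [0074]: K_edge = K_AKMA || EEC ID."""
    return k_akma + eec_id


def derive_k_edge_xor(k_akma: bytes, eec_id: bytes) -> bytes:
    """Third implementation in [0074]: K_edge = K_AKMA XOR EEC ID, which keeps
    K_edge the same length as K_AKMA and therefore needs equal-length operands."""
    if len(k_akma) != len(eec_id):
        raise ValueError("XOR derivation needs len(EEC ID) == len(K_AKMA)")
    return bytes(a ^ b for a, b in zip(k_akma, eec_id))


def compute_mac_eec(k_akma: bytes, eec_id: bytes, n_bits: int = 64) -> bytes:
    """[0075]: MAC_EEC = N least significant bits of SHA-256(P0 || P1) with
    P0 = K_AKMA and P1 = EEC ID (i.e. SHA-256 over the concatenation form of K_edge)."""
    if n_bits % 8 or not 0 < n_bits <= 256:
        raise ValueError("N must be a positive multiple of 8, at most 256")
    digest = hashlib.sha256(k_akma + eec_id).digest()
    return digest[-(n_bits // 8):]      # trailing bytes = least significant bits


class UE:
    """One K_AKMA / A-KID per UE, one K_edge per EEC ([0066], [0068])."""

    def __init__(self, a_kid: str, k_ausf: bytes, supi: str):
        self.a_kid = a_kid
        self.k_akma = derive_k_akma(k_ausf, supi)   # step 808, stored securely
        self.k_edge = {}                             # EEC ID -> K_edge

    def registration_request(self, eec_id: bytes, n_bits: int = 64) -> dict:
        """Steps 816 to 820: derive K_edge for this EEC, compute MAC_EEC and
        build the application registration request."""
        self.k_edge[eec_id] = derive_k_edge_kdf(self.k_akma, eec_id)
        return {"eec_id": eec_id,
                "mac_eec": compute_mac_eec(self.k_akma, eec_id, n_bits),
                "a_kid": self.a_kid}


class AAnF:
    """Holds the UE AKMA context by A-KID (step 812) and verifies MAC_EEC (826 to 830)."""

    def __init__(self):
        self.k_akma_by_a_kid = {}   # A-KID -> K_AKMA
        self.k_edge = {}            # (A-KID, EEC ID) -> K_edge, filled on success

    def add_context(self, a_kid: str, k_ausf: bytes, supi: str) -> None:
        self.k_akma_by_a_kid[a_kid] = derive_k_akma(k_ausf, supi)

    def verify(self, req: dict) -> bool:
        k_akma = self.k_akma_by_a_kid.get(req["a_kid"])
        if k_akma is None:
            return False            # unknown A-KID: no K_AKMA to verify against
        try:
            expected = compute_mac_eec(k_akma, req["eec_id"], len(req["mac_eec"]) * 8)
        except ValueError:
            return False            # malformed MAC length
        if not hmac.compare_digest(expected, req["mac_eec"]):
            return False            # wrong K_AKMA, wrong EEC ID, or tampered MAC
        # Step 828: K_edge is recomputed here; it is never carried in the request.
        self.k_edge[(req["a_kid"], req["eec_id"])] = derive_k_edge_kdf(k_akma, req["eec_id"])
        return True


def ecs_handle_registration(aanf: AAnF, req: dict) -> str:
    """Steps 826 to 832: the ECS (or EES) forwards the parameters to the AAnF
    and answers the EEC with accept or reject according to the AAnF's result."""
    return "accept" if aanf.verify(req) else "reject"


if __name__ == "__main__":
    # Constructed values; a real K_AUSF comes out of primary authentication (804).
    K_AUSF, SUPI, A_KID = bytes(range(32)), "imsi-001010123456789", "a-kid-example"
    ue, aanf = UE(A_KID, K_AUSF, SUPI), AAnF()
    aanf.add_context(A_KID, K_AUSF, SUPI)
    for eec_id in (b"eec-0001", b"eec-0002"):
        print(eec_id, ecs_handle_registration(aanf, ue.registration_request(eec_id)))
```

Two points the page leaves implicit. First, [0075] derives MAC_EEC from K_AKMA and the EEC ID while claim 10 phrases the SHA-256 input as K_edge; the two coincide only for the concatenation variant of K_edge, which is why compute_mac_eec takes K_AKMA and the EEC ID directly and works with any of the three K_edge variants. Second, MAC_EEC is a truncated hash recomputed by the verifier rather than a standard HMAC, so the AAnF side compares with hmac.compare_digest to keep verification time independent of where the bytes differ.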

[0076] Figure 9 illustrates a method 900, performed by a UE configured to communicate in a 5G network, for authentication between the UE's EEC and an ECS or EES (ECS / EES) based on an application-based authentication and key management (AKMA) architecture. In block 902, method 900 performs primary authentication with the 5G network to obtain K_AUSF. In block 904, method 900 generates K_AKMA and the A-KID. In block 906, method 900 provides K_AKMA and the EEC identifier (ID) of the EEC to the EEC to generate K_edge; the EEC computes MAC_EEC using K_AKMA and the EEC ID. In block 908, method 900 sends an application registration request to the ECS or EES, the application registration request including the EEC ID, MAC_EEC, and the A-KID.

[0077] The embodiments contemplated herein include an apparatus comprising means for performing one or more elements of method 900. This apparatus may be, for example, a UE (such as wireless device 1002 as a UE, as described herein).

[0078] The embodiments contemplated herein include one or more non-transitory computer-readable media comprising instructions that, when executed by one or more processors of an electronic device, cause the electronic device to perform one or more elements of method 900. The non-transitory computer-readable medium may be, for example, the memory of a UE (such as memory 1006 of a wireless device 1002 serving as a UE, as described herein).

[0079] The embodiments contemplated herein include an apparatus comprising logic, modules, or circuitry for performing one or more elements of method 900. This apparatus may be, for example, a device of a UE (such as wireless device 1002 as a UE, as described herein).

[0080] The embodiments contemplated herein include an apparatus comprising: one or more processors and one or more computer-readable media, the computer-readable media including instructions that, when executed by the one or more processors, cause the one or more processors to perform one or more elements of method 900. The apparatus may be, for example, a UE (such as wireless device 1002 as a UE, as described herein).

[0081] The embodiments contemplated herein include a signal as described in or in connection with one or more elements of method 900.

[0082] The embodiments contemplated herein include a computer program or computer program product having instructions which, when executed by a processor, cause the processor to perform one or more elements of method 900. The processor may be a processor of the UE (such as processor 1004 of wireless device 1002 as a UE, as described herein). These instructions may, for example, reside in the processor of the UE and / or in memory (such as memory 1006 of wireless device 1002 as a UE, as described herein).

[0083] Figure 10 A system 1000 for performing signaling 1034 between a wireless device 1002 and a network device 1018, according to an embodiment disclosed herein, is illustrated. System 1000 may be part of a wireless communication system as described herein. Wireless device 1002 may be, for example, a UE (User Equipment) of a wireless communication system. Network device 1018 may be, for example, a base station (e.g., an eNB or gNB) of a wireless communication system.

[0084] Wireless device 1002 may include one or more processors 1004. Processor 1004 may execute instructions to perform various operations of wireless device 1002 as described herein. Processor 1004 may include one or more baseband processors implemented using, for example, a central processing unit (CPU), a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a controller, a field-programmable gate array (FPGA) device, another hardware device, a firmware device, or any combination thereof for performing the operations described herein.

[0085] Wireless device 1002 may include memory 1006. Memory 1006 may be a non-transitory computer-readable storage medium that stores instructions 1008 (which may include, for example, instructions executed by processor 1004). Instructions 1008 may also be referred to as program code or computer program. Memory 1006 may also store data used by processor 1004 and results calculated by the processor.

[0086] Wireless device 1002 may include one or more transceivers 1010, which may include radio frequency (RF) transmitter and / or receiver circuitry that uses antenna 1012 of wireless device 1002 to facilitate the transmission or receipt of signaling (e.g., signaling 1034) between wireless device 1002 and other devices (e.g., network device 1018) in accordance with a corresponding RAT.

[0087] Wireless device 1002 may include one or more antennas 1012 (e.g., one, two, four, or more). For implementations with multiple antennas 1012, wireless device 1002 can exploit the spatial diversity of these multiple antennas 1012 to transmit and / or receive multiple different data streams on the same time-frequency resource. This practice may be referred to, for example, as a multiple-input multiple-output (MIMO) approach (referring to the multiple antennas used on each of the transmitting and receiving sides to implement this aspect). MIMO transmissions by wireless device 1002 can be achieved according to precoding (or digital beamforming) applied at wireless device 1002, which multiplexes the data streams across antennas 1012 based on known or assumed channel characteristics, such that each data stream is received with appropriate signal strength relative to the other streams at a desired location in the spatial domain (e.g., the location of the receiver associated with that data stream). Some implementations may use a single-user MIMO (SU-MIMO) method (where all data streams are directed to a single receiver) and / or a multi-user MIMO (MU-MIMO) method (where individual data streams may be directed to individual (different) receivers at different locations in the spatial domain).

[0088] In some implementations with multiple antennas, the wireless device 1002 may implement analog beamforming technology, whereby the phase of the signal transmitted by the antenna 1012 is relatively adjusted, making the (joint) transmission of the antenna 1012 directional (this is sometimes referred to as beam control).

[0089] Wireless device 1002 may include one or more interfaces 1014. Interface 1014 can be used to provide input to or output from wireless device 1002. For example, wireless device 1002 as a UE may include interfaces 1014 such as a microphone, speaker, touchscreen, buttons, etc., to allow a user of the UE to provide input to and / or receive output from the UE. Other interfaces of such a UE may consist of transmitters, receivers, and other circuitry (e.g., in addition to the transceiver 1010 / antenna 1012 already described) allowing the UE to communicate with other devices according to known protocols (e.g., ...).

[0090] Wireless device 1002 may include authentication module 1016. Authentication module 1016 may be implemented via hardware, software, or a combination thereof. For example, authentication module 1016 may be implemented as a processor, circuitry, and / or instructions 1008 stored in memory 1006 and executed by processor 1004. In some examples, authentication module 1016 may be integrated within processor 1004 and / or transceiver 1010. For example, authentication module 1016 may be implemented via a combination of software components (e.g., executed by a DSP or general-purpose processor) and hardware components (e.g., logic gates and circuitry) within processor 1004 or transceiver 1010.

[0091] Authentication module 1016 can be used in various aspects of this disclosure, for example those of Figures 1 to 9. For example, authentication module 1016 is configured to perform method 900.

[0092] Network device 1018 may include one or more processors 1020. Processor 1020 may execute instructions to perform various operations of network device 1018 as described herein. Processor 1020 may include one or more baseband processors, which are implemented using, for example, a CPU, DSP, ASIC, controller, FPGA device, another hardware device, a firmware device, or any combination thereof for performing the operations described herein.

[0093] Network device 1018 may include memory 1022. Memory 1022 may be a non-transitory computer-readable storage medium that stores instructions 1024 (which may include, for example, instructions executed by processor 1020). Instructions 1024 may also be referred to as program code or a computer program. Memory 1022 may also store data used by processor 1020 and results calculated by the processor.

[0094] Network device 1018 may include one or more transceivers 1026, which may include RF transmitter and / or receiver circuitry that uses the antenna 1028 of network device 1018 to facilitate the transmission or receipt of signaling (e.g., signaling 1034) between network device 1018 and other devices (e.g., wireless device 1002) in accordance with a corresponding RAT.

[0095] Network device 1018 may include one or more antennas 1028 (e.g., one, two, four or more). In embodiments with multiple antennas 1028, network device 1018 may perform MIMO, digital beamforming, analog beamforming, beam control, etc., as already described.

[0096] Network device 1018 may include one or more interfaces 1030. Interface 1030 can be used to provide input to or output from network device 1018. For example, network device 1018 as a base station may include interfaces 1030 consisting of transmitters, receivers, and other circuitry (e.g., in addition to the transceiver 1026 / antenna 1028 already described) enabling the base station to communicate with other equipment in the core network, and / or enabling the base station to communicate with external networks, computers, databases, etc., for the purpose of operating, managing, and maintaining the base station or other equipment operably connected to it.

[0097] Network device 1018 may include authentication module 1032. Authentication module 1032 may be implemented via hardware, software, or a combination thereof. For example, authentication module 1032 may be implemented as a processor, circuitry, and / or instructions 1024 stored in memory 1022 and executed by processor 1020. In some examples, authentication module 1032 may be integrated within processor 1020 and / or transceiver 1026. For example, authentication module 1032 may be implemented via a combination of software components (e.g., executed by a DSP or general-purpose processor) and hardware components (e.g., logic gates and circuitry) within processor 1020 or transceiver 1026.

[0098] Authentication module 1032 can be used in various aspects of this disclosure, for example those of Figures 1 to 9. For example, authentication module 1032 is configured to perform any of the functions of AAnF 810, ECS 822, or EES 824.

[0099] For one or more embodiments, at least one of the components shown in one or more of the foregoing figures may be configured to perform one or more operations, techniques, processes, and / or methods as described herein. For example, the baseband processor described herein in conjunction with one or more of the foregoing figures may be configured to operate according to one or more examples of the examples described herein. Similarly, the circuitry associated with the UE, base station, network element, etc., described above in conjunction with one or more of the foregoing figures may be configured to operate according to one or more examples of the examples shown herein.

[0100] Unless otherwise expressly stated, any of the above embodiments may be combined with any other embodiment (or combination of embodiments). The foregoing description of one or more specific embodiments provides illustration and description, but is not intended to be exhaustive or to limit the scope of the embodiments to the precise form disclosed. In view of the teachings above, modifications and variations are possible, or modifications and variations may be derived from practice of various embodiments.

[0101] Implementations and specific embodiments of the systems and methods described herein may include various operations embodied in machine-executable instructions to be executed by a computer system. The computer system may include one or more general-purpose or special-purpose computers (or other electronic devices). The computer system may include hardware components, including specific logical components for performing the operations, or may include a combination of hardware, software, and / or firmware.

[0102] It should be recognized that the systems described herein include descriptions of specific implementations. These implementations may be combined into a single system, partially integrated into other systems, divided into multiple systems, or otherwise partitioned or combined. Furthermore, it is conceivable to use parameters, attributes, aspects, etc., of one implementation in another implementation. For clarity, these parameters, attributes, aspects, etc., are described only in one or more implementations, and it should be recognized that unless specifically stated herein, these parameters, attributes, aspects, etc., may be combined with or substituted for parameters, attributes, aspects, etc., of another implementation.

[0103] As is widely recognized, the use of personally identifiable information should comply with privacy policies and practices that are generally accepted to meet or exceed industry or governmental requirements for protecting user privacy. Specifically, personally identifiable information data should be managed and processed to minimize the risk of unintentional or unauthorized access or use, and the nature of authorized use should be clearly explained to users.

[0104] Although the foregoing has been described in considerable detail for clarity, it will be apparent that certain changes and modifications can be made without departing from the principles of the invention. It should be noted that many alternative ways exist to implement both the processes and apparatus described herein. Therefore, embodiments of the invention should be considered illustrative rather than restrictive, and this specification is not limited to the details given herein, but can be modified within the scope of the appended claims and their equivalents.

Claims

1. A method for authentication between an edge enabler client (EEC) of a user equipment (UE) configured to communicate in a 5G network and an edge configuration server (ECS) or edge enabler server (EES) based on an application-based authentication and key management (AKMA) architecture, the method being performed by the UE and comprising: performing primary authentication with the 5G network to obtain K_AUSF; generating K_AKMA and an A-KID; providing the K_AKMA and an EEC identifier (ID) of the EEC to the EEC to generate K_edge, the EEC computing MAC_EEC using the K_AKMA and the EEC ID; and sending an application registration request to the ECS or the EES, the application registration request including the EEC ID, the MAC_EEC, and the A-KID.

2. The method of claim 1, wherein the sending includes sending a Non-Access Stratum (NAS) message.

3. The method of claim 1, wherein the sending includes sending a user plane message.

4. The method of claim 1, further comprising receiving an authentication request acceptance or rejection from the ECS or the EES.

5. The method of claim 1, further comprising generating the K_edge based on a key derivation function (KDF), wherein an input string S of the KDF includes an FC parameter, a P0 parameter, and an L0 parameter, the FC parameter being assigned according to a 3GPP specification, the P0 parameter being equal to the EEC ID, and the L0 parameter being equal to the length of the EEC ID.

6. The method of claim 5, wherein the key of the KDF is equal to the K_AKMA.

7. The method of claim 1, wherein the K_edge is equal to a concatenation or logical operation of the K_AKMA with the EEC ID.

8. The method of claim 1, wherein the MAC_EEC is based on a P0 parameter equal to the K_AKMA.

9. The method of claim 1, wherein the MAC_EEC is based on a P1 parameter equal to the EEC ID.

10. The method of claim 1, wherein the MAC_EEC is based on the SHA-256 hash algorithm, the input string of which is the K_edge.

11. The method of claim 10, wherein the MAC_EEC is N bits of the output of the SHA-256 hash algorithm.

12. The method of claim 11, wherein the N bits comprise a number of least significant bits selected from the output of the SHA-256 hash algorithm.

13. A non-transitory computer-readable storage medium for a user equipment (UE) configured to communicate in a 5G network and to perform authentication between an edge enabler client (EEC) and an edge configuration server (ECS) or edge enabler server (EES) based on an application-based authentication and key management (AKMA) architecture, the computer-readable storage medium comprising instructions that, when executed by the UE, cause the UE to: perform primary authentication with the 5G network to obtain K_AUSF; generate K_AKMA and an A-KID; provide the K_AKMA and an EEC identifier (ID) of the EEC to the EEC to generate K_edge, the EEC computing MAC_EEC using the K_AKMA and the EEC ID; and send an application registration request to the ECS or the EES, the application registration request including the EEC ID, the MAC_EEC, and the A-KID.

14. The computer-readable storage medium of claim 13, wherein the instructions further configure the UE to send a non-access stratum (NAS) message including the application registration request.

15. The computer-readable storage medium of claim 13, wherein the instructions further configure the UE to send a user plane message including the application registration request.

16. The computer-readable storage medium of claim 13, wherein the instructions further configure the UE to receive an authentication request acceptance or rejection from the ECS or the EES.

17. The computer-readable storage medium of claim 13, wherein the instructions further configure the UE to generate the K_edge according to a key derivation function (KDF), wherein an input string S of the KDF includes an FC parameter, a P0 parameter, and an L0 parameter, the FC parameter being assigned according to a 3GPP specification, the P0 parameter being equal to the EEC ID, and the L0 parameter being equal to the length of the EEC ID.

18. The computer-readable storage medium of claim 17, wherein the key of the KDF is equal to the K_AKMA.

19. The computer-readable storage medium of claim 13, wherein the K_edge is equal to a concatenation or logical operation of the K_AKMA with the EEC ID.

20. The computer-readable storage medium of claim 13, wherein the MAC_EEC is based on a P0 parameter equal to the K_AKMA.

21. The computer-readable storage medium of claim 13, wherein the MAC_EEC is based on a P1 parameter equal to the EEC ID.

22. The computer-readable storage medium of claim 13, wherein the MAC_EEC is based on the SHA-256 hash algorithm, the input string of which is the K_edge.

23. The computer-readable storage medium of claim 22, wherein the MAC_EEC is N bits of the output of the SHA-256 hash algorithm.

24. The computer-readable storage medium of claim 23, wherein the N bits comprise a number of least significant bits selected from the output of the SHA-256 hash algorithm.