Systems and methods for supporting ue authentication and security
Patent Information
- Authority / Receiving Office
- EP · EP
- Patent Type
- Applications
- Current Assignee / Owner
- ZTE CORP
- Filing Date
- 2023-09-08
- Publication Date
- 2026-07-08
Smart Images

Figure CN2023117793_24102024_PF_FP_ABST
Abstract
Description
SYSTEMS AND METHODS FOR SUPPORTING UE AUTHENTICATION AND SECURITYTECHNICAL FIELD
[0001] The disclosure relates generally to wireless communications, including but not limited to systems and methods for supporting user equipment (UE) authentication and / or security.BACKGROUND
[0002] The standardization organization Third Generation Partnership Project (3GPP) is currently in the process of specifying a new Radio Interface called 5G New Radio (5G NR) as well as a Next Generation Packet Core Network (NG-CN or NGC) . The 5G NR will have three main components: a 5G Access Network (5G-AN) , a 5G Core Network (5GC) , and a User Equipment (UE) . In order to facilitate the enablement of different data services and requirements, the elements of the 5GC, also called Network Functions, have been simplified with some of them being software based, and some being hardware based, so that they could be adapted according to need.SUMMARY
[0003] The example embodiments disclosed herein are directed to solving the issues relating to one or more of the problems presented in the prior art, as well as providing additional features that will become readily apparent by reference to the following detailed description when taken in conjunction with the accompany drawings. In accordance with various embodiments, example systems, methods, devices and computer program products are disclosed herein. It is understood, however, that these embodiments are presented by way of example and are not limiting, and it will be apparent to those of ordinary skill in the art who read the present disclosure that various modifications to the disclosed embodiments can be made while remaining within the scope of this disclosure.
[0004] The present disclosure defines an interface between a radio access network (RAN) and a core network (CN) as a service-based interface (SBI) . The RAN may terminate a non-access stratum (NAS) interface N1 to improve flexibility and scalability of a next generation network.
[0005] At least one aspect is directed to a system, method, apparatus, or a computer-readable medium of the following. A wireless communication node (e.g., a base station (BS) or a radio access network (RAN) node) may send a first message (e.g., a Nausf_UEAuthentication_Authenticate Request message) to request authentication of a wireless communication device (e.g., a user equipment (UE) ) , to an authentication server function (AUSF) . The wireless communication node may receive a second message (e.g., a Nausf_UEAuthentication_Authenticate Response message) in response to the first message, from the AUSF. The first message may comprise at least one of: a subscription concealed identifier (SUCI) , a subscription permanent identifier (SUPI) , or a name or identifier of a serving network.
[0006] In some embodiments, the wireless communication node may determine / select the AUSF according to a configuration or a discovery process (e.g., based on a local configuration or invoking Nnrf_NFDiscovery_Request to a NRF) . The wireless communication node may send a discovery request message to a network repository function (NRF) . The discovery request message may comprise at least one of: a subscription concealed identifier (SUCI) , a subscription permanent identifier (SUPI) , a AUSF group identifier to which the wireless communication device’s SUPI belongs, routing indicator information, a home network public key identifier, or a home network identifier of the SUCI or the SUPI. The wireless communication node may receive a discovery response message in response to the discovery request message from the NRF. The discovery response message may comprise information for selecting the AUSF, including at least one addressing parameter of the AUSF. In some embodiments, the wireless communication node may send the first message to the AUSF (e.g., the AUSF that is selected according to the information) .
[0007] In some embodiments, the AUSF may generate authentication information associated with the authentication according to information from a unified data management (UDM) . The AUSF may send the second message with the generated authentication information to the wireless communication node. The wireless communication node may send a request for authentication to the wireless communication device (e.g., a UE) . The wireless communication node may receive a response with the authentication information from the wireless communication device responsive to the request.
[0008] In some embodiments, the wireless communication node may determine whether the authentication is successful according to the authentication information from the wireless communication device and the authentication information from the AUSF. The wireless communication node may send the authentication information from the wireless communication device to the AUSF. The wireless communication node may receive at least one message comprising an indication of whether the authentication is successful, from the AUSF.
[0009] When the authentication is successful, at least one of: the at least one message may comprise security related information; the at least one message may comprise a subscription permanent identifier (SUPI) ; the AUSF may store a key according to a policy of a home network operator; or the AUSF may send to the UDM an indication that the authentication is successful.
[0010] In some embodiments, the wireless communication node may initiate a security mode command procedure with the wireless communication device, when the AUSF indicates that the authentication is successful. The wireless communication node may activate integrity protection prior to sending a security mode command message to the wireless communication device. The wireless communication node may activate uplink deciphering after sending the security mode command message to the wireless communication device. The wireless communication node may send the security mode command message to the wireless communication device. The security mode command message may comprise at least one of: the wireless communication device’s security capabilities, a security context, an integrity algorithm, a ciphering algorithm, a Key Set Identifier for identifying a key of a radio access network (RAN) , or a flag indicating to the wireless communication device to send a complete initial message in a security mode complete message. The wireless communication node may receive the security mode complete message from the wireless communication device. The security mode complete message can be ciphered and integrity protected.
[0011] In some embodiments, the wireless communication node may check integrity protection on the security mode complete message, using information included in the security mode command message. The security context can be stored in the RAN, or stored in a data function (DF) determined / selected via a configuration or a network repository function (NRF) . The wireless communication node may send a discovery request message to the NRF. The discovery request message may comprise at least one of: a network function (NF) type of the DF, a subscription permanent identifier (SUPI) , a globally unique temporary identifier (GUTI) , an identifier of the RAN, a tracking area identity (TAI) , or an identifier of a cell.
[0012] In some embodiments, the wireless communication node may receive a discovery response message from the NRF in response to the discovery request message. The discovery response message may comprise information about the DF that is selected, for example including at least one addressing parameter of the DF that is selected. The wireless communication node may send a request message to the DF. The request message may comprise at least one of: the SUPI, the GUTI, the identifier of the RAN, the TAI, or the identifier of the cell, the security context, the wireless communication device’s security capabilities, the integrity algorithm, or the ciphering algorithm. The DF may store / maintain at least one of: the security context, or information received from the wireless communication node. The DF may (e.g., in response to the request message) send a storage response message to the wireless communication node, to indicate successful storage of the security context.
[0013] In some embodiments, the DF may send a request message to the NRF to register with the NRF. The request message can be indicative of a network function (NF) profile of the DF. The NF profile may comprise at least one of: a NF type of the DF, an indication of a supported DF service for management of information of the wireless communication device, supported identifiers or range of identifiers of the wireless communication device, a list of at least one supported public land mobile network (PLMN) , at least one supported TAI, a list of at least one supported single network slice selection assistance information (S-NSSAI) , at least one supported identifier of the RAN, at least one supported ID of the cell, or a callback uniform resource identifier (URI) . The NRF may store the NF profile of the DF. The NRF may indicate that the DF is available to provide service. The NRF may send a response message, responsive to the request message, to accept registration of the DF with the NRF. The DF may provide service for management of information of the wireless communication device. The service may comprise at least one of: storing, retrieving, updating or deleting, of the information of the wireless communication device.
[0014] In some embodiments, an authentication server function (AUSF) may receive a first message (e.g., a Nausf_UEAuthentication_Authenticate Request message) to request authentication of a wireless communication device (e.g., a UE) , from a wireless communication node (e.g., a base station (BS) or a radio access network (RAN) node) . The AUSF may send a second message (e.g., a Nausf_UEAuthentication_Authenticate Response message) in response to the first message, to the wireless communication node.BRIEF DESCRIPTION OF THE DRAWINGS
[0015] Various example embodiments of the present solution are described in detail below with reference to the following figures or drawings. The drawings are provided for purposes of illustration only and merely depict example embodiments of the present solution to facilitate the reader's understanding of the present solution. Therefore, the drawings should not be considered limiting of the breadth, scope, or applicability of the present solution. It should be noted that for clarity and ease of illustration, these drawings are not necessarily drawn to scale.
[0016] FIG. 1 illustrates an example cellular communication network in which techniques disclosed herein may be implemented, in accordance with an embodiment of the present disclosure;
[0017] FIG. 2 illustrates a block diagram of an example base station and a user equipment device, in accordance with some embodiments of the present disclosure;
[0018] FIG. 3 illustrates an example 5G system architecture, in accordance with some embodiments of the present disclosure;
[0019] FIG. 4 illustrates an example control plane protocol stack, in accordance with some embodiments of the present disclosure;
[0020] FIG. 5 illustrates an example next generation network architecture, in accordance with some embodiments of the present disclosure;
[0021] FIG. 6 illustrates an example data function (DF) service registration procedure, in accordance with some embodiments of the present disclosure;
[0022] FIG. 7A illustrates an example UE authentication and / or security procedure, in accordance with some embodiments of the present disclosure;
[0023] FIG. 7B illustrates an example UE authentication and / or security procedure, in accordance with some embodiments of the present disclosure; and
[0024] FIG. 8 illustrates a flow diagram of an example method for supporting user equipment (UE) authentication and / or security, in accordance with an embodiment of the present disclosure.DETAILED DESCRIPTION
[0025] 1. Mobile Communication Technology and Environment
[0026] FIG. 1 illustrates an example wireless communication network, and / or system, 100 in which techniques disclosed herein may be implemented, in accordance with an embodiment of the present disclosure. In the following discussion, the wireless communication network 100 may be any wireless network, such as a cellular network or a narrowband Internet of things (NB-IoT) network, and is herein referred to as “network 100. ” Such an example network 100 includes a base station 102 (hereinafter “BS 102” ; also referred to as wireless communication node) and a user equipment device 104 (hereinafter “UE 104” ; also referred to as wireless communication device) that can communicate with each other via a communication link 110 (e.g., a wireless communication channel) , and a cluster of cells 126, 130, 132, 134, 136, 138 and 140 overlaying a geographical area 101. In FIG. 1, the BS 102 and UE 104 are contained within a respective geographic boundary of cell 126. Each of the other cells 130, 132, 134, 136, 138 and 140 may include at least one base station operating at its allocated bandwidth to provide adequate radio coverage to its intended users.
[0027] For example, the BS 102 may operate at an allocated channel transmission bandwidth to provide adequate coverage to the UE 104. The BS 102 and the UE 104 may communicate via a downlink radio frame 118, and an uplink radio frame 124 respectively. Each radio frame 118 / 124 may be further divided into sub-frames 120 / 127 which may include data symbols 122 / 128. In the present disclosure, the BS 102 and UE 104 are described herein as non-limiting examples of “communication nodes, ” generally, which can practice the methods disclosed herein. Such communication nodes may be capable of wireless and / or wired communications, in accordance with various embodiments of the present solution.
[0028] FIG. 2 illustrates a block diagram of an example wireless communication system 200 for transmitting and receiving wireless communication signals (e.g., OFDM / OFDMA signals) in accordance with some embodiments of the present solution. The system 200 may include components and elements configured to support known or conventional operating features that need not be described in detail herein. In one illustrative embodiment, system 200 can be used to communicate (e.g., transmit and receive) data symbols in a wireless communication environment such as the wireless communication environment 100 of FIG. 1, as described above.
[0029] System 200 generally includes a base station 202 (hereinafter “BS 202” ) and a user equipment device 204 (hereinafter “UE 204” ) . The BS 202 includes a BS (base station) transceiver module 210, a BS antenna 212, a BS processor module 214, a BS memory module 216, and a network communication module 218, each module being coupled and interconnected with one another as necessary via a data communication bus 220. The UE 204 includes a UE (user equipment) transceiver module 230, a UE antenna 232, a UE memory module 234, and a UE processor module 236, each module being coupled and interconnected with one another as necessary via a data communication bus 240. The BS 202 communicates with the UE 204 via a communication channel 250, which can be any wireless channel or other medium suitable for transmission of data as described herein.
[0030] As would be understood by persons of ordinary skill in the art, system 200 may further include any number of modules other than the modules shown in FIG. 2. Those skilled in the art will understand that the various illustrative blocks, modules, circuits, and processing logic described in connection with the embodiments disclosed herein may be implemented in hardware, computer-readable software, firmware, or any practical combination thereof. To clearly illustrate this interchangeability and compatibility of hardware, firmware, and software, various illustrative components, blocks, modules, circuits, and steps are described generally in terms of their functionality. Whether such functionality is implemented as hardware, firmware, or software can depend upon the particular application and design constraints imposed on the overall system. Those familiar with the concepts described herein may implement such functionality in a suitable manner for each particular application, but such implementation decisions should not be interpreted as limiting the scope of the present disclosure
[0031] In accordance with some embodiments, the UE transceiver 230 may be referred to herein as an "uplink" transceiver 230 that includes a radio frequency (RF) transmitter and a RF receiver each comprising circuitry that is coupled to the antenna 232. A duplex switch (not shown) may alternatively couple the uplink transmitter or receiver to the uplink antenna in time duplex fashion. Similarly, in accordance with some embodiments, the BS transceiver 210 may be referred to herein as a "downlink" transceiver 210 that includes a RF transmitter and a RF receiver each comprising circuity that is coupled to the antenna 212. A downlink duplex switch may alternatively couple the downlink transmitter or receiver to the downlink antenna 212 in time duplex fashion. The operations of the two transceiver modules 210 and 230 may be coordinated in time such that the uplink receiver circuitry is coupled to the uplink antenna 232 for reception of transmissions over the wireless transmission link 250 at the same time that the downlink transmitter is coupled to the downlink antenna 212. Conversely, the operations of the two transceivers 210 and 230 may be coordinated in time such that the downlink receiver is coupled to the downlink antenna 212 for reception of transmissions over the wireless transmission link 250 at the same time that the uplink transmitter is coupled to the uplink antenna 232. In some embodiments, there is close time synchronization with a minimal guard time between changes in duplex direction.
[0032] The UE transceiver 230 and the base station transceiver 210 are configured to communicate via the wireless data communication link 250, and cooperate with a suitably configured RF antenna arrangement 212 / 232 that can support a particular wireless communication protocol and modulation scheme. In some illustrative embodiments, the UE transceiver 210 and the base station transceiver 210 are configured to support industry standards such as the Long Term Evolution (LTE) and emerging 5G standards, and the like. It is understood, however, that the present disclosure is not necessarily limited in application to a particular standard and associated protocols. Rather, the UE transceiver 230 and the base station transceiver 210 may be configured to support alternate, or additional, wireless data communication protocols, including future standards or variations thereof.
[0033] In accordance with various embodiments, the BS 202 may be an evolved node B (eNB) , a serving eNB, a target eNB, a femto station, or a pico station, for example. In some embodiments, the UE 204 may be embodied in various types of user devices such as a mobile phone, a smart phone, a personal digital assistant (PDA) , tablet, laptop computer, wearable computing device, etc. The processor modules 214 and 236 may be implemented, or realized, with a general purpose processor, a content addressable memory, a digital signal processor, an application specific integrated circuit, a field programmable gate array, any suitable programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof, designed to perform the functions described herein. In this manner, a processor may be realized as a microprocessor, a controller, a microcontroller, a state machine, or the like. A processor may also be implemented as a combination of computing devices, e.g., a combination of a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other such configuration.
[0034] Furthermore, the steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in firmware, in a software module executed by processor modules 214 and 236, respectively, or in any practical combination thereof. The memory modules 216 and 234 may be realized as RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. In this regard, memory modules 216 and 234 may be coupled to the processor modules 210 and 230, respectively, such that the processors modules 210 and 230 can read information from, and write information to, memory modules 216 and 234, respectively. The memory modules 216 and 234 may also be integrated into their respective processor modules 210 and 230. In some embodiments, the memory modules 216 and 234 may each include a cache memory for storing temporary variables or other intermediate information during execution of instructions to be executed by processor modules 210 and 230, respectively. Memory modules 216 and 234 may also each include non-volatile memory for storing instructions to be executed by the processor modules 210 and 230, respectively.
[0035] The network communication module 218 generally represents the hardware, software, firmware, processing logic, and / or other components of the base station 202 that enable bi-directional communication between base station transceiver 210 and other network components and communication nodes configured to communication with the base station 202. For example, network communication module 218 may be configured to support internet or WiMAX traffic. In a typical deployment, without limitation, network communication module 218 provides an 802.3 Ethernet interface such that base station transceiver 210 can communicate with a conventional Ethernet based computer network. In this manner, the network communication module 218 may include a physical interface for connection to the computer network (e.g., Mobile Switching Center (MSC) ) . The terms “configured for, ” “configured to” and conjugations thereof, as used herein with respect to a specified operation or function, refer to a device, component, circuit, structure, machine, signal, etc., that is physically constructed, programmed, formatted and / or arranged to perform the specified operation or function.
[0036] The Open Systems Interconnection (OSI) Model (referred to herein as, “open system interconnection model” ) is a conceptual and logical layout that defines network communication used by systems (e.g., wireless communication device, wireless communication node) open to interconnection and communication with other systems. The model is broken into seven subcomponents, or layers, each of which represents a conceptual collection of services provided to the layers above and below it. The OSI Model also defines a logical network and effectively describes computer packet transfer by using different layer protocols. The OSI Model may also be referred to as the seven-layer OSI Model or the seven-layer model. In some embodiments, a first layer may be a physical layer. In some embodiments, a second layer may be a Medium Access Control (MAC) layer. In some embodiments, a third layer may be a Radio Link Control (RLC) layer. In some embodiments, a fourth layer may be a Packet Data Convergence Protocol (PDCP) layer. In some embodiments, a fifth layer may be a Radio Resource Control (RRC) layer. In some embodiments, a sixth layer may be a Non Access Stratum (NAS) layer or an Internet Protocol (IP) layer, and the seventh layer being the other layer.
[0037] Various example embodiments of the present solution are described below with reference to the accompanying figures to enable a person of ordinary skill in the art to make and use the present solution. As would be apparent to those of ordinary skill in the art, after reading the present disclosure, various changes or modifications to the examples described herein can be made without departing from the scope of the present solution. Thus, the present solution is not limited to the example embodiments and applications described and illustrated herein. Additionally, the specific order or hierarchy of steps in the methods disclosed herein are merely example approaches. Based upon design preferences, the specific order or hierarchy of steps of the disclosed methods or processes can be re-arranged while remaining within the scope of the present solution. Thus, those of ordinary skill in the art will understand that the methods and techniques disclosed herein present various steps or acts in a sample order, and the present solution is not limited to the specific order or hierarchy presented unless expressly stated otherwise.
[0038] 2. Systems and Methods for Supporting User Equipment (UE) Authentication and Security
[0039] Service-Based Interface N2
[0040] A service-based architecture (SBA) can be implemented in 5G core network. The SBA architecture can improve the flexibility and scalability of 5G Core network. The network functions (NFs) can provide one or more services (e.g., registration service, or communication service) . An NF service can be one type of capability exposed by an NF (e.g., NF service producer) to other authorized NF (e.g., NF service consumer) through a service-based interface. NFs can offer different capabilities and different NF services to distinct consumers. Thus, NFs communication based on service interface is more flexible and scalable.
[0041] In 5G System, the interface N2 between NG-RAN and AMF may not be a service-based interface. The interface between RAN and core network functions can be configured / implemented as a service-based interface, in order to further improve the flexibility and scalability of the next generation network, especially the flexibility and scalability of RAN provided services. Therefore, the present disclosure describes the interface between a RAN and a core network as a service-based interface.
[0042] RAN Performing UE Authentication and Security
[0043] In a 5G System, a N1 NAS signaling connection can be established between a UE and an access and mobility management function (AMF) . The NAS messages exchanged between the UE and the network can be ciphered and integrity protected between the UE and the AMF. The AMF may de-cipher and may check the integrity of the message received from the UE and then may invoke other NF’s service to forward the integrity checked and de-ciphered message to other NF.
[0044] If the interface between a RAN and core network functions is a service-based interface, the messages exchanged between a UE and the network can be ciphered and integrity protected between the UE and the RAN. The RAN may de-cipher and may check the integrity of the message received from the UE and then the RAN may invoke other NF’s service to forward the integrity checked and de-ciphered message to other NF. Therefore, the present disclosure can support UE authentication procedure and security mode command procedure initiated and performed by the RAN.
[0045] Data Function
[0046] There can be a unified data function in a next generation network to store and manage all the data in the network, including UE data, network function data, performance data, and / or policy data. Therefore, the present disclosure proposes a network function (e.g., a data function, a data center, or a data repository function) to store and / or manage (e.g., organize, track) all the data in the network, including UE data, Network Function data, performance data, or policy data.
[0047] FIG. 3 illustrates an example 5G system architecture, in accordance with some embodiments of the present disclosure. The 5G system architecture may comprise following network functions (NFs) .
[0048] (1) UE: user equipment.
[0049] (2) RAN: radio access network.
[0050] (3) AMF: access and mobility management function. This NF may include a number of functionalities. For example, the functionalities may include at least one of: a UE mobility management, a reachability management, a connection management, or a registration management. The AMF may terminate the RAN control plane (CP) interface N2 and non-access stratum (NAS) interface N1, and / or NAS ciphering and integrity protection. The AMF may distribute the session management (SM) NAS to the proper session management functions (SMFs) via N11 interface.
[0051] (4) UDM: unified data management. This NF may manage the subscription profile for the UEs. The subscription data can be stored in a unified data repository (UDR) . The subscription information may include a network slice related subscription data used for mobility management and / or session management. The AMF and SMF may retrieve the subscription data from the UDM.
[0052] (5) NSSF: network slice selection function. This NF may support the following functionality: selecting the set of Network Slice instances serving the UE; determining the allowed NSSAI and, if needed, the mapping to the HPLMN S-NSSAIs; determining the configured NSSAI and, if needed, the mapping to the HPLMN S-NSSAIs; determining the AMF set to be used to serve the UE, or, based on configuration, a list of candidate AMF (s) , possibly by querying the network repository function (NRF) .
[0053] (6) SMF: session management function. This NF may include the following functionalities: session establishment, modification and release, UE IP address allocation and management, or selection and control of user plane (UP) function.
[0054] (7) UPF: user plane function. This NF may serve as an anchor point for intra- / inter-radio access technology (RAT) mobility and / or as the external PDU session point of interconnect to data network (DN) . The UPF may also route and forward the data packet according to the indication from the SMF. The UPF may buffer the downlink (DL) data when the UE is in an idle mode.
[0055] (8) PCF: policy control function. This NF may support unified policy framework to govern network behavior. The PCF may provide an access management policy to the AMF, or a session management policy to the SMF, or a UE policy to the UE. The PCF can access the unified data repository (UDR) to obtain the subscription information relevant for policy decisions.
[0056] FIG. 4 illustrates an example control plane protocol stack between a UE and an AMF, in accordance with some embodiments of the present disclosure.
[0057] NAS-MM: The NAS protocol for mobility management (MM) functionality may support a registration management functionality, a connection management functionality and user plane connection activation and deactivation. The NAS-MM can be responsible for ciphering and integrity protection of NAS signaling.
[0058] 5G-AN Protocol layer: This set of protocols / layers may depend on the 5G-access network (AN) . In the case of next generation-radio access network (NG-RAN) , the radio protocol between the UE and the NG-RAN node (e.g., eNodeB or gNodeB) may include an access stratum (AS) layer and lower layers.
[0059] Implementation Example 1: Next generation network architecture
[0060] FIG. 5 illustrates an example next generation network architecture, in accordance with some embodiments of the present disclosure.
[0061] A (R) AN may terminate a NAS interface N1 and may support NAS ciphering and integrity protection. A UE authentication procedure and a security mode command procedure can be initiated and performed by the (R) AN. The (R) AN de-ciphers and checks the integrity protection of the NAS message using the UE security context created at the (R) AN and stored at the (R) AN / DF.
[0062] The interface between the (R) AN and the core network can be defined as a service-based interface. The (R) AN may distribute / send a registration message to the proper AMF via a Namf service-based interface. The (R) AN may distribute / send a session management message to the proper SMF via a Nsmf service-based interface.
[0063] Data function can be dedicated for data storage and / or management, to store and manage all the data in the network, including at least one of: UE data, network function data, performance data, or policy data. The name of the data function can be a data function, a data center, a data repository function, a data storage function, or any other name with the same functionality.
[0064] If data function (DF) is deployed, all UE information including UE security context can be stored in the DF. The (R) AN may select the DF based on a local configuration or obtained information from the NRF.
[0065] Implementation Example 2: DF service registration procedure
[0066] FIG. 6 illustrates an example data function (DF) service registration procedure, in accordance with some embodiments of the present disclosure.
[0067] The DF may send a Nnrf_NFManagement_NFRegister Request message to the NRF to inform the NRF of its NF profile when the DF becomes operative for the first time. The profile of DF may include at least one of: a NF type as DF, supported DF service (s) for management (e.g., including store, retrieve, update and delete) of UE information including UE security context and protocol data unit (PDU) session information, a supported UE ID range (UE ID , e.g., a subscription permanent identifier (SUPI) , a globally unique temporary identifier (GUTI) ) , a supported public land mobile network (PLMN) list, supported tracking area identities (TAIs) , a supported single-network slice selection assistant information (S-NSSAI) list, one or more supported RAN IDs, one or more supported Cell IDs, or a callback uniform resource identifier (URI) .
[0068] The NRF may store the DF profile and may mark / indicate that the DF service is available.
[0069] The NRF may acknowledge that DF registration is accepted via a Nnrf_NFManagement_NFRegister response message.
[0070] Implementation Example 3: UE authentication and security procedure
[0071] FIGs. 7A and 7B illustrate an example UE authentication and / or security procedure, in accordance with some embodiments of the present disclosure.
[0072] RRC connection establishment procedure
[0073] Step 1 (from a UE to a RAN) : The UE in an idle state may initiate a radio resource control (RRC) connection establishment procedure before the UE sends an initial message (e.g., an initial registration request message) to the network. The UE may send RRC setup request message including for instance an establishment cause and / or a UE identity to the RAN.
[0074] Step 2 (from the RAN to the UE) : The RAN may respond with a RRC setup message to the UE.
[0075] Step 3 (from the UE to the RAN) : The UE may enter a connected state and may send a RRC setup complete message to the RAN to confirm the successful completion of an RRC connection establishment. The UE may include an initial message in the RRC setup complete message. If the UE has no security context, the initial message may include the cleartext information elements (IEs) (e.g., subscription identifiers (e.g., a subscription concealed identifier (SUCI) or a globally unique temporary identity (GUTI) ) , UE security capabilities, and / or key set identifier.
[0076] Identity request procedure
[0077] Step 4 (from the RAN to the UE) : If the subscription concealed identifier (SUCI) is not provided by the UE, the RAN may initiate an identity request procedure by sending an identity request message to the UE requesting the SUCI.
[0078] Step 5 (from the UE to the RAN) : The UE may respond (e.g., to the identity request message) with an identity response message including the SUCI.
[0079] UE authentication procedure
[0080] Step 6: The RAN may decide / determine to initiate a UE authentication procedure. The RAN may select an authentication server function (AUSF) instance based on local configuration or may invoke a Nnrf_NFDiscovery_Request to a NRF.
[0081] Step 7 (from the RAN to the NRF) : The Nnrf_NFDiscovery_Request message may include at least one of: a NF Type of the AUSF, a SUPI / SUCI, an AUSF group identifier the UE's SUPI belongs to, routing indicator information that may allow to route network signaling with SUCI to an AUSF, a home network public key identifier which may be able to be served by the AUSF instance, or a home network identifier (e.g., mobile network code (MNC) and mobile country code (MCC) , realm) of SUCI / SUPI. The home network public key identifier can be provided when a routing indicator is not enough to provide SUPI range granularity. The home network public key identifier can be provided together with a routing indicator.
[0082] Step 8 (from the NRF to the RAN) : The NRF may send a Nnrf_NFDiscovery_Response message to the RAN. The response message may include the selected AUSF information for the SUPI / SUCI. At least one of the addressing parameters (e.g., fully qualified domain name (FQDN) , IPv4 address or IPv6 address) can be included.
[0083] Step 9 (from the RAN to an AUSF) : The RAN may invoke / initiate / activate the Nausf_UEAuthentication service by sending a Nausf_UEAuthentication_Authenticate Request message to the selected AUSF. The request message may include at least one of: a SUCI / SUPI, or a serving network name.
[0084] Step 10: Upon request from the RAN, the AUSF can execute authentication of the UE. The AUSF may select a UDM based on a local configuration or obtained information from the NRF.
[0085] Step 11 (from the AUSF to a UDM) : The AUSF may send a Nudm_UEAuthentication_Get Request message to the selected UDM to get the authentication data from the UDM. The request message may include at least one of a SUCI / SUPI, or a serving network name.
[0086] Step 12: Upon reception of the Nudm_UEAuthentication_Get Request, the UDM may de-conceal SUCI to gain SUPI before the UDM can process the request. Based on SUPI, the UDM may choose / determine an authentication method (e.g., EAP-AKA' or 5G AKA) .
[0087] Step 13 (from the UDM to the AUSF) : The UDM may return a Nudm_UEAuthentication_Get Response message to the AUSF. In case SUCI was included in the Nudm_UEAuthentication_Get Request, the UDM may include the SUPI in the Nudm_UEAuthentication_Get Response after deconcealment of SUCI. The response message may include authentication related information (e.g., key (s) , or algorithm (s) ) .
[0088] Step 14 (from the AUSF to the RAN) : The AUSF may generate an authentication related information based on the authentication related information received from the UDM and then may return a Nausf_UEAuthentication_Authenticate Response message to the RAN.
[0089] Step 15 (from the RAN to the UE) : The RAN may send an authentication request message to the UE. The request message may include authentication related information that can be used by the UE. For example, the message may include a key set Identifier that can be used by the UE and the RAN to identify the KRAN and the security context that is created if the authentication is successful.
[0090] Step 16 (from the UE to the RAN) : The UE may return an authentication response message to the RAN.
[0091] Step 17 (from the RAN to the AUSF) : Based on authentication information received from the AUSF and the UE, the RAN may determine whether the authentication is successful or not from the serving network point of view. The RAN may forward the authentication related information received from the UE to the AUSF in a Nausf_UEAuthentication_Authenticate Request message to the AUSF.
[0092] Step 18 (from the AUSF to the RAN) : The AUSF may determine whether the authentication is successful or not from the home network point of view and may indicate the result to the RAN in a Nausf_UEAuthentication_Authenticate Response message. If the authentication is successful, the AUSF may provide relevant security related information including security context and KRAN to the RAN. If the RAN provided a SUCI to AUSF, the AUSF may return the SUPI to RAN only after the authentication is successful. Upon successful authentication, the AUSF may store the KAUSF based on the home network operator's policy. The AUSF may also inform the UDM about the authentication result.
[0093] Security mode command procedure
[0094] Step 19: If the AUSF indicates that the authentication was successful from the home network point of view, the RAN may initiate a security mode command procedure with the UE, to take the newly generated security context into use. The RAN may activate the integrity protection before sending the security mode command message to the UE. The RAN may activate uplink deciphering after sending the Security Mode Command message.
[0095] Step 20 (from the RAN to the UE) : The RAN may send a security mode command message to the UE. The message may include at least one of: replayed UE security capabilities, security context, an integrity algorithm, a ciphering algorithm, a Key Set Identifier for identifying the KRAN, or a flag requesting the UE to send the complete initial message in the security mode complete message.
[0096] Step 21: Upon receiving the valid security mode command message from the RAN, the UE may consider the performed primary authentication as successful. The UE may verify the security mode command message (e.g., the UE security capabilities sent by the RAN match the ones stored in the UE to ensure that these were not modified by an attacker, and / or verifies the integrity protection using the indicated integrity algorithm and the integrity key) . If the verification of the integrity of the security mode command message is successful, the UE can start integrity protection and ciphering / deciphering with the security context indicated by the RAN.
[0097] Step 22 (from the UE to the RAN) : The UE may send the security mode complete message to the RAN in response to a security mode command message. The security mode complete message can be ciphered and integrity protected. The security mode complete message may include the complete initial message in a container if either requested by the RAN or the UE sent the initial message unprotected. The RAN may use the complete initial message that is in the container as the message to respond to.
[0098] Step 23: The RAN may de-cipher and may check the integrity protection on the security mode complete message using the key and algorithm indicated in the security mode command message. Downlink ciphering at the RAN with this security context may start after receiving the security mode complete message. The UE security context which can include at least one of: a Key Set Identifier, security key (s) , KRAN, UE security capabilities, or an integrity algorithm and ciphering algorithm is either stored in the RAN or stored in a dedicated data function. The data function can alternatively be referred to as a data center, a data repository function, a data storage function, or have any other name with the same functionality to store and manage all the data in the network. The data may include at least one of: UE data, network function data, performance data, or policy data. If a data function (DF) is deployed, all UE information can be stored in the DF. The RAN may select DF based on local configuration or information obtained from the NRF.
[0099] Step 24 (from the RAN to the NRF) : The RAN may invoke a NRF service to discover and select DF. The RAN may send a Nnrf_NFDiscovery_Request message to the NRF. The message may include at least one of: a NF type as DF, a SUPI, a GUTI, a RAN ID, a TAI, or a cell ID.
[0100] Step 25 (from the NRF to the RAN) : The NRF may discover and may select a DF. The NRF may respond a Nnrf_NFDiscovery_Response message including selected DF information to the RAN. At least one of the addressing parameters for the selected DF (e.g., FQDN, IPv4 address or IPv6 address) can be included.
[0101] Step 26 (from the RAN to the DF) : The RAN may invoke a UE data storage service of the selected DF. The RAN may send a Ndf_UEData_storage request message to the DF. The request message may include at least one of: a SUPI, a GUTI, a RAN ID, a TAI, a cell ID, UE security context including a Key Set Identifier, security key (s) , KRAN, UE security capabilities, an integrity algorithm, or a ciphering algorithm.
[0102] Step 27: The DF may store the UE security context associated with the UE identifier (e.g., SUPI or GUTI) and other information received from the RAN.
[0103] Step 28 (from the DF to the RAN) : The DF may respond with a Ndf_UEData_storage response message to the RAN to acknowledge the successful storage the UE security context information.
[0104] Step 29: After handling of the initial message and possibly interactions with other network functions, the RAN may send a response to the initial message to the UE. This message can be ciphered and integrity protected.
[0105] It should be understood that one or more features from the above / following implementation examples are not exclusive to the specific implementation examples, but can be combined in any manner (e.g., in any priority and / or order, concurrently or otherwise) .
[0106] FIG. 8 illustrates a flow diagram of a method 800 for supporting user equipment (UE) authentication and / or security. The method 800 may be implemented using any one or more of the components and devices detailed herein in conjunction with FIGs. 1 to 7B. In overview, the method 800 may be performed by a wireless communication node (e.g., a base station (BS) or a radio access network (RAN) node) , in some embodiments. Additional, fewer, or different operations may be performed in the method 800 depending on the embodiment. At least one aspect of the operations is directed to a system, method, apparatus, or a computer-readable medium.
[0107] A wireless communication node (e.g., a base station (BS) or a radio access network (RAN) node) may send a first message (e.g., a Nausf_UEAuthentication_Authenticate Request message) to request authentication of a wireless communication device (e.g., a user equipment (UE) ) to an authentication server function (AUSF) . The wireless communication node may receive a second message (e.g., a Nausf_UEAuthentication_Authenticate Response message) in response to the first message from the AUSF. The first message may comprise at least one of: a subscription concealed identifier (SUCI) , a subscription permanent identifier (SUPI) , or a name or identifier of a serving network.
[0108] In some embodiments, the wireless communication node may determine / select the AUSF according to a configuration or a discovery process (e.g., based on a local configuration or invoking Nnrf_NFDiscovery_Request to a NRF) . The wireless communication node may send a discovery request message to a network repository function (NRF) . The discovery request message may comprise at least one of: a subscription concealed identifier (SUCI) , a subscription permanent identifier (SUPI) , a AUSF group identifier to which the wireless communication device’s SUPI belongs, routing indicator information, a home network public key identifier, or a home network identifier of the SUCI or the SUPI. The wireless communication node may receive a discovery response message in response to the discovery request message from the NRF. The discovery response message may comprise information for selecting the AUSF, including at least one addressing parameter of the AUSF. In some embodiments, the wireless communication node may send the first message to the AUSF that is selected according to the information.
[0109] In some embodiments, the AUSF may generate / output authentication information associated with the authentication according to information from a unified data management (UDM) . The AUSF may send the second message with the authentication generated information to the wireless communication node. The wireless communication node may send a request for authentication to the wireless communication device (e.g., a UE) . The wireless communication node may receive a response with the authentication information from the wireless communication device responsive to the request.
[0110] In some embodiments, the wireless communication node may determine whether the authentication is successful according to the authentication information from the wireless communication device and the authentication information from the AUSF. The wireless communication node may send the authentication information from the wireless communication device to the AUSF. The wireless communication node may receive at least one message comprising an indication of whether the authentication is successful from the AUSF. When the authentication is successful, at least one of: the at least one message may comprise security related information; the at least one message may comprise a subscription permanent identifier (SUPI) ; the AUSF may store a key according to a policy of a home network operator; or the AUSF may send to the UDM an indication that the authentication is successful.
[0111] In some embodiments, the wireless communication node may initiate a security mode command procedure with the wireless communication device, when the AUSF indicates that the authentication is successful. The wireless communication node may activate integrity protection prior to sending a security mode command message to the wireless communication device. The wireless communication node may activate uplink deciphering after sending the security mode command message to the wireless communication device. The wireless communication node may send the security mode command message to the wireless communication device. The security mode command message may comprise at least one of: the wireless communication device’s security capabilities, a security context, an integrity algorithm, a ciphering algorithm, a Key Set Identifier for identifying a key of a radio access network (RAN) , or a flag indicating to the wireless communication device to send an complete initial message in a security mode complete message. The wireless communication node may receive the security mode complete message from the wireless communication device. The security mode complete message can be ciphered and integrity protected.
[0112] In some embodiments, the wireless communication node may check integrity protection on the security mode complete message, using information included in the security mode command message. The security context can be stored in the RAN, or stored in a data function (DF) determined via a configuration or a network repository function (NRF) . The wireless communication node may send a discovery request message to the NRF. The discovery request message may comprise at least one of: a network function (NF) type of the DF, a subscription permanent identifier (SUPI) , a globally unique temporary identifier (GUTI) , an identifier of the RAN, a tracking area identity (TAI) , or an identifier of a cell.
[0113] In some embodiments, the wireless communication node may receive a discovery response message from the NRF in response to the discovery request message. The discovery response message may comprise information about the DF that is selected, including at least one addressing parameter of the DF that is selected. The wireless communication node may send a request message to the DF. The request message may comprise at least one of: the SUPI, the GUTI, the identifier of the RAN, the TAI, or the identifier of the cell, the security context, the wireless communication device’s security capabilities, the integrity algorithm, or the ciphering algorithm. The DF may store at least one of: the security context, or information received from the wireless communication node. The DF may send a storage response message to the wireless communication node, to indicate successful storage of the security context.
[0114] In some embodiments, the DF may send a request message to the NRF to register with the NRF. The request message can be indicative of a network function (NF) profile of the DF. The NF profile may comprise at least one of: a NF type of the DF, an indication of a supported DF service for management of information of the wireless communication device, supported identifiers or range of identifiers of the wireless communication device, a list of at least one supported public land mobile network (PLMN) , at least one supported TAI, a list of at least one supported single network slice selection assistance information (S-NSSAI) , at least one supported identifier of the RAN, at least one supported ID of the cell, or a callback uniform resource identifier (URI) . The NRF may store the NF profile of the DF. The NRF may indicate that the DF is available to provide service. The NRF may send a response message, responsive to the request message, to accept registration of the DF with the NRF. The DF may provide service for management of information of the wireless communication device. The service may comprise at least one of: storing, retrieving, updating or deleting, of the information / data of the wireless communication device.
[0115] In some embodiments, an authentication server function (AUSF) may receive a first message (e.g., a Nausf_UEAuthentication_Authenticate Request message) to request authentication of a wireless communication device (e.g., a UE) , from a wireless communication node (e.g., a base station (BS) or a radio access network (RAN) node) . The AUSF may send a second message (e.g., a Nausf_UEAuthentication_Authenticate Response message) in response to the first message to the wireless communication node.
[0116] While various embodiments of the present solution have been described above, it should be understood that they have been presented by way of example only, and not by way of limitation. Likewise, the various diagrams may depict an example architectural or configuration, which are provided to enable persons of ordinary skill in the art to understand example features and functions of the present solution. Such persons would understand, however, that the solution is not restricted to the illustrated example architectures or configurations, but can be implemented using a variety of alternative architectures and configurations. Additionally, as would be understood by persons of ordinary skill in the art, one or more features of one embodiment can be combined with one or more features of another embodiment described herein. Thus, the breadth and scope of the present disclosure should not be limited by any of the above-described illustrative embodiments.
[0117] It is also understood that any reference to an element herein using a designation such as "first, " "second, " and so forth does not generally limit the quantity or order of those elements. Rather, these designations can be used herein as a convenient means of distinguishing between two or more elements or instances of an element. Thus, a reference to first and second elements does not mean that only two elements can be employed, or that the first element must precede the second element in some manner.
[0118] Additionally, a person having ordinary skill in the art would understand that information and signals can be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits and symbols, for example, which may be referenced in the above description can be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.
[0119] A person of ordinary skill in the art would further appreciate that any of the various illustrative logical blocks, modules, processors, means, circuits, methods and functions described in connection with the aspects disclosed herein can be implemented by electronic hardware (e.g., a digital implementation, an analog implementation, or a combination of the two) , firmware, various forms of program or design code incorporating instructions (which can be referred to herein, for convenience, as "software" or a "software module) , or any combination of these techniques. To clearly illustrate this interchangeability of hardware, firmware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware, firmware or software, or a combination of these techniques, depends upon the particular application and design constraints imposed on the overall system. Skilled artisans can implement the described functionality in various ways for each particular application, but such implementation decisions do not cause a departure from the scope of the present disclosure.
[0120] Furthermore, a person of ordinary skill in the art would understand that various illustrative logical blocks, modules, devices, components and circuits described herein can be implemented within or performed by an integrated circuit (IC) that can include a general purpose processor, a digital signal processor (DSP) , an application specific integrated circuit (ASIC) , a field programmable gate array (FPGA) or other programmable logic device, or any combination thereof. The logical blocks, modules, and circuits can further include antennas and / or transceivers to communicate with various components within the network or within the device. A general purpose processor can be a microprocessor, but in the alternative, the processor can be any conventional processor, controller, or state machine. A processor can also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other suitable configuration to perform the functions described herein.
[0121] If implemented in software, the functions can be stored as one or more instructions or code on a computer-readable medium. Thus, the steps of a method or algorithm disclosed herein can be implemented as software stored on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that can be enabled to transfer a computer program or code from one place to another. A storage media can be any available media that can be accessed by a computer. By way of example, and not limitation, such computer-readable media can include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store desired program code in the form of instructions or data structures and that can be accessed by a computer.
[0122] In this document, the term "module" as used herein, refers to software, firmware, hardware, and any combination of these elements for performing the associated functions described herein. Additionally, for purpose of discussion, the various modules are described as discrete modules; however, as would be apparent to one of ordinary skill in the art, two or more modules may be combined to form a single module that performs the associated functions according embodiments of the present solution.
[0123] Additionally, memory or other storage, as well as communication components, may be employed in embodiments of the present solution. It will be appreciated that, for clarity purposes, the above description has described embodiments of the present solution with reference to different functional units and processors. However, it will be apparent that any suitable distribution of functionality between different functional units, processing logic elements or domains may be used without detracting from the present solution. For example, functionality illustrated to be performed by separate processing logic elements, or controllers, may be performed by the same processing logic element, or controller. Hence, references to specific functional units are only references to a suitable means for providing the described functionality, rather than indicative of a strict logical or physical structure or organization.
[0124] Various modifications to the embodiments described in this disclosure will be readily apparent to those skilled in the art, and the general principles defined herein can be applied to other embodiments without departing from the scope of this disclosure. Thus, the disclosure is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the novel features and principles disclosed herein, as recited in the claims below.
Claims
1.A method comprising:sending, by a wireless communication node to an authentication server function (AUSF) , a first message to request authentication of a wireless communication device; andreceiving, by the wireless communication node from the AUSF, a second message in response to the first message.2.The method of claim 1, wherein the first message comprises at least one of: a subscription concealed identifier (SUCI) , a subscription permanent identifier (SUPI) , or a name or identifier of a serving network.3.The method of claim 1, comprising:determining, by the wireless communication node, the AUSF according to a configuration or a discovery process.4.The method of claim 3, comprising:sending, by the wireless communication node to a network repository function (NRF) , a discovery request message comprising at least one of: a subscription concealed identifier (SUCI) , a subscription permanent identifier (SUPI) , a AUSF group identifier to which the wireless communication device’s SUPI belongs, routing indicator information, a home network public key identifier, or a home network identifier of the SUCI or the SUPI.5.The method of claim 4, comprising:receiving, by the wireless communication node from the NRF in response to the discovery request message, a discovery response message comprising information for selecting the AUSF, including at least one addressing parameter of the AUSF.6.The method of claim 5, comprising:sending, by the wireless communication node, the first message to the AUSF that is selected according to the information.7.The method of claim 1, wherein the AUSF generates authentication information associated with the authentication according to information from a unified data management (UDM) , and sends the second message with the authentication information to the wireless communication node.8.The method of claim 7, comprising:sending, by the wireless communication node to the wireless communication device, a request for authentication.9.The method of claim 8, comprising:receiving, by the wireless communication node from the wireless communication device responsive to the request, a response with authentication information.10.The method of claim 9, comprising at least one of:determining, by the wireless communication node according to the authentication information from the wireless communication device and the authentication information from the AUSF, whether the authentication is successful; orsending, by the wireless communication node, the authentication information from the wireless communication device to the AUSF.11.The method of claim 10, comprising:receiving, by the wireless communication node from the AUSF, at least one message comprising an indication of whether the authentication is successful.12.The method of claim 11, wherein when the authentication is successful, at least one of:the at least one message comprises security related information;the at least one message comprises a subscription permanent identifier (SUPI) ;the AUSF stores a key according to a policy of a home network operator; orthe AUSF sends to the UDM an indication that the authentication is successful.13.The method of claim 1, comprising at least one of:initiating, by the wireless communication node with the wireless communication device, a security mode command procedure, when the AUSF indicates that the authentication is successful;activating, by the wireless communication node, integrity protection prior to sending a security mode command message to the wireless communication device; oractivating, by the wireless communication node, uplink deciphering after sending the security mode command message to the wireless communication device.14.The method of claim 13, comprising:sending, by the wireless communication node to the wireless communication device, the security mode command message, which comprises at least one of:the wireless communication device’s security capabilities, a security context, an integrity algorithm, a ciphering algorithm, a Key Set Identifier for identifying a key of a radio access network (RAN) , or a flag indicating to the wireless communication device to send an complete initial message in a security mode complete message.15.The method of claim 14, comprising:receiving, by the wireless communication node from the wireless communication device, the security mode complete message, which is ciphered and integrity protected.16.The method of claim 15, comprising:checking, by the wireless communication node, integrity protection on the security mode complete message, using information included in the security mode command message.17.The method of claim 16, wherein the security context is stored in the RAN, or stored in a data function (DF) determined via a configuration or a network repository function (NRF) .18.The method of claim 17, comprising:sending, by the wireless communication node to the NRF, a discovery request message comprising at least one of: a network function (NF) type of the DF, a subscription permanent identifier (SUPI) , a globally unique temporary identifier (GUTI) , an identifier of the RAN, a tracking area identity (TAI) , or an identifier of a cell.19.The method of claim 18, comprising:receiving, by the wireless communication node from the NRF in response to the discovery request message, a discovery response message comprising information about the DF that is selected, including at least one addressing parameter of the DF that is selected.20.The method of claim 19, comprising:sending, by the wireless communication node to the DF, a request message comprising at least one of:the SUPI, the GUTI, the identifier of the RAN, the TAI, or the identifier of the cell, the security context, the wireless communication device’s security capabilities, the integrity algorithm, or the ciphering algorithm.21.The method of claim 20, wherein at least one of:the DF stores at least one of: the security context, or information received from the wireless communication node;the DF sends a storage response message to the wireless communication node, to indicate successful storage of the security context.22.The method of claim 17, wherein the DF sends a request message to the NRF to register with the NRF, the request message indicative of a network function (NF) profile of the DF.23.The method of claim 22, wherein the NF profile comprises at least one of:a NF type of the DF, an indication of a supported DF service for management of information of the wireless communication device, supported identifiers or range of identifiers of the wireless communication device, a list of at least one supported public land mobile network (PLMN) , at least one supported TAI, a list of at least one supported single network slice selection assistance information (S-NSSAI) , at least one supported identifier of the RAN, at least one supported ID of the cell, or a callback uniform resource identifier (URI) .24.The method of claim 23, wherein at least one of:the NRF stores the NF profile of the DF;the NRF indicates that the DF is available to provide service; orthe NRF sends a response message, responsive to the request message, to accept registration of the DF with the NRF.25.The method of claim 17, wherein the DF provides service for management of information of the wireless communication device, comprising at least one of: storing, retrieving, updating or deleting, of the information of the wireless communication device.26.A method comprising:receiving, by an authentication server function (AUSF) from a wireless communication node, a first message to request authentication of a wireless communication device; andsending, by the AUSF to the wireless communication node, a second message in response to the first message.27.A non-transitory computer readable medium storing instructions, which when executed by at least one processor, cause the at least one processor to perform the method of any one of claims 1-26.28.An apparatus comprising:at least one processor configured to perform the method of any one of claims 1-26.