WO2022057736A1 - Authorization method and apparatus - Google Patents

Authorization method and apparatus

Info

Publication number
WO2022057736A1
Authority
WO
WIPO (PCT)
Prior art keywords
edge
server
terminal
authorization information
request
Prior art date
Legal status
Ceased
Application number
PCT/CN2021/117644
Other languages
English (en)
Chinese (zh)
Inventor
李飞
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Publication of WO2022057736A1
Anticipated expiration
Ceased (current legal status)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H04W12/043 Key management using a trusted network node as an anchor
    • H04W12/0433 Key management protocols
    • H04W12/06 Authentication
    • H04W76/00 Connection management
    • H04W76/10 Connection setup

Definitions

  • the present application relates to the field of communication technologies, and in particular, to an authorization method and apparatus.
  • MEC mobile edge computing
  • RAN wireless access network
  • the edge here refers to the mobile communication base station itself and various servers in the wireless network.
  • the mobile edge computing server deployed at the edge of the wireless access network exposes real-time wireless and network information (such as the mobile user's current location and the base station's current load) to upper-layer applications and services, and provides a variety of context-related services.
  • ETSI European Telecommunications Standards Institute
  • an edge data network includes an edge enabler server (EES) and an edge configuration server (ECS), and the edge enabler client (EEC) in the terminal needs to obtain information from the ECS and the EES respectively in order to complete edge application discovery; however, the existing standard defines neither the authorization between the EEC and the ECS nor the authorization between the EEC and the EES. Without authorization, the ECS or EES cannot confirm whether a given EEC has permission to access the corresponding service, and permissions can be stolen.
  • EES edge enabler server
  • ECS edge configuration server
  • EEC edge enabler client
  • the embodiments of the present application provide an authorization method and apparatus to solve the authorization problem when a terminal requests an edge service.
  • an authorization method includes: a terminal sends a first configuration request to an edge configuration server, where the first configuration request is used to request authorization information for communication between the terminal and the edge enabling server; the terminal receives first authorization information generated by the edge configuration server according to the first configuration request, where the first authorization information includes an edge configuration server identifier and a terminal identifier; the terminal generates a first request carrying the first authorization information and sends it to the edge enabling server; and the terminal receives a first response.
  • the first response includes indication information of whether the terminal is authorized to access the edge enabling server.
  • the terminal is authorized by the edge configuration server, which generates the terminal's first authorization information; the terminal then requests access verification from the edge enabling server using the obtained first authorization information, so that the edge enabling server determines from the first authorization information whether the terminal has permission to access the corresponding service.
  • the edge configuration server authorizes the terminal to access the edge enabling server, which reduces the resource overhead of the edge enabling server authorizing each terminal, reduces the possibility of terminal permissions being misappropriated, and ensures communication security during the edge service process.
  • the first authorization information further includes one or more of the following information: an edge-enabled server identifier, an edge-enabled server provider identifier, and an edge application server identifier.
  • the first authorization information further includes the edge-enabled service key Kees.
  • the first authorization information is encrypted by a first key, where the first key is a shared key of the edge configuration server and the edge-enabled server, or the first key is a public key of the edge-enabled server.
  • sending Kees through the first authorization information can reduce the number of signaling interactions between the terminal and the edge-enabled server.
  • Kees is the key for secure communication between the edge-enabled server and the terminal. Before it is determined that the edge-enabled server authorizes the terminal to access it, the security of communication between the two cannot be guaranteed; therefore the first authorization information that includes Kees is encrypted, which improves the security of the Kees transmission.
  • the terminal is further configured to receive Kees from the edge configuration server, or to receive the parameters used for deriving Kees from the edge configuration server and derive Kees from those parameters; the terminal sends the Kees to the edge enabling server.
  • the method further includes: when the terminal is authorized to access the edge-enabled server, the terminal and the edge-enabled server communicate using Kees, or use a derived key of Kees to communicate.
  • the edge configuration server may also send Kees to the terminal through other messages. After the terminal is authorized to access the edge-enabled server, the terminal communicates securely with the edge-enabled server using Kees. In this case the process of encrypting the first authorization information and of the edge enabling server decrypting the encrypted first authorization information can be omitted, thereby reducing communication complexity.
  • the first authorization information is signed by the edge configuration server private key.
  • This process can prevent the first authorization information from being tampered with by other illegal users.
  • an authorization method includes: the edge configuration server receives a first configuration request sent by the terminal, where the first configuration request is used to request authorization information for communication between the terminal and the edge enabling server; the edge configuration server generates first authorization information according to the first configuration request, where the first authorization information includes an edge configuration server identifier and a terminal identifier;
  • the first authorization information further includes one or more of the following information: an edge-enabled server identifier, an edge-enabled server provider identifier, and an edge application server identifier.
  • the first authorization information further includes the edge-enabled service key Kees.
  • the method further includes: the edge configuration server encrypts the first authorization information with a first key, where the first key is a shared key of the edge configuration server and the edge enablement server, or the first key is the public key of the edge-enabled server.
  • the method further includes: the edge configuration server sends Kees to the terminal, or sends a parameter for deriving Kees to the terminal.
  • the method further includes: the edge configuration server pushes Kees to the edge enabled server, or the edge configuration server sends Kees to the edge enabled server according to the key request information of the edge enabled server.
  • the method further includes: the edge configuration server signs the first authorization information by using the edge configuration server private key.
  • the edge enabling server may obtain Kees from the edge configuration server and then verify it by matching it against the Kees obtained from the terminal, thereby ensuring the security of communication with the terminal.
  • when the edge configuration server actively pushes Kees to the edge enabling server, the edge enabling server obtains Kees promptly; when the edge enabling server requests Kees from the edge configuration server, it obtains only the Kees it needs, which reduces the redundancy of the edge enabling server storing non-essential Kees.
  • an authorization method includes: an edge enabling server receives a first request sent by a terminal, where the first request includes first authorization information and the first authorization information includes an edge configuration server identifier and a terminal identifier; the edge enabling server verifies the first authorization information; after verification the edge enabling server generates a first response, where the first response includes indication information of whether the terminal is authorized to access the edge enabling server; and the edge enabling server sends the first response to the terminal.
  • the first authorization information further includes one or more of the following information: an edge-enabled server identifier, an edge-enabled server provider identifier, and an edge application server identifier.
  • the first authorization information further includes the edge-enabled service key Kees; the method further includes: acquiring Kees in the first authorization information.
  • the first authorization information is encrypted by a first key, where the first key is a shared key of the edge configuration server and the edge-enabled server, or the first key is a public key of the edge-enabled server;
  • obtaining Kees from the first authorization information includes: the edge enabling server decrypts the encrypted first authorization information using the shared key, or the private key corresponding to the public key, to obtain the first authorization information, and obtains Kees from it.
  • the method further includes: the edge enablement server receives Kees from the edge configuration server;
  • the edge enabling server sends key request information to the edge configuration server, and receives Kees from the edge configuration server.
  • the first authorization information is signed with the private key of the edge configuration server; the edge enabling server verifies the first authorization information, including:
  • the edge enabling server verifies the first authorization information using the edge configuration server public key.
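The three method aspects above (terminal, edge configuration server, edge enabling server) describe one exchange: the ECS issues first authorization information carrying its own identifier, the terminal identifier, optionally the EES identifier and Kees, encrypts it under the first key and signs it with its private key; the terminal forwards it unchanged; the EES verifies the signature with the ECS public key, decrypts with the shared key and decides whether the terminal is authorized. The Go sketch below is an added example written for this page, not code from the patent or from Huawei. AES-GCM as the cipher for the shared-key branch of the first key, ECDSA P-256 as the signature, the encrypt-then-sign order, the JSON encoding of the fields, and every identifier and key value are assumptions; the page names only the fields and the roles of the keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// AuthorizationInfo holds the fields the page lists for the "first authorization
// information": ECS and terminal identifiers, optional EES identifier, optional Kees.
type AuthorizationInfo struct {
	ECSID      string `json:"ecs_id"`
	TerminalID string `json:"terminal_id"`
	EESID      string `json:"ees_id,omitempty"`
	Kees       []byte `json:"kees,omitempty"`
}

// Token is what the terminal receives from the ECS and forwards unchanged to the EES.
// AES-GCM plus an ECDSA P-256 signature, encrypt-then-sign, is an assumption: the page
// fixes neither the cipher nor the order of the two operations.
type Token struct {
	Sealed    []byte // nonce || AES-GCM ciphertext of AuthorizationInfo under the shared first key
	Signature []byte // ECDSA signature by the ECS private key over SHA-256(Sealed)
}

type ECS struct { // edge configuration server: issues tokens
	ID      string
	signKey *ecdsa.PrivateKey
	aead    cipher.AEAD // AES-GCM keyed with the first key shared with the EES
}

type EES struct { // edge enabling server: verifies tokens
	ID     string
	aead   cipher.AEAD
	ecsPub *ecdsa.PublicKey
}

// randomBytes draws n bytes from the system CSPRNG; failure there is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewPair provisions an ECS and an EES with fresh keys (constructed for the example).
func NewPair(ecsID, eesID string) (*ECS, *EES, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(randomBytes(32)) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)            // cannot fail for an AES block cipher
	return &ECS{ecsID, priv, aead}, &EES{eesID, aead, &priv.PublicKey}, nil
}

// Authorize answers the terminal's first configuration request: generate the
// authorization information with a fresh Kees, encrypt it, then sign it.
func (e *ECS) Authorize(terminalID, eesID string) (Token, []byte, error) {
	nonce, kees := randomBytes(e.aead.NonceSize()), randomBytes(32)
	plain, _ := json.Marshal(AuthorizationInfo{e.ID, terminalID, eesID, kees}) // cannot fail here
	sealed := e.aead.Seal(nonce, nonce, plain, nil)                             // nonce || ciphertext || tag
	digest := sha256.Sum256(sealed)
	sig, err := ecdsa.SignASN1(rand.Reader, e.signKey, digest[:])
	if err != nil {
		return Token{}, nil, err
	}
	return Token{sealed, sig}, kees, nil
}

// Verify handles the terminal's first request: check the ECS signature before touching
// the ciphertext, decrypt, then confirm the token is bound to this EES and this terminal.
// Kees is returned on success so the EES can later match it against the terminal's copy.
func (s *EES) Verify(tok Token, terminalID string) (bool, []byte, error) {
	digest := sha256.Sum256(tok.Sealed)
	if !ecdsa.VerifyASN1(s.ecsPub, digest[:], tok.Signature) {
		return false, nil, errors.New("ECS signature invalid")
	}
	// A valid signature means Sealed is exactly what the ECS produced, nonce included.
	n := s.aead.NonceSize()
	plain, err := s.aead.Open(nil, tok.Sealed[:n], tok.Sealed[n:], nil)
	if err != nil {
		return false, nil, errors.New("decryption failed")
	}
	var info AuthorizationInfo
	if err := json.Unmarshal(plain, &info); err != nil {
		return false, nil, err
	}
	if info.TerminalID != terminalID || (info.EESID != "" && info.EESID != s.ID) {
		return false, nil, errors.New("authorization not bound to this terminal and EES")
	}
	return true, info.Kees, nil
}
```

The EES checks the signature before it touches the ciphertext, so a token that did not come from the trusted ECS is rejected without exercising the shared key, and the identifier checks stop a token issued for one EES or one terminal from being accepted when presented by another. When the EES later compares the Kees it holds against the Kees the terminal presents (the matching step the page describes), that comparison should be constant-time, for example with crypto/hmac's Equal.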
  • a communication device applied to a terminal, and the device includes:
  • a sending module configured to send a first configuration request to the edge configuration server ECS, where the first configuration request is used to request to obtain authorization information for communication between the terminal and the edge enabling server EES;
  • a receiving module configured to receive first authorization information generated by the ECS according to the first configuration request, where the first authorization information includes an edge configuration server identifier and a terminal identifier;
  • a processing module configured to generate a first request, where the first request carries the first authorization information
  • a sending module for sending a first request to the EES
  • a receiving module configured to receive a first response, where the first response includes indication information of whether the terminal is authorized to access the EES.
  • the first authorization information further includes one or more of the following information: an edge-enabled server identifier, an edge-enabled server provider identifier, and an edge application server identifier.
  • the first authorization information further includes the edge-enabled service key Kees.
  • the first authorization information is encrypted by a first key, where the first key is a shared key of the edge configuration server and the edge-enabled server, or the first key is a public key of the edge-enabled server.
  • the receiving module is further configured to receive Kees from the edge configuration server, or to receive the parameters used for deriving Kees from the edge configuration server, and the processing module is further configured to derive Kees from those parameters; the sending module is further configured to send this Kees to the edge-enabled server.
  • the processing module uses Kees to communicate with the edge-enabled server, or uses a derived key of Kees to communicate.
  • the first authorization information is signed by the edge configuration server private key.
  • a communication device applied to an edge configuration server, the server comprising:
  • a receiving module configured to receive a first configuration request sent by the terminal, where the first configuration request is used to request to obtain authorization information for communication between the terminal and the edge enabling server;
  • a processing module configured to generate first authorization information according to the first configuration request, where the first authorization information includes an edge configuration server identifier and a terminal identifier;
  • the sending module is used for sending the first authorization information to the terminal.
  • the first authorization information further includes one or more of the following information: an edge-enabled server identifier, an edge-enabled server provider identifier, and an edge application server identifier.
  • the first authorization information further includes the edge-enabled service key Kees.
  • the processing module is further configured to: encrypt the first authorization information with a first key, where the first key is a shared key of the edge configuration server and the edge enablement server, or the first key is the public key of the edge-enabled server.
  • the sending module is further configured to: send Kees to the terminal, or send parameters used for deriving Kees to the terminal.
  • the sending module is further configured to: push Kees to the edge-enabled server, or send Kees to the edge-enabled server according to the key request information of the edge-enabled server.
  • the processing module is further configured to: use the private key of the edge configuration server to sign the first authorization information.
  • a communication device applied to an edge-enabled server, the server comprising:
  • a receiving module configured to receive a first request sent by the terminal, where the first request includes first authorization information, and the first authorization information includes an edge configuration server identifier and a terminal identifier;
  • the processing module is further configured to generate a first response after verification, where the first response includes indication information of whether the terminal is authorized to access the edge-enabled server;
  • the sending module is used for sending the first response to the terminal.
  • the first authorization information further includes one or more of the following information: an edge-enabled server identifier, an edge-enabled server provider identifier, and an edge application server identifier.
  • the first authorization information further includes the edge-enabled service key Kees; the processing module is further configured to: acquire Kees in the first authorization information.
  • the first authorization information is encrypted by a first key, where the first key is a shared key of the edge configuration server and the edge-enabled server, or the first key is a public key of the edge-enabled server;
  • obtaining Kees from the first authorization information includes: the edge enabling server decrypts the encrypted first authorization information using the shared key, or the private key corresponding to the public key, to obtain the first authorization information, and obtains Kees from it.
  • the edge-enabled server receives Kees from the terminal.
  • the receiving module is further configured to: receive Kees from the edge configuration server; or, the sending module sends key request information to the edge configuration server, and the receiving module receives Kees from the edge configuration server.
  • the processing module is further configured to perform security authentication according to the Kees acquired from the terminal and the Kees acquired from the edge configuration server, and perform secure communication with the terminal after the authentication is passed.
  • the first authorization information is signed with the private key of the edge configuration server; the processing module is further configured to: verify the first authorization information by using the public key of the edge configuration server.
  • an embodiment of the present application provides a communication device that has the function of implementing the terminal in the first aspect or any possible implementation manner of the first aspect, or the function of implementing the second aspect or any possible implementation manner of the second aspect.
  • the device may be a terminal, or may be a chip included in the terminal.
  • the functions of the above-mentioned communication equipment can be implemented by hardware or by executing corresponding software in hardware, and the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the device may be a server or a chip included in the server.
  • the functions of the above communication equipment may be implemented by hardware or by executing corresponding software in hardware, and the hardware or software includes one or more modules corresponding to the above functions.
  • the structure of the apparatus includes a processing module, a receiving module and a sending module, where the processing module is configured to support the apparatus in performing the method in the first aspect or any possible implementation manner of the first aspect, the method in the second aspect or any possible implementation manner of the second aspect, or the method in the third aspect or any possible implementation manner of the third aspect.
  • the structure of the apparatus includes a processor and may also include a memory.
  • the processor is coupled to the memory and can be used to execute computer program instructions stored in the memory, so that the apparatus executes the method in the first aspect or any possible implementation manner of the first aspect, the method in the second aspect or any possible implementation manner of the second aspect, or the method in the third aspect or any possible implementation manner of the third aspect.
  • the apparatus further includes a communication interface to which the processor is coupled.
  • the communication interface may be a transceiver or an input/output interface; when the device is a chip included in the terminal or server, the communication interface may be an input/output interface of the chip.
  • the transceiver may be a transceiver circuit, and the input/output interface may be an input/output circuit.
  • an embodiment of the present application provides a chip system, including a processor coupled to a memory, where the memory is used to store a program or an instruction; when the program or instruction is executed by the processor, the chip system implements the method in the first aspect or any possible implementation manner of the first aspect, the method in the second aspect or any possible implementation manner of the second aspect, or the method in the third aspect or any possible implementation manner of the third aspect.
  • the chip system further includes an interface circuit, which is used to pass code instructions to the processor.
  • the processors in the chip system may be implemented in hardware or in software.
  • the processor may be a logic circuit, an integrated circuit, or the like.
  • the processor may be a general-purpose processor implemented by reading software codes stored in memory.
  • the memory may be integrated with the processor, or may be provided separately from the processor, which is not limited in this application.
  • the memory can be a non-transitory memory, such as a read-only memory (ROM), which can be integrated with the processor on the same chip or provided on a different chip.
  • the setting method of the processor is not particularly limited.
  • an embodiment of the present application provides a computer-readable storage medium on which a computer program or instruction is stored; when the computer program or instruction is executed, it causes the computer to execute the method in the first aspect or any possible implementation manner of the first aspect, the method in the second aspect or any possible implementation manner of the second aspect, or the method in the third aspect or any possible implementation manner of the third aspect.
  • an embodiment of the present application provides a computer program product which, when a computer reads and executes it, causes the computer to execute the method in the first aspect or any possible implementation manner of the first aspect, the method in the second aspect or any possible implementation manner of the second aspect, or the method in the third aspect or any possible implementation manner of the third aspect.
  • an embodiment of the present application provides a communication system, where the communication system includes a terminal corresponding to the fourth aspect, an edge configuration server corresponding to the fifth aspect, and/or an edge enabling server corresponding to the sixth aspect.
  • FIG. 1A is a schematic diagram of a network architecture of an AKMA provided by an embodiment of the present application.
  • FIG. 1B is a flowchart of a secondary authentication provided by an embodiment of the present application.
  • FIG. 1C is a diagram of an AKMA key architecture provided by an embodiment of the present application.
  • FIG. 1D is a schematic diagram of key negotiation when a UE accesses an AF according to an embodiment of the present application.
  • FIG. 1E is a flowchart of interaction between a UE and a NAF according to an embodiment of the present application.
  • FIG. 1F is a schematic diagram of a MEC architecture provided by an embodiment of the present application.
  • FIG. 3A is a flowchart of another application authorization method provided by an embodiment of the present application.
  • FIG. 3B is a schematic flowchart of another EEC subscription information query process provided by an embodiment of the present application.
  • FIG. 3C is another flowchart of the verification process of EEC authorization information provided by an embodiment of the present application.
  • FIG. 5 is a structural block diagram of a communication device provided by an embodiment of the present application.
  • FIG. 6 is a structural block diagram of another communication device provided by an embodiment of the present application.
  • FIG. 7 is a structural block diagram of another communication device provided by an embodiment of the present application.
  • FIG. 8 is a schematic diagram of a hardware structure of a communication device according to an embodiment of the present application.
  • "Plural" means two or more. "And/or", which describes the association relationship of the associated objects, means that there can be three kinds of relationships; for example, A and/or B can mean that A exists alone, A and B exist at the same time, or B exists alone. The character "/" generally indicates that the associated objects are in an "or" relationship.
  • FIG. 1A is a schematic diagram of an AKMA network architecture provided by an embodiment of the application.
  • an AKMA anchor function (AAnF) is added.
  • AAnF can either be a single deployed NF, or it may be co-located with other NFs.
  • AAnF is used to support AKMA anchor keys (K_AKMA) and to generate application keys (K_AF).
  • K_AKMA AKMA anchor keys
  • K_AF application keys
  • User equipment may also be referred to as a terminal, terminal equipment, and the like.
  • the terminal is a device with a wireless transceiver function, which can communicate with one or more core networks (CN) through the access network equipment in the (radio) access network ((R)AN) 120.
  • CN core network
  • (R)AN (radio) access network
  • It can be deployed on land, including indoor or outdoor, handheld, wearable or vehicle-mounted; it can also be deployed on water, such as ships; it can also be deployed in the air, such as on airplanes, balloons, or satellites.
  • the terminal can be a mobile phone, a tablet computer (Pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, an industrial control terminal, a wireless terminal in self-driving, a wireless terminal in remote medical care, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a smart city wireless terminal, a smart home wireless terminal, and so on.
  • the (radio) access network ((R)AN) 120 is used to provide network access functions for authorized user equipment in a specific area, and can use transmission tunnels of different quality according to the user equipment level, service requirements, and so on.
  • (R)AN can manage radio resources, provide access services for user equipment, and then complete the forwarding of control information and/or data information between user equipment and a core network (core network, CN).
  • the access network device in the embodiment of the present application is a device that provides a wireless communication function for a terminal device, and may also be referred to as a network device.
  • the access network equipment may include: a next generation node base station (gNB) in a 5G system, an evolved node B (eNB) in long term evolution (LTE), a radio network controller (RNC), a node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example, a home evolved node B or home node B, HNB), a baseband unit (BBU), a transmitting and receiving point (TRP), a transmitting point (TP), small base station equipment (pico), a mobile switching center, network equipment in a future network, and so on.
  • gNB next generation node base station
  • eNB evolved node B
  • LTE long term evolution
  • RNC radio network controller
  • NB node B
  • BSC base station controller
  • BTS base transceiver station
  • HNB home base station, for example a home evolved node B or home node B
  • the access and mobility management function (AMF) network function 130 is mainly used for mobility management, access management and the like, and can be used to implement the functions of the mobility management entity (MME) other than session management, such as lawful interception and access authorization/authentication. It can be understood that the AMF network function is hereinafter referred to as AMF.
  • the authentication server function (authentication server function, AUSF) 140 is used to authenticate services, generate keys, realize two-way authentication of user equipment, and support a unified authentication framework. In this embodiment of the present application, it is mainly used for mutual authentication between the UE and the network, and to generate a security key for use in subsequent procedures.
  • the application function (AF) 150 is used to perform application-influenced data routing, access the network exposure function, interact with the policy framework to perform policy control, and the like.
  • a network exposure function (NEF) 160 is used to collect, analyze and reorganize network capabilities, and to expose network capabilities. AF can access the 5G core network through NEF.
  • Unified data management (UDM) 170 network functions, which can be used to handle user equipment identification, access authentication, registration, and mobility management. It can be understood that the UDM network function is hereinafter referred to as UDM.
  • SEAF Security anchor function
  • the embodiments of the present application take the access and mobility management function AMF network function 130 as an example for description.
  • the AMF network function 130 is referred to as AMF for short
  • the terminal device 110 is referred to as UE, that is, the AMF described later in the embodiments of this application can be replaced by the access and mobility management network function, and the UE can be replaced by Terminal Equipment.
  • the UE will perform primary authentication when accessing the 3GPP network, that is, the mutual authentication between the UE and the core network is completed.
  • the SMF network element on the core network side will trigger the authentication of the UE according to the subscription and other information.
  • This authentication is different from the primary authentication and is named secondary authentication.
  • the purpose of this authentication is for the DN-AAA to authenticate the UE; the UE is allowed to access the corresponding DN service only if that authentication passes.
  • FIG. 1B is a flowchart of a secondary authentication provided by this embodiment of the application. As shown in FIG. 1B , the specific processes of primary authentication and secondary authentication include the following steps:
  • the UE registers with the core network, and the network will trigger the main authentication with the UE during the registration process;
  • NAS (non-access stratum) here denotes the signalling between the UE and the AMF;
  • the UE starts to access the DN and initiates a session establishment request for the corresponding DN to the core network;
  • SMF triggers secondary authentication for the UE
  • the SMF requests an extensible authentication protocol (EAP) identity (EAP ID) from the UE for secondary authentication; the EAP ID is used by the DN-AAA to identify the UE (the dotted line in the figure indicates that the UE may already carry the ID in step 4, in which case a separate ID acquisition step is not required);
  • SMF triggers DN-AAA to initiate EAP authentication to UE
  • the DN-AAA completes standard EAP authentication with the UE.
  • "via N4 and NAS" means that DN-AAA traffic reaches the SMF through the UPF (the UPF-SMF interface is N4), and the SMF reaches the UE via the AMF over NAS.
  • the DN-AAA can further authenticate the UE when the UE attempts to establish a session to the DN, thereby preventing non-subscribed users from accessing the corresponding DN resources.
  • 3GPP defines a way to generate a shared key between the UE and an AF from the primary authentication result: authentication and key management for applications (AKMA).
  • the AKMA key K_AKMA is shared between the UE and the AAnF;
  • the AF key K_AF is shared between the UE and the AF.
  • FIG. 1C is an AKMA key architecture diagram provided by an embodiment of the present application.
  • the UE and the network side complete primary authentication, and generate a security key for use in subsequent processes.
  • the primary authentication also involves AMF/SEAF on the network side (in this application, AMF/SEAF means the AMF, the SEAF, or the SEAF and AMF co-located), the AUSF and the UDM.
  • K_AUSF is the shared key between the AUSF and the UE that results from primary authentication.
  • the UE and the AUSF can each derive the AKMA key K_AKMA from K_AUSF, so that traffic between the UE and the AF can be protected with the K_AF derived from K_AKMA.
  • A-KID is the unique key identifier corresponding to K_AKMA.
  • FIG. 1D is a schematic diagram of key negotiation when the UE accesses the AF provided by the embodiment of the present application.
  • the UE sends a service session request message to the AF, which includes the A-KID;
  • after receiving the service session request message, the AF sends an application key request message carrying the received A-KID to the AAnF to obtain K_AF; on receiving it, the AAnF checks whether it already holds a K_AF derived from the K_AKMA corresponding to that A-KID;
  • if so, the AAnF sends that K_AF to the AF. If not, the AAnF checks whether it holds the K_AKMA corresponding to the A-KID: if it does, it derives K_AF from K_AKMA and sends K_AF to the AF; if it does not, it sends an AKMA key request message carrying the A-KID to the AUSF, the AUSF returns the K_AKMA corresponding to the A-KID, and the AAnF derives K_AF from the received K_AKMA and sends it to the AF. The AF and the UE can then protect their communication with K_AF.
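The AAnF decision sequence just described (serve a cached K_AF, else derive from a cached K_AKMA, else fetch K_AKMA from the AUSF by A-KID), as an added Go example that is not part of the patent text. The HMAC-SHA256 derivation with a fixed label, the identifiers and the key bytes are constructed stand-ins; the real 3GPP KDF and its input encoding differ. The point it makes concrete is that only K_AF ever leaves the AAnF, and that the UE derives the same K_AF locally without any key being sent to it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AUSF stands in for the AUSF's store of AKMA keys indexed by A-KID (constructed contents).
type AUSF struct{ kakma map[string][]byte } // A-KID -> K_AKMA

func NewAUSF(keys map[string][]byte) *AUSF { return &AUSF{kakma: keys} }

// AKMAKey answers the AAnF's AKMA key request for one A-KID.
func (u *AUSF) AKMAKey(akid string) ([]byte, error) {
	k, ok := u.kakma[akid]
	if !ok {
		return nil, errors.New("unknown A-KID")
	}
	return k, nil
}

// AAnF caches K_AKMA and the K_AF values derived from it, and asks the AUSF only on a miss.
type AAnF struct {
	ausf    *AUSF
	kakma   map[string][]byte // A-KID -> K_AKMA
	kaf     map[string][]byte // A-KID + "|" + AF ID -> K_AF
	Fetches int               // round trips to the AUSF, exposed for inspection
}

func NewAAnF(ausf *AUSF) *AAnF {
	return &AAnF{ausf: ausf, kakma: map[string][]byte{}, kaf: map[string][]byte{}}
}

// DeriveKAF binds K_AF to the AF identity. HMAC-SHA256 with this label is a stand-in;
// the real 3GPP KDF and its input encoding differ (assumption made for the example).
func DeriveKAF(kakma []byte, afID string) []byte {
	m := hmac.New(sha256.New, kakma)
	m.Write([]byte("K_AF|" + afID))
	return m.Sum(nil)
}

// ApplicationKey handles the AF's application key request (A-KID, AF ID) in the order the
// text gives: cached K_AF, else derive from cached K_AKMA, else fetch K_AKMA from the AUSF.
// Only K_AF is ever returned to an AF; K_AKMA stays inside the core network.
func (a *AAnF) ApplicationKey(akid, afID string) ([]byte, error) {
	cacheKey := akid + "|" + afID
	if k, ok := a.kaf[cacheKey]; ok {
		return k, nil
	}
	kakma, ok := a.kakma[akid]
	if !ok {
		fetched, err := a.ausf.AKMAKey(akid)
		if err != nil {
			return nil, err
		}
		a.Fetches++
		a.kakma[akid] = fetched
		kakma = fetched
	}
	kaf := DeriveKAF(kakma, afID)
	a.kaf[cacheKey] = kaf
	return kaf, nil
}

func main() {
	// Constructed key material; in a live network K_AKMA is derived from K_AUSF after primary authentication.
	ueKAKMA := []byte("constructed-K_AKMA-for-A-KID-0001")
	aanf := NewAAnF(NewAUSF(map[string][]byte{"A-KID-0001": ueKAKMA}))

	// The AF presents the A-KID it received in the UE's service session request.
	kaf, err := aanf.ApplicationKey("A-KID-0001", "af.example")
	fmt.Printf("K_AF=%x err=%v AUSF fetches=%d\n", kaf, err, aanf.Fetches)
	// The UE derives the same K_AF locally; no key is sent over the air.
	fmt.Println("UE derivation matches:", string(DeriveKAF(ueKAKMA, "af.example")) == string(kaf))
	// A repeat for the same AF is served from cache; a second AF gets a different key without another fetch.
	_, _ = aanf.ApplicationKey("A-KID-0001", "af.example")
	other, _ := aanf.ApplicationKey("A-KID-0001", "other-af.example")
	fmt.Printf("fetches=%d, keys differ per AF: %v\n", aanf.Fetches, string(other) != string(kaf))
}
```

The `Fetches` counter is there to make the caching observable: a second AF served from the same A-KID must not trigger another AUSF round trip, and an AF must never be able to obtain K_AKMA itself.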
  • GBA generic bootstrapping architecture
  • NAF network application function
  • FIG. 1E is a flowchart of the interaction between a UE and a NAF provided by an embodiment of the present application. Beforehand the UE and the BSF share a bootstrapping transaction identifier (B-TID) and a key Ks (comparable to the UE and the AAnF sharing K_AKMA in AKMA). The B-TID is used by the BSF to index Ks; because Ks is generated in the bootstrapping procedure run earlier between the UE and the BSF, it is called a bootstrapping session identifier rather than a key identifier for Ks. The interaction between the UE and the NAF then includes the following steps:
  • the UE sends an application request to the NAF, carrying the B-TID (similar to the AKMA application session establishment request);
  • the NAF sends an authentication request to the BSF, and the request carries the B-TID obtained from the UE and its own ID;
  • the BSF looks up the UE's key Ks and other information by the B-TID, derives Ks_NAF and returns it to the NAF, optionally with parameters such as the bootstrapping time and the key lifetime;
  • the NAF returns an application response to the UE.
  • the derivation parameters of Ks_NAF include the key Ks, the random number RAND, the IP multimedia private identity (IMPI), the NAF_Id and other parameters.
  • FIG. 1F is a schematic diagram of a MEC architecture provided by the embodiment of the present application.
  • the architecture includes user equipment (UE), an EDN and an ECS.
  • the UE consists of application clients (AC) and the EEC.
  • the EDN includes edge application servers (EAS) and the EES.
  • the UE and the EDN are connected through the 3GPP core network (3GPP CN).
  • the process of the AC discovering the corresponding EAS includes the following steps:
  • EEC obtains ECS address information through configuration, etc.
  • the EEC obtains EES information (such as address information) from the ECS through the EDGE-4 interface; in this step the EEC carries information such as the application client type (for example, a V2X type) and the EEC location, so that the ECS can select an appropriate EES for the EEC;
  • the EEC obtains EAS information (such as address information) from the EES through the EDGE-1 interface; in this step the EEC carries the application client information and so on, so that the EES can select an appropriate EAS;
  • EEC provides the obtained EAS information to AC via EDGE-5;
  • the AC can access the corresponding EAS.
  • the authentication and authorization between the EEC and the ECS are defined, but the authentication and authorization between the EEC and the EES are not. As a result the ECS or the EES may be unable to confirm the identity of the EEC, so a malicious third party can forge an EEC identity to access the ECS or the EES; or the ECS or the EES cannot confirm whether the EEC has permission to access the corresponding service, so permissions can be stolen.
  • FIG. 2 is a flowchart of an application authorization method provided by an embodiment of the present application. As shown in FIG. 2, the method includes the following steps:
  • a terminal sends a first configuration request to an edge configuration server, where the first configuration request is used to request to obtain authorization information for communication between the terminal and the edge enabling server;
  • the edge configuration server receives a first configuration request, and generates first authorization information according to the first configuration request;
  • the edge configuration server sends the first authorization information to the terminal
  • the terminal receives the first authorization information, and sends a first request to the edge enabling server, where the first request carries the first authorization information;
  • the edge enabling server receives the first request, verifies the first authorization information, and generates a first response after verification, where the first response includes whether the terminal is authorized to access the EES instructions;
  • the edge-enabled server sends the first response to the terminal
  • the terminal receives the first response, and determines whether it is authorized to access the edge-enabled server according to the first response.
  • the operations performed by the terminal may be specifically performed by the edge-enabled client, therefore, the operations performed by the terminal are described as being performed by the EEC.
  • the edge enablement server is abbreviated as EES
  • the edge configuration server is abbreviated as ECS.
  • the edge enablement client, edge enablement server, and edge configuration server may also correspond to other names or abbreviations, which are also applicable to this application.
  • the abbreviations used in the embodiments of the present application do not limit which entity executes the method.
  • the above-described process of the AC discovering the corresponding EAS includes the step that the EEC obtains the EAS information from the EES so that the AC can access the corresponding EAS. Therefore, the EEC needs to obtain the authorization of the EES in order to obtain the EAS information.
  • the authorization requester sends an authorization request to the authorizer, and then the authorizer verifies the authorization requester to determine whether to authorize the authorization requester. If so, send an authorization notification or authorization information to the authorization requester.
  • the authorization requester communicates with the authorizer based on its own identity or authorization information. This process is the interaction between the authorization requester and the authorizer. This authorization method requires each EES to authorize the EEC.
  • the EDN includes a large number of EESs, so this may cause a large data processing overhead and reduce authorization efficiency. Therefore, in this embodiment of the present application the ECS authorizes the EEC, the EEC initiates a registration request to the EES according to the authorization information issued by the ECS, and the EES determines whether to allow the EEC to register or access according to the result of verifying the authorization information.
  • the ECS may authenticate the identity of the EEC.
  • the identity of the EEC may be authenticated through secondary authentication or other application layer authentication, such as certificate authentication.
  • the shared key Kecs between the EEC and the ECS is generated based on the authentication process.
  • Kecs can be generated from the extended master session key (EMSK) produced by the EAP authentication in the secondary authentication.
  • the parameters for generating Kecs can include the ECS ID or the EEC ID, etc.
  • the EEC obtains authorization information for the EES by sending a first configuration request to the ECS.
  • the first configuration request may include terminal information, such as the EEC ID or the information of the application client AC, to indicate the identity of the client requesting authorization information, and the information of the AC may be the application client AC ID, so as to uniquely identify the client identity.
  • once the ECS has completed authentication of the EEC, it can confirm the legitimate identity of the EEC from information such as the EEC ID or AC ID, and then decide whether to authorize the EEC.
  • the first authorization information is generated.
  • the first authorization information may include an edge configuration server identifier (ECS ID) and a terminal identifier. The ECS ID identifies the ECS and the terminal identifier identifies the terminal, so that after receiving the first authorization information the EES can determine the authorizer and the authorization requester and decide whether the authorization requester is allowed to register with the EES.
  • the terminal identifier can be the EEC ID or the GPSI.
  • the first authorization information may also include one or more of the following information: an edge-enabled server identifier (EES ID), an edge-enabled server provider identifier (EES provider ID), an edge computing service provider (edge computing service provider, ECSP) ID, edge application server identification (EAS ID).
  • EES ID can be used to determine the authorization scope of the first authorization information, that is, the EES objects that the EEC is authorized to access;
  • the EES provider ID represents an identifier including one or more EES objects (for example, an EES group identifier), ECSP ID and EAS ID are associated with EES and can be used to indirectly determine EES ID. All of the above IDs can be a list of IDs.
  • the ECS may also use the private key to sign the first authorization information, so as to prevent the first authorization information from being tampered with.
  • the EEC sends the first authorization information signed by the private key to the EES, and the EES uses the public key of the ECS for signature verification, which ensures the reliability of the authorization information.
  • after the EES obtains the first authorization information, it verifies it: whether the EES ID in the first authorization information matches its own ID, or whether the EES provider ID in the first authorization information is its own provider, or whether the EEC ID matches the EEC ID in the first request, and so on. If the first authorization information passes all checks, the EES may generate a first response indicating whether the terminal is authorized to access the EES. The terminal may decide whether to access the EES according to the received first response.
  • the first authorization information may further include an edge enabling service key, which may be denoted Kees, for secure communication between the EEC and the EES.
  • when the ECS authorizes the EEC to access the EES, it needs to make Kees known to both the EEC and the EES, so that the two can communicate securely using Kees.
  • Kees can be derived from Kecs, or generated from parameters such as the EEC ID and the EES ID.
  • the ECS may send Kees to the EEC, or the ECS may send the parameters used to derive Kees, and the EEC obtains Kees according to the parameters used to derive Kees and the same derivation method as ECS.
  • the first authorization information can be encrypted to protect Kees in transit.
  • the first authorization information may be encrypted by the shared key of the ECS and the EES, or the first authorization information may be encrypted by the public key of the EES.
  • after obtaining the encrypted first authorization information from the ECS, the EEC sends it to the EES in a registration request.
  • the EES decrypts the encrypted first authorization information with the symmetric key it shares with the ECS, or with its own stored private key, and obtains Kees and the other authorization information.
  • alternatively, the EEC may send Kees to the EES itself, and the EES obtains Kees that way.
  • after the EES obtains the Kees sent by the EEC, it may additionally obtain Kees from the ECS.
  • the EES obtains Kees from the ECS either because the ECS actively pushes it to the EES, or because the EES sends a key request to the ECS.
  • GPSI can also be used to uniquely identify terminals.
  • the terminal is authorized by the ECS, which generates the first authorization information for it; the terminal then requests access verification from the EES with that first authorization information, so that the EES decides on the basis of the first authorization information.
  • because the edge configuration server authorizes the terminal to access the edge enabling server, the resource overhead of each edge enabling server authorizing every terminal is reduced, the possibility of terminal permission theft is reduced, and communication during the edge service is kept secure.
  • FIG. 3A is a flowchart of another application authorization method provided by an embodiment of the present application. As shown in FIG. 3A , the method includes the following steps:
  • the terminal sends a second configuration request to the edge configuration server to request second authorization information, where the second configuration request includes a security identifier to be verified by the AUSF;
  • the edge configuration server receives the second configuration request, and queries the subscription information of the terminal according to the second configuration request;
  • the edge configuration server sends the second authorization information to the terminal
  • the terminal receives the second authorization information, generates and sends a second request to the edge enabling server, and the second request carries the second authorization information;
  • the edge enabling server receives the second request, verifies the second request, and generates a second response after verification, where the second response includes indication information of whether the terminal is authorized to access the EES;
  • the edge enabling server sends a second response to the terminal
  • the terminal receives the second response, and determines whether it is authorized to access the edge-enabled server according to the second response.
  • the terminal is referred to by EEC
  • the edge configuration server is referred to as ECS for short
  • the edge enabling server is referred to as EES for short.
  • the UDM can be provisioned with subscription information that identifies the subscribed terminal and the ECS (or EES): a terminal identifier such as the subscription permanent identifier (SUPI), the EEC ID or the generic public subscription identifier (GPSI), together with the ECS ID or EES provider ID, etc.
  • the terminal requests AKMA authentication with the ECS, and a K_AKMA and an A-KID identifying the key are generated.
  • the ECS and the terminal obtain the A-KID respectively, and the terminal can also initiate a service session establishment request to the ECS according to the A-KID.
  • the terminal requests the ECS for GBA authentication.
  • the A-KID and the corresponding SUPI generated by the terminal and the ECS after completing the AKMA authentication are stored in the AUSF.
  • the B-TID and the corresponding SUPI generated by the terminal and the ECS after completing the GBA authentication are stored in the BSF.
  • the EEC can communicate with the ECS.
  • the EEC sends a second configuration request to the ECS, for requesting to acquire second authorization information, so that the EEC is authorized to access the EES.
  • the second configuration request may include the EEC ID or AC information, etc., so that the ECS can identify the identity of the EEC.
  • the second configuration request may include a security identifier (secure ID), which the EEC may compute with the K_AUSF generated during primary authentication with the AUSF; besides K_AUSF, the derivation parameters may include the EEC ID.
  • the ECS may send a subscription information query request to the UDM to determine that the EEC has subscribed to the relevant edge computing service. If yes, then ECS is EEC authorized.
  • the subscription information query request sent by the ECS includes the security identifier. Since the AUSF holds K_AUSF, the UDM sends the security identifier to the AUSF for verification. After the security identifier passes the AUSF's verification, the UDM looks up the edge computing subscription corresponding to the EEC and returns the EEC subscription data to the ECS in an edge computing service subscription query response.
  • the subscription information query request also includes information such as the EEC ID and/or the ECS ID, identifying the subscriber being queried and the entity making the query.
  • after the ECS receives the EEC subscription information, it can decide to authorize the EEC and generate the second authorization information; if it decides not to authorize the EEC (for instance because it is notified that no EEC subscription data was found), it can instead generate another authorization response message indicating that authorization failed.
  • the EEC When the EEC receives the second authorization information, it may generate a second request carrying the second authorization information for requesting access to the EES.
  • the second authorization information may include ECS ID and EEC ID, and optionally, the second authorization information may also include one of EES ID, EES provider ID, ECSP ID or EAS ID.
  • the second authorization information may further include an expiration date, which is used by the EES to determine whether the authorization of the ECS to the EEC is within the available period.
  • the ECS may use its private key to sign the second authorization information to prevent the second authorization information from being tampered with.
  • the EEC sends the second authorization information signed by the private key to the EES, and the EES uses the public key to perform signature verification to ensure the reliability of the authorization information.
  • EES After EES obtains the second authorization information, it checks the information, including: checking whether the ECS ID is a trusted ECS, and then using the public key of the corresponding ECS to check whether the signature of the second authorization information is legal; Whether the second authorization information is still within the validity period; verifying whether the EES information matches itself; verifying whether the EEC ID in the second request is consistent with the EEC ID in the second authorization information, and so on. If all the second authorization information passes the verification, the EES may generate a second response to indicate whether the terminal is authorized to access the EES. The terminal may determine whether to access the EES according to the received second response.
  • Kees may be generated from the terminal subscription information that the ECS queried from the UDM; specifically, it may be derived from K_AF or from Ks_NAF.
  • the second authorization information may include Kees, and the EES obtains Kees from the received second authorization information (encrypted with a symmetric key shared with the ECS or with the EES's public key); or the ECS sends the EEC either Kees or the parameters used to derive Kees (for example K_AF or Ks_NAF). If the EEC receives Kees, it can send Kees directly to the EES for secure communication; if it receives the derivation parameters, it derives Kees with the same method as the ECS and sends Kees to the EES.
  • when the EEC requests authorization from the ECS, the ECS queries the subscription information associated with the terminal's AKMA or GBA authentication to complete authentication of the terminal; this simplifies the authentication procedure, prevents non-subscribed users from accessing the EDN, and avoids attacks in which a malicious third party forges an EEC identity to access the ECS or EES.
  • the terminal is authorized through the ECS, and the second authorization information of the terminal is generated, which reduces the resource overhead of the edge enabling server to authorize each terminal; the terminal requests the EES for access verification according to the obtained second authorization information, so that EES determines whether the terminal has permission to access the corresponding service according to the second authorization information.
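The issue-then-verify flow shared by FIG. 2 and FIG. 3A (the ECS signs authorization information naming the authorizer, the requester, the EES scope and an expiry; the EES checks the ECS signature, the validity period, its own ID against the scope and the EEC ID against the request carrying it; Kees derived from Kecs), as an added Go example that is not part of the patent text. Ed25519 for the ECS signature, HMAC-SHA256 as the Kees KDF, the JSON field names, the identifiers and the Kecs bytes are all assumptions; the patent fixes none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AuthInfo is the authorization information the ECS issues; contents follow the patent, names and encoding are assumptions.
type AuthInfo struct {
	ECSID   string   `json:"ecs_id"`            // authorizer
	EECID   string   `json:"eec_id"`            // authorization requester
	EESIDs  []string `json:"ees_ids"`           // scope: the EES objects the EEC may register with
	Expires int64    `json:"expires,omitempty"` // end of validity, Unix seconds (optional)
}
// SignedAuthInfo is the serialized AuthInfo plus the ECS signature over it.
type SignedAuthInfo struct{ Payload, Sig []byte }

// ECS holds its signing key and, per authenticated EEC, the shared key Kecs.
type ECS struct {
	ID   string
	priv ed25519.PrivateKey
	Kecs map[string][]byte // EEC ID -> Kecs, established by EAP (EMSK) or certificate authentication
}

func NewECS(id string) *ECS {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail on supported platforms
	return &ECS{ID: id, priv: priv, Kecs: map[string][]byte{}}
}

// RegisterEEC records the outcome of EEC authentication: the Kecs now shared with that EEC.
func (e *ECS) RegisterEEC(eecID string, kecs []byte) { e.Kecs[eecID] = kecs }

// Authorize answers a configuration request: only an authenticated EEC receives authorization
// information, and what it receives is signed, scoped to the listed EESs and time-limited.
func (e *ECS) Authorize(eecID string, eesIDs []string, ttl time.Duration, now time.Time) (SignedAuthInfo, error) {
	if _, ok := e.Kecs[eecID]; !ok {
		return SignedAuthInfo{}, errors.New("EEC has not authenticated with this ECS")
	}
	payload, _ := json.Marshal(AuthInfo{ECSID: e.ID, EECID: eecID, EESIDs: eesIDs, Expires: now.Add(ttl).Unix()})
	return SignedAuthInfo{Payload: payload, Sig: ed25519.Sign(e.priv, payload)}, nil
}

// DeriveKees binds the EEC-EES key to Kecs and both identities; HMAC-SHA256 stands in for the
// KDF, which the patent leaves unspecified.
func DeriveKees(kecs []byte, eecID, eesID string) []byte {
	m := hmac.New(sha256.New, kecs)
	m.Write([]byte("Kees|" + eecID + "|" + eesID))
	return m.Sum(nil)
}

// EES verifies the authorization information carried in a registration request.
type EES struct {
	ID         string
	trustedECS map[string]ed25519.PublicKey // ECS ID -> public key, provisioned out of band
}

func NewEES(id string, ecs *ECS) *EES {
	return &EES{ID: id, trustedECS: map[string]ed25519.PublicKey{ecs.ID: ecs.priv.Public().(ed25519.PublicKey)}}
}

// Verify runs the checks the patent lists: trusted ECS, ECS signature, validity period,
// EEC ID consistency with the request, and whether this EES lies inside the scope.
func (s *EES) Verify(req SignedAuthInfo, requestEECID string, now time.Time) (AuthInfo, error) {
	var info AuthInfo
	if err := json.Unmarshal(req.Payload, &info); err != nil {
		return info, err
	}
	// Nothing in the payload can be trusted until a known ECS key verifies the signature over it.
	pub := s.trustedECS[info.ECSID] // nil for an unknown ECS
	if pub == nil || !ed25519.Verify(pub, req.Payload, req.Sig) {
		return info, fmt.Errorf("untrusted ECS %q or invalid signature", info.ECSID)
	}
	switch {
	case info.Expires != 0 && now.Unix() >= info.Expires:
		return info, errors.New("authorization expired")
	case info.EECID != requestEECID:
		return info, errors.New("EEC ID in request does not match authorization")
	}
	for _, id := range info.EESIDs {
		if id == s.ID {
			return info, nil
		}
	}
	return info, fmt.Errorf("EES %q outside authorization scope", s.ID)
}

func main() {
	ecs := NewECS("ecs.operator.example")
	kecs := []byte("constructed-Kecs-shared-by-eec-42-and-ecs") // stand-in for the EMSK-derived key
	ecs.RegisterEEC("eec-42", kecs)
	ees := NewEES("ees-north-1", ecs)
	auth, _ := ecs.Authorize("eec-42", []string{"ees-north-1", "ees-north-2"}, time.Hour, time.Now())
	_, err := ees.Verify(auth, "eec-42", time.Now())
	fmt.Println("EES registration allowed:", err == nil)
	fmt.Printf("Kees on the EEC side, from Kecs: %x\n", DeriveKees(kecs, "eec-42", ees.ID))
}
```

The order inside `Verify` is the security-relevant part: the signature is checked before any field of the payload is acted on, so an EEC cannot widen its own scope, move the expiry or swap the EEC ID, and an ECS with the right ID but the wrong key is rejected the same way as a tampered token. Kees is shown only on the EEC side; in the patent the ECS conveys it to the EES (inside the encrypted authorization information, by push, or on request) rather than the EES deriving it.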
  • the edge configuration server may be a third-party server.
  • the process of obtaining the subscription information by the ECS can also refer to FIG. 3B , which is a schematic diagram of another EEC subscription information query process provided by the embodiment of the present application.
  • the UDM can be provisioned with subscription information including the ECS ID, EES provider ID and User ID, etc.
  • the EEC ID and EES provider ID are preset in the ECS to indicate the EESs subscribed by the EEC.
  • the terminal requests AKMA authentication with the ECS, generating K_AKMA and an A-KID identifying the key.
  • the ECS, AAnF and the terminal obtain the A-KID respectively, and the AAnF also obtains the terminal identity corresponding to the A-KID, For example SUPI.
  • the terminal may also initiate a service session establishment request to the ECS according to the A-KID.
  • the EEC initiates a second configuration request to the ECS.
  • K_AF is used to protect the communication between the EEC and the ECS.
  • the ECS can learn the A-KID corresponding to the EEC and check whether it has saved a User ID for that A-KID. If so, the ECS can send the subscription information query request to the UDM directly with the User ID. If not, the ECS queries the AAnF for the terminal's SUPI using the A-KID, and the AAnF then queries the UDM for the subscription information using the SUPI. After the UDM looks up the subscription information, it returns it to the ECS.
  • the ECS saves the mapping between the A-KID and the User ID, so that next time the subscription information can be obtained directly through the User ID (if the ECS has already saved the mapping, this step is omitted). Finally the ECS selects an appropriate EES from the group corresponding to the EES provider ID and authorizes the EEC, so that the EEC is authorized to access that EES.
  • since the subscription information can be obtained from the UDM directly by User ID, the accuracy of obtaining subscription information is improved.
  • the verification process of the second authorization information can be completed by the ECS.
  • FIG. 3C is a flowchart of another EEC authorization information verification process in the embodiment of the present application. As shown in FIG. 3C, after the EEC obtains the second authorization information from the ECS, it sends a second request carrying the second authorization information to the EES.
  • the EES receives the second request and sends the second authorization information to the ECS for verification, which includes verifying the identity of the authorizer (ECS) and of the authorized party (EEC). The second request may also include K_AF, used to verify the legitimacy of the EEC identity, and may further include an effective time, used to determine whether the second authorization information is within its validity period.
  • the second request may further include the EES ID, which is used to determine the authorization object, or other verification information such as the random number RAND.
  • the ECS can complete the verification of the EEC authorization information, and then the EES completes the authorization of the EEC according to the verification result of the ECS on the authorization information, thereby reducing the data processing amount of the EES.
  • FIG. 4 is a flowchart of another application authorization method provided by an embodiment of the present application. As shown in FIG. 4 , the method includes the following steps:
  • the terminal sends a third request to an authentication and authorization function network element for requesting to obtain third authorization information
  • the authentication and authorization function network element receives the third request and confirms the identity of the terminal according to it;
  • after the confirmation is completed, the authentication and authorization function network element generates the third authorization information;
  • the authentication and authorization function network element sends the third authorization information to the terminal.
  • the terminal is referred to by EEC
  • the edge configuration server is referred to as ECS for short
  • the edge enabling server is referred to as EES for short
  • a network element is introduced in the embodiment of the present application, which is specially used for authentication and authorization of the terminal, and can be named as an authentication and authorization function (authentication and authorization function, AAF) network element.
  • AAF authentication and authorization function
  • the AAF function is integrated in the ECS, and the process between the EEC and the AAF described below is also the process between the EEC and the ECS.
  • the EEC and the AAF perform AKMA authentication to generate K_AKMA and an A-KID identifying the key, and the AAF and the EEC each obtain the A-KID.
  • EEC and AAF perform GBA authentication to generate a B-TID, and AAF and EEC obtain the B-TID respectively.
  • the EEC can communicate securely with the AAF.
  • the EEC sends a third request to the AAF for requesting to obtain third authorization information, so that the EEC is authorized to access the ECS or the EES.
  • the third request may carry EEC ID and/or GPSI to identify the identity of the terminal applying for authorization information, and may also carry ECS ID or EES information to identify the object the terminal requests to authorize access to.
  • the third request may also carry a message authentication code computed from K_AUSF (or a key derived from K_AUSF) over the EEC ID or GPSI, which may be named MAC-I.
  • after the AAF receives the third request, it can confirm the identity of the EEC, that is, determine that the EEC is a terminal that has completed AKMA or GBA authentication. First it checks the correspondence between the A-KID (or B-TID) and the EEC ID (or GPSI), to rule out a mismatch between the A-KID (or B-TID) sent by the terminal and the EEC ID (or GPSI); the A-KID (or B-TID) is the key identifier held by the AAF and generated in the authentication the terminal completed. Specifically, the verification can proceed in the following modes:
  • Mode 1: the AAF verifies the correspondence according to its local configuration.
  • Mode 2: the AAF sends the EEC ID (or GPSI) and the A-KID (or B-TID) to the NEF; after obtaining the SUPI, the NEF sends the SUPI and the A-KID (or B-TID) to the AAnF (or BSF); the AAnF (or BSF) verifies the correspondence between the SUPI and the A-KID (or B-TID) and returns the verification result to the NEF, which returns it to the AAF.
  • Mode 3: the AAF sends the EEC ID (or GPSI) and the A-KID (or B-TID) to the NEF; the NEF sends the A-KID (or B-TID) to the AAnF (or BSF) to request the SUPI, the AAnF (or BSF) returns the SUPI, and the NEF compares the received SUPI with the SUPI obtained from the EEC ID (or GPSI) and returns the verification result to the AAF.
  • Mode 4: the AAF sends the EEC ID (or GPSI) and the A-KID (or B-TID) to the AAnF for verification; the AAnF obtains the SUPI and sends the SUPI and the EEC ID (or GPSI) to the NEF or UDM for verification; the NEF or UDM verifies the correspondence between the SUPI and the EEC ID (or GPSI) and returns the result to the AAnF, which returns it to the AAF.
  • Mode 5: the AAF sends the EEC ID (or GPSI) and the A-KID (or B-TID) to the AAnF for verification; the AAnF sends the EEC ID (or GPSI) to the NEF or UDM to request the SUPI, the NEF or UDM returns the SUPI, and the AAnF compares it with the SUPI obtained from the A-KID (or B-TID) and returns the verification result to the AAF.
  • Mode 6: the AAF sends the EEC ID (or GPSI) and the A-KID (or B-TID) to the UDM to request verification; after obtaining the SUPI, the UDM sends the SUPI and the A-KID (or B-TID) to the AUSF for verification; the AUSF verifies the correspondence between the SUPI and the A-KID (or B-TID) and returns the result to the UDM, which returns it to the AAF.
  • Mode 7: the AAF sends the EEC ID (or GPSI) and the A-KID (or B-TID) to the UDM to request verification; the UDM sends the A-KID (or B-TID) to the AUSF or AAnF to request the SUPI, compares the received SUPI with the SUPI obtained from the EEC ID (or GPSI), and returns the verification result to the AAF.
  • Mode 8: the AAF sends the EEC ID (or GPSI) and the A-KID (or B-TID) to the AUSF for verification; after the AUSF obtains the SUPI from the UDM or NEF, it verifies the correspondence between the SUPI and the A-KID (or B-TID) and returns the verification result to the AAF. If the AAF also received a MAC-I, it can forward the MAC-I to the AUSF for verification.
  • In addition, the AAF can send an authorization confirmation request to the UDM.
  • The request can carry the EEC ID (or GPSI), so that the UDM can determine whether the terminal is allowed to access the ECS or the EES (or EAS).
  • The authorization confirmation response returned by the UDM can carry the ECS ID and/or EES information.
  • After that, the AAF generates the third authorization information and sends it to the EEC.
  • The third authorization information may include the ECS ID and the EEC ID.
  • The third authorization information may also include one or more of an EES ID, an EES provider ID, an ECSP ID or an EAS ID. These determine the scope of the authorization granted by the ECS to the EEC, that is, which EES objects the EEC may be authorized to access.
  • The third authorization information may further include an expiration time, which the EES uses to determine whether the authorization granted by the ECS to the EEC is still within its validity period.
  • After receiving the third authorization information, the EEC can send a request carrying the third authorization information to the EES; the EES verifies the third authorization information and determines accordingly whether the EEC is allowed to access the EES.
  • For the specific process, refer to the corresponding procedures in FIG. 2 or FIG. 3A to FIG. 3C; the description is not repeated here.
  • In this way, the EEC is authorized through a dedicated AAF network element, which reduces the resource overhead of having the edge enabling server authorize each terminal. The terminal requests access verification from the EES on the basis of the obtained third authorization information, and the EES determines from the third authorization information whether the terminal has the authority to access the corresponding service, which reduces the possibility of a terminal's authority being misappropriated and ensures communication security during the edge service.
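The AAF-side checks described above (resolve the key identifier and the subscriber identity to the same SUPI, verify the optional MAC-I, then confirm with the UDM that the subscriber may use the requested ECS or EES), as an added worked example in Go. This is not code from the patent or from any Huawei implementation. It collapses the NEF/AAnF/UDM round trips of Methods 2 to 8 into local lookup tables, uses HMAC-SHA256 as the MAC-I construction, and uses hypothetical identifiers and key values; all of these are assumptions, since the text fixes neither the lookup path nor the MAC algorithm.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed fixtures standing in for the network functions the AAF consults:
// AAnF (A-KID -> SUPI), UDM (GPSI -> SUPI and the subscriber's edge
// authorization) and the Kausf-derived key the AAF obtains for an A-KID.
// Every identifier and key below is hypothetical.
var (
	aanfKeyIDToSUPI = map[string]string{"A-KID-0001": "imsi-460001234567890"}
	udmGPSIToSUPI   = map[string]string{
		"msisdn-8613800000001": "imsi-460001234567890",
		"msisdn-8613800000002": "imsi-460009876543210",
	}
	udmEdgeAuth = map[string]map[string]bool{
		"imsi-460001234567890": {"ECS-1": true, "EES-1": true},
	}
	kafForKeyID = map[string][]byte{"A-KID-0001": []byte("hypothetical-kausf-derived-key")}
)

// ThirdRequest is what the EEC sends to the AAF: its identity (GPSI here; an
// EEC ID works the same way), the key identifier from the AKMA run (A-KID; for
// GBA it would be the B-TID), the ECS or EES it wants access to, and optionally
// a MAC-I over the identity under the Kausf-derived key.
type ThirdRequest struct {
	GPSI   string
	AKID   string
	Target string
	MACI   []byte
}

// computeMACI is the terminal-side computation of MAC-I. HMAC-SHA256 over the
// GPSI is an assumption; the text only says the MAC is derived from Kausf.
func computeMACI(kaf []byte, gpsi string) []byte {
	m := hmac.New(sha256.New, kaf)
	m.Write([]byte(gpsi))
	return m.Sum(nil)
}

var (
	ErrUnknownKeyID    = errors.New("A-KID unknown to AAnF: no completed AKMA run")
	ErrUnknownGPSI     = errors.New("GPSI unknown to UDM")
	ErrBindingMismatch = errors.New("A-KID and GPSI resolve to different SUPIs")
	ErrBadMACI         = errors.New("MAC-I verification failed")
	ErrNotAuthorized   = errors.New("subscriber not authorized for the requested target")
)

// VerifyThirdRequest performs the AAF-side checks in order: resolve the A-KID
// through AAnF and the GPSI through UDM and require the same SUPI (the
// correspondence check), recompute the MAC-I if one was sent, then ask UDM
// whether the subscriber may access the requested ECS/EES. On success it
// returns the SUPI so the caller can mint the third authorization information.
func VerifyThirdRequest(req ThirdRequest) (string, error) {
	supiFromKey, ok := aanfKeyIDToSUPI[req.AKID]
	if !ok {
		return "", ErrUnknownKeyID
	}
	supiFromGPSI, ok := udmGPSIToSUPI[req.GPSI]
	if !ok {
		return "", ErrUnknownGPSI
	}
	if supiFromKey != supiFromGPSI {
		return "", ErrBindingMismatch
	}
	if req.MACI != nil && !hmac.Equal(computeMACI(kafForKeyID[req.AKID], req.GPSI), req.MACI) {
		return "", ErrBadMACI
	}
	if !udmEdgeAuth[supiFromKey][req.Target] {
		return "", ErrNotAuthorized
	}
	return supiFromKey, nil
}

func main() {
	good := ThirdRequest{GPSI: "msisdn-8613800000001", AKID: "A-KID-0001", Target: "EES-1"}
	good.MACI = computeMACI(kafForKeyID[good.AKID], good.GPSI)
	fmt.Println(VerifyThirdRequest(good))
	// The same A-KID replayed with another subscriber's GPSI fails the binding check.
	swapped := good
	swapped.GPSI = "msisdn-8613800000002"
	fmt.Println(VerifyThirdRequest(swapped))
}
```

The order of the checks matters: the binding check runs before the MAC-I check so that an attacker cannot use the MAC-I verification as an oracle for a key identifier that does not belong to the identity presented, and the UDM authorization decision is consulted only for a subscriber whose identity has already been confirmed.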
  • Each network element in the above implementations includes corresponding hardware structures and/or software modules for executing each function.
  • The units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in hardware, or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application and the design constraints of the technical solution. Skilled artisans may implement the described functionality in different ways for each particular application, but such implementations should not be considered beyond the scope of this application.
  • Each functional module may be divided according to the functions above, or two or more functions may be integrated into one processing module; the integrated module can be implemented in the form of hardware or of a software functional module.
  • The division of modules in the embodiments of the present application is schematic and is only a logical functional division; there may be other division manners in actual implementation.
  • FIG. 5 shows a communication apparatus 500 provided by an embodiment of the present application, which can be used to execute the authorization method, and the specific embodiments, applied to a terminal in FIG. 2 or FIG. 3A to FIG. 3C.
  • The apparatus may be a terminal, or a chip configured in a terminal.
  • The communication apparatus 500 includes a sending module 501, a receiving module 502 and a processing module 503.
  • The sending module 501 is configured to send a first configuration request to an edge configuration server (ECS), where the first configuration request is used to request authorization information for communication between the terminal and an edge enabling server (EES).
  • The receiving module 502 is configured to receive first authorization information generated by the ECS according to the first configuration request, where the first authorization information includes an edge configuration server identifier and a terminal identifier.
  • The processing module 503 is configured to generate a first request, where the first request carries the first authorization information.
  • The sending module 501 is further configured to send the first request to the EES.
  • The receiving module 502 is further configured to receive a first response, where the first response includes indication information of whether the terminal is authorized to access the EES.
  • The first authorization information further includes one or more of the following: an edge enabling server identifier, an edge enabling server provider identifier, and an edge application server identifier.
  • The first authorization information further includes an edge enabling service key Kees.
  • The first authorization information is encrypted with a first key, where the first key is a key shared between the edge configuration server and the edge enabling server, or the first key is the public key of the edge enabling server.
  • The receiving module 502 is further configured to receive the Kees from the edge configuration server, or to receive from the edge configuration server the parameters used for deriving the Kees.
  • The processing module 503 is further configured to derive the Kees from the received parameters.
  • The sending module 501 is further configured to send the Kees to the edge enabling server.
  • The first authorization information is signed with the private key of the edge configuration server.
  • The processing module 503 communicates with the edge enabling server using the Kees, or using a key derived from the Kees.
  • The above processing module 503 may be a chip, an encoder, an encoding circuit or another integrated circuit capable of implementing the method of the present application.
  • The receiving module 502 and the sending module 501 may be interface circuits or transceivers.
  • The receiving module 502 and the sending module 501 may be independent modules, or may be integrated into a transceiver module (not shown in the figure) that implements the functions of the receiving module 502 and the sending module 501.
  • Since the apparatus 500 is used to execute the authorization method corresponding to the terminal, for the specific description of the method, in particular the functions of the receiving module 502, the sending module 501 and the processing module 503, reference may be made to the relevant part of the corresponding method embodiment; details are not repeated here.
  • The apparatus 500 may further include a storage module (not shown in the figure) for storing data and/or signaling; the storage module may be coupled with the processing module 503, or with the receiving module 502 or the sending module 501.
  • The processing module 503 may be configured to read data and/or signaling from the storage module, so that the authorization methods in the foregoing method embodiments are executed.
  • FIG. 6 shows another communication apparatus 600 provided by an embodiment of the present application, which may be used to execute the authorization method, and the specific embodiments, applied to an edge configuration server in FIG. 2 or FIG. 3A to FIG. 3C.
  • The apparatus may be a server, or a chip configured in a server.
  • The communication apparatus 600 includes a receiving module 601, a sending module 602 and a processing module 603.
  • The receiving module 601 is configured to receive a first configuration request sent by a terminal, where the first configuration request is used to request authorization information for communication between the terminal and the edge enabling server.
  • The processing module 603 is configured to generate first authorization information according to the first configuration request, where the first authorization information includes an edge configuration server identifier and a terminal identifier.
  • The sending module 602 is configured to send the first authorization information to the terminal.
  • The first authorization information further includes one or more of the following: an edge enabling server identifier, an edge enabling server provider identifier, and an edge application server identifier.
  • The first authorization information further includes an edge enabling service key Kees.
  • The processing module 603 is further configured to encrypt the first authorization information with a first key, where the first key is a key shared between the edge configuration server and the edge enabling server, or the first key is the public key of the edge enabling server.
  • The sending module 602 is further configured to send the Kees to the terminal, or to send the parameters used for deriving the Kees to the terminal.
  • The processing module 603 is further configured to sign the first authorization information with the private key of the edge configuration server.
  • The sending module 602 is further configured to push the Kees to the edge enabling server, or to send the Kees to the edge enabling server in response to key request information from the edge enabling server.
  • The above processing module 603 may be a chip, an encoder, an encoding circuit or another integrated circuit capable of implementing the method of the present application.
  • The receiving module 601 and the sending module 602 may be interface circuits or transceivers.
  • The receiving module 601 and the sending module 602 may be independent modules, or may be integrated into a transceiver module (not shown in the figure) that implements the functions of the receiving module 601 and the sending module 602.
  • Since the apparatus 600 is used to execute the authorization method corresponding to the edge configuration server, for the specific description of the method, in particular the functions of the receiving module 601, the sending module 602 and the processing module 603, reference may be made to the relevant part of the corresponding method embodiment; details are not repeated here.
  • The apparatus 600 may further include a storage module (not shown in the figure) for storing data and/or signaling; the storage module may be coupled with the processing module 603, or with the receiving module 601 or the sending module 602.
  • The processing module 603 may be configured to read data and/or signaling from the storage module, so that the authorization methods in the foregoing method embodiments are executed.
  • FIG. 7 shows another communication apparatus 700 provided by an embodiment of the present application, which may be used to execute the authorization method, and the specific embodiments, applied to an edge enabling server in FIG. 2 or FIG. 3A to FIG. 3C; the apparatus may be a server, or a chip configured in a server.
  • The communication apparatus 700 includes a receiving module 701, a sending module 702 and a processing module 703.
  • The receiving module 701 is configured to receive a first request sent by a terminal, where the first request includes first authorization information, and the first authorization information includes an edge configuration server identifier and a terminal identifier.
  • The processing module 703 is configured to verify the first authorization information and to generate a first response after the verification, where the first response includes indication information of whether the terminal is authorized to access the edge enabling server; the sending module 702 is configured to send the first response to the terminal.
  • The first authorization information further includes one or more of the following: an edge enabling server identifier, an edge enabling server provider identifier, and an edge application server identifier.
  • The first authorization information further includes an edge enabling service key Kees, and the processing module 703 is further configured to obtain the Kees from the first authorization information.
  • The first authorization information is encrypted with a first key, where the first key is a key shared between the edge configuration server and the edge enabling server, or the first key is the public key of the edge enabling server.
  • Obtaining the Kees from the first authorization information then includes: the edge enabling server decrypts the encrypted first authorization information with the shared key, or with the private key corresponding to the public key, to obtain the first authorization information, and obtains the Kees from it.
  • The edge enabling server may also receive the Kees from the terminal.
  • The receiving module 701 is further configured to receive the Kees from the edge configuration server.
  • Alternatively, the sending module 702 sends key request information to the edge configuration server, and the receiving module 701 receives the Kees from the edge configuration server.
  • The processing module 703 is further configured to perform security authentication by checking the Kees obtained from the terminal against the Kees obtained from the edge configuration server, and to communicate securely with the terminal after the authentication passes.
  • The first authorization information is signed with the private key of the edge configuration server, and the processing module 703 is further configured to verify the first authorization information with the public key of the edge configuration server.
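The issue-and-verify cycle described for the terminal, ECS and EES modules above (first authorization information carrying the ECS ID, the terminal ID, optional EES/ECSP/EAS IDs, a Kees and an expiry; signed with the ECS private key and encrypted under the key shared between ECS and EES; verified by the EES, which then checks the Kees presented by the terminal against the Kees the ECS placed in the token), as an added worked example in Go. The same structure serves the third authorization information issued by the AAF earlier on the page. This is not code from the patent or from any implementation of it; the concrete choices are assumptions, since the text fixes none of them: ECDSA P-256 for the ECS signature, AES-256-GCM for the shared-key variant of the encryption, JSON as the encoding, encrypt-then-sign ordering, and all field, function and identifier names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AuthorizationInfo is the first authorization information: ECS ID and terminal ID
// are mandatory, EES/ECSP/EAS IDs bound the scope, Kees and Expiry are optional.
type AuthorizationInfo struct {
	ECSID  string    `json:"ecs_id"`
	EECID  string    `json:"eec_id"`
	EESID  string    `json:"ees_id,omitempty"`
	ECSPID string    `json:"ecsp_id,omitempty"`
	EASID  string    `json:"eas_id,omitempty"`
	Kees   []byte    `json:"kees,omitempty"`
	Expiry time.Time `json:"expiry"`
}

// Token is what the terminal carries in the first request: the information encrypted
// under the ECS/EES shared key, and the ECS's ECDSA signature over that ciphertext.
type Token struct {
	Ciphertext []byte
	Sig        []byte
}

var ErrDenied = errors.New("first request denied")

// newGCM builds AES-256-GCM over the 32-byte shared key; neither call fails for that length.
func newGCM(shared *[32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(shared[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Issue is the ECS side: encrypt the JSON-encoded information with a fresh nonce,
// then sign SHA-256 of the ciphertext with the ECS private key.
func Issue(info AuthorizationInfo, ecsPriv *ecdsa.PrivateKey, shared *[32]byte) (Token, error) {
	payload, _ := json.Marshal(info) // cannot fail for this struct
	gcm := newGCM(shared)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Token{}, err
	}
	ct := gcm.Seal(nonce, nonce, payload, nil)
	digest := sha256.Sum256(ct)
	sig, err := ecdsa.SignASN1(rand.Reader, ecsPriv, digest[:])
	return Token{ct, sig}, err
}

// Verify is the EES side: check the ECS signature, decrypt with the shared key, then
// require an unexpired token issued to the presenting terminal that names this EES
// (empty EES ID = open scope) and whose Kees equals the one the terminal presents.
// Every failure maps to ErrDenied, as the first response only says authorized or not.
func Verify(tok Token, eecID string, keesFromTerminal []byte, ecsPub *ecdsa.PublicKey,
	shared *[32]byte, myEESID string, now time.Time) (info AuthorizationInfo, err error) {
	digest := sha256.Sum256(tok.Ciphertext)
	gcm := newGCM(shared)
	n := gcm.NonceSize()
	if !ecdsa.VerifyASN1(ecsPub, digest[:], tok.Sig) || len(tok.Ciphertext) < n {
		return info, ErrDenied
	}
	payload, err := gcm.Open(nil, tok.Ciphertext[:n], tok.Ciphertext[n:], nil)
	if err != nil || json.Unmarshal(payload, &info) != nil ||
		!now.Before(info.Expiry) || info.EECID != eecID ||
		(info.EESID != "" && info.EESID != myEESID) ||
		!hmac.Equal(info.Kees, keesFromTerminal) {
		return AuthorizationInfo{}, ErrDenied
	}
	return info, nil
}

// newECSKey makes a P-256 ECS signing key; a real EES gets the ECS public key out of band.
func newECSKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	ecsPriv, shared, kees := newECSKey(), new([32]byte), []byte("constructed-kees")
	rand.Read(shared[:]) // constructed ECS/EES shared key for the demo
	tok, _ := Issue(AuthorizationInfo{ECSID: "ECS-1", EECID: "EEC-42", EESID: "EES-1",
		Kees: kees, Expiry: time.Now().Add(time.Hour)}, ecsPriv, shared)
	_, errGood := Verify(tok, "EEC-42", kees, &ecsPriv.PublicKey, shared, "EES-1", time.Now())
	_, errReplay := Verify(tok, "EEC-99", kees, &ecsPriv.PublicKey, shared, "EES-1", time.Now())
	fmt.Println("EEC-42:", errGood, "| EEC-99 presenting the same token:", errReplay)
}
```

Two design points worth noting. The terminal never sees the plaintext of the token, so the Kees and the scope fields cannot be read or altered by it, and a token stolen from one EEC is useless to another because the EES compares the terminal identifier inside the token with the identifier of the party presenting it. The scope check treats an absent EES ID as "any EES", which mirrors the optional nature of that field in the text; an operator who wants a closed scope would turn that branch into a denial.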
  • The above processing module 703 may be a chip, an encoder, an encoding circuit or another integrated circuit capable of implementing the method of the present application.
  • The receiving module 701 and the sending module 702 may be interface circuits or transceivers.
  • The receiving module 701 and the sending module 702 may be independent modules, or may be integrated into a transceiver module (not shown in the figure) that implements the functions of the receiving module 701 and the sending module 702.
  • Since the apparatus 700 is used to execute the authorization method corresponding to the edge enabling server, for the specific description of the method, in particular the functions of the receiving module 701, the sending module 702 and the processing module 703, reference may be made to the relevant part of the corresponding method embodiment; details are not repeated here.
  • The apparatus 700 may further include a storage module (not shown in the figure) for storing data and/or signaling; the storage module may be coupled with the processing module 703, or with the receiving module 701 or the sending module 702.
  • The processing module 703 may be configured to read data and/or signaling from the storage module, so that the authorization methods in the foregoing method embodiments are executed.
  • FIG. 8 is a schematic diagram of a hardware structure of a communication apparatus in an embodiment of the present application.
  • The structure of the terminal or the server may refer to the structure shown in FIG. 8.
  • The communication apparatus 900 includes a processor 111 and a transceiver 112, which are electrically coupled.
  • The processor 111 is configured to execute some or all of the computer program instructions in the memory; when these instructions are executed, the apparatus performs the method described in any of the foregoing embodiments.
  • The transceiver 112 is configured to communicate with other devices, for example to send a first configuration request to the edge configuration server (ECS), where the first configuration request is used to request authorization information for communication between the terminal and the edge enabling server (EES), or to receive first authorization information generated by the ECS according to the first configuration request, where the first authorization information includes an edge configuration server identifier, a terminal identifier, and the like.
  • The memory 113 is used for storing the computer program instructions.
  • The memory 113 may be located in the apparatus (memory #1), integrated with the processor 111 (memory #2), or located outside the apparatus (memory #3).
  • The communication apparatus 900 shown in FIG. 8 may be a chip or a circuit.
  • Such a chip or circuit may be provided in a terminal device or a communication device.
  • The transceiver 112 described above may also be a communication interface.
  • A transceiver includes a receiver and a transmitter.
  • The communication apparatus 900 may also include a bus system.
  • The processor 111, the memory 113 and the transceiver 112 are connected through the bus system; the processor 111 executes the instructions stored in the memory 113 to control the transceiver to receive and send signals and to complete the steps of the first device or the second device in the methods of this application.
  • The memory 113 may be integrated in the processor 111, or may be provided separately from the processor 111.
  • The function of the transceiver 112 may be implemented by a transceiver circuit or a dedicated transceiver chip.
  • The processor 111 may be implemented by a dedicated processing chip, a processing circuit, a processor or a general-purpose chip.
  • The processor may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
  • The processor may further include a hardware chip or another general-purpose processor.
  • The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or any combination thereof.
  • The general-purpose processor may be a microprocessor, or any conventional processor or the like.
  • The memory mentioned in the embodiments of the present application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
  • The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory.
  • The volatile memory may be random access memory (RAM), which acts as an external cache. Forms of RAM include dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM) and direct Rambus RAM (DR RAM).
  • An embodiment of the present application provides a computer storage medium storing a computer program, where the computer program includes instructions for executing the method corresponding to the terminal in the foregoing embodiments.
  • An embodiment of the present application provides a computer storage medium storing a computer program, where the computer program includes instructions for executing the method corresponding to the edge configuration server or the edge enabling server in the foregoing embodiments.
  • An embodiment of the present application provides a computer program product including instructions which, when run on a computer, cause the computer to execute the method corresponding to the terminal in the foregoing embodiments.
  • An embodiment of the present application provides a computer program product including instructions which, when run on a computer, cause the computer to execute the method corresponding to the edge configuration server or the edge enabling server in the foregoing embodiments.
  • The sequence numbers of the above processes do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present application.
  • The disclosed system, apparatus and method may be implemented in other manners.
  • The apparatus embodiments described above are only illustrative.
  • The division of the units is only a logical functional division; in actual implementation there may be other division methods.
  • Multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented.
  • The mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
  • The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • The functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium.
  • On this basis, the technical solution of the present application in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product stored in a storage medium, which includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or some of the steps of the methods described in the embodiments of the present application.
  • The aforementioned storage medium includes a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, an optical disk or another medium that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application relates to an authorization method and device. The method comprises the following steps: a terminal sends a first configuration request to an edge configuration server, the first configuration request being used to request authorization information for communication between the terminal and an edge enabling server (EES); the edge configuration server generates first authorization information according to the first configuration request and sends the first authorization information to the terminal; the terminal sends a first request to the EES, the first request carrying the first authorization information; the EES receives the first request, verifies the first authorization information and generates a first response after verification, the first response comprising indication information indicating whether the terminal is authorized to access the EES; the EES sends the first response to the terminal; the terminal determines, according to the first response, whether it is authorized to access the EES. According to the embodiments of the present application, the edge configuration server authorizes the terminal to access the EES, which reduces the probability of a terminal's authority being misappropriated and thus ensures communication security during an edge service.
PCT/CN2021/117644 2020-09-16 2021-09-10 Authorization method and device Ceased WO2022057736A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010973308.XA CN114268943B (zh) 2020-09-16 2020-09-16 Authorization method and apparatus
CN202010973308.X 2020-09-16

Publications (1)

Publication Number Publication Date
WO2022057736A1 true WO2022057736A1 (fr) 2022-03-24

Family

ID=80775902

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/117644 Ceased WO2022057736A1 (fr) 2020-09-16 2021-09-10 Authorization method and device

Country Status (2)

Country Link
CN (1) CN114268943B (fr)
WO (1) WO2022057736A1 (fr)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116848823A (zh) * 2023-05-15 2023-10-03 北京小米移动软件有限公司 Internet protocol address verification method for edge computing scenarios and apparatus therefor
WO2023185567A1 (fr) * 2022-03-30 2023-10-05 华为技术有限公司 Application server discovery method and apparatus
WO2023201576A1 (fr) * 2022-04-20 2023-10-26 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for communication services
CN117061135A (zh) * 2022-05-06 2023-11-14 华为技术有限公司 Communication method and apparatus
WO2024097381A1 (fr) * 2022-11-04 2024-05-10 Interdigital Patent Holdings, Inc. Methods, architectures, apparatuses and systems for network authentication with a legacy authentication, authorization and accounting server for a standalone non-public network
CN118160336A (zh) * 2022-09-30 2024-06-07 北京小米移动软件有限公司 Method and apparatus for establishing a connection
WO2024261514A1 (fr) * 2023-06-20 2024-12-26 Telefonaktiebolaget Lm Ericsson (Publ) Authentication and key management for applications (AKMA) based on silent two-factor authentication
WO2024261515A1 (fr) * 2023-06-20 2024-12-26 Telefonaktiebolaget Lm Ericsson (Publ) Pure authentication and key management for applications (AKMA) based two-factor authentication

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117014170A (zh) * 2022-04-28 2023-11-07 中国移动通信有限公司研究院 Information notification method and network node
CN117014136A (zh) * 2022-04-29 2023-11-07 中国移动通信有限公司研究院 Information transmission method and device
EP4527092A1 (fr) * 2022-05-16 2025-03-26 Telefonaktiebolaget LM Ericsson (publ) Methods for an edge computing client to obtain and use identifiers of a user equipment hosting the client
CN117597959A (zh) * 2022-06-17 2024-02-23 北京小米移动软件有限公司 Authentication and authorization method and apparatus, communication device and storage medium
CN117597956A (zh) * 2022-06-17 2024-02-23 北京小米移动软件有限公司 Authentication mode selection method, apparatus, device and storage medium
WO2023240657A1 (fr) * 2022-06-17 2023-12-21 北京小米移动软件有限公司 Authentication and authorization method and apparatus, communication device and storage medium
US20260059307A1 (en) * 2022-09-29 2026-02-26 Apple Inc. Negotiation of Authentication Procedures in Edge Computing
WO2024168683A1 (fr) * 2023-02-16 2024-08-22 Apple Inc. Multi-access edge computing edge enabler client identifier generation and construction
CN115859263B (zh) * 2023-02-23 2023-05-19 北京易智时代数字科技有限公司 Virtual reality application management method, terminal and edge service platform
CN120110674A (zh) * 2025-01-26 2025-06-06 西安华为技术有限公司 Communication method and apparatus therefor

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101594276A (zh) * 2008-05-28 2009-12-02 原创信通电信技术(北京)有限公司 Service authorization method for an IP telecommunication network system
US20140143428A1 (en) * 2011-07-14 2014-05-22 Huawei Technologies Co., Ltd. Method, Apparatus, and Edge Node Controller for Allocating Edge Node
CN110366159A (zh) * 2018-04-09 2019-10-22 华为技术有限公司 Method and device for obtaining a security policy
CN111225377A (zh) * 2018-11-23 2020-06-02 财团法人工业技术研究院 Network service system and network service method
CN111611561A (zh) * 2020-06-09 2020-09-01 中国电子科技集团公司第二十八研究所 Unified authentication and authorization management method for hierarchical edge users

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020174121A1 (fr) * 2019-02-28 2020-09-03 Nokia Technologies Oy Inter-mobile network communication authorization
CN111163063B (zh) * 2019-12-12 2022-07-12 万翼科技有限公司 Edge application management method and related product

Also Published As

Publication number Publication date
CN114268943B (zh) 2024-07-19
CN114268943A (zh) 2022-04-01

Similar Documents

Publication Publication Date Title
CN114268943B (zh) Authorization method and apparatus
CN113225176B (zh) Key obtaining method and apparatus
US10638321B2 (en) Wireless network connection method and apparatus, and storage medium
US11496320B2 (en) Registration method and apparatus based on service-based architecture
US7734280B2 (en) Method and apparatus for authentication of mobile devices
CN112566119B (zh) Terminal authentication method and apparatus, computer device and storage medium
TWI388180B (zh) Key generation in a communication system
RU2414086C2 (ru) Application authentication
US9049184B2 (en) System and method for provisioning a unique device credentials
CN110798833A (zh) Method and apparatus for verifying a user equipment identity during an authentication procedure
WO2018077232A1 (fr) Network authentication method, and related device and system
WO2017028593A1 (fr) Method for enabling a network access device to access a wireless network access point, network access device, application server and non-volatile computer-readable storage medium
US9807088B2 (en) Method and network node for obtaining a permanent identity of an authenticating wireless device
WO2009094942A1 (fr) Method and communication network system for establishing a security association
WO2019029531A1 (fr) Network authentication triggering method and related device
WO2018010150A1 (fr) Authentication method and authentication system
WO2023221891A1 (fr) Secure communication method and apparatus
WO2014127751A1 (fr) Wireless terminal configuration method, apparatus and wireless terminal
WO2022028259A1 (fr) Method and apparatus for obtaining user subscription data
US20260006016A1 (en) Communication method and communication apparatus
CN112423300A (zh) Wireless network access authentication method and apparatus
CN115022850A (zh) D2D communication authentication method, apparatus, system, electronic device and medium
CN116939609A (zh) Wireless network access authentication method and related apparatus
WO2022094936A1 (fr) Access method, device, and cloud platform device
WO2025026232A1 (fr) Session establishment method and related apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21868561

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21868561

Country of ref document: EP

Kind code of ref document: A1