CN117320009A - Electronic devices, wireless communication methods and computer-readable storage media - Google Patents
- Publication number
- CN117320009A (CN202210726111.5A)
- Authority
- CN
- China
- Prior art keywords
- authentication
- authentication policy
- electronic device
- npn
- updated
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0892—Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W24/00—Supervisory, monitoring or testing arrangements
- H04W24/02—Arrangements for optimising operational condition
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present disclosure relates to an electronic device, a wireless communication method, and a computer-readable storage medium. An electronic device according to the present disclosure includes processing circuitry configured to: generate updated authentication policy information for a network element in the NPN, the authentication policy information comprising an authentication policy used when secondarily authenticating a user equipment in the NPN; and send the updated authentication policy information to the network element in the NPN. Using the electronic device, the wireless communication method, and the computer-readable storage medium according to the present disclosure, the secondary authentication policy of the NPN network element can be automatically updated, thereby simplifying the update flow.
Description
Technical Field
Embodiments of the present disclosure relate generally to the field of wireless communications, and in particular, to electronic devices, wireless communication methods, and computer-readable storage media. More particularly, the present disclosure relates to an electronic device for managing an authentication policy of secondary authentication, an electronic device for a network element in an NPN (Non-Public Network), a wireless communication method performed by the electronic device for managing an authentication policy, a wireless communication method performed by a network element in an NPN, and a computer-readable storage medium.
Background
In a PNI-NPN (Public Network Integrated NPN, i.e. an NPN based on a public network) system, the NPN can be connected to a DN (Data Network) through a network slice of a 3GPP network. Here, the DN may be a private network of an enterprise and may include an authentication server DN-AAA (Authentication, Authorization, Accounting). Furthermore, the UE may connect to the DN through a network slice of the 3GPP network. In such a wireless communication system, after the UE has passed primary authentication (Primary Authentication) by the 3GPP network, the authentication server DN-AAA in the DN is also required to perform secondary authentication (Secondary Authentication) on the UE so that the UE can access the DN through the 3GPP network.
The policy of the secondary authentication may not meet the current demands for authentication security or authentication efficiency. In this case, the policy of the secondary authentication needs to be updated. In the prior art, the authentication policy of each NPN network element needs to be updated manually and separately, and the number of network elements that need to update the policy of the secondary authentication is large, so that the workload is great.
Therefore, it is necessary to propose a technical solution to automatically update the secondary authentication policy of the NPN network element, so as to simplify the update procedure.
Disclosure of Invention
This section provides a general summary of the disclosure, and is not a comprehensive disclosure of its full scope or all of its features.
An object of the present disclosure is to provide an electronic device, a wireless communication method, and a computer-readable storage medium to automatically update a secondary authentication policy of a network element of an NPN, thereby simplifying an update flow.
According to an aspect of the present disclosure, there is provided an electronic device in an NPN comprising processing circuitry configured to: generate updated authentication policy information for a network element in the NPN, the authentication policy information comprising an authentication policy used when secondarily authenticating a user equipment in the NPN; and send the updated authentication policy information to the network element in the NPN.
According to another aspect of the present disclosure, there is provided an electronic device in an NPN comprising processing circuitry configured to: receive updated authentication policy information for the electronic device generated by an authentication policy management device, the authentication policy information comprising an authentication policy used when secondarily authenticating a user equipment in the NPN; and perform the secondary authentication according to the updated authentication policy information.
According to another aspect of the present disclosure, there is provided a wireless communication method performed by an electronic device in an NPN, comprising: generating updated authentication policy information for a network element in the NPN, the authentication policy information comprising an authentication policy used when secondarily authenticating a user equipment in the NPN; and sending the updated authentication policy information to a network element in the NPN.
According to another aspect of the present disclosure, there is provided a wireless communication method performed by an electronic device in a non-public network NPN, comprising: receiving updated authentication policy information for the electronic device generated by an authentication policy management device, the authentication policy information comprising an authentication policy used when secondarily authenticating a user device in the NPN; and performing the secondary authentication according to the updated authentication policy information.
According to another aspect of the present disclosure, there is provided a computer-readable storage medium comprising executable computer instructions which, when executed by a computer, cause the computer to perform a wireless communication method according to the present disclosure.
According to another aspect of the present disclosure, there is provided a computer program which, when executed by a computer, causes the computer to perform the wireless communication method according to the present disclosure.
Using an electronic device, a wireless communication method, and a computer-readable storage medium according to the present disclosure, updated authentication policy information for a network element in an NPN may be generated and transmitted to the network element in the NPN. In this way, the network element in the NPN can perform the secondary authentication using the updated authentication policy information. Therefore, the electronic device can automatically update the secondary authentication policy of the NPN network element, so that the update flow is simplified.
Further areas of applicability will become apparent from the description provided herein. The description and specific examples in this summary are intended for purposes of illustration only and are not intended to limit the scope of the present disclosure.
Drawings
The drawings described herein are for illustration purposes only of selected embodiments and not all possible implementations, and are not intended to limit the scope of the present disclosure. In the drawings:
Fig. 1 is a block diagram showing an example of a configuration of an electronic device according to an embodiment of the present disclosure;
Fig. 2 is a signaling flow diagram illustrating an update procedure of an authentication policy of an authentication server AAA according to an embodiment of the present disclosure;
Fig. 3 is a signaling flow diagram illustrating an update procedure of an authentication policy of an SMF (Session Management Function) according to an embodiment of the present disclosure;
Fig. 4 is a signaling flow diagram illustrating an update procedure of an authentication policy of a UE (User Equipment) according to an embodiment of the present disclosure;
Fig. 5 is a signaling flow diagram illustrating an update procedure of an authentication policy of a UE according to another embodiment of the present disclosure;
Fig. 6 is a signaling flow diagram illustrating an update procedure of an authentication policy of a UE according to another embodiment of the present disclosure;
Fig. 7 is a signaling flow diagram illustrating an update procedure of an authentication policy of a UE according to another embodiment of the present disclosure;
Fig. 8 is a signaling flow diagram illustrating a process of primary authentication and secondary authentication according to an embodiment of the present disclosure;
Fig. 9 is a block diagram showing an example of a configuration of an electronic device according to another embodiment of the present disclosure;
Fig. 10 is a flowchart illustrating a wireless communication method performed by an electronic device according to an embodiment of the present disclosure;
Fig. 11 is a flowchart illustrating a wireless communication method performed by an electronic device according to another embodiment of the present disclosure;
Fig. 12 is a block diagram illustrating an example of a server that may implement an electronic device according to the present disclosure;
Fig. 13 is a block diagram showing an example of a schematic configuration of a smart phone; and
Fig. 14 is a block diagram showing an example of a schematic configuration of the car navigation device.
While the disclosure is susceptible to various modifications and alternative forms, specific embodiments thereof have been shown by way of example in the drawings and are herein described in detail. It should be understood, however, that the description herein of specific embodiments is not intended to limit the disclosure to the particular forms disclosed, but on the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the disclosure. It is noted that corresponding reference numerals indicate corresponding parts throughout the several views of the drawings.
Detailed Description
Examples of the present disclosure will now be described more fully with reference to the accompanying drawings. The following description is merely exemplary in nature and is not intended to limit the present disclosure, application, or uses.
Example embodiments are provided so that this disclosure will be thorough and will fully convey the scope to those skilled in the art. Numerous specific details are set forth such as examples of specific components, devices, and methods in order to provide a thorough understanding of embodiments of the present disclosure. It will be apparent to those skilled in the art that the exemplary embodiments may be embodied in many different forms without the use of the specific details, and that neither the details nor the embodiments should be construed to limit the scope of the disclosure. In certain example embodiments, well-known processes, well-known structures, and well-known techniques have not been described in detail.
The description will be made in the following order:
1. a description of a scene;
2. a configuration example of an electronic device for managing an authentication policy of secondary authentication;
3. configuration examples of electronic devices for network elements in NPN;
4. method embodiments;
5. application examples.
<1. Description of scene>
A wireless communication system according to the present disclosure may include an NPN, which may be hosted by or be part of a PLMN (Public Land Mobile Network); such an NPN may be referred to as a PNI-NPN. The NPN according to the present disclosure may be implemented by partitioning independent network resources for the NPN on the PLMN by way of network slicing. For example, the NPN may be connected to a DN through a network slice of a 3GPP network. Here, the DN may be a private network of an enterprise and may include an authentication server DN-AAA. That is, the NPN may include the DN and the network slice portion of the 3GPP network. Furthermore, the UE may connect with the DN in the NPN through the network slice portion of the 3GPP network. In such a wireless communication system, after the 3GPP network performs primary authentication on the UE, the authentication server DN-AAA in the DN is also required to perform secondary authentication on the UE, so that the UE can access the DN through the 3GPP network. In the NPN, the UE, the SMF and UPF (User Plane Function) of the 3GPP network, and the DN-AAA participate in the secondary authentication procedure of the UE. They all belong to the network elements in the NPN, but the UPF is only used for transparent forwarding of messages between the DN and the 3GPP network. The 3GPP network herein includes, but is not limited to, a 5G network or a later-emerging higher level network.
The present disclosure proposes an electronic device in a wireless communication system, a wireless communication method performed by the electronic device in the wireless communication system, and a computer-readable storage medium for such a scenario to automatically update a secondary authentication policy of a network element of an NPN, thereby simplifying an update flow.
According to embodiments of the present disclosure, the secondary authentication may be based on an EAP (Extensible Authentication Protocol) framework. In EAP framework-based secondary authentication, the UE acts as the client in EAP (EAP Client), the SMF acts as the EAP authentication entity (EAP Authenticator), and the DN-AAA acts as the authentication server (Authentication Server).
A network element for managing the authentication policy of the secondary authentication is added to the NPN. This network element is arranged in the DN and can manage the authentication policy of the network elements in the NPN, including updating the authentication policy. Furthermore, the network element may be provided separately from the authentication server AAA in the DN or may be integrated in the authentication server AAA in the DN. Further, this network element may be implemented as a server.
Further, in the present disclosure, the network elements in the NPN whose authentication policy is managed may include UE, SMF, and DN-AAA. Wherein the SMF and DN-AAA can also be implemented as servers.
The servers according to the present disclosure may be tower servers, rack servers, and blade servers, or may be control modules installed on the servers.
The user equipment according to the present disclosure may be a mobile terminal such as a smart phone, a tablet Personal Computer (PC), a notebook PC, a portable game terminal, a portable/dongle type mobile router, and a digital camera device, or a vehicle-mounted terminal such as a car navigation device. User equipment may also be implemented as terminals performing machine-to-machine (M2M) communication (also referred to as Machine Type Communication (MTC) terminals). Further, the user equipment may be a wireless communication module (such as an integrated circuit module including a single die) mounted on each of the above terminals.
<2. Configuration example of an electronic device for managing an authentication policy of secondary authentication>
Fig. 1 is a block diagram showing an example of a configuration of an electronic device 100 according to an embodiment of the present disclosure. Here, the electronic device 100 may be a server for managing authentication policies, which may be provided separately from the authentication server AAA in the DN, or may be integrated in the authentication server AAA in the DN. In case the electronic device 100 is arranged separately from the authentication server AAA in the DN, the electronic device 100 may be denoted as DN-PCF (Policy Control Function), i.e. the PCF in the DN, the function of which is similar to the function of the PCF in a 3GPP network.
As shown in fig. 1, the electronic device 100 may include a generation unit 110 and a communication unit 120.
Here, each unit of the electronic device 100 may be included in the processing circuit. Note that the electronic device 100 may include one processing circuit or a plurality of processing circuits. Further, the processing circuitry may include various discrete functional units to perform various different functions and/or operations. It should be noted that these functional units may be physical entities or logical entities, and that units that are referred to differently may be implemented by the same physical entity.
According to an embodiment of the present disclosure, the generating unit 110 may generate updated authentication policy information for the network element in the NPN. Herein, the authentication policy information may include an authentication policy used when the user equipment in the NPN is secondarily authenticated.
According to an embodiment of the present disclosure, the electronic device 100 may send the updated authentication policy information generated by the generating unit 110 to the network element in the NPN through the communication unit 120.
As can be seen, according to the electronic device 100 of the embodiment of the present disclosure, updated authentication policy information for a network element in the NPN may be generated and transmitted to the network element in the NPN. In this way, the network element in the NPN can perform the secondary authentication using the updated authentication policy information. It can be seen that the electronic device 100 according to the present disclosure can automatically update the secondary authentication policy of the NPN network element, thereby simplifying the update procedure.
In the present disclosure, the authentication policy information may include one or more of the following: authentication protocol, key generation method and authentication parameters.
The authentication protocols for secondary authentication according to the present disclosure may include EAP-based authentication protocols, including, but not limited to, the EAP-TLS (EAP-Transport Layer Security), EAP-TTLS (EAP-Tunneled Transport Layer Security), EAP-FAST (EAP-Flexible Authentication via Secure Tunneling), EAP-MD5 (EAP-Message Digest 5), EAP-LEAP (EAP-Lightweight Extensible Authentication Protocol) and EAP-GPSK (EAP-Generalized Pre-Shared Key) authentication protocols. A plurality of EAP-based authentication protocols may be preconfigured in both the electronic device 100 and the network element in the NPN, so that the authentication policy information may include identification information of a selected one of the authentication protocols. Thus, after receiving the authentication policy information, the network element in the NPN may determine the corresponding authentication protocol according to the identification information of the authentication protocol.
The key generation methods for secondary authentication according to the present disclosure include, but are not limited to, Argon2, scrypt, and PBKDF2. A plurality of key generation methods may be preconfigured in both the electronic device 100 and the network element in the NPN, so that the authentication policy information may include identification information of a selected one of the key generation methods. In this way, after receiving the authentication policy information, the network element in the NPN may determine the corresponding key generation method according to the identification information of the key generation method.
The authentication parameters for secondary authentication according to the present disclosure may include configuration parameters related to the process of secondary authentication, including, but not limited to, an identifier of a user equipment in the NPN, a certificate used in the EAP protocol, an identifier of the authentication algorithm used, and an extension parameter used by the authentication protocol. The authentication policy information may include these authentication parameters. In this way, after receiving the authentication policy information, the network element in the NPN can obtain these authentication parameters.
According to an embodiment of the present disclosure, the electronic device 100 may also receive an update notification indicating success or failure of the authentication policy update from a network element in the NPN through the communication unit 120.
According to embodiments of the present disclosure, the electronic device 100 may send updated authentication policy information using EAP messages. The EAP message includes the identification information of the destination device of the EAP message, so that the network element in the NPN can determine whether the EAP message is a message sent to itself according to the identification information of the destination device of the EAP message.
According to embodiments of the present disclosure, the electronic device 100 may also use a key derived from the key generated during the secondary authentication process to confidentiality protect and/or integrity protect the updated authentication policy information.
In accordance with embodiments of the present disclosure, where the electronic device 100 is located separately from the authentication server AAA in the DN, the electronic device 100 is referred to herein as a DN-PCF, i.e., a policy control function network element in the DN that is similar to a PCF network element in a core network. In this case, the network element in the NPN may be an SMF in the core network, a user equipment, or the authentication server AAA of the DN. That is, the electronic device 100 may configure and update the authentication policy in the SMF, the user equipment, or the authentication server AAA of the DN. In case the electronic device 100 is integrated in the authentication server AAA in the DN, the network element in the NPN may be an SMF in the core network or a user equipment. That is, the electronic device 100 may configure and update the authentication policy of the SMF or the user equipment.
According to embodiments of the present disclosure, the electronic device 100 may be responsible for managing an authentication policy for secondary authentication of network elements in an NPN, including configuring and updating the authentication policy. For example, a network administrator of the NPN may configure authentication policies for network elements in the NPN through the electronic device 100, such that the electronic device 100 may automatically configure and update authentication policies for network elements in the NPN according to embodiments of the disclosure. That is, in the case where the electronic device 100 determines that the network administrator has updated the authentication policy configured in the electronic device 100, updated authentication policy information may be generated.
According to embodiments of the present disclosure, the electronic device 100 may automatically update the authentication policy of each network element one by one. For example, the electronic device 100 first updates the authentication policy of the authentication server AAA of the DN, then updates the authentication policy of the SMF, and finally updates the authentication policies of the respective user devices one by one. Further, according to an embodiment of the present disclosure, in the case where at least one of the authentication protocol, the key generation method, and the authentication parameters is updated, the electronic device 100 may update the authentication policy of each network element. Here, the electronic device 100 may include only a portion in which an update occurs in the updated authentication policy information, or may include the entire authentication protocol, key generation method, and authentication parameter in the updated authentication policy information. Further, the electronic device 100 may carry updated authentication policy information through the authentication policy container.
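An added example (not part of the patent text) of the update message described above: a policy container that carries only the changed fields, names its destination device, and is integrity-protected with a key derived from the secondary-authentication key. The JSON layout, the identifier tables, the HMAC-SHA-256 tag and the derivation label are assumptions, since the disclosure does not specify them; confidentiality protection is left out.

```python
import hashlib
import hmac
import json

# Assumed identifier tables. The disclosure only says that both sides are
# preconfigured with several protocols and key generation methods.
PROTOCOLS = {1: "EAP-TLS", 2: "EAP-TTLS", 3: "EAP-GPSK"}
KEY_METHODS = {1: "Argon2", 2: "scrypt", 3: "PBKDF2"}
POLICY_FIELDS = ("protocol_id", "key_method_id", "params")

UPDATED = "updated"
NOT_FOR_ME = "ignored: other destination"
REJECT_INTEGRITY = "rejected: integrity check failed"
REJECT_UNKNOWN = "rejected: unknown field or identifier"


def derive_update_key(secondary_auth_key: bytes) -> bytes:
    """Derive a dedicated policy-update key (assumed construction: HMAC with a label)."""
    return hmac.new(secondary_auth_key, b"npn-policy-update", hashlib.sha256).digest()


def build_container(dest_id: str, changes: dict, key: bytes) -> bytes:
    """Policy manager side: serialize the changed fields and append an integrity tag."""
    body = json.dumps({"dest": dest_id, "policy": changes}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def apply_container(my_id: str, stored: dict, blob: bytes, key: bytes):
    """Network element side. Returns (status, policy); the stored policy is
    returned unchanged unless the status is UPDATED."""
    body, sep, tag = blob.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Verify the tag before parsing or trusting any field of the message.
    if not sep or not hmac.compare_digest(tag, expected):
        return REJECT_INTEGRITY, stored
    msg = json.loads(body)
    # The destination identifier tells an element whether the message is for it.
    if msg["dest"] != my_id:
        return NOT_FOR_ME, stored
    changes = msg["policy"]
    if any(name not in POLICY_FIELDS for name in changes):
        return REJECT_UNKNOWN, stored
    # Identifiers must resolve to something preconfigured on this element.
    if "protocol_id" in changes and changes["protocol_id"] not in PROTOCOLS:
        return REJECT_UNKNOWN, stored
    if "key_method_id" in changes and changes["key_method_id"] not in KEY_METHODS:
        return REJECT_UNKNOWN, stored
    # Partial update: fields absent from the container keep their stored value.
    return UPDATED, {**stored, **changes}


if __name__ == "__main__":
    key = derive_update_key(b"\x11" * 32)  # constructed sample key
    stored = {"protocol_id": 1, "key_method_id": 3, "params": {"cert": "old"}}
    blob = build_container("SMF-1", {"key_method_id": 1}, key)
    print(apply_container("SMF-1", stored, blob, key))
    print(apply_container("UE-7", stored, blob, key))
```
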
The update procedures of the authentication policies of the authentication server AAA, the SMF and the UE will be described below in connection with Figs. 2-7. In Figs. 2-7, the DN-PCF may be implemented by the electronic device 100. In Fig. 2, the DN-PCF is provided independently of the DN-AAA, and in Figs. 3-7, the DN-PCF may be provided independently of the DN-AAA or may be integrated in the DN-AAA.
Fig. 2 is a signaling flow diagram illustrating an update procedure of an authentication policy of an authentication server AAA according to an embodiment of the present disclosure. As shown in fig. 2, in step S201, the DN-PCF determines that its configured authentication policy is updated, and thus determines that the authentication policy of the DN-AAA needs to be updated. In step S202, the DN-PCF sends a Policy Update Request (AAA_policy_update_Request) to the DN-AAA, including updated authentication Policy information for the DN-AAA. Here, after the DN-AAA receives the updated authentication policy information, it may update its stored authentication policy. For example, the new authentication policy may be stored locally along with the previous authentication policy. That is, various versions of authentication policies may be stored in the DN-AAA. In step S203, after the DN-AAA updates its stored authentication Policy, a DN-AAA Policy Update notification (aaa_policy_update_notify) is sent to the DN-PCF to indicate that the Update was successful. In fig. 2, in step S202 and step S203, the message to be sent may be carried by an EAP packet, and may be confidentiality protected and/or integrity protected by using a key derived from the key generated in the secondary authentication process.
Fig. 3 is a signaling flow diagram illustrating an update procedure of an authentication policy of an SMF according to an embodiment of the present disclosure. As shown in fig. 3, in step S301, the DN-PCF determines that its configured authentication policy is updated and that the authentication policy of the DN-AAA has been updated, thus determining that the authentication policy of the SMF needs to be updated. In step S302, the DN-PCF sends a Policy Update Request (smf_policy_update_request) to the SMF via the UPF, including the updated authentication Policy information of the SMF. Here, after the SMF receives the updated authentication policy information, it may update its stored authentication policy. For example, the new authentication policy may be stored locally along with the previous authentication policy. That is, various versions of authentication policies may be stored in the SMF. In step S303, after the SMF updates its stored authentication Policy, an SMF Policy Update notification (smf_policy_update_notify) is sent to the DN-PCF by the UPF to indicate that the Update was successful. In fig. 3, in step S302 and step S303, the message to be sent may be carried by an EAP packet, and may be confidentiality protected and/or integrity protected by using a key derived from the key generated in the secondary authentication process.
Fig. 4-7 are signaling flow diagrams illustrating an update procedure of an authentication policy of a UE according to an embodiment of the present disclosure. Here, the DN-PCF may update the authentication policy of each UE in the NPN one by one through the flow shown in fig. 4-7.
As shown in fig. 4, in step S401, the DN-PCF determines that its configured authentication policy is updated and that the authentication policies of the DN-AAA and the SMF have been updated, thus determining that the authentication policy of the UE needs to be updated. In step S402, the DN-PCF sends a UE Policy Update Request (ue_policy_update_request) to the SMF via the UPF, including updated authentication Policy information of the UE. In step S403, the SMF determines whether the new policy of the UE is supported, that is, whether the new policy of the UE is included in the authentication policies stored in the SMF. Assuming here that the SMF supports the new policy of the UE, in step S404, a network triggered service request is performed, i.e. the SMF tries to connect to the UE through the base station device in the RAN (Radio Access Network). If the UE is registered with the SMF and the SMF can connect to the UE through the base station apparatus, the SMF forwards the UE policy update request to the UE in step S405. Here, after the UE receives the updated authentication policy information, it may update its stored authentication policy. For example, the old authentication policy may be replaced with the new authentication policy. That is, only the latest version of the authentication policy, including the latest version of the authentication protocol, the latest version of the key generation method, and the latest version of the authentication parameter, is stored in the UE. In step S406, after the UE updates its stored authentication Policy, a UE Policy Update notification (ue_policy_update_notify) is sent to the SMF via the base station apparatus to indicate that the Update was successful. In step S407, the SMF forwards the UE policy update notification to the DN-PCF via the UPF. As described above, fig. 4 shows an example in which the UE successfully updates the authentication policy. In fig. 4, in step S402, step S405, step S406, and step S407, the message to be transmitted may be carried by an EAP packet, and may be confidentiality protected and/or integrity protected by using a key derived from the key generated in the secondary authentication process.
As shown in fig. 5, in step S501, the DN-PCF determines that its configured authentication policy is updated and that the authentication policies of the DN-AAA and SMF have been updated, thus determining that the authentication policy of the UE needs to be updated. In step S502, the DN-PCF sends a UE policy update request to the SMF via the UPF, including updated authentication policy information of the UE. In step S503, the SMF determines whether a new policy of the UE is supported, that is, whether a new policy of the UE is included in the authentication policy stored in the SMF. Here, assuming that the SMF does not support the new policy of the UE, in step S504, the SMF sends a UE policy update notification to the DN-PCF through the UPF, indicating that the UE policy update fails, because the SMF does not support the new policy of the UE. As described above, fig. 5 shows an example in which the new policy of the UE is not supported by the SMF, resulting in update failure. In fig. 5, in step S502 and step S504, the message to be sent may be carried by an EAP message, and may be confidentiality protected and/or integrity protected by using a key derived from the key generated in the secondary authentication process.
As shown in fig. 6, in step S601, the DN-PCF determines that its configured authentication policy is updated and that the authentication policies of the DN-AAA and the SMF have been updated, and thus determines that the authentication policy of the UE needs to be updated. In step S602, the DN-PCF sends a UE policy update request, which includes the updated authentication policy information of the UE, to the SMF via the UPF. In step S603, the SMF determines whether the new policy of the UE is supported, that is, whether the new policy of the UE is included in the authentication policies stored in the SMF. Assuming here that the SMF supports the new policy of the UE, in step S604 a network triggered service request is performed, i.e., the SMF tries to connect to the UE through the base station device in the RAN (Radio Access Network). Here, assuming that the UE is not registered with the SMF or that the SMF cannot connect to the UE through the base station apparatus, in step S605 the SMF transmits a UE policy update notification to the DN-PCF through the UPF, indicating that the UE policy update fails because the UE is unregistered or unreachable. As described above, fig. 6 shows an example in which the UE is unregistered or unreachable, resulting in update failure. In fig. 6, in step S602 and step S605, the message to be sent may be carried by an EAP packet, and may be confidentiality protected and/or integrity protected by using a key derived from the key generated in the secondary authentication process.
As shown in fig. 7, in step S701, the DN-PCF determines that its configured authentication policy is updated and that the authentication policies of the DN-AAA and the SMF have been updated, and thus determines that the authentication policy of the UE needs to be updated. In step S702, the DN-PCF sends a UE policy update request, which includes the updated authentication policy information of the UE, to the SMF through the UPF. In step S703, the SMF determines whether the new policy of the UE is supported, that is, whether the new policy of the UE is included in the authentication policies stored in the SMF. Assuming here that the SMF supports the new policy of the UE, in step S704 a network triggered service request is performed, i.e., the SMF tries to connect to the UE through the base station device in the RAN. If the UE is registered with the SMF and the SMF can connect to the UE through the base station apparatus, the SMF forwards the UE policy update request to the UE in step S705. Here, the SMF may set a timer, and if no policy update notification has been received from the UE when the timer expires, the SMF may forward the UE policy update request to the UE again through the base station apparatus in step S706. The SMF may set the number of retransmissions of the policy update request as appropriate, which is not limited by the present disclosure. Optionally, in step S706, the SMF may instead send a UE policy update notification to the DN-PCF through the UPF, indicating that the UE policy update failed because the policy update notification from the UE was not received within a predetermined time. As described above, fig. 7 shows an example in which a policy update notification from the UE is not received within a predetermined time, resulting in update failure. In fig. 7, in step S702, step S705, and step S706, the message to be transmitted may be carried by an EAP packet, and may be confidentiality protected and/or integrity protected by using a key derived from the key generated in the secondary authentication process.
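The SMF-side decisions of figs. 4 to 7 can be exercised in one small simulation. This is an added example, not code from the patent: the HMAC-SHA256 key derivation and integrity tag, the JSON message encoding, the retransmission limit, and all UE names and policy values are assumptions constructed for illustration, and only integrity protection on the SMF-to-UE hop is modelled.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    SUCCESS = "update successful"                    # fig. 4
    SMF_UNSUPPORTED = "SMF does not support policy"  # fig. 5
    UE_UNREACHABLE = "UE unregistered/unreachable"   # fig. 6
    UE_TIMEOUT = "no UE notification in time"        # fig. 7


def derive_key(secondary_auth_key: bytes) -> bytes:
    # Assumption: HMAC-SHA256 with a fixed label stands in for "a key derived
    # from the key generated in the secondary authentication process".
    return hmac.new(secondary_auth_key, b"ue-policy-update", hashlib.sha256).digest()


def protect(key: bytes, msg: dict):
    body = json.dumps(msg, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()


def verify(key: bytes, body: bytes, tag: bytes) -> dict:
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return json.loads(body)


@dataclass
class UE:
    ue_id: str
    key: bytes
    policy: dict
    reachable: bool = True
    ignore_requests: int = 0   # constructed fault: requests that get no answer

    def receive(self, body: bytes, tag: bytes):
        if self.ignore_requests > 0:
            self.ignore_requests -= 1
            return None                        # the SMF timer will expire
        req = verify(self.key, body, tag)      # reject tampered requests
        self.policy = req["policy"]            # UE keeps only the latest version
        return protect(self.key, {"type": "ue_policy_update_notify",
                                  "ue": self.ue_id, "result": "success",
                                  "version": self.policy["version"]})


class SMF:
    def __init__(self, stored_policies, ues, max_retransmissions=2):
        self.stored = stored_policies          # every version the SMF holds
        self.ues = ues                         # ue_id -> (UE, derived key)
        self.max_retx = max_retransmissions

    def handle_update_request(self, ue_id: str, new_policy: dict) -> Outcome:
        # S403: forward only a policy that the SMF itself is configured with.
        if new_policy not in self.stored:
            return Outcome.SMF_UNSUPPORTED
        # S404: network triggered service request.
        entry = self.ues.get(ue_id)
        if entry is None or not entry[0].reachable:
            return Outcome.UE_UNREACHABLE
        ue, key = entry
        body, tag = protect(key, {"type": "ue_policy_update_request",
                                  "ue": ue_id, "policy": new_policy})
        # S705/S706: first transmission plus a bounded number of retransmissions.
        for _ in range(1 + self.max_retx):
            reply = ue.receive(body, tag)      # None models timer expiry
            if reply is None:
                continue
            note = verify(key, *reply)
            if note["result"] == "success" and note["version"] == new_policy["version"]:
                return Outcome.SUCCESS
        return Outcome.UE_TIMEOUT


def run_demo():
    # Constructed sample policies and UEs.
    old = {"version": 1, "protocol": "EAP-TLS", "key_generation": "method-A", "parameters": "set-1"}
    new = {"version": 2, "protocol": "EAP-TTLS", "key_generation": "method-B", "parameters": "set-2"}
    faults = {"ue-ok": {}, "ue-off": {"reachable": False},
              "ue-lossy": {"ignore_requests": 1}, "ue-silent": {"ignore_requests": 99}}
    ues = {}
    for name, kw in faults.items():
        key = derive_key(name.encode() * 4)    # constructed secondary-auth key
        ues[name] = (UE(name, key, dict(old), **kw), key)
    smf = SMF([old, new], ues)
    results = {name: smf.handle_update_request(name, new) for name in ues}
    results["unsupported"] = smf.handle_update_request("ue-ok", dict(new, version=3))
    results["unknown-ue"] = smf.handle_update_request("ue-x", new)
    return results, ues
```

Each failure outcome maps to one reason string that the SMF would carry in its UE policy update notification to the DN-PCF.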
As described above, according to the embodiments of the present disclosure, when the electronic device 100 determines that its configured authentication policy is updated, the authentication policies of the DN-AAA (when the electronic device 100 is integrated in the DN-AAA, there is no need to update the authentication policy of the DN-AAA), the SMF, and the UE may be automatically updated one after another in sequence. After the entire NPN updates the authentication policy, there may be some unregistered or unreachable UEs that have not successfully updated the authentication policy. Thus, when secondary authentication of the UE is performed, the electronic device 100 may again determine whether the authentication policy of the UE needs to be updated according to an embodiment of the present disclosure.
According to an embodiment of the present disclosure, as shown in fig. 1, the electronic device 100 may further include a determining unit 130 for determining whether the authentication policy of the user device needs to be updated according to the authentication policy currently configured by the user device in the course of the secondary authentication.
According to an embodiment of the present disclosure, in the process of performing the secondary authentication, the electronic device 100 may acquire the authentication policy currently configured by the user device through the communication unit 120. For example, in the case where the electronic device 100 is provided separately from the DN-AAA, the electronic device 100 may acquire the authentication policy currently configured by the user device from the DN-AAA; in the case where the electronic device 100 is integrated in the DN-AAA, the electronic device 100 may obtain the authentication policy currently configured by the user device from the SMF through the UPF. Further, the determining unit 130 may determine whether the authentication policy currently configured by the user equipment is the latest version of the authentication policy, i.e., whether it is the authentication policy that the electronic device 100 configured for the user equipment in the NPN at the last update. In case the authentication policy currently configured by the user equipment is not the latest version, the determining unit 130 may determine that the authentication policy of the user equipment needs to be updated. Further, in case the determining unit 130 determines that the authentication policy of the user equipment needs to be updated, the electronic device 100 may update the authentication policy of the user equipment in the manner described above.
Fig. 8 is a signaling flow diagram illustrating a process of primary authentication and secondary authentication according to an embodiment of the present disclosure. In fig. 8, the DN-PCF may be implemented by the electronic device 100, and the AMF (Authentication Management Function), V-SMF (Virtual-SMF, i.e., roaming SMF), H-SMF (Home-SMF), and H-UPF (Home-UPF, home UPF) are network elements in the core network. As shown in fig. 8, in step S801, a primary authentication procedure is performed between the UE and the core network. In step S802, the H-SMF initiates the secondary authentication process. In step S803, the H-SMF sends an EAP request to the UE to request the identity information of the UE in the NPN and the authentication policy with which the UE is currently configured. In step S804, the UE sends an EAP response to the H-SMF, which includes the authentication policy currently configured by the UE and may further include identification information of the UE in the NPN. In step S805, the H-SMF and the H-UPF establish a session. In steps S806 and S807, the H-SMF forwards the UE's EAP response to the DN-AAA through the H-UPF. In step S808, the DN-AAA performs secondary authentication on the UE according to the UE's currently configured authentication policy. In steps S809 and S810, the DN-AAA sends a message indicating that the secondary authentication is successful to the H-SMF through the H-UPF. In step S811, the H-SMF determines that the secondary authentication process is ended. In step S812, a session is established between the UE and the H-UPF. Here, after the DN-AAA receives the EAP response from the UE, the authentication policy currently configured by the UE may be forwarded to the DN-PCF at an appropriate occasion. As shown in fig. 8, in step S821, the DN-AAA forwards the authentication policy currently configured by the UE to the DN-PCF. In step S822, the DN-PCF determines whether the authentication policy currently configured by the UE is the latest version of the authentication policy, thereby determining whether the authentication policy of the UE needs to be updated. Assuming that the DN-PCF determines that the UE's authentication policy needs to be updated, the UE's authentication policy may be updated in the manner described previously in this disclosure, for example, with reference to the flows shown in figs. 4-7. Here, the process of updating the authentication policy of the UE may be performed when the UE is idle, for example, after a session is established between the UE and the H-UPF.
Notably, fig. 8 shows the signaling flow of the primary authentication and secondary authentication process according to an embodiment of the present disclosure for the case where the DN-PCF is provided separately from the DN-AAA. In the case where the DN-PCF is integrated in the DN-AAA, step S821 need not be performed, and the DN-AAA may perform step S822 at an appropriate timing.
It follows that, according to embodiments of the present disclosure, when the electronic device 100 determines that the authentication policy with which it is configured is updated, the authentication policies of the respective network elements may be automatically updated one by one in turn. Furthermore, after the entire NPN updates the authentication policy, there may be some unregistered or unreachable UEs that have not successfully updated the authentication policy. Thus, when secondary authentication is performed on the UE, the electronic device 100 may again determine whether the authentication policy of the UE needs to be updated. In summary, the electronic device 100 according to the present disclosure may automatically update the secondary authentication policy of the NPN network elements, thereby simplifying the update procedure.
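The catch-up path of fig. 8 (steps S804, S808, S821 and S822) is sketched below as an added example that is not part of the patent. It relies on the DN-AAA keeping earlier policy versions alongside the new one while the UE keeps only the latest. Assumptions: policies carry comparable integer versions, the UE reports its version number in the EAP response, a pre-shared-key challenge/response whose hash is chosen by the policy stands in for the real EAP method, an unknown reported version is rejected, and all names and values are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    version: int          # assumption: versions are comparable integers
    protocol: str
    key_generation: str   # here: name of the hash used to answer a challenge
    parameters: str


def answer(psk: bytes, challenge: bytes, policy: Policy) -> bytes:
    # Stand-in for the EAP method: keyed hash selected by the policy in force.
    return hmac.new(psk, challenge, policy.key_generation).digest()


class UE:
    def __init__(self, npn_id: str, psk: bytes, policy: Policy):
        self.npn_id, self.psk, self.policy = npn_id, psk, policy

    def eap_response(self, challenge: bytes) -> dict:        # S804
        return {"npn_id": self.npn_id,
                "policy_version": self.policy.version,
                "answer": answer(self.psk, challenge, self.policy)}

    def apply_update(self, policy: Policy) -> None:
        self.policy = policy                                 # old policy replaced


class DnAaa:
    def __init__(self, psks: dict):
        self.psks = psks
        self.policies = {}                   # version -> Policy, all versions kept

    def update(self, policy: Policy) -> None:
        self.policies[policy.version] = policy

    def secondary_auth(self, resp: dict, challenge: bytes):  # S808
        policy = self.policies.get(resp["policy_version"])
        psk = self.psks.get(resp["npn_id"])
        if policy is None or psk is None:
            return False, None               # unknown version or unknown UE
        ok = hmac.compare_digest(answer(psk, challenge, policy), resp["answer"])
        report = (resp["npn_id"], policy.version) if ok else None
        return ok, report                    # report is forwarded in S821


class DnPcf:
    def __init__(self, latest: Policy):
        self.latest = latest
        self.pending = set()                 # UEs that still need the update

    def check(self, npn_id: str, version: int) -> bool:      # S822
        stale = version != self.latest.version
        if stale:
            self.pending.add(npn_id)
        return stale

    def push_when_idle(self, ues: dict) -> None:
        # Stands for the update flow of figs. 4-7, run once the session exists.
        for npn_id in sorted(self.pending):
            ues[npn_id].apply_update(self.latest)
        self.pending.clear()


def run_fig8():
    old = Policy(1, "EAP-demo", "sha256", "set-1")
    new = Policy(2, "EAP-demo", "sha512", "set-2")
    psks = {n: n.encode() * 8 for n in ("ue-a", "ue-b", "ue-c")}
    aaa = DnAaa(psks)
    aaa.update(old)
    aaa.update(new)
    pcf = DnPcf(new)
    ues = {"ue-a": UE("ue-a", psks["ue-a"], new),
           "ue-b": UE("ue-b", psks["ue-b"], old),            # missed the update
           "ue-c": UE("ue-c", psks["ue-c"], Policy(0, "EAP-demo", "sha256", "set-0"))}
    auth = {}
    for name, ue in ues.items():
        challenge = os.urandom(16)
        ok, report = aaa.secondary_auth(ue.eap_response(challenge), challenge)
        auth[name] = ok
        if ok:
            pcf.check(*report)
    flagged = sorted(pcf.pending)
    pcf.push_when_idle(ues)
    challenge = os.urandom(16)
    ok, report = aaa.secondary_auth(ues["ue-b"].eap_response(challenge), challenge)
    return {"auth": auth, "flagged": flagged, "ue_b_reauth": ok,
            "ue_b_still_stale": pcf.check(*report)}
```

A UE that missed the network-wide update still authenticates under its old policy because the DN-AAA retained that version, and the DN-PCF check then brings it up to date.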
<3. Configuration example of electronic device for network element in NPN>
Fig. 9 is a block diagram illustrating a structure of an electronic device 900 in a wireless communication system according to an embodiment of the present disclosure. Here, the electronic device 900 may be a network element in the NPN that needs to update the authentication policy, such as the SMF, the user equipment, or the authentication server AAA of the DN. Specifically, in the case where the electronic device 100 is provided separately from the authentication server AAA in the DN, the electronic device 900 may be an SMF, a user equipment, or an authentication server AAA of the DN; in the case where the electronic device 100 is integrated in an authentication server AAA in a DN, the electronic device 900 may be an SMF or a user device.
As shown in fig. 9, the electronic device 900 may include a communication unit 910 and an authentication unit 920.
Here, each unit of the electronic device 900 may be included in the processing circuit. Note that the electronic device 900 may include one processing circuit or a plurality of processing circuits. Further, the processing circuitry may include various discrete functional units to perform various different functions and/or operations. It should be noted that these functional units may be physical entities or logical entities, and that units that are referred to differently may be implemented by the same physical entity.
According to an embodiment of the present disclosure, the electronic device 900 may receive updated authentication policy information for the electronic device 900, generated by the authentication policy management device, through the communication unit 910, the authentication policy information including an authentication policy used when performing secondary authentication on the user device in the NPN. The authentication policy management device here may be the electronic device 100 described in the foregoing.
According to an embodiment of the present disclosure, the authentication unit 920 may perform secondary authentication according to the updated authentication policy information.
As described above, according to the electronic device 900 of the embodiment of the present disclosure, it is possible to receive updated authentication policy information from the authentication policy management device and perform secondary authentication using the updated authentication policy information. As can be seen, the electronic device 900 according to the present disclosure can automatically update the secondary authentication policy under the control of the authentication policy management device, thereby simplifying the update flow.
According to an embodiment of the present disclosure, the authentication policy information includes one or more of the following: authentication protocol, key generation method and authentication parameters.
According to an embodiment of the present disclosure, as shown in fig. 9, the electronic device 900 may include an updating unit 930 for updating the authentication policy stored by the electronic device 900 according to the received updated authentication policy information. Specifically, in the case where the electronic device 900 is DN-AAA or SMF, the updating unit 930 may store the new authentication policy included in the updated authentication policy information locally together with the previous authentication policy. That is, various versions of authentication policies may be stored in DN-AAA or SMF. In case the electronic device 900 is a UE, the updating unit 930 may replace the old authentication policy with the new authentication policy. That is, only the latest version of the authentication policy, including the latest version of the authentication protocol, the latest version of the key generation method, and the latest version of the authentication parameter, is stored in the UE.
According to an embodiment of the present disclosure, as shown in fig. 9, the electronic device 900 may further include a generating unit 940 for generating an update notification indicating that the update is successful in case the authentication policy update is successful and generating an update notification indicating that the update is failed in case the authentication policy update is failed. Further, in the case where the electronic device 900 is an SMF, the generating unit 940 may also generate an update notification indicating that a new policy of the UE is not supported, generate an update notification indicating that the UE is unregistered or unreachable, and generate an update notification indicating that the update notification from the UE is not received within a predetermined time. Further, the electronic device 900 may transmit the update notification to the authentication policy management device through the communication unit 910.
According to embodiments of the present disclosure, the electronic device 900 may send the update notification using an EAP message that includes the identification information of the destination device.
According to embodiments of the present disclosure, the electronic device 900 may use a key derived from the key generated during the secondary authentication process to confidentiality protect and/or integrity protect the update notification.
According to an embodiment of the present disclosure, in case the electronic device 900 is an SMF, the electronic device 900 may receive updated authentication policy information for the user device generated by the authentication policy management device through the communication unit 910. Further, as shown in fig. 9, the electronic device 900 may further include a determining unit 950 for determining whether to forward the updated authentication policy information to the user device.
According to an embodiment of the present disclosure, the determining unit 950 may determine to forward the updated authentication policy information to the user device in case the electronic device 900 supports the updated authentication policy of the user device, i.e. in case the authentication policy configured by the electronic device 900 comprises the authentication policy in the updated authentication policy information for the user device.
According to an embodiment of the present disclosure, as shown in fig. 9, the electronic device 900 may further comprise a timing unit 960 for starting a timer after forwarding the updated authentication policy information to the user equipment. Further, in the case that an update notification indicating that the authentication policy update is successful is not received from the user equipment within a predetermined time, the electronic device 900 may forward the updated authentication policy information to the user equipment again. Alternatively, the electronic device 900 may also send an update notification indicating that the authentication policy update failed directly to the authentication policy management device.
As described above, according to embodiments of the present disclosure, DN-AAA, SMF, and UE may update an authentication policy under the control of an authentication policy management device.
According to an embodiment of the present disclosure, in case the electronic device 900 is a user device, in response to request information from the SMF in the course of the secondary authentication, the generating unit 940 may generate EAP response information including an authentication policy in which the user device is currently configured, so that the electronic device 900 may transmit the EAP response information to the SMF through the communication unit 910. Optionally, the EAP response information may further include identification information of the user equipment in the NPN.
As described above, in the course of the secondary authentication, the electronic device 900 may transmit its currently configured authentication policy to the SMF, so that the authentication policy management device may determine whether to update the authentication policy of the electronic device 900 according to the authentication policy currently configured by the electronic device 900.
<4. Method example>
Next, a wireless communication method performed by the electronic device 100 in the wireless communication system according to an embodiment of the present disclosure will be described in detail.
Fig. 10 is a flowchart illustrating a wireless communication method performed by the electronic device 100 in the wireless communication system according to an embodiment of the present disclosure.
As shown in fig. 10, in step S1010, updated authentication policy information for the network element in the NPN is generated, the authentication policy information including an authentication policy used when performing secondary authentication on the user equipment in the NPN.
Next, in step S1020, updated authentication policy information is sent to the network element in the NPN.
Preferably, the authentication policy information includes one or more of the following: authentication protocol, key generation method and authentication parameters.
Preferably, the wireless communication method further comprises: an update notification is received from a network element in the NPN indicating success or failure of an update of the authentication policy.
Preferably, transmitting the updated authentication policy information includes: sending the updated authentication policy information by using an extensible authentication protocol EAP message.
Preferably, transmitting the updated authentication policy information includes: confidentiality protecting the updated authentication policy information by using a key derived from the key generated in the secondary authentication process.
Preferably, the network elements in the NPN comprise the SMF, the user equipment and an authentication server AAA of the external data network DN.
Preferably, the wireless communication method further comprises: in the event that it is determined that the authentication policy with which the electronic device is configured is updated, updated authentication policy information is generated.
Preferably, the network element in the NPN comprises a user equipment, and the wireless communication method further comprises: determining whether the authentication policy of the user equipment needs to be updated according to the authentication policy currently configured by the user equipment.
Preferably, the wireless communication method further comprises: in the process of performing secondary authentication, acquiring the authentication policy currently configured by the user equipment; and determining that the authentication policy of the user equipment needs to be updated in the case that the authentication policy currently configured by the user equipment is not the latest version.
Preferably, the electronic device is located in an authentication server AAA of the external data network DN.
According to embodiments of the present disclosure, the subject performing the above-described method may be the electronic device 100 according to embodiments of the present disclosure, and thus all embodiments hereinbefore described with respect to the electronic device 100 apply here.
Next, a wireless communication method performed by the electronic device 900 in the wireless communication system according to an embodiment of the present disclosure will be described in detail.
Fig. 11 is a flowchart illustrating a wireless communication method performed by an electronic device 900 in a wireless communication system according to an embodiment of the disclosure.
As shown in fig. 11, in step S1110, updated authentication policy information for the electronic device 900 generated by the authentication policy management device is received, the authentication policy information including an authentication policy used when the user device in the NPN is secondarily authenticated.
Next, in step S1120, secondary authentication is performed according to the updated authentication policy information.
Preferably, the authentication policy information includes one or more of the following: authentication protocol, key generation method and authentication parameters.
Preferably, the wireless communication method further comprises: an update notification is sent indicating success or failure of the authentication policy update.
Preferably, sending the update notification includes: the update notification is sent using extensible authentication protocol EAP messages.
Preferably, sending the update notification includes: confidentiality protecting the update notification by using a key derived from the key generated in the secondary authentication process.
Preferably, the electronic device 900 is an SMF, a user equipment or an authentication server AAA of an external data network DN.
Preferably, in the case where the electronic device 900 is an SMF, the wireless communication method further includes: receiving updated authentication policy information for the user equipment generated by the authentication policy management device; and determining whether to forward the updated authentication policy information to the user equipment.
Preferably, determining whether to forward the updated authentication policy information to the user equipment comprises: in the case where the authentication policy configured by the electronic device 900 includes an authentication policy in the updated authentication policy information for the user device, the updated authentication policy information is forwarded to the user device.
Preferably, the wireless communication method further comprises: when the update notification indicating that the authentication policy update is successful is not received from the user equipment within a predetermined time, forwarding the updated authentication policy information to the user equipment again or sending an update notification indicating that the authentication policy update failed to the authentication policy management device.
Preferably, in the case where the electronic device 900 is a user device, the wireless communication method further includes: in response to the request information from the SMF, an authentication policy currently configured by the user equipment is sent to the SMF.
According to an embodiment of the present disclosure, the subject performing the above-described method may be the electronic device 900 according to an embodiment of the present disclosure, and thus all embodiments described hereinbefore with respect to the electronic device 900 are applicable thereto.
<5. Application example>
The techniques of the present disclosure can be applied to various products.
For example, electronic device 100, electronic device 900 as an SMF, electronic device 900 as a DN-AAA may be implemented as any type of server, such as a tower server, a rack server, and a blade server. The electronic device 100, the electronic device 900 as an SMF, the electronic device 900 as a DN-AAA may be a control module (such as an integrated circuit module including a single wafer, and a card or blade inserted into a slot of a blade server) installed on a server.
The electronic device 900 as a user device may be implemented as a mobile terminal (such as a smart phone, a tablet Personal Computer (PC), a notebook PC, a portable game terminal, a portable/dongle type mobile router, and a digital camera device) or a vehicle-mounted terminal (such as a car navigation device). User equipment may also be implemented as terminals performing machine-to-machine (M2M) communication (also referred to as Machine Type Communication (MTC) terminals). Further, the user devices may be wireless communication modules (such as integrated circuit modules comprising a single die) mounted on each of the user devices described above.
<Application example regarding server>
Fig. 12 is a block diagram illustrating an example of a server 1200 that may implement the electronic device 100, the electronic device 900 as an SMF, the electronic device 900 as a DN-AAA according to the present disclosure. The server 1200 includes a processor 1201, memory 1202, storage 1203, network interface 1204, and bus 1206.
The processor 1201 may be, for example, a Central Processing Unit (CPU) or a Digital Signal Processor (DSP), and controls the functions of the server 1200. The memory 1202 includes a Random Access Memory (RAM) and a Read Only Memory (ROM), and stores data and programs executed by the processor 1201. The storage 1203 may include a storage medium such as a semiconductor memory and a hard disk.
The network interface 1204 is a wired communication interface for connecting the server 1200 to the wired communication network 1205. The wired communication network 1205 may be a core network such as an Evolved Packet Core (EPC) or a Packet Data Network (PDN) such as the internet.
Bus 1206 connects processor 1201, memory 1202, storage 1203, and network interface 1204 to each other. Bus 1206 may include two or more buses (such as a high-speed bus and a low-speed bus) each having different speeds.
In the server 1200 shown in fig. 12, the generation unit 110 and the determination unit 130 described using fig. 1, and the authentication unit 920, the updating unit 930, the generating unit 940, the determining unit 950, and the timing unit 960 described using fig. 9, may be implemented by the processor 1201, and the communication unit 120 described using fig. 1 and the communication unit 910 described using fig. 9 may be implemented by the network interface 1204. For example, the processor 1201 may perform functions of generating updated authentication policy information, determining whether an authentication policy of the user equipment needs to be updated, performing secondary authentication, updating the authentication policy, generating an update notification, determining whether to forward the updated authentication policy to the user equipment, and performing timing by executing instructions stored in the memory 1202 or the storage 1203.
<Application example regarding terminal device>
(first application example)
Fig. 13 is a block diagram showing an example of a schematic configuration of a smart phone 1300 to which the technology of the present disclosure can be applied. The smartphone 1300 includes a processor 1301, a memory 1302, a storage device 1303, an external connection interface 1304, an imaging device 1306, a sensor 1307, a microphone 1308, an input device 1309, a display device 1310, a speaker 1311, a wireless communication interface 1312, one or more antenna switches 1315, one or more antennas 1316, a bus 1317, a battery 1318, and an auxiliary controller 1319.
Processor 1301 may be, for example, a CPU or a system on a chip (SoC) and controls the functions of the application layer and further layers of smartphone 1300. The memory 1302 includes RAM and ROM, and stores data and programs executed by the processor 1301. The storage device 1303 may include a storage medium such as a semiconductor memory and a hard disk. The external connection interface 1304 is an interface for connecting external devices such as a memory card and a Universal Serial Bus (USB) device to the smart phone 1300.
The image pickup device 1306 includes an image sensor such as a Charge Coupled Device (CCD) and a Complementary Metal Oxide Semiconductor (CMOS), and generates a captured image. The sensor 1307 may include a set of sensors such as a measurement sensor, a gyro sensor, a geomagnetic sensor, and an acceleration sensor. Microphone 1308 converts sound input to smart phone 1300 into an audio signal. The input device 1309 includes, for example, a touch sensor, a keypad, a keyboard, buttons, or switches configured to detect a touch on the screen of the display device 1310, and receives an operation or information input from a user. The display device 1310 includes a screen such as a Liquid Crystal Display (LCD) and an Organic Light Emitting Diode (OLED) display, and displays an output image of the smart phone 1300. The speaker 1311 converts audio signals output from the smart phone 1300 into sound.
The wireless communication interface 1312 supports any cellular communication scheme (such as LTE and LTE-advanced) and performs wireless communication. The wireless communication interface 1312 may generally include, for example, a BB processor 1313 and RF circuitry 1314. The BB processor 1313 can perform, for example, encoding/decoding, modulation/demodulation, and multiplexing/demultiplexing, and performs various types of signal processing for wireless communication. Meanwhile, the RF circuit 1314 may include, for example, a mixer, a filter, and an amplifier, and transmit and receive wireless signals via the antenna 1316. The wireless communication interface 1312 may be one chip module with the BB processor 1313 and RF circuitry 1314 integrated thereon. As shown in fig. 13, the wireless communication interface 1312 may include a plurality of BB processors 1313 and a plurality of RF circuits 1314. Although fig. 13 shows an example in which the wireless communication interface 1312 includes a plurality of BB processors 1313 and a plurality of RF circuits 1314, the wireless communication interface 1312 may also include a single BB processor 1313 or a single RF circuit 1314.
Further, the wireless communication interface 1312 may support additional types of wireless communication schemes, such as a short-range wireless communication scheme, a near-field communication scheme, and a wireless Local Area Network (LAN) scheme, in addition to a cellular communication scheme. In this case, the wireless communication interface 1312 may include a BB processor 1313 and RF circuitry 1314 for each wireless communication scheme.
Each of the antenna switches 1315 switches the connection destination of the antenna 1316 between a plurality of circuits included in the wireless communication interface 1312 (e.g., circuits for different wireless communication schemes).
Each of the antennas 1316 includes a single or multiple antenna elements (such as multiple antenna elements included in a MIMO antenna) and is used by the wireless communication interface 1312 to transmit and receive wireless signals. As shown in fig. 13, the smartphone 1300 may include a plurality of antennas 1316. Although fig. 13 shows an example in which the smartphone 1300 includes multiple antennas 1316, the smartphone 1300 may also include a single antenna 1316.
Further, the smartphone 1300 may include an antenna 1316 for each wireless communication scheme. In this case, the antenna switch 1315 may be omitted from the configuration of the smart phone 1300.
The bus 1317 connects the processor 1301, the memory 1302, the storage device 1303, the external connection interface 1304, the image pickup device 1306, the sensor 1307, the microphone 1308, the input device 1309, the display device 1310, the speaker 1311, the wireless communication interface 1312, and the auxiliary controller 1319 to each other. The battery 1318 provides power to the various blocks of the smartphone 1300 shown in fig. 13 via a feeder line, which is partially shown as a dashed line in the figure. The auxiliary controller 1319 operates the minimum necessary functions of the smartphone 1300, for example, in a sleep mode.
In the smartphone 1300 shown in fig. 13, the authentication unit 920, the updating unit 930, and the generating unit 940 described by using fig. 9 may be implemented by the processor 1301 or the auxiliary controller 1319. At least a portion of the functionality may also be implemented by the processor 1301 or the auxiliary controller 1319. For example, the processor 1301 or the auxiliary controller 1319 may perform the functions of performing secondary authentication, updating an authentication policy, and generating an update notification by executing instructions stored in the memory 1302 or the storage device 1303.
(second application example)
Fig. 14 is a block diagram showing an example of a schematic configuration of a car navigation device 1420 to which the technology of the present disclosure can be applied. The car navigation device 1420 includes a processor 1421, a memory 1422, a Global Positioning System (GPS) module 1424, a sensor 1425, a data interface 1426, a content player 1427, a storage medium interface 1428, an input device 1429, a display device 1430, a speaker 1431, a wireless communication interface 1433, one or more antenna switches 1436, one or more antennas 1437, and a battery 1438.
The processor 1421 may be, for example, a CPU or SoC, and controls the navigation functions and additional functions of the car navigation device 1420. The memory 1422 includes RAM and ROM, and stores data and programs executed by the processor 1421.
The GPS module 1424 uses GPS signals received from GPS satellites to measure the location (such as latitude, longitude, and altitude) of the car navigation device 1420. The sensor 1425 may include a set of sensors such as a gyro sensor, a geomagnetic sensor, and an air pressure sensor. The data interface 1426 is connected to, for example, the in-vehicle network 1441 via a terminal not shown, and acquires data generated by the vehicle (such as vehicle speed data).
The content player 1427 reproduces content stored in a storage medium (such as a CD and DVD) inserted into the storage medium interface 1428. The input device 1429 includes, for example, a touch sensor, a button, or a switch configured to detect a touch on a screen of the display device 1430, and receives an operation or information input from a user. The display device 1430 includes a screen such as an LCD or OLED display, and displays images of navigation functions or reproduced content. The speaker 1431 outputs sound of a navigation function or reproduced content.
The wireless communication interface 1433 supports any cellular communication scheme (such as LTE and LTE-advanced) and performs wireless communication. The wireless communication interface 1433 may generally include, for example, a BB processor 1434 and RF circuitry 1435. The BB processor 1434 may perform, for example, encoding/decoding, modulation/demodulation, and multiplexing/demultiplexing, and performs various types of signal processing for wireless communication. Meanwhile, the RF circuit 1435 may include, for example, a mixer, a filter, and an amplifier, and transmits and receives a wireless signal via the antenna 1437. The wireless communication interface 1433 may also be a chip module on which the BB processor 1434 and the RF circuitry 1435 are integrated. As shown in fig. 14, the wireless communication interface 1433 may include a plurality of BB processors 1434 and a plurality of RF circuits 1435. Although fig. 14 shows an example in which the wireless communication interface 1433 includes a plurality of BB processors 1434 and a plurality of RF circuits 1435, the wireless communication interface 1433 may include a single BB processor 1434 or a single RF circuit 1435.
Further, the wireless communication interface 1433 may support another type of wireless communication scheme, such as a short-range wireless communication scheme, a near field communication scheme, and a wireless LAN scheme, in addition to a cellular communication scheme. In this case, the wireless communication interface 1433 may include a BB processor 1434 and RF circuitry 1435 for each wireless communication scheme.
Each of the antenna switches 1436 switches the connection destination of the antenna 1437 between a plurality of circuits included in the wireless communication interface 1433 (such as circuits for different wireless communication schemes).
Each of the antennas 1437 includes a single or multiple antenna elements (such as multiple antenna elements included in a MIMO antenna) and is used by the wireless communication interface 1433 to transmit and receive wireless signals. As shown in fig. 14, the car navigation device 1420 may include a plurality of antennas 1437. Although fig. 14 shows an example in which the car navigation device 1420 includes a plurality of antennas 1437, the car navigation device 1420 may include a single antenna 1437.
Further, the car navigation device 1420 may include an antenna 1437 for each wireless communication scheme. In this case, the antenna switch 1436 may be omitted from the configuration of the car navigation device 1420.
The battery 1438 provides power to the various blocks of the car navigation device 1420 shown in fig. 14 via a feeder line, which is partially shown as a dashed line in the figure. The battery 1438 accumulates electric power supplied from the vehicle.
In the car navigation device 1420 shown in fig. 14, the authentication unit 920, the updating unit 930, and the generating unit 940 described by using fig. 9 may be implemented by the processor 1421. At least a portion of the functionality may also be implemented by the processor 1421. For example, the processor 1421 may perform the functions of performing secondary authentication, updating an authentication policy, and generating an update notification by executing instructions stored in the memory 1422.
The techniques of this disclosure may also be implemented as an in-vehicle system (or vehicle) 1440 including one or more of the car navigation device 1420, the in-vehicle network 1441, and the vehicle module 1442. The vehicle module 1442 generates vehicle data (such as vehicle speed, engine speed, and fault information) and outputs the generated data to the in-vehicle network 1441.
The preferred embodiments of the present disclosure have been described above with reference to the accompanying drawings, but the present disclosure is of course not limited to the above examples. Various changes and modifications may be made by those skilled in the art within the scope of the appended claims, and it is understood that such changes and modifications will naturally fall within the technical scope of the present disclosure.
For example, elements shown in a functional block diagram shown in the figures and indicated by dashed boxes each represent a functional element that is optional in the corresponding apparatus, and the individual optional functional elements may be combined in a suitable manner to achieve the desired functionality.
For example, a plurality of functions included in one unit in the above embodiments may be implemented by separate devices. Alternatively, the functions realized by the plurality of units in the above embodiments may be realized by separate devices, respectively. In addition, one of the above functions may be implemented by a plurality of units. Needless to say, such a configuration is included in the technical scope of the present disclosure.
In this specification, the steps described in the flowcharts include not only processes performed in time series in the order described, but also processes performed in parallel or individually, not necessarily in time series. Further, even in the steps of time-series processing, needless to say, the order may be appropriately changed.
Further, the present disclosure may have a configuration as described below.
1. An electronic device in a non-public network NPN, comprising processing circuitry configured to:
generate updated authentication policy information for a network element in the NPN, the authentication policy information comprising an authentication policy used when secondarily authenticating a user equipment in the NPN; and
send the updated authentication policy information to a network element in the NPN.
2. The electronic device of claim 1, wherein the authentication policy information includes one or more of: authentication protocol, key generation method and authentication parameters.
3. The electronic device of claim 1, wherein the processing circuit is further configured to:
receive, from a network element in the NPN, an update notification indicating success or failure of an authentication policy update.
4. The electronic device of claim 1, wherein the processing circuit is further configured to:
send the updated authentication policy information by using an Extensible Authentication Protocol (EAP) message.
5. The electronic device of claim 1, wherein the processing circuit is further configured to:
protect the confidentiality of the updated authentication policy information by using a key derived from the key generated in the secondary authentication process.
6. The electronic device according to claim 1, wherein the network elements in the NPN comprise a session management function, SMF, a user equipment and an authentication server, AAA, of an external data network, DN.
7. The electronic device of claim 6, wherein the processing circuit is further configured to:
generate updated authentication policy information in the case that the authentication policy configured by the electronic device is updated.
8. The electronic device of claim 1, wherein the network element in the NPN comprises a user device, and
wherein the processing circuit is further configured to: determine whether the authentication policy of the user equipment needs to be updated according to the authentication policy currently configured by the user equipment.
9. The electronic device of claim 8, wherein the processing circuit is further configured to:
acquire an authentication policy currently configured by the user equipment in the process of carrying out the secondary authentication; and
determine that the authentication policy of the user equipment needs to be updated in the case that the authentication policy currently configured by the user equipment is not the latest version.
10. The electronic device according to claim 1, wherein the electronic device is located in an authentication server AAA of an external data network DN.
11. An electronic device in a non-public network NPN, comprising processing circuitry configured to:
receive updated authentication policy information for the electronic device generated by an authentication policy management device, the authentication policy information comprising an authentication policy used when secondarily authenticating a user device in the NPN; and
perform the secondary authentication according to the updated authentication policy information.
12. The electronic device of claim 11, wherein the authentication policy information includes one or more of: authentication protocol, key generation method and authentication parameters.
13. The electronic device of claim 11, wherein the processing circuit is further configured to:
send an update notification indicating success or failure of the authentication policy update.
14. The electronic device of claim 13, wherein the processing circuit is further configured to:
send the update notification by using an Extensible Authentication Protocol (EAP) message.
15. The electronic device of claim 13, wherein the processing circuit is further configured to:
protect the confidentiality of the update notification by using a key derived from the key generated in the secondary authentication process.
16. The electronic device of claim 11, wherein the electronic device is a session management function SMF, the user device, or an authentication server AAA of an external data network DN.
17. The electronic device of claim 16, wherein, in the case where the electronic device is an SMF, the processing circuit is further configured to:
receive updated authentication policy information for the user device generated by an authentication policy management device; and
determine whether to forward the updated authentication policy information to the user equipment.
18. The electronic device of claim 17, wherein the processing circuit is further configured to:
forward the updated authentication policy information to the user equipment in the case that the authentication policy configured by the electronic device comprises the authentication policy in the updated authentication policy information for the user equipment.
19. The electronic device of claim 18, wherein the processing circuit is further configured to:
if the update notification indicating that the authentication policy update is successful is not received from the user equipment within a preset time, retransmit the updated authentication policy information to the user equipment or transmit the update notification indicating that the authentication policy update has failed to the authentication policy management device.
20. The electronic device of claim 16, wherein, in the case where the electronic device is the user device, the processing circuitry is further configured to:
send an authentication policy currently configured by the user equipment to the SMF in response to request information from the SMF.
21. A method of wireless communication performed by an electronic device in a non-public network NPN, comprising:
generating updated authentication policy information for a network element in the NPN, the authentication policy information comprising an authentication policy used when secondarily authenticating a user equipment in the NPN; and
sending the updated authentication policy information to a network element in the NPN.
22. The wireless communication method of claim 21, wherein the authentication policy information includes one or more of: authentication protocol, key generation method and authentication parameters.
23. The wireless communication method of claim 21, wherein the wireless communication method further comprises:
receiving, from a network element in the NPN, an update notification indicating success or failure of an authentication policy update.
24. The wireless communication method of claim 21, wherein transmitting the updated authentication policy information comprises:
sending the updated authentication policy information by using an Extensible Authentication Protocol (EAP) message.
25. The wireless communication method of claim 21, wherein transmitting the updated authentication policy information comprises:
protecting the confidentiality of the updated authentication policy information by using a key derived from the key generated in the secondary authentication process.
26. The wireless communication method according to claim 21, wherein the network elements in the NPN comprise a session management function SMF, a user equipment and an authentication server AAA of an external data network DN.
27. The wireless communication method of claim 26, wherein the wireless communication method further comprises:
generating updated authentication policy information in the case that the authentication policy configured by the electronic device is updated.
28. The wireless communication method of claim 21, wherein the network element in the NPN comprises a user equipment, and
wherein the wireless communication method further comprises: determining whether the authentication policy of the user equipment needs to be updated according to the authentication policy currently configured by the user equipment.
29. The wireless communication method of claim 28, wherein the wireless communication method further comprises:
acquiring an authentication policy currently configured by the user equipment in the process of carrying out the secondary authentication; and
determining that the authentication policy of the user equipment needs to be updated in the case that the authentication policy currently configured by the user equipment is not the latest version.
30. The wireless communication method of claim 21, wherein the electronic device is located in an authentication server AAA of an external data network DN.
31. A method of wireless communication performed by an electronic device in a non-public network NPN, comprising:
receiving updated authentication policy information for the electronic device generated by an authentication policy management device, the authentication policy information comprising an authentication policy used when secondarily authenticating a user device in the NPN; and
performing the secondary authentication according to the updated authentication policy information.
32. The wireless communication method of claim 31, wherein the authentication policy information comprises one or more of: authentication protocol, key generation method and authentication parameters.
33. The wireless communication method of claim 31, wherein the wireless communication method further comprises:
sending an update notification indicating success or failure of the authentication policy update.
34. The wireless communication method of claim 33, wherein transmitting the update notification comprises:
sending the update notification by using an Extensible Authentication Protocol (EAP) message.
35. The wireless communication method of claim 33, wherein transmitting the update notification comprises:
protecting the confidentiality of the update notification by using a key derived from the key generated in the secondary authentication process.
36. The wireless communication method according to claim 31, wherein the electronic device is a session management function SMF, the user equipment, or an authentication server AAA of an external data network DN.
37. The wireless communication method of claim 36, wherein, in the case where the electronic device is an SMF, the wireless communication method further comprises:
receiving updated authentication policy information for the user device generated by an authentication policy management device; and
determining whether to forward the updated authentication policy information to the user equipment.
38. The wireless communication method of claim 37, wherein determining whether to forward the updated authentication policy information to the user device comprises:
forwarding the updated authentication policy information to the user equipment in the case that the authentication policy configured by the electronic device comprises the authentication policy in the updated authentication policy information for the user equipment.
39. The wireless communication method of claim 38, wherein the wireless communication method further comprises:
if the update notification indicating that the authentication policy update is successful is not received from the user equipment within a preset time, retransmitting the updated authentication policy information to the user equipment or transmitting the update notification indicating that the authentication policy update has failed to the authentication policy management device.
40. The wireless communication method of claim 36, wherein, in the case where the electronic device is the user device, the wireless communication method further comprises:
sending an authentication policy currently configured by the user equipment to the SMF in response to request information from the SMF.
41. A computer-readable storage medium comprising executable computer instructions which, when executed by a computer, cause the computer to perform the wireless communication method of any one of claims 21-40.
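The update flow of configurations 8-9 and 17-20 above can be traced in a small simulation; this is an added example, not code from the patent. It assumes that policies carry a version number, that the SMF's configured policies are a set of (protocol, key generation method) pairs, that a missed "preset time" is modeled as no reply, and that the SMF retransmits a bounded number of times before reporting failure; all class, function and policy names are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    UP_TO_DATE = "no update needed"
    NOT_FORWARDED = "SMF did not forward"    # label added for this example
    SUCCESS = "update notification: success"
    FAILURE = "update notification: failure"


@dataclass(frozen=True)
class AuthPolicy:
    version: int             # assumed: policies carry a comparable version
    protocol: str            # authentication protocol
    key_generation: str      # key generation method
    parameters: tuple = ()   # authentication parameters


def needs_update(ue_policy, latest):
    """Configurations 8-9: update the UE if its policy is not the latest version."""
    return ue_policy is None or ue_policy.version != latest.version


class UserEquipment:
    def __init__(self, policy, drop_first=0):
        self.policy = policy
        self._drop = drop_first   # constructed fault: deliveries left unanswered

    def report_policy(self):
        """Configuration 20: return the currently configured policy on request."""
        return self.policy

    def receive_update(self, policy):
        if self._drop > 0:
            self._drop -= 1
            return None           # models "no notification within the preset time"
        self.policy = policy
        return Outcome.SUCCESS


class SMF:
    def __init__(self, configured, max_attempts=3):
        self.configured = set(configured)   # (protocol, key_generation) pairs
        self.max_attempts = max_attempts    # assumed retry bound
        self.attempts = 0

    def should_forward(self, policy):
        """Configuration 18: forward only a policy the SMF is itself configured with."""
        return (policy.protocol, policy.key_generation) in self.configured

    def deliver(self, ue, policy):
        if not self.should_forward(policy):
            return Outcome.NOT_FORWARDED
        # Configuration 19: retransmit on silence, then report failure upstream.
        for _ in range(self.max_attempts):
            self.attempts += 1
            if ue.receive_update(policy) == Outcome.SUCCESS:
                return Outcome.SUCCESS
        return Outcome.FAILURE


def run_update(latest, smf, ue):
    """Policy-management side: compare versions, then push through the SMF."""
    # The patent obtains the UE policy during secondary authentication;
    # a direct call stands in for that exchange here.
    current = ue.report_policy()
    if not needs_update(current, latest):
        return Outcome.UP_TO_DATE
    return smf.deliver(ue, latest)


# Constructed sample policies; the method names are placeholders.
OLD = AuthPolicy(1, "EAP-method-A", "kdf-A")
NEW = AuthPolicy(2, "EAP-method-B", "kdf-B")

if __name__ == "__main__":
    ue = UserEquipment(OLD, drop_first=1)
    smf = SMF({("EAP-method-B", "kdf-B")})
    print(run_update(NEW, smf, ue), smf.attempts, ue.policy.version)
```

The failure branch is the one to watch operationally: a UE that never acknowledges keeps its old policy, so the policy-management side needs the failure notification to know that secondary authentication for that UE is still running under the previous policy.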
Although the embodiments of the present disclosure have been described in detail above with reference to the accompanying drawings, it should be understood that the above-described embodiments are merely illustrative of the present disclosure and not limiting thereof. Various modifications and alterations to the above described embodiments may be made by those skilled in the art without departing from the spirit and scope of the disclosure. The scope of the disclosure is, therefore, indicated only by the appended claims and their equivalents.
Claims (10)
Priority Applications (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210726111.5A CN117320009A (en) | 2022-06-24 | 2022-06-24 | Electronic devices, wireless communication methods and computer-readable storage media |
| CN202380038016.9A CN119156846A (en) | 2022-06-24 | 2023-06-16 | Electronic device, wireless communication method, and computer-readable storage medium |
| PCT/CN2023/100630 WO2023246629A1 (en) | 2022-06-24 | 2023-06-16 | Electronic device, wireless communication method, and computer-readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210726111.5A CN117320009A (en) | 2022-06-24 | 2022-06-24 | Electronic devices, wireless communication methods and computer-readable storage media |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117320009A true CN117320009A (en) | 2023-12-29 |
Family
ID=89241371
Family Applications (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210726111.5A Pending CN117320009A (en) | 2022-06-24 | 2022-06-24 | Electronic devices, wireless communication methods and computer-readable storage media |
| CN202380038016.9A Pending CN119156846A (en) | 2022-06-24 | 2023-06-16 | Electronic device, wireless communication method, and computer-readable storage medium |
Family Applications After (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202380038016.9A Pending CN119156846A (en) | 2022-06-24 | 2023-06-16 | Electronic device, wireless communication method, and computer-readable storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (2) | CN117320009A (en) |
| WO (1) | WO2023246629A1 (en) |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP4133799A1 (en) * | 2020-04-07 | 2023-02-15 | Lenovo (Singapore) Pte. Ltd. | Configuration for a specific network slice |
| CN114600485B (en) * | 2020-08-13 | 2023-10-10 | 华为技术有限公司 | Configuration method and device of contract data |
-
2022
- 2022-06-24 CN CN202210726111.5A patent/CN117320009A/en active Pending
-
2023
- 2023-06-16 WO PCT/CN2023/100630 patent/WO2023246629A1/en not_active Ceased
- 2023-06-16 CN CN202380038016.9A patent/CN119156846A/en active Pending
Also Published As
| Publication number | Publication date |
|---|---|
| WO2023246629A1 (en) | 2023-12-28 |
| CN119156846A (en) | 2024-12-17 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | PB01 | Publication | |
| | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20231229 |