WO2025065973A1 - Method and apparatus for communication - Google Patents
- Publication number
- WO2025065973A1 (PCT/CN2024/071620)
- Authority
- WO
- WIPO (PCT)
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
Definitions
- Embodiments of the present invention relate to the field of communications technologies, and more specifically, to a method and an apparatus for communication.
- Security procedures between a device (e.g., a UE) and network functions cover services such as authentication, key management and authorization. Because these services may be implemented by different network functions, it may be difficult to effectively protect privacy during the implementation of these services.
- Embodiments of this application provide a communication method and related apparatus, which can decouple authentication functionality and authorization functionality and can effectively protect privacy during an authorization procedure.
- an embodiment of the present application provides a method for communication, and the method may be performed by a service provision management (SPM) network function (NF) or a chip installed in the first SPM NF.
- the method includes: receiving a first message from a second SPM NF, where the first message is used to request first information of a service, the first message includes a first identifier (ID) of a device, the first information of the service is associated with a second ID of the device, the first information of the service is used for granting the device a permission to access the service, the first ID of the device is used in a communication between the device and a serving network, and the second ID of the device is associated with the service; determining an ID of a communication associated with an authentication and/or authorization procedure of the service for the device based on the first message, where the ID of the communication is associated with the first ID of the device and is used to identify the device by at least one network function associated with the authentication and/or authorization procedure; and transmitting a second message to the second
- authentication functionality and authorization functionality could be decoupled. It could provide anonymous authorization and protect the device's ID privacy and service privacy.
- the method further includes: transmitting a third message to a third SPM NF, where the third message is used to obtain the second ID of the device, and the third message includes the ID of the communication and the first ID of the device; and receiving a fourth message from the third SPM NF, where the fourth message includes the second ID of the device, the second ID of the device is determined based on the first ID of the device.
- authorization functionality and identity management functionality could be decoupled. It could support anonymous communications.
- the method further includes: determining the first information of the service based on the second ID of the device.
- the method further includes: receiving a first request for a credential of the service for the device from a fourth SPM NF, where the first request includes the ID of the communication, and the first request further includes an ID of the service or an ID of a service provider that provides the service; and transmitting a fifth message to the fourth SPM NF, where the fifth message includes the credential of the service for the device.
- the method further includes: receiving a second request from the second SPM NF, where the second request includes the second ID of the device and the first information of the service; and generating and storing a credential of the service for the device, where the credential of the service for the device is associated with the second ID of the device and the first information of the service.
- the method further includes: transmitting a sixth message to the second SPM NF, where the sixth message indicates a generation of the credential of the service for the device.
- an embodiment of the present application provides a method for communication, and the method may be performed by a second SPM NF or a chip installed in the second SPM NF.
- the method includes: transmitting a first message to a first SPM NF and receiving a second message from the first SPM NF.
- the first message includes a first ID of the device.
- the first message is used to request first information of a service for a device.
- the first information of the service is associated with a second ID of the device, and the first information of the service is used for granting the device a permission to access the service.
- the first ID of the device is used in a communication between the device and a serving network, and the second ID of the device is associated with the service.
- the second message includes the first information of the service and an ID of a communication associated with an authentication and/or authorization procedure of the service for the device.
- the ID of the communication is associated with the first ID of the device and is used to identify the device by at least one network function associated with the authentication and/or authorization procedure.
- the method further includes: transmitting a seventh message to a fourth SPM NF, where the seventh message is used to request an authentication of the service for the device, the seventh message includes the ID of the communication, and the seventh message further includes an ID of the service or an ID of a network function that provides the service; and receiving an eighth message from the fourth SPM NF, where the eighth message includes an indication of a result of the authentication of the service for the device.
- the method further includes: transmitting a ninth message to a fifth SPM NF, where the ninth message is used to request keys used for protection of a communication associated with the service; and receiving a tenth message from the fifth SPM NF, where the tenth message includes information of the keys.
- the method further includes: transmitting a second request to the first SPM NF, where the second request includes the second ID of the device and the first information of the service, the second request indicates a storage of a credential of the service for the device, and the credential of the service for the device is associated with the second ID of the device and the first information of the service.
- the method further includes: receiving a sixth message from the first SPM NF, where the sixth message indicates a generation of the credential of the service for the device.
- an embodiment of the present application provides a method for communication, and the method may be performed by a third SPM NF or a chip installed in the third SPM NF.
- the method includes: receiving a third message from a first SPM NF, where the third message includes a first ID of a device and an ID of a communication associated with an authentication and/or authorization procedure of a service for the device, the ID of the communication is associated with the first ID of the device and is used to identify the device by at least one network function associated with the authentication and/or authorization procedure, the third message is used to obtain a second ID of the device, and the second ID is associated with first information of the service, the first information of the service is used for granting the device a permission to access the service; and transmitting a fourth message to the first SPM NF, where the fourth message includes the second ID of the device.
- the method further includes: receiving a third request for a credential of the device from a fourth SPM NF, where the third request includes the ID of the communication; and transmitting an eleventh message to the fourth SPM NF, where the eleventh message includes the credential of the device.
- the method further includes: receiving a fourth request (Referring to step 5 in embodiment 2) for a third ID of the device from the fourth SPM NF, where the fourth request includes a fourth ID of the device or the ID of the communication, and the fourth ID of the device is used for a mutual authentication between the device and the fourth SPM NF; generating the third ID of the device according to the fourth request; and transmitting a twelfth message to the fourth SPM NF, where the twelfth message includes the third ID of the device.
- an embodiment of the present application provides a method for communication, and the method may be performed by a fourth SPM NF or a chip installed in the fourth SPM NF.
- the method includes: transmitting a first request to a first SPM NF, where the first request is used to request a credential of a service for a device, the first request includes an ID of a communication associated with an authentication and/or authorization procedure of the service for the device, the ID of the communication is associated with a first ID of the device and is used to identify the device by at least one network function associated with the authentication and/or authorization procedure, and the credential of the service for the device is used for an authentication of the service for the device; and receiving a fifth message from the first SPM NF, where the fifth message includes the credential of the service for the device.
- the method further includes: transmitting a third request for a credential of the device to a third SPM NF, where the third request includes the ID of the communication; and receiving an eleventh message from the third SPM NF, where the eleventh message includes the credential of the device.
- the method further includes: receiving a seventh message from a second SPM NF, where the seventh message is used to request an authentication of the service for the device, the seventh message includes the ID of the communication, and the seventh message further includes an ID of the service or an ID of a network function that provides the service; and transmitting an eighth message to the second SPM NF, where the eighth message includes an indication of a result of the authentication of the service for the device.
- the method further includes: transmitting a fourth request for a third ID of the device to a third SPM NF, where the fourth request includes a fourth ID of the device or the ID of the communication, and the fourth ID of the device is used for a mutual authentication between the device and the fourth SPM NF; and receiving a twelfth message from the third SPM NF, where the twelfth message includes the third ID of the device.
- an embodiment of the present application provides a method for communication, and the method may be performed by a fifth SPM NF or a chip installed in the fifth SPM NF.
- the method includes: receiving a ninth message from a second SPM NF; and transmitting a tenth message to the second SPM NF.
- the ninth message is used to request keys used for protection of a communication associated with a service, and the tenth message includes information of the keys.
- an embodiment of the present application provides a method for communication, and the method may be performed by a communication system or a chip installed in the communication system.
- the communication system includes a first SPM NF and a second SPM NF.
- the method includes: the second SPM NF transmitting a first message to the first SPM NF, wherein the first message is used to request first information of a service, the first message comprises a first ID of a device, the first information of the service is associated with a second ID of the device, the first information of the service is used for granting the device a permission to access the service, the first ID of the device is used in a communication between the device and a serving network, and the second ID of the device is associated with the service; the first SPM NF determining an ID of a communication associated with an authentication and/or authorization procedure of the service for the device based on the first message, wherein the ID of the communication is associated with the first ID of the device and is used to identify the device by at least one network function associated with the authentication
- the method further includes: the second SPM NF transmitting a second request to the first SPM NF, wherein the second request comprises the second ID of the device and the first information of the service; and the first SPM NF generating and storing a credential of the service for the device, wherein the credential of the service for the device is associated with the second ID of the device and the first information of the service.
- the method further includes: the first SPM NF transmitting a sixth message to the second SPM NF, wherein the sixth message indicates a generation of the credential of the service for the device.
- the communication system further comprises a third SPM NF.
- the method further includes: the first SPM NF transmitting a third message to the third SPM NF, wherein the third message is used to obtain the second ID of the device, and the third message comprises the ID of the communication and the first ID of the device; and the third SPM NF transmitting a fourth message to the first SPM NF, wherein the fourth message comprises the second ID of the device, the second ID of the device is determined based on the first ID of the device.
- the communication system further comprises a fourth SPM NF.
- the method further includes: the second SPM NF transmitting a seventh message to the fourth SPM NF, wherein the seventh message is used to request an authentication of the service for the device, the seventh message comprises the ID of the communication, and the seventh message further comprises an ID of the service or an ID of a network function that provides the service; and the fourth SPM NF transmitting an eighth message to the second SPM NF, wherein the eighth message comprises an indication of a result of the authentication of the service for the device.
- the method further includes: the fourth SPM NF transmitting a first request for a credential of the service for the device to the first SPM NF, wherein the first request comprises the ID of the communication, and the first request further comprises an ID of the service or an ID of a service provider that provides the service; and the first SPM NF transmitting a fifth message to the fourth SPM NF, wherein the fifth message comprises the credential of the service for the device.
- the method further includes: the fourth SPM NF transmitting a third request for a credential of the device to the third SPM NF, wherein the third request comprises the ID of the communication; and the third SPM NF transmitting an eleventh message to the fourth SPM NF wherein the eleventh message comprises the credential of the device.
- the method further includes: the fourth SPM NF transmitting a fourth request for a third ID of the device to the third SPM NF, wherein the fourth request comprises a fourth ID of the device or the ID of the communication, and the fourth ID of the device is used for a mutual authentication between the device and the fourth SPM NF; and the third SPM NF transmitting a twelfth message to the fourth SPM NF, wherein the twelfth message comprises the third ID of the device.
- the communication system further comprises a fifth SPM NF.
- the method further includes: the third SPM NF transmitting a ninth message to the fifth SPM NF, wherein the ninth message is used to request keys used for protection of a communication associated with the service; and the fifth SPM NF transmitting a tenth message to the third SPM NF, wherein the tenth message comprises information of the keys.
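The system aspect above (first through tenth messages, first and second requests) modelled end to end, as an added example that is not code from the patent. It shows the property the claims rely on: the ID of the communication is the only device handle that reaches the authentication NF (fourth SPM NF), while the first ID stays with the first and third SPM NFs and the second ID with the first SPM NF's credential store. Everything not stated in the claims is an assumption: the message dicts, the random 128-bit ID of the communication, the HMAC-SHA256 credential, the challenge-response the fourth SPM NF runs against the device, the random keys returned by the fifth SPM NF, and the sample identifiers.

```python
"""Toy model of the SPM message flow.  Added illustration, not the patent's
code: message formats, the random comm ID, the HMAC credential and the
challenge-response are assumptions made here for the example."""
import hashlib
import hmac
import secrets


class ThirdSpmNf:
    """Identity management: holds the first-ID -> second-ID mapping."""
    def __init__(self, id_map):
        self.id_map = id_map                       # constructed sample table

    def on_third_message(self, comm_id, first_id):
        # fourth message: the second ID, determined from the first ID
        return {"comm_id": comm_id, "second_id": self.id_map[first_id]}


class FirstSpmNf:
    """Authorization and credential store; the only NF that sees both IDs."""
    def __init__(self, third, service_info):
        self.third = third
        self.service_info = service_info           # second_id -> info (constructed)
        self.master_key = secrets.token_bytes(32)  # assumption: local HMAC key
        self.comm_to_second = {}                   # comm_id -> second_id
        self.credentials = {}                      # (second_id, service_id) -> cred

    def on_second_request(self, second_id, info):
        # generate and store a credential bound to (second ID, service info)
        material = f"{second_id}|{info['service_id']}".encode()
        cred = hmac.new(self.master_key, material, hashlib.sha256).digest()
        self.credentials[(second_id, info["service_id"])] = cred
        return {"credential_generated": True}      # sixth message

    def on_first_message(self, first_id):
        comm_id = secrets.token_hex(16)            # assumption: random, unlinkable
        fourth = self.third.on_third_message(comm_id, first_id)  # third message
        self.comm_to_second[comm_id] = fourth["second_id"]
        # second message carries the service info and comm ID, no device IDs
        return {"comm_id": comm_id,
                "service_info": self.service_info[fourth["second_id"]]}

    def on_first_request(self, comm_id, service_id):
        second_id = self.comm_to_second[comm_id]   # resolved locally, never sent
        return {"credential": self.credentials[(second_id, service_id)]}  # fifth


class FourthSpmNf:
    """Authentication; it never learns the first or the second ID."""
    def __init__(self, first):
        self.first = first
        self.seen = []                             # every message received here

    def on_seventh_message(self, msg, prove):
        self.seen.append(msg)
        fifth = self.first.on_first_request(msg["comm_id"], msg["service_id"])
        self.seen.append(fifth)
        nonce = secrets.token_bytes(16)            # assumption: challenge-response
        expected = hmac.new(fifth["credential"], nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, prove(nonce))
        return {"comm_id": msg["comm_id"], "authenticated": ok}  # eighth message


class FifthSpmNf:
    """Key management: answers the ninth message with keys for the service."""
    def on_ninth_message(self, comm_id):
        # tenth message; assumption: fresh random 256-bit keys per communication
        return {"comm_id": comm_id,
                "keys": {"enc": secrets.token_hex(32), "int": secrets.token_hex(32)}}


def run_flow(device_cred_ok=True):
    """Second SPM NF orchestration for one device; returns what each NF saw."""
    # constructed sample data: serving-network ID, service-side ID, entitlement
    first_id, second_id, service_id = "SN-7f3a9c", "SVC-USER-4411", "ai-inference"
    info = {"service_id": service_id, "granted": True, "tier": "standard"}
    third, fifth = ThirdSpmNf({first_id: second_id}), FifthSpmNf()
    first = FirstSpmNf(third, {second_id: info})
    fourth = FourthSpmNf(first)

    sixth = first.on_second_request(second_id, info)   # credential provisioning
    second = first.on_first_message(first_id)          # authorization lookup
    comm_id = second["comm_id"]
    # assumption: the device was provisioned with the same credential out of band
    held = first.credentials[(second_id, service_id)]
    if not device_cred_ok:
        held = secrets.token_bytes(32)                 # impostor without the credential
    prove = lambda nonce: hmac.new(held, nonce, hashlib.sha256).digest()
    eighth = fourth.on_seventh_message({"comm_id": comm_id, "service_id": service_id}, prove)
    tenth = fifth.on_ninth_message(comm_id)            # key request
    return {"sixth": sixth, "second": second, "eighth": eighth, "tenth": tenth,
            "fourth_nf_saw": fourth.seen, "first_id": first_id, "second_id": second_id}


def ids_leaked_to_fourth_nf(result):
    """True if either device ID appears anywhere in the fourth NF's inbox."""
    blob = repr(result["fourth_nf_saw"])
    return result["first_id"] in blob or result["second_id"] in blob
```

`ids_leaked_to_fourth_nf(run_flow())` returns False: the only handle the fourth SPM NF ever holds is the random comm ID, which the first SPM NF resolves to the second ID internally when serving the first request. The model also makes the decoupling visible in the failure case: an impostor that lacks the credential is refused by the fourth SPM NF even though the authorization step (second message) succeeded independently.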
- an embodiment of the present application provides a method for communication, and the method may be performed by a network function or a chip installed in the network function.
- a second SPM NF and a third SPM NF are integrated into this network function.
- the method includes: transmitting a first message, wherein the first message comprises a first ID of the device, the first message is used to request first information of a service for a device, the first information of the service is associated with a second ID of the device, the first information of the service is used for granting the device a permission to access the service, the first ID of the device is used in a communication between the device and a serving network, and the second ID of the device is associated with the service; receiving a third message, wherein the third message is used to obtain the second ID of the device, and the third message comprises the ID of the communication and the first ID of the device; transmitting a fourth message, wherein the fourth message comprises the second ID of the device, the second ID of the device is determined based on the first ID of the device; and receiving a second message, wherein the second message comprises the first information of the service and the ID of the communication.
- the method further includes: transmitting a seventh message, wherein the seventh message is used to request an authentication of the service for the device, the seventh message comprises the ID of the communication, and the seventh message further comprises an ID of the service or an ID of a network function that provides the service; and receiving an eighth message, wherein the eighth message comprises an indication of a result of the authentication of the service for the device.
- the method further includes: transmitting a ninth message, wherein the ninth message is used to request keys used for protection of a communication associated with the service; and receiving a tenth message, wherein the tenth message comprises information of the keys.
- the method further includes: transmitting a second request, wherein the second request comprises the second ID of the device and the first information of the service, the second request indicates a storage of a credential of the service for the device, and the credential of the service for the device is associated with the second ID of the device and the first information of the service.
- the method further includes: receiving a sixth message, wherein the sixth message indicates a generation of the credential of the service for the device.
- the method further includes: receiving a third request for a credential of the device, wherein the third request comprises the ID of the communication; and transmitting an eleventh message, wherein the eleventh message comprises the credential of the device.
- the method further includes: receiving a fourth request for a third ID of the device wherein the fourth request comprises a fourth ID of the device or the ID of the communication, and the fourth ID of the device is used for a mutual authentication between the device and a serving network; generating the third ID of the device according to the fourth request; and transmitting a twelfth message, wherein the twelfth message comprises the third ID of the device.
- a communication apparatus having a function or module to perform the method in any one of the first aspect to the seventh aspect, or any one of the implementations in these aspects.
- a chip (or a chip system) .
- the chip includes at least one processor, the at least one processor is coupled to at least one memory.
- the at least one memory is configured to store one or more instructions and/or executable computer code.
- the at least one processor is configured to invoke the one or more instructions and/or executable computer code, so that a communication apparatus in which the chip is installed performs the method in any one of the first aspect to the seventh aspect, or any possible implementation in these aspects.
- the chip may further include the at least one memory.
- the chip may further include a communication interface, and the communication interface is configured to input and/or output information or data.
- the communication apparatus includes one or more circuits and one or more communication interfaces.
- the one or more communication interfaces may include a first interface for receiving (that is, inputting) information and/or data that is to be processed by the one or more circuits and a second interface for transmitting (that is, outputting) information and/or data processed by the one or more circuits.
- the one or more circuits are configured to process the information and/or data that is to be processed so that the communication apparatus performs the method in any one of the first aspect to the seventh aspect, or any one of the implementations in these aspects.
- the communication system may include the communication apparatus according to the eighth aspect or the tenth aspect.
- the communication system may include the one or more of: the first SPM NF, the second SPM NF, the third SPM NF, the fourth SPM NF or the fifth SPM NF.
- the communication system may further include a device.
- a computer storage medium that stores executable computer code, and the executable computer code is used to execute one or more instructions for the method in any one of the first aspect to the seventh aspect, or any one of the implementations in these aspects.
- a computer program product including one or more instructions, and when the computer program product runs on a computer, the computer performs the method in any one of the first aspect to the seventh aspect, or any one of the implementations in these aspects.
- FIG. 1 is a schematic illustration of a communication system.
- FIG. 2 illustrates an example communication system
- FIG. 3 illustrates another example of an ED and a base station.
- FIG. 4 illustrates units or modules in a device.
- FIG. 5 illustrates 6G System conceptual structure.
- FIG. 6 is a network scenario according to some embodiments of the present application.
- FIG. 7 is an architecture of SPM according to some embodiments of the present application.
- FIG. 8 is another architecture of SPM according to some embodiments of the present application.
- FIG. 9 is another architecture of SPM according to some embodiments of the present application.
- FIG. 10 is a schematic flowchart of a method for communication according to some embodiments of the present application.
- FIG. 11 is a schematic flowchart of a method for communication according to some embodiments of the present application.
- FIG. 12 is a schematic flowchart of a method for communication according to some embodiments of the present application.
- FIG. 13 is a schematic flowchart of a method for communication according to some embodiments of the present application.
- FIG. 14 is a schematic flowchart of a method for communication according to some embodiments of the present application.
- FIG. 15 is a schematic flowchart of a method for communication according to some embodiments of the present application.
- FIG. 16 is a schematic block diagram of a communication apparatus 10 according to an embodiment of the present application.
- FIG. 17 is a schematic block diagram of a communication apparatus 10 according to an embodiment of the present application.
- the present disclosure relates generally to wireless communications.
- 6G/future wireless networks are driven by: a new network infrastructure capability (e.g., cloud-native/cloud-friendly infrastructures that are broadly deployed); new or relatively mature techniques (e.g., artificial intelligence (AI) large-scale models, data de-privacy, blockchain, etc.) that have made significant progress and significantly impact the entire society and human life; new applications and services (e.g., AI services, data or sensing services, digital world services, etc.) that are broadly applied in industry/business and used by individual customers; and a more global/open/collaborative operation trend (i.e., a more open and more collaborative operation mode is becoming common practice in many fields).
- Requirements to 6G system network architecture design include:
- For ease of understanding the embodiments of this application, the communication system shown in FIGS. 1-4 is first used as an example to describe in detail a communication system to which the embodiments of this application are applicable.
- the communication system 100 comprises a radio access network 120.
- the radio access network 120 may be a next generation (e.g. 6G or later) radio access network, or a legacy (e.g. fifth generation (5G) , fourth generation (4G) , third generation (3G) or second generation (2G) ) radio access network.
- One or more communication electronic devices (ED) 110a-110j (generically referred to as 110) may be interconnected to one another or connected to one or more network nodes (170a, 170b, generically referred to as 170) in the radio access network 120.
- a core network 130 may be a part of the communication system and may be dependent or independent of the radio access technology used in the communication system 100.
- the communication system 100 comprises a public switched telephone network (PSTN) 140, the internet 150, and other networks 160.
- FIG. 2 illustrates an example communication system 100.
- the communication system 100 enables multiple wireless or wired elements to communicate data and other content.
- the purpose of the communication system 100 may be to provide content, such as voice, data, video, and/or text, via broadcast, multicast, groupcast, unicast, etc.
- the communication system 100 may operate by sharing resources, such as carrier spectrum bandwidth, between its constituent elements.
- the communication system 100 may include a terrestrial communication system and/or a non-terrestrial communication system.
- the communication system 100 may provide a wide range of communication services and applications (such as earth monitoring, remote sensing, passive sensing and positioning, navigation and tracking, autonomous delivery and mobility, etc. ) .
- the communication system 100 may provide a high degree of availability and robustness through a joint operation of a terrestrial communication system and a non-terrestrial communication system.
- integrating a non-terrestrial communication system (or components thereof) into a terrestrial communication system can result in what may be considered a heterogeneous network comprising multiple layers.
- the heterogeneous network may achieve better overall performance through efficient multi-link joint operation, more flexible functionality sharing, and faster physical layer link switching between terrestrial networks and non-terrestrial networks.
- the communication system 100 includes electronic devices (ED) 110a-110d (generically referred to as ED 110) , radio access networks (RANs) 120a, 120b, a non-terrestrial communication network 120c, a core network 130, a public switched telephone network (PSTN) 140, the Internet 150, and other networks 160.
- the RANs 120a, 120b include respective base stations (BSs) 170a, 170b, which may be generically referred to as terrestrial transmit and receive points (T-TRPs) 170a, 170b.
- the non-terrestrial communication network 120c includes an access node 172, which may be generically referred to as a non-terrestrial transmit and receive point (NT-TRP) 172.
- Any ED 110 may be alternatively or additionally configured to interface, access, or communicate with any T-TRP 170a, 170b and NT-TRP 172, the Internet 150, the core network 130, the PSTN 140, the other networks 160, or any combination of the preceding.
- ED 110a may communicate an uplink and/or downlink transmission over a terrestrial air interface 190a with T-TRP 170a.
- the EDs 110a-110d may also communicate directly with one another via one or more sidelink air interfaces 190b.
- ED 110d may communicate an uplink and/or downlink transmission over a non-terrestrial air interface 190c with NT-TRP 172.
- the air interfaces 190a and 190b may use similar communication technology, such as any suitable radio access technology.
- the communication system 100 may implement one or more channel access methods, such as code division multiple access (CDMA) , space division multiple access (SDMA) , time division multiple access (TDMA) , frequency division multiple access (FDMA) , orthogonal FDMA (OFDMA) , or single-carrier FDMA (SC-FDMA, also known as discrete Fourier transform spread OFDMA, DFT-s-OFDMA) in the air interfaces 190a and 190b.
- the air interfaces 190a and 190b may utilize other higher dimension signal spaces, which may involve a combination of orthogonal and/or non-orthogonal dimensions.
- the non-terrestrial air interface 190c can enable communication between the ED 110d and one or multiple NT-TRPs 172 via a wireless link or simply a link.
- the link is a dedicated connection for unicast transmission, a connection for broadcast transmission, or a connection between a group of EDs 110 and one or multiple NT-TRPs 172 for multicast transmission.
- the RANs 120a and 120b are in communication with the core network 130 to provide the EDs 110a, 110b, and 110c with various services such as voice, data, and other services.
- the RANs 120a and 120b and/or the core network 130 may be in direct or indirect communication with one or more other RANs (not shown) , which may or may not be directly served by core network 130, and may or may not employ the same radio access technology as RAN 120a, RAN 120b or both.
- the core network 130 may also serve as a gateway access between (i) the RANs 120a and 120b or EDs 110a, 110b, and 110c or both, and (ii) other networks (such as the PSTN 140, the Internet 150, and the other networks 160).
- the EDs 110a, 110b, and 110c may include functionality for communicating with different wireless networks over different wireless links using different wireless technologies and/or protocols. Instead of wireless communication (or in addition thereto), the EDs 110a, 110b, and 110c may communicate via wired communication channels to a service provider or switch (not shown), and to the Internet 150.
- PSTN 140 may include circuit switched telephone networks for providing plain old telephone service (POTS) .
- Internet 150 may include a network of computers and subnets (intranets) or both, and incorporate protocols, such as Internet Protocol (IP) , Transmission Control Protocol (TCP) , User Datagram Protocol (UDP) .
- EDs 110a, 110b, and 110c may be multimode devices capable of operation according to multiple radio access technologies, and incorporate the multiple transceivers necessary to support such operation.
- FIG. 3 illustrates another example of an ED 110 and a base station 170a, 170b and/or 170c.
- the ED 110 is used to connect persons, objects, machines, etc.
- the ED 110 may be widely used in various scenarios including, for example, cellular communications, device-to-device (D2D) , vehicle to everything (V2X) , peer-to-peer (P2P) , machine-to-machine (M2M) , machine-type communications (MTC) , internet of things (IoT) , virtual reality (VR) , augmented reality (AR) , mixed reality (MR) , metaverse, digital twin, industrial control, self-driving, remote medical, smart grid, smart furniture, smart office, smart wearable, smart transportation, smart city, drones, robots, remote sensing, passive sensing, positioning, navigation and tracking, autonomous delivery and mobility, etc.
- Each ED 110 represents any suitable end user device for wireless operation and may include such devices (or may be referred to) as a user equipment/device (UE) , a wireless transmit/receive unit (WTRU) , a mobile station, a fixed or mobile subscriber unit, a cellular telephone, a station (STA) , a machine type communication (MTC) device, a personal digital assistant (PDA) , a smartphone, a laptop, a computer, a tablet, a wireless sensor, a consumer electronics device, a smart book, a vehicle, a car, a truck, a bus, a train, or an IoT device, wearable devices (such as a watch, a pair of glasses, head mounted equipment, etc.) .
- the base station 170a and 170b is a T-TRP and will hereafter be referred to as T-TRP 170. Also shown in FIG. 3, a NT-TRP will hereafter be referred to as NT-TRP 172.
- Each ED 110 connected to T-TRP 170 and/or NT-TRP 172 can be dynamically or semi-statically turned-on (i.e., established, activated, or enabled) , turned-off (i.e., released, deactivated, or disabled) and/or configured in response to one or more of: connection availability and connection necessity.
- the ED 110 includes a transmitter 201 and a receiver 203 coupled to one or more antennas 204. Only one antenna 204 is illustrated to avoid congestion in the drawing. One, some, or all of the antennas 204 may alternatively be panels.
- the transmitter 201 and the receiver 203 may be integrated, e.g. as a transceiver.
- the transceiver is configured to modulate data or other content for transmission by at least one antenna 204 or network interface controller (NIC) .
- the transceiver is also configured to demodulate data or other content received by the at least one antenna 204.
- Each transceiver includes any suitable structure for generating signals for wireless or wired transmission and/or processing signals received wirelessly or by wire.
- Each antenna 204 includes any suitable structure for transmitting and/or receiving wireless or wired signals.
- the ED 110 includes at least one memory 208.
- the memory 208 stores instructions and data used, generated, or collected by the ED 110.
- the memory 208 could store software instructions or modules configured to implement some or all of the functionality and/or embodiments described herein and that are executed by one or more processing unit (s) (e.g., a processor 210) .
- Each memory 208 includes any suitable volatile and/or non-volatile storage and retrieval device (s) . Any suitable type of memory may be used, such as random access memory (RAM) , read only memory (ROM) , hard disk, optical disc, subscriber identity module (SIM) card, memory stick, secure digital (SD) memory card, on-processor cache, and the like.
- the ED 110 may further include one or more input/output devices (not shown) or interfaces (such as a wired interface to the Internet 150 in FIG. 1) .
- the input/output devices or interfaces permit interaction with a user or other devices in the network.
- Each input/output device or interface includes any suitable structure for providing information to or receiving information from a user, and/or for network interface communications. Suitable structures include, for example, a speaker, microphone, keypad, keyboard, display, touch screen, etc.
- the ED 110 includes the processor 210 for performing operations including those operations related to preparing a transmission for uplink transmission to the NT-TRP 172 and/or the T-TRP 170; those operations related to processing downlink transmissions received from the NT-TRP 172 and/or the T-TRP 170; and those operations related to processing sidelink transmission to and from another ED 110.
- Processing operations related to preparing a transmission for uplink transmission may include operations such as encoding, modulating, transmit beamforming, and generating symbols for transmission.
- Processing operations related to processing downlink transmissions may include operations such as receive beamforming, demodulating and decoding received symbols.
- a downlink transmission may be received by the receiver 203, possibly using receive beamforming, and the processor 210 may extract signaling from the downlink transmission (e.g. by detecting and/or decoding the signaling) .
- An example of signaling may be a reference signal transmitted by the NT-TRP 172 and/or by the T-TRP 170.
- the processor 210 implements the transmit beamforming and/or the receive beamforming based on the indication of beam direction, e.g. beam angle information (BAI) , received from the T-TRP 170.
- the processor 210 may perform operations relating to network access (e.g.
- the processor 210 may perform channel estimation, e.g. using a reference signal received from the NT-TRP 172 and/or from the T-TRP 170.
- the processor 210 may form part of the transmitter 201 and/or part of the receiver 203.
- the memory 208 may form part of the processor 210.
- the processor 210, the processing components of the transmitter 201, and the processing components of the receiver 203 may each be implemented by the same or different one or more processors that are configured to execute instructions stored in a memory (e.g. in the memory 208) .
- some or all of the processor 210, the processing components of the transmitter 201, and the processing components of the receiver 203 may each be implemented using dedicated circuitry, such as a programmed field-programmable gate array (FPGA) , an application-specific integrated circuit (ASIC) , or a hardware accelerator such as a graphics processing unit (GPU) or an artificial intelligence (AI) accelerator.
- the T-TRP 170 may be known by other names in some implementations, such as a base station, a base transceiver station (BTS) , a radio base station, a network node, a network device, a device on the network side, a transmit/receive node, a Node B, an evolved NodeB (eNodeB or eNB) , a Home eNodeB, a next Generation NodeB (gNB) , a transmission point (TP) , a site controller, an access point (AP) , a wireless router, a relay station, a terrestrial node, a terrestrial network device, a terrestrial base station, a base band unit (BBU) , a remote radio unit (RRU) , an active antenna unit (AAU) , a remote radio head (RRH) , a central unit (CU) , a distributed unit (DU) , a positioning node, among other possibilities.
- the T-TRP 170 may be a macro BS, a pico BS, a relay node, a donor node, or the like, or combinations thereof.
- the T-TRP 170 may refer to the foregoing devices or refer to apparatus (e.g. a communication module, a modem, or a chip) in the foregoing devices.
- the parts of the T-TRP 170 may be distributed.
- some of the modules of the T-TRP 170 may be located remote from the equipment that houses the antennas 256 for the T-TRP 170, and may be coupled to the equipment that houses the antennas 256 over a communication link (not shown) sometimes known as front haul, such as common public radio interface (CPRI) .
- the term T-TRP 170 may also refer to modules on the network side that perform processing operations, such as determining the location of the ED 110, resource allocation (scheduling) , message generation, and encoding/decoding, and that are not necessarily part of the equipment that houses the antennas 256 of the T-TRP 170.
- the modules may also be coupled to other T-TRPs.
- the T-TRP 170 may actually be a plurality of T-TRPs that are operating together to serve the ED 110, e.g. through the use of coordinated multipoint transmissions.
- the T-TRP 170 includes at least one transmitter 252 and at least one receiver 254 coupled to one or more antennas 256. Only one antenna 256 is illustrated to avoid congestion in the drawing. One, some, or all of the antennas 256 may alternatively be panels.
- the transmitter 252 and the receiver 254 may be integrated as a transceiver.
- the T-TRP 170 further includes a processor 260 for performing operations including those related to: preparing a transmission for downlink transmission to the ED 110, processing an uplink transmission received from the ED 110, preparing a transmission for backhaul transmission to the NT-TRP 172, and processing a transmission received over backhaul from the NT-TRP 172.
- Processing operations related to preparing a transmission for downlink or backhaul transmission may include operations such as encoding, modulating, precoding (e.g. multiple input multiple output (MIMO) precoding) , transmit beamforming, and generating symbols for transmission.
- Processing operations related to processing received transmissions in the uplink or over backhaul may include operations such as receive beamforming, demodulating received symbols, and decoding received symbols.
- the processor 260 may also perform operations relating to network access (e.g. initial access) and/or downlink synchronization, such as generating the content of synchronization signal blocks (SSBs) , generating the system information, etc.
- the processor 260 also generates an indication of beam direction, e.g.
- the processor 260 performs other network-side processing operations described herein, such as determining the location of the ED 110, determining where to deploy the NT-TRP 172, etc.
- the processor 260 may generate signaling, e.g. to configure one or more parameters of the ED 110 and/or one or more parameters of the NT-TRP 172. Any signaling generated by the processor 260 is sent by the transmitter 252.
- signaling may be transmitted in a physical layer control channel, e.g. a physical downlink control channel (PDCCH) , in which case the signaling may be known as dynamic signaling.
- Signaling transmitted in a downlink physical layer control channel may be known as downlink control information (DCI) .
- Signaling transmitted in an uplink physical layer control channel may be known as uplink control information (UCI) .
- Signaling transmitted in a sidelink physical layer control channel may be known as sidelink control information (SCI) .
- Signaling may be included in a higher-layer (e.g., higher than physical layer) packet transmitted in a physical layer data channel, e.g. in a physical downlink shared channel (PDSCH) , in which case the signaling may be known as higher-layer signaling, static signaling, or semi-static signaling.
- Higher-layer signaling may also refer to radio resource control (RRC) protocol signaling or Media Access Control – Control Element (MAC-CE) signaling.
- the scheduler 253 may be coupled to the processor 260.
- the scheduler 253 may be included within or operated separately from the T-TRP 170.
- the scheduler 253 may schedule uplink, downlink, sidelink, and/or backhaul transmissions, including issuing scheduling grants and/or configuring scheduling-free (e.g., “configured grant” ) resources.
- the T-TRP 170 further includes a memory 258 for storing information and data.
- the memory 258 stores instructions and data used, generated, or collected by the T-TRP 170.
- the memory 258 could store software instructions or modules configured to implement some or all of the functionality and/or embodiments described herein and that are executed by the processor 260.
- the processor 260 may form part of the transmitter 252 and/or part of the receiver 254. Also, although not illustrated, the processor 260 may implement the scheduler 253. Although not illustrated, the memory 258 may form part of the processor 260.
- the processor 260, the scheduler 253, the processing components of the transmitter 252, and the processing components of the receiver 254 may each be implemented by the same or different one or more processors that are configured to execute instructions stored in a memory, e.g. in the memory 258.
- some or all of the processor 260, the scheduler 253, the processing components of the transmitter 252, and the processing components of the receiver 254 may be implemented using dedicated circuitry, such as a programmed FPGA, a hardware accelerator (e.g., a GPU or AI accelerator) , or an ASIC.
- the NT-TRP 172 is illustrated as a drone only as an example; the NT-TRP 172 may be implemented in any suitable non-terrestrial form, such as satellites and high altitude platforms, including international mobile telecommunication base stations and unmanned aerial vehicles, for example. Also, the NT-TRP 172 may be known by other names in some implementations, such as a non-terrestrial node, a non-terrestrial network device, or a non-terrestrial base station.
- the NT-TRP 172 includes a transmitter 272 and a receiver 274 coupled to one or more antennas 280. Only one antenna 280 is illustrated to avoid congestion in the drawing. One, some, or all of the antennas may alternatively be panels.
- the transmitter 272 and the receiver 274 may be integrated as a transceiver.
- the NT-TRP 172 further includes a processor 276 for performing operations including those related to: preparing a transmission for downlink transmission to the ED 110, processing an uplink transmission received from the ED 110, preparing a transmission for backhaul transmission to T-TRP 170, and processing a transmission received over backhaul from the T-TRP 170.
- Processing operations related to preparing a transmission for downlink or backhaul transmission may include operations such as encoding, modulating, precoding (e.g. MIMO precoding) , transmit beamforming, and generating symbols for transmission.
- Processing operations related to processing received transmissions in the uplink or over backhaul may include operations such as receive beamforming, demodulating received symbols, and decoding received symbols.
- the processor 276 implements the transmit beamforming and/or receive beamforming based on beam direction information (e.g. BAI) received from the T-TRP 170.
- the processor 276 may generate signaling, e.g. to configure one or more parameters of the ED 110.
- the NT-TRP 172 implements physical layer processing, but does not implement higher layer functions such as functions at the medium access control (MAC) or radio link control (RLC) layer. As this is only an example, more generally, the NT-TRP 172 may implement higher layer functions in addition to physical layer processing.
- the NT-TRP 172 further includes a memory 278 for storing information and data.
- the processor 276 may form part of the transmitter 272 and/or part of the receiver 274.
- the memory 278 may form part of the processor 276.
- the processor 276, the processing components of the transmitter 272, and the processing components of the receiver 274 may each be implemented by the same or different one or more processors that are configured to execute instructions stored in a memory, e.g. in the memory 278.
- some or all of the processor 276, the processing components of the transmitter 272, and the processing components of the receiver 274 may be implemented using dedicated circuitry, such as a programmed FPGA, a hardware accelerator (e.g., a GPU or AI accelerator) , or an ASIC.
- the NT-TRP 172 may actually be a plurality of NT-TRPs that are operating together to serve the ED 110, e.g. through coordinated multipoint transmissions.
- the T-TRP 170, the NT-TRP 172, and/or the ED 110 may include other components, but these have been omitted for the sake of clarity.
- FIG. 4 illustrates units or modules in a device, such as in the ED 110, in the T-TRP 170, or in the NT-TRP 172.
- a signal may be transmitted by a transmitting unit or by a transmitting module.
- a signal may be received by a receiving unit or by a receiving module.
- a signal may be processed by a processing unit or a processing module.
- Other steps may be performed by an AI or machine learning (ML) module.
- the respective units or modules may be implemented using hardware, one or more components or devices that execute software, or a combination thereof.
- one or more of the units or modules may be a circuit such as an integrated circuit.
- Examples of an integrated circuit include a programmed FPGA, a GPU, or an ASIC.
- one or more of the units or modules may be logical such as a logical function performed by a circuit, by a portion of an integrated circuit, or by software instructions executed by a processor.
- the modules may be retrieved by a processor, in whole or in part as needed, individually or together for processing, in single or multiple instances, and the modules themselves may include instructions for further deployment and instantiation.
- next generation e.g. 6G or later
- legacy e.g. 5G, 4G, 3G or 2G
- the proposed 6G system architecture is defined to support 6G XaaS services by using techniques such as network function virtualization and network slicing.
- the 6G system architecture utilizes service-based interactions between 6G services.
- the 6G system leverages service-based architecture and XaaS concept.
- XaaS services in the 6G system are categorized into three layers.
- the 6G system conceptual structure is shown in FIG. 5.
- An infrastructure layer includes infrastructures supporting 6G services, such as wireless networks (e.g., a RAN and a core network (CN)) , cloud/data center infrastructures, satellite networks and sensing networks.
- Each of the infrastructures could have its control and management functions, denoted as C/M functions, for infrastructure management.
- Each of these infrastructures is one type of infrastructure as a service.
- a control and management (C/M) layer includes control and management services of the 6G system, e.g., resource management (RM) and mission management (MM) . They are developed and deployed by using slicing techniques and utilizing resources provided by the infrastructure layer.
- a 6G mission is defined as a service provided to customers by the 6G system.
- a mission can be a type of service which is provided by a single 6G XaaS service, or a type of service that needs contributions from multiple XaaS services.
- CONET: confederation network.
- service provisioning management (SPM) provides a capability of control and management of 6G service access by customers and provisioning of requested services.
- the capability is provided by unified mutual authentication, authorization and policy, key management, quality of service (QoS) assurance and charging between any pair of XaaS service provider and customer.
- the customers include not only end-customers in the physical world, but also digital representatives in the digital world.
- CM connectivity management
- protocol as a service provides a capability to design service customized protocol stacks for identified interfaces.
- the protocol stacks could be pre-defined for on-demand selection, or could be on-demand designed.
- network security as a service provides a capability for owners of infrastructures to detect potential security risks of their infrastructures.
- XaaS services in the C/M layer support control and management of the 6G system itself and also provide support to verticals if requested.
- RM service can serve RAN for over-the-air resource management and can also provide service to a vertical for the vertical’s over-the-air resource allocation to its end-customers.
- the XaaS in C/M layer can be deployed by using slicing technique.
- a service layer includes 6G services which provide services to customers.
- NET4AI: artificial intelligence service. This service provides AI capability to support a variety of AI applications.
- DAM: service of data collection, data sanitization, data analysis and data delivery.
- This service provides a capability of lifecycle management of statistical data, including acquisition, de-privatization, analysis and delivery of data, which is statistical information from any type of sensor, device, network function, etc.
- NET4Data: service of storage and sharing of data.
- This service provides a capability to trustworthily store and share data under the control of the owners of the data and in accordance with recognized authorities’ regulations on control of identified data.
- NET4DW: digital world service. Digital world service provides a capability to construct, control and manage the digital world.
- The digital world is defined as the digital realization of the physical world.
- NET4BC: 6G block chain service.
- NET4CON (network for connectivity) : enhanced connectivity service.
- This service provides a capability to support exchange of messages and data among new 6G services.
- All XaaS services at this layer are developed and deployed by using resource provided in infrastructure and utilizing network function virtualization and slicing techniques.
- the capability of each of 6G services is provided by its control and management functions and service specific data process functions.
- 6G system leverages 5G system for provisioning of vertical services.
- the difference between 6G XaaS services and other verticals is that a vertical is a pure customer which needs other XaaS services to enable its operation, while each XaaS service provides its capabilities to 6G customers.
- Any pair of XaaS services of the 6G system could also be mutual customer and provider of each other.
- an infrastructure owner provides its resource to XaaS services in service layer and C/M layer
- RM services may need the capabilities provided by NET4AI, DAM and NET4DW for its resource management for vertical slicing
- CONET service and NET4Data service may need the capability provided by NET4BC for their operation.
- the key concepts of the 6G system include the following:
- a basic XaaS service provides unique capability to enable a specific type of service, such as NET4AI service, NET4DW service, DAM service, NET4Data service, block chain service, mission management service, etc.
- data plane of the 6G system, which includes processing functions of the data plane of XaaS services. Programming the interconnection of these functions, by the mission management service, enables support of a variety of customized customer services.
- C/M Plane of the 6G system which includes C/M functions in XaaS services and may include 5G CP (e.g., AMF) depending on implementation options.
- BAS basic architecture structure
- GWs trustworthy gateways
- 5G users can use the 6G system to access 5G services.
- data processing functions are used for processing data and could only exist in a service layer of XaaS.
- the C/M functions are used for control and management and could exist in a service layer and C/M layer of XaaS.
- a service provider of XaaS could also be referred to as a XaaS service.
- FIG. 6 is a network scenario according to some embodiments of the present application.
- a control and management trustworthy gateway (C/M-TW-GW) is a network function and could be defined as an endpoint of a C/M session at network side.
- the setup of the C/M session is for a device or a XaaS service to transmit the control message relating to the XaaS service.
- the C/M session could be defined as a secured logical connection between a device (e.g., a user equipment) and its serving C/M-TW-GW.
- the data trustworthy gateway (Data-TW-GW) is a network function and could be defined as an endpoint of data session of a device.
- the setup of the data session is for the device or the XaaS service to participate in processing data.
- the data session could be defined as a secured logical connection between a device and its serving Data-TW-GW.
- the radio bearer (RB) handler is a network function and could be implemented as a radio access network (RAN) .
- the RB handler could be defined as a logical function which performs RB protocol stack operations after getting configurations.
- the RB handler could be connected to both other infrastructures (e.g., a core network and/or a third-party cloud) and C/M-TW-GW. Communications between the device and the RB handler could include a C/M RB or a data RB.
- the C/M RB could be defined as an over-the-air connection for carrying control signaling for over-the-air interface management and C/M plane messages.
- the data RB could be an over-the-air connection for carrying data plane traffic.
- an interface I could be defined as a set of security features that enables a device to authenticate and access services via the network securely, and to protect against attacks on the radio interfaces.
- an interface II could be defined as a set of security features that enables a system shown in FIG. 6 to securely exchange C/M session between a device and a C/M-TW-GW or securely exchange data session between the device and the Data-TW-GW.
- an interface III could be defined as a set of security features that enables the system to securely exchange C/M session between the XaaS service and the C/M-TW-GW or securely exchange data session between the XaaS service and a Data-TW-GW.
- an interface IV could be a set of security features that enables XaaS service functions to exchange messages securely.
- an interface V could be defined as a set of security features that enables secure communications among C/M-TW-GWs or among Data-TW-GWs.
- the interface I could support a connection between a device and an RB handler; the interface II could support a connection between a device and a C/M-TW-GW/Data-TW-GW; the interface III could support a connection between a XaaS service and a C/M-TW-GW/Data-TW-GW.
- security procedures between a device (e.g., a UE) and network functions would be involved when the device is capable of connecting to a network.
- the security procedures may include primary authentication and key agreement procedures.
- the primary authentication and key agreement procedures are to enable mutual authentication between the device and a serving network and to provide keying materials that can be used between the device and the serving network.
- the keying materials can be used for signaling security protection on the interface I and interface II in subsequent security procedures.
- the security procedures may include secondary authentication and key agreement procedures.
- the secondary authentication and key agreement procedures are to enable mutual authentication between the device and the XaaS service, and to provide keying materials that can be used between the device and the XaaS service in subsequent security procedures.
- the keying materials can be used for data security protection on an interface I and an interface II in subsequent security procedures.
- the primary authentication and key agreement procedures, and the secondary authentication and key agreement procedures could be controlled or handled by a SPM in the 6G XaaS service at the C/M layer.
- the Internet protocol security (IPsec) protocol or the transport layer security (TLS) protocol can be used on an interface III, an interface IV and an interface V to implement secure communications.
- the primary authentication and key agreement procedures and the secondary authentication and key agreement procedures are controlled or handled by a SPM in 6G XaaS service at C/M layer (as shown in FIG. 6) .
- the following issues shall be addressed when implementing these procedures.
- whether a participator could be anonymously served by the requested XaaS services, or whether the participator does not have a permission to access the XaaS services?
- the XaaS service does not know who uses this service, and the participator does not know who provides this service to him/her.
- This network function should be provided with functionalities such as participator identification, mapping or alignment of identifiers from different providers to a specific participator, and identifier management.
- FIG. 7 is an architecture of a SPM according to some embodiments of the present application.
- a SPM-Authen could be responsible for authentication on a device and/or a XaaS service.
- the SPM-Authen could also be responsible for negotiating a shared key.
- the shared key could be known by the device and the network.
- a SPM-Authen could provide a unified mutual authentication service.
- the SPM-Authen service could provide a unified mutual authentication service for multiple un-trusted participators (e.g., a device, an end customer, an infrastructure provider or a XaaS service) .
- the unified mutual authentication service can be implemented by a SPM-Authen during a primary authentication procedure.
- a SPM-Author could be responsible for service subscription negotiation with a XaaS service on behalf of a device.
- the SPM-Author could also be responsible for granting service permissions to devices.
- the SPM-Author could also be responsible for generating an authentication code which is used for validation on a device, a required service and a service provider that provides the required service to the device.
- the SPM-Author could further be responsible for setting up or configuring a secure tunnel between a device and a service provider.
- the secure tunnel could be established by other network functions, such as an access management function.
- a SPM-Author could provide an anonymous authorization service.
- the SPM-Author could provide authorization for a device to access a XaaS service anonymously.
- the anonymous authorization service can be implemented by SPM-Author during a secondary authentication/authorization procedure.
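- The authentication code that the SPM-Author generates for validation of a device, a required service and a service provider, as an added example (not code from the patent): SPM-Author binds the device's service-associated ID, the service and the provider into a MAC-protected code with an expiry, and the provider validates it with its own key. The serving-network ID of the device is never placed in the code, which is what keeps the authorization anonymous toward the provider. Provider names, the claim field names and the key-provisioning model (one MAC key per provider, constructed here) are assumptions.

```python
import hmac
import hashlib
import json

# Constructed MAC keys shared between SPM-Author and each service provider
# (placeholder values; the patent does not specify how such keys are provisioned).
PROVIDER_KEYS = {
    "provider-x": b"constructed-key-for-provider-x",
    "provider-y": b"constructed-key-for-provider-y",
}


def _encode(claims: dict) -> bytes:
    # Canonical encoding so that issuer and verifier MAC exactly the same bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_authorization_code(provider: str, service: str, service_id: str,
                             now: int, lifetime: int) -> dict:
    """SPM-Author side: bind the service-associated ID, the required service and
    the provider into one code with an expiry. The serving-network ID of the
    device is deliberately not included, so the provider never learns it."""
    claims = {"sub": service_id, "svc": service, "prov": provider, "exp": now + lifetime}
    mac = hmac.new(PROVIDER_KEYS[provider], _encode(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "mac": mac}


def validate_authorization_code(code: dict, my_provider: str, my_service: str, now: int) -> bool:
    """Service-provider side: recompute the MAC with its own key and check that
    the code was issued for this provider and this service and is unexpired.
    Tampered claims, a code issued for another provider, or an expired code are rejected."""
    key = PROVIDER_KEYS.get(my_provider)
    if key is None:
        return False
    expected = hmac.new(key, _encode(code["claims"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, code["mac"]):
        return False
    claims = code["claims"]
    return (claims["prov"] == my_provider
            and claims["svc"] == my_service
            and claims["exp"] > now)
```

Because the code is checked against the provider's own key, a provider cannot validate (or reuse) a code issued to another provider, and because the service name is inside the MAC-protected claims, a code for one XaaS service cannot be presented to another.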
- a SPM-IDM could provide ID management service.
- the SPM-IDM could be responsible for maintaining or storing ID information of devices and the corresponding authentication materials (e.g. a certificate) of devices.
- a certificate of a device could be taken as a credential of the device that is used for a mutual authentication between the device and the SPM-Authen.
- a SPM-IDM could be responsible for generating, refreshing and revoking an ID of the device.
- the SPM-IDM could be responsible for ID mapping and ID alignment. The motivation of the ID mapping is to provide anonymous ID mappings when a XaaS service/a network function cannot link a temporary ID of a device with this device.
- the temporary ID of the device could be mapped to another ID of the device that could be used to identify the device by the XaaS service/the network function.
- the ID alignment could provide an anonymous ID alignment when different untrusted network functions or XaaS services align data from different entities (e.g. organizations, and/or third parties) to a same device.
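- The ID mapping and ID alignment of the SPM-IDM, as an added example (not code from the patent): the SPM-IDM keeps the binding between a device's serving-network ID and its service-associated IDs, mints a random communication ID for each authentication/authorization procedure so that the XaaS service cannot link the procedure to the serving-network ID, maps a communication ID back to the service-associated ID only for the service it was issued for, and answers alignment queries with a keyed pseudonym that is equal for the same device but reveals no real ID. The class and method names, the entity label and the context string are assumptions.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Entity label for the ID used between the device and the serving network (assumed name).
SERVING_NETWORK = "serving-network"


@dataclass
class DeviceRecord:
    device_key: str                                  # permanent key, never leaves SPM-IDM
    first_id: str                                    # ID used on the device/serving-network side
    second_ids: dict = field(default_factory=dict)   # service name -> ID associated with that service


class SpmIdm:
    """Hypothetical SPM-IDM: ID mapping, per-procedure communication IDs and
    anonymous ID alignment."""

    def __init__(self, alignment_key: bytes):
        self._alignment_key = alignment_key
        self._records = {}    # device_key -> DeviceRecord
        self._comm_ids = {}   # communication ID -> (device_key, service)

    def register(self, record: DeviceRecord) -> None:
        self._records[record.device_key] = record

    def _lookup(self, entity: str, ident: str) -> DeviceRecord:
        # Resolve the ID that one entity knows to the device record; KeyError if unknown.
        for rec in self._records.values():
            if entity == SERVING_NETWORK and rec.first_id == ident:
                return rec
            if entity != SERVING_NETWORK and rec.second_ids.get(entity) == ident:
                return rec
        raise KeyError(f"unknown {entity} ID")

    def new_communication_id(self, first_id: str, service: str) -> str:
        """Mint a random ID for one authentication/authorization procedure.
        It is unrelated to first_id; only SPM-IDM holds the binding."""
        rec = self._lookup(SERVING_NETWORK, first_id)
        if service not in rec.second_ids:
            raise PermissionError("device has no ID associated with this service")
        comm_id = secrets.token_hex(16)
        self._comm_ids[comm_id] = (rec.device_key, service)
        return comm_id

    def map_to_second_id(self, comm_id: str, service: str) -> str:
        """ID mapping for SPM-Author / the XaaS service: return the
        service-associated ID; the serving-network ID is never returned."""
        device_key, bound_service = self._comm_ids[comm_id]   # KeyError if revoked or unknown
        if bound_service != service:
            raise PermissionError("communication ID was issued for another service")
        return self._records[device_key].second_ids[service]

    def revoke_communication_id(self, comm_id: str) -> None:
        self._comm_ids.pop(comm_id, None)

    def alignment_token(self, entity: str, ident: str, context: str) -> str:
        """Anonymous ID alignment: equal tokens mean 'same device'. The token
        reveals no real ID, and the context string (one per alignment request)
        stops tokens from different requests being correlated with each other."""
        rec = self._lookup(entity, ident)
        msg = rec.device_key.encode() + b"|" + context.encode()
        return hmac.new(self._alignment_key, msg, hashlib.sha256).hexdigest()
```

The per-request context in alignment_token is the caveat worth keeping: without it, a single static pseudonym per device would let every party that ever received one correlate all of that device's records across organizations, which is exactly the linkage the anonymous alignment is meant to prevent.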
- a SPM-UDM could be responsible for management on service profiles and service credentials.
- a SPM-KMF could be responsible for negotiating a shared key.
- the shared key shall be known by the device.
- the SPM-KMF could also be responsible for generating session keys /RB keys.
- the session keys could be used for security protection on interface II.
- the session keys may include keys used for protection of a C/M session or keys used for protection of a data session.
- the RB keys could be used for security protection on interface I.
- the RB keys may include keys used for protection of a C/M RB or keys used for protection of a data RB.
- the SPM-KMF could be responsible for key refreshing and key revocation.
- the SPM-KMF could be responsible for security configuration/activation on a device and a network side.
- a SPM-PCF could be responsible for charging policy.
- the SPM-PCF could provide charging and policy service that provides policy and charging control rules for a session.
- a SPM-Authen, a SPM-Author, a SPM-IDM, a SPM-UDM, a SPM-KMF and a SPM-PCF could be distributed among different network functions.
- at least two of a SPM-Authen, a SPM-Author, a SPM-IDM, a SPM-UDM, a SPM-KMF and a SPM-PCF could be integrated into the same network function.
- an architecture of SPM may be different from the architecture shown in FIG. 7.
- an architecture of SPM may not include all entities (i.e., a SPM-Authen, a SPM-Author, a SPM-IDM, a SPM-UDM, a SPM-KMF and a SPM-PCF) shown in FIG. 7.
- This framework could provide a unified mutual authentication service, an anonymous authorization service, a key management service, a charging and policy service, and an ID management service.
- In this framework, we provide interfaces among these different functions that implement the above services.
- our framework has new features: (1) decoupling authentication from key management, which could reduce overhead during key refresh; (2) decoupling authentication from authorization, which could provide anonymous authorization; (3) with the help of the IDM, it could provide anonymous communications and protect ID privacy.
- FIG. 8 and FIG. 9 illustrate other architectures of SPM according to some embodiments of the present application.
- an architecture of SPM shown in FIG. 8 could support a mutual authentication service.
- an architecture of SPM shown in FIG. 9 could support an anonymous authorization service.
- all entities e.g., a client, a SMP-Authen, a XaaS service
- a trusted SPM-IDM shall generate an authentication ID for a client, register to a CA on behalf of the client, and keep the client’s authentication materials (e.g., a certificate) corresponding to the authentication ID.
- a SPM-Authen is responsible for authenticating a client, and for negotiating a shared key with a SPM-KMF.
- a client shall subscribe to a XaaS service with the help of the network.
- a SPM-Author negotiates with XaaS service providers on behalf of the client for the service subscriptions. This prevents XaaS service providers from knowing the real ID of the client. These service subscriptions are kept in a SPM-UDM. Thus, anonymous service subscription to XaaS services could be provided for the client.
- a SPM-Author could grant permissions to the client after the client is successfully authenticated by a SPM-Authen.
- these XaaS service providers cannot associate these services with the specific client.
- a session key that is used for service data security protection, or a secure communication between the client and the XaaS service may be negotiated by a SPM-KMF.
- a unified mutual authentication service, an anonymous authorization service, a key management service, a charging and policy service, and an ID management service could be provided by different entities.
- a procedure of authentication could be decoupled from a procedure of key management, which could reduce signaling overhead during key refreshing.
- a procedure of authentication could be decoupled from a procedure of authorization, and an anonymous authentication could be supported.
- an anonymous communication and privacy protection of the ID of the device could be provided with the help of the SPM-IDM.
- FIG. 10 is a schematic flowchart of a method for communication according to some embodiments of the present application. The following separately describes steps involved in the method 500 in detail.
- the FIG. 10 could illustrate an example of a call flow of a procedure of authentication, authorization and key management.
- a SPM-UDM could be taken as an example of a first SPM NF
- a SPM-Author could be taken as an example of a second SPM NF
- a SPM-IDM could be taken as an example of a third SPM NF
- a SPM-Authen could be taken as an example of a fourth SPM NF
- SPM-KMF could be taken as an example of a fifth SPM NF.
- a second SPM NF transmits a first message to a first SPM NF.
- the second SPM NF could transmit the first message to the first SPM NF directly or indirectly. After receiving a request to authorize a service for a device, the second SPM NF could transmit the first message.
- the request might be transmitted from the device or an access management function.
- the first message is used to request first information of a service.
- the first information of the service is used for granting the device a permission to access the service.
- the first information may include, but is not limited to: information of a subscription of a service, and information of a service provider that provides the requested service.
- the first information of the service for the device could also be referred to as a profile of the service, or a service profile.
- the first message includes a first ID of the device.
- the first ID of the device is used in a communication between the device and a serving network.
- the device could use a temporary ID to communicate with a service provider or a network function (e.g., a C/M-TW-GW, a Data-TW-GW, or a SPM-Author).
- a real ID of a device (also referred to as a device’s real ID) could be used for identifying the device.
- the first ID of the device could be a temporary ID.
- the first message could further include an ID of a requested service, or an ID of a service provider that provides the requested service.
- the first SPM NF shall transmit a message (e.g., a second message) to the second SPM NF, and this message includes the first information of the service.
- the first SPM NF may not know which device the ID of the device included in the first message is associated with. Therefore, identification of the device shall be implemented with the help of a SPM-IDM.
- the first SPM NF determines an ID of a communication related to an authentication and/or authorization procedure of the service for the device.
- the ID of the communication is associated to the first ID of the device.
- a temporary ID of a device may be used in communications between the device and network functions, and different temporary IDs of a same device may be used in communications with different network functions. Because the ID of the communication is associated with the first ID of the device, the ID of the communication can be used to identify the device by at least one network function related to the authentication and/or authorization procedure. For example, a SPM-Authen, a SPM-Author, a SPM-IDM, or a SPM-UDM could use this ID to identify the device in an authentication/authorization procedure.
- the first SPM NF transmits a third message to a third SPM NF.
- the third message includes the first ID of the device and the ID of the communication mentioned.
- the third message is used to obtain a second ID of the device.
- the first information of the service is related to the second ID of the device.
- the second ID of the device may be a temporary ID.
- a same device may use different temporary IDs in different communications.
- a device may use a temporary ID (e.g., a temporary ID #1) to subscribe to a service, and a service subscription could be generated by a service provider and be related to the temporary ID #1.
- a SPM-UDM could store the service subscription.
- the device may use another temporary ID (e.g., a temporary ID #2) to request a permission to access the service, and a SPM-UDM may not be able to identify the device according to the temporary ID #2.
- the SPM-UDM could transmit a message to a SPM-IDM to query the temporary ID #1.
- the SPM-IDM could inform the SPM-UDM which device the temporary ID #1 is associated with.
- the third SPM NF determines the second ID of the device.
- the third SPM NF could determine the second ID of the device according to the first ID of the device.
- the third SPM NF could query an ID of the device that is associated with the first information of the service according to an ID of the device included in the third message.
- the third SPM NF transmits a fourth message to the first SPM NF.
- the fourth message includes the second ID of the device.
- the fourth message could be a response to the third message.
- the first SPM NF implements identification on the device.
- the first SPM NF implements identification on the device according to the second ID of the device.
- the first SPM NF could determine the information of the requested service that the second ID of the device is associated with.
- the first SPM NF could select a service profile from a plurality of service profiles according to the second ID of the device.
- the first SPM NF transmits a second message to the second SPM NF.
- the second message includes the information of the service associated with the second ID of the device.
- the second message could further include the ID of the communication mentioned in S502.
- the second message could be a response to the first message.
- the second SPM NF transmits a seventh message to a fourth SPM NF.
- the seventh message is used to request an authentication of the service for the device.
- the seventh message includes the ID of the communication.
- the seventh message could further include an ID of the requested service or an ID of a service provider that provides the requested service.
- the fourth SPM NF could implement the authentication after obtaining authentication materials (e.g., a credential of the service for the device, and a credential of the device) from other network functions. Moreover, the fourth SPM NF could transmit a message (e.g., an eighth message) to indicate a result of the authentication.
- the fourth SPM NF transmits a first request to the first SPM NF.
- the first request is used to request a credential of the service for the device that is associated with the second ID of the device and the first information of the service.
- the credential of the service for the device is used for an authentication on the service or an authentication on a service provider that provides the service.
- the first request includes the ID of the communication mentioned in S502.
- the first request further includes an ID of the requested service or an ID of a service provider that provides the requested service.
- the first information of the service could be generated in a procedure of service subscription.
- the second ID of the device is used, and the second SPM NF may obtain the first information of the service from a service provider.
- the second SPM NF could transmit a request (e.g., a second request) to the first SPM NF to request storage of a credential of the service for the device.
- This request includes the first information of the service and the second ID of the device.
- the first SPM NF could generate the credential of the service for the device that is associated with the second ID of the device and the first information of the service.
- the first SPM NF could transmit a message (e.g., a sixth message) to indicate a generation of the credential of the service for the device.
- the first SPM NF transmits a fifth message to the fourth SPM NF.
- the fifth message includes the credential of the service for the device.
- the fifth message could be a response to the first request.
- the credential of the service for the device is obtained by the first SPM NF according to the ID of the communication mentioned in S502.
- the fourth SPM NF transmits a third request for a credential of the device to the third SPM NF.
- all entities e.g., a device, a SPM-Authen, a XaaS service
- the SPM-IDM could register to the CA on behalf of a device and obtain a certificate of the device (also referred to as a device’s certificate).
- the SPM-IDM could store or maintain the device’s certificate.
- the device’s certificate could be used for an authentication of the device (e.g., a mutual authentication between the device and a SPM-Authen).
- the device’s certificate could be taken as an example of the credential of the device.
- the SPM-Authen is responsible for authenticating a client, and for negotiating a shared key with a SPM-KMF.
- a SPM-IDM shall generate an ID of a device, and the SPM-IDM uses this ID of the device to register to the CA on behalf of the device.
- This ID of the device could be referred to as an authentication ID of the device or device’s authentication ID.
- a certificate of a device could be associated with the device’s authentication ID.
- the third SPM NF transmits a message to the fourth SPM NF.
- the message (e.g., an eleventh message) could be considered as a response to the third request.
- the message includes the credential of the device.
- the fourth SPM NF authenticates the device and a service provider.
- the fourth SPM NF implements an authentication on the device and an authentication on the requested service/a service provider that provides the requested service according to the credential of the device and the credential of the service for the device.
- the fourth SPM NF transmits an eighth message to the second SPM NF.
- the eighth message includes an indication of a result of the authentication.
- the eighth message could be a response to the seventh message.
- the second SPM NF transmits a ninth message to a fifth SPM NF.
- the ninth message is used to request keys used for security protection of a communication associated with the service.
- the fifth SPM NF generates information of the keys.
- the fifth SPM NF could generate keys for protection of a C/M session, keys for protection of a data session and so on.
- the C/M session and/or the data session is associated with the service.
- the fifth SPM NF transmits a tenth message to the second SPM NF.
- the tenth message includes information of the keys.
- the tenth message could be a response of the ninth message.
- the information of the keys could be used for generation or configuration of these keys.
- the fourth SPM NF transmits a request for a temporary ID of the device to the SPM-IDM, when a new temporary ID of the device is needed.
- the fourth SPM NF transmits a fourth request for a third ID of the device to the third SPM NF.
- the fourth request could include a fourth ID of the device or the ID of the communication mentioned in S502.
- the fourth ID of the device could be used for a mutual authentication between the device and the fourth SPM NF, and the fourth ID of the device could be associated with the credential of the device.
- an authentication ID of a device could be taken as an example of a fourth ID of the device.
- the third SPM NF could generate the third ID of the device according to the fourth request.
- the third SPM NF could transmit a twelfth message to the fourth SPM NF.
- the twelfth message includes the third ID of the device and could be a response of the fourth request.
- As mentioned above, at least two of a SPM-Authen, a SPM-Author, a SPM-IDM, a SPM-UDM, a SPM-KMF and a SPM-PCF could be integrated into the same network function.
- a SPM-Author and a SPM-IDM are integrated into a network function.
- a SPM-Author and a SPM-Authen are integrated into a network function.
- There are other ways of integrating at least two of a SPM-Authen, a SPM-Author, a SPM-IDM, a SPM-UDM, a SPM-KMF and a SPM-PCF, which are not limited herein.
- a second SPM NF and a third SPM NF are integrated into one network function (e.g., a third network function).
- the third network function shall transmit messages that include messages transmitted by the second SPM NF and messages transmitted by the third SPM NF.
- the third network function shall receive messages that include messages received by the second SPM NF and messages received by the third SPM NF.
- the third network function transmits a message that corresponds to the first message in S501; correspondingly, a first SPM NF receives this message.
- the first SPM NF transmits a message that corresponds to the second message in S507; correspondingly, the third network function receives this message.
- the first SPM NF transmits a message that corresponds to the third message in S503; correspondingly, the third network function receives the third message.
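The following is an added example, not code from the patent: a minimal simulation of steps S501 to S507 of method 500 in Python, showing why the ID mapping has to sit with the SPM-IDM. The device subscribes under one temporary ID and later requests access under another; the first SPM NF (SPM-UDM) binds an ID of the communication to the first ID, asks the SPM-IDM for the second ID, and answers the second SPM NF with the service profile only. The class names, the `context` tag used to tell the two temporary IDs apart, the dict-based stores and the sample IDs are all assumptions; the patent fixes none of them.

```python
import secrets

# Added example (not from the patent): the SPM-IDM is the only entity that can link a
# device's temporary IDs; every name, data structure and sample value here is constructed.


class SpmIdm:
    """Hypothetical third SPM NF: issues temporary IDs and answers ID-mapping queries."""

    def __init__(self):
        self._issued = {}   # real ID -> {context: temporary ID}; the real ID never leaves this class
        self._owner = {}    # temporary ID -> real ID

    def issue_temp_id(self, real_id, context):
        # Random token: holding one temporary ID gives no way to derive another one.
        temp_id = "tmp-" + secrets.token_hex(8)
        self._issued.setdefault(real_id, {})[context] = temp_id
        self._owner[temp_id] = real_id
        return temp_id

    def map_id(self, first_id, context):
        """Fourth message: the temporary ID of the same device issued under `context`
        (e.g. the one used at subscription time), or None if first_id is unknown.
        Only that temporary ID is revealed, never the real ID."""
        real_id = self._owner.get(first_id)
        if real_id is None:
            return None
        return self._issued[real_id].get(context)


class SpmUdm:
    """Hypothetical first SPM NF: service profiles keyed by the subscription-time temporary ID."""

    def __init__(self, idm):
        self._idm = idm
        self._profiles = {}   # second ID of the device -> service profile
        self._comm_ids = {}   # ID of the communication -> first ID of the device (S502)

    def store_profile(self, second_id, profile):
        self._profiles[second_id] = profile

    def handle_first_message(self, first_id, service_id):
        """First message in (S501), second message out (S507), returned as a dict."""
        # S502: an ID for this authentication/authorization communication, bound to the first ID.
        comm_id = "comm-" + secrets.token_hex(8)
        self._comm_ids[comm_id] = first_id
        # S503/S504: third message to the SPM-IDM, fourth message back with the second ID.
        second_id = self._idm.map_id(first_id, context="subscription")
        # S505/S506: identify the device and select the profile bound to the second ID.
        profile = self._profiles.get(second_id) if second_id else None
        if profile is None or profile["service_id"] != service_id:
            # Device not identifiable, or no subscription for this service: nothing to grant.
            return {"comm_id": comm_id, "service_profile": None}
        # The second ID itself is not forwarded; the second SPM NF only needs the profile.
        return {"comm_id": comm_id, "service_profile": profile}


def run_example():
    """Constructed scenario: subscribed under temporary ID #1, requesting access under #2."""
    idm = SpmIdm()
    udm = SpmUdm(idm)
    real_id = "real-id-0001"   # hypothetical long-term ID, known only to the SPM-IDM
    temp_id_1 = idm.issue_temp_id(real_id, "subscription")
    udm.store_profile(temp_id_1, {"service_id": "xaas-svc-A", "provider": "provider-A"})
    temp_id_2 = idm.issue_temp_id(real_id, "access")
    return {
        "ids_differ": temp_id_1 != temp_id_2,
        "granted": udm.handle_first_message(temp_id_2, "xaas-svc-A"),       # subscribed service
        "wrong_service": udm.handle_first_message(temp_id_2, "xaas-svc-B"), # no subscription
        "unknown": udm.handle_first_message("tmp-unknown", "xaas-svc-A"),   # ID never issued
    }


if __name__ == "__main__":
    print(run_example())
```

The point to take from the simulation is the information flow: the SPM-Author sends only the access-time temporary ID, the SPM-UDM learns only the subscription-time temporary ID, and the SPM-IDM never releases the real ID to either.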
- FIG. 11 is a schematic flowchart of a method 600 according to some embodiments of the present application.
- the basic concepts about these embodiments are:
- a device transmits a message 1 to a SPM-Authen.
- the message 1 could include an access request and could be represented by an access_request in FIG. 11.
- the device could transmit the message 1 to the SPM-Authen directly or indirectly.
- the message 1 shall include an ID of the device.
- the ID of the device is used in a communication between the device and a serving network.
- the message 1 includes an ID of the device that is pre-assigned to the device when the device registers to a CA. This ID of the device could be taken as an example of an authentication ID of the device.
- the message 1 includes a temporary ID of the device, e.g., a temporary ID #3.
- the message 1 could further include an ID of a requested XaaS service.
- the SPM-Authen transmits a message 2.
- a SPM-IDM receives the message 2.
- the message 2 is used to request authentication materials of the device and could be represented by an auth_material_request in FIG. 11.
- the authentication materials of the device may include the device’s certificate.
- the message 2 includes the ID of the device mentioned in S601.
- the SPM-IDM transmits a message 3.
- the SPM-Authen receives the message 3.
- the message 3 includes the authentication materials of the device and could be represented by an auth_material_response in FIG. 11.
- the authentication materials correspond to the ID of the device mentioned in S602.
- the authentication materials are obtained according to the authentication ID of the device.
- the authentication materials are obtained according to a temporary ID of the device, e.g., the temporary ID #3.
- the SPM-Authen launches a mutual authentication between the device and the SPM-Authen.
- the mutual authentication could be implemented according to an extensible authentication protocol-transport layer security (EAP-TLS) method, or other authentication solutions.
- This authentication mentioned above could be taken as an example of a primary authentication.
- a temporary ID of the device may be involved in a communication between the device and the network.
- the method 600 could further include step S605 to S607.
- the SPM-Authen shall request a temporary ID of the device for privacy protection.
- the SPM-Authen may request a new temporary ID (e.g., a temporary ID #4) of the device for the next time window according to a current temporary ID (e.g., the temporary ID #3) of the device.
- the SPM-Authen transmits a message 5.
- a SPM-IDM receives the message 5.
- the message 5 is used to request a temporary ID (e.g., a temporary ID #4) of the device.
- the message 5 could be represented by a Tem_ID_request in FIG. 11.
- the message 5 could be taken as an example of the fourth request mentioned in the method 500.
- the message 5 includes an ID of the device, e.g., the authentication ID of the device or the temporary ID #3 mentioned above.
- the SPM-IDM generates a temporary ID of the device.
- the temporary ID #4 is generated related to the authentication ID of the device or the temporary ID #3.
- the SPM-IDM could store or maintain the temporary ID of the device.
- the SPM-IDM transmits a message 7.
- the SPM-Authen receives the message 7.
- the message 7 could be a response to the message 5 and could be represented by a Tem_ID_reponse in FIG. 11.
- the message 7 includes a temporary ID of the device.
- the message 7 includes the temporary ID #4 mentioned above.
- the message 7 could be taken as an example of the twelfth message mentioned in the method 500.
- the SPM-Authen transmits a message 8.
- a SPM-KMF receives the message 8.
- the message 8 is used to request a shared key for the device and network.
- the message 8 could be represented by a Nego_sharekey_request in FIG. 11.
- the message 8 shall include a temporary ID of the device.
- the shared key could be associated with this temporary ID of the device.
- the shared key could be used to generate keys used for protection of a communication between the device and the network. For example, keys used for protection of a C/M session between the device and a C/M-TW-GW could be generated based on the shared key.
- when the mutual authentication is performed according to the authentication ID of the device, the SPM-Authen shall request and obtain a temporary ID of the device for privacy protection.
- the message 8 could include this temporary ID of the device and the shared key is associated with this temporary ID.
- this temporary ID could be included in the message 8 to request the shared key.
- the shared key is associated with the temporary ID #3.
- steps S605 to S607 could be skipped in this scenario.
- when a new temporary ID of the device (e.g., the temporary ID #4) is obtained, the shared key is generated and associated with the temporary ID #4.
- the message 8 could further include information generated during the mutual authentication.
- the SPM-KMF transmits a message 9.
- the SPM-Authen receives the message 9.
- the SPM-KMF could negotiate a shared key with the SPM-Authen.
- the message 9 shall include the shared key.
- the shared key could be a root key, or a long-term key, e.g., an extended master session key.
- the message 9 could be a response to the message 8, and could be represented by a Nego_sharekey_reponse in FIG. 11.
- the SPM-KMF transmits a message 10.
- the device receives the message 10.
- the message 10 is a response for the access request and could be represented by an access_reponse in FIG. 11.
- the message 10 could include the shared key and the ID of the device that the shared key is associated with.
- interfaces for a unified mutual authentication service could be provided.
- the authentication could be decoupled from the ID management, and the authentication could be decoupled from the key management. It could provide privacy protection of identity and enable anonymous communications.
- This access request shall include an ID of the client; this ID is pre-assigned to the client when the client registers to the CA. This ID could be an authentication ID.
- This access request may include an ID of a requested XaaS service. This access request corresponds to the message 1 in S601.
- the SPM-Authen sends an auth_material request to a SPM-IDM.
- the request shall include the ID of the client.
- the auth_material request corresponds to the message 2 in S602.
- the SPM-IDM sends an auth_material response to the SPM-Authen. This response shall include authentication materials corresponding to the ID of the client.
- the auth_material response corresponds to the message 3 in S603. Later, the SPM-Authen launches a mutual authentication between the client and the SPM-Authen. A method for implementing the mutual authentication could be EAP-TLS, or other existing authentication solutions.
- the SPM-Authen sends a TemID_request to the SPM-IDM.
- the TemID_request corresponds to the message 5 in S605.
- the SPM-IDM generates a temporary ID and sends a TemID_response that includes the temporary ID to the SPM-Authen.
- the TemID_response corresponds to the message 7 in S607.
- the SPM-Authen sends a Nego_sharekey request to a SPM-KMF.
- This request may include the temporary ID, information that generated during a mutual authentication.
- the Nego_sharekey request corresponds to the message 8 in S608.
- the SPM-KMF sends a Nego_sharekey response to the SPM-Authen.
- This response may include a negotiated shared key.
- the Nego_sharekey response corresponds to the message 9 in S609.
- the SPM-Authen sends an access response, including the temporary ID and the negotiated shared key, to the client.
- the access response corresponds to the message 10 in S610.
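An added example, not from the patent, for the key-management side of method 600 (S608 to S610) and the statement above that session keys for a C/M session or a data session can be generated from the shared key. The patent names an extended master session key as a possible shared key but fixes no derivation function; HKDF (RFC 5869, implemented here over HMAC-SHA256) and the labels in the `info` strings are assumptions. The temporary ID and time window are bound into the derivation, so the key refresh that follows a new temporary ID is a re-expansion of the same shared key rather than a fresh EAP-TLS run, which is the overhead reduction the decoupling of authentication from key management is meant to give.

```python
import hmac
import hashlib

# Added example (not from the patent): HKDF-style derivation of session keys from the shared key
# negotiated with the SPM-KMF, bound to the device's current temporary ID. HKDF itself and the
# labels below are assumptions; the patent does not specify the key derivation.


def hkdf_extract(salt, ikm):
    """HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand: OKM = T(1) || T(2) || ..., T(i) = HMAC(PRK, T(i-1) || info || i), cut to length."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_keys(shared_key, temp_id, time_window):
    """Keys for a C/M session and a data session, both bound to the device's temporary ID.

    Returns a dict of 32-byte keys. The same shared key with another temporary ID or another
    time window yields unrelated keys, so a refresh reruns only this expansion.
    """
    # The temporary ID and time window go into the salt, so the PRK already differs per window.
    prk = hkdf_extract(f"{temp_id}|{time_window}".encode(), shared_key)
    return {
        "cm_session_key": hkdf_expand(prk, b"SPM C/M session key", 32),
        "data_session_key": hkdf_expand(prk, b"SPM data session key", 32),
    }


def refresh_keys(shared_key, old_temp_id, new_temp_id, time_window):
    """Refresh after the SPM-IDM issued a new temporary ID: no re-authentication, only re-derivation."""
    old = derive_session_keys(shared_key, old_temp_id, time_window)
    new = derive_session_keys(shared_key, new_temp_id, time_window + 1)
    return old, new


if __name__ == "__main__":
    shared = b"\x0b" * 48   # constructed stand-in for the negotiated shared key
    old, new = refresh_keys(shared, "tmp-3", "tmp-4", time_window=1)
    print(old["cm_session_key"].hex())
    print(new["cm_session_key"].hex())
```

A deployment would hold the shared key in the SPM-KMF and the device only, and hand the SPM-Author or gateways nothing but the derived session keys (the "information of the keys" in the tenth message), which is what keeps the long-term key out of the per-service path.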
- a device may subscribe to a service provided by a XaaS service with the help of the network.
- a SPM-Author could negotiate with a service provider on behalf of the device for a service subscription. This prevents the service provider from knowing a real ID of the device.
- the service subscription could be stored in a SPM-UDM. This could provide anonymous service subscription to the XaaS service for the device.
- a SPM-Author could grant permission to the device after the device is successfully authenticated by a SPM-Authen.
- a session key used for security protection on service data or used for security protection of a communication between the device and the XaaS service may be negotiated by a SPM-KMF.
- a SPM-Authen only knows the exact client, but does not know which XaaS service is provided to the client. This could protect client ID privacy and service privacy.
- FIG. 12 is a schematic flowchart of a method 700 according to some embodiments of the present application.
- FIG. 12 illustrates an example of a call flow of a procedure of a service subscription. The following separately describes steps involved in the method 700 in detail.
- a device transmits a message 1.
- a SPM-Author receives the message 1.
- the message 1 is used to request for a subscription to a service for the device.
- the message 1 could be represented by a subscribe_request in the FIG. 12.
- the service could be provided by a XaaS service.
- the message 1 could include a temporary ID of the device and information of a requested service.
- the information of the requested service could include, but is not limited to, at least one of: the service’s ID, the service’s name, a type of the service, and requirements for the service.
- the SPM-Author negotiates the service subscription with a XaaS service.
- the SPM-Author could negotiate with a XaaS service (i.e., a service provider) on behalf of the device for the service subscription, and obtain a service subscription for the device.
- the service subscription corresponds to the temporary ID of the device.
- the SPM-Author transmits a message 3.
- a SPM-UDM receives the message 3.
- the message 3 is used to request for a storage of the service subscription.
- the message 3 could be represented by a subs_store_request in the FIG. 12.
- the message 3 could include the service subscription and the temporary ID of the device.
- the message 3 could be taken as an example of the second request mentioned in the method 500.
- the SPM-UDM transmits a message 4.
- the SPM-Author receives the message 4.
- the SPM-UDM could generate a service credential that is associated with the device’s temporary ID and the service subscription.
- the SPM-UDM could store or maintain the service credential.
- the message 4 is a response to the request for the storage of the service subscription.
- the message 4 could be represented by a subs_store_reponse in the FIG. 12.
- the message 4 could indicate a complete generation of the service credential.
- the message 4 could be taken as an example of the sixth message mentioned in the method 500.
- the SPM-Author transmits a message 5.
- the device receives the message 5.
- the message 5 could be a response to the request for the service subscription for the device.
- the message 5 could include the service subscription.
- the message 5 could be represented by a subscribe_response in the FIG. 12.
- a client sends a subscribe request, to request a subscription with a XaaS service, to a SPM-Author.
- This request shall include a temporary ID of the client and requested service information.
- This request corresponds to the message 1 in S701.
- the SPM-Author negotiates with a XaaS service provider on behalf of the client for the service subscriptions and obtains a service subscription for the client.
- the SPM-Author sends a subs_store request, including the service subscription and the temporary ID of the client, to a SPM-UDM.
- the subs_store request corresponds to the message 3 in S703.
- the SPM-UDM may generate a service credential that is associated with the client’s temporary ID and the service subscription.
- the SPM-UDM sends a subs_store response to the SPM-Author that may indicate complete generation of the service credential.
- the subs_store response corresponds to the message 4 in S704.
- the SPM-Author sends a subscribe response to the client. This response may include the service subscription.
- the subscribe response corresponds to the message 5 in S705.
- FIG. 13 is a schematic flowchart of a method 800 according to some embodiments of the present application.
- FIG. 8 illustrates an example of a call flow of a procedure of a service establishment. The following separately describes steps involved in the method 800 in detail.
- a device transmits a message 1 to a SPM-Author.
- the message 1 is used to request a service for the device.
- the message 1 could be represented by a service_request in the FIG. 13.
- the message 1 could include a temporary ID of the device.
- the message 1 could further include information of a requested service.
- the information of the requested service could include, but is not limited to, at least one of: the service’s ID, the service’s name, a type of the service, and requirements for the service.
- the SPM-Author selects a service and generates an authentication code.
- the SPM-Author could select a service for the device according to the information of the requested service. For example, the SPM-Author could select a service according to requirements for the requested service.
- the SPM-Author could generate an authentication code that is associated with the temporary ID of the device and an ID of the service.
- the SPM-Author transmits a message 3 to a SPM-Authen.
- the message 3 is used to request an authentication of the service for the device.
- the message 3 could be represented by an auth_request in the FIG. 13.
- the message 3 could include the temporary ID of the device.
- the message 3 could further include the authentication code.
- the message 3 could be taken as an example of the seventh message mentioned in the method 500.
- the SPM-Authen transmits a message 4 to a SPM-UDM.
- the message 4 is used to request authentication material and could be represented by an auth_material_request in the FIG. 13.
- the message 4 could include the temporary ID of the device.
- the authentication material could include the service credential mentioned in method 700.
- the message 4 could be taken as an example of the first request mentioned in the method 500.
- the SPM-UDM transmits a message 5 to the SPM-Authen.
- the message 5 is a response to the request for authentication material and could be represented by an auth_material_reponse in the FIG. 13.
- the message 5 could include a service credential that is associated with the temporary ID of the device.
- the message 5 could be taken as an example of the fifth message mentioned in the method 500.
- the SPM-Authen authenticates the device and the service.
- the SPM-Authen could authenticate the device and the service according to the service credential and the authentication code. This authentication could be referred to as a second authentication.
- the temporary ID of the device mentioned in method 700 may be different from the temporary ID mentioned in method 800.
- temporary ID #1 of the device may be used at the procedure of subscription to service #1, and the service credential stored in the SPM-UDM is associated with temporary ID #1.
- the device may use temporary ID #2 to request service #1 at the procedure of establishment of service #1.
- since the SPM-IDM is responsible for ID mapping, the relationship between temporary ID #1 and temporary ID #2 could be obtained from the SPM-IDM.
- the SPM-Authen transmits a message 7 to the SPM-Author.
- the message 7 could be a response to the request for the authentication and could be represented by an auth_reponse in the FIG. 13.
- the message 7 shall indicate a result of the authentication.
- the message 7 could be taken as an example of the eighth message mentioned in the method 500.
- the SPM-Author transmits a message 8 to a SPM-KMF.
- the message 8 could be used to request key materials and could be represented by a keymaterial_request in the FIG. 13. These key materials could be used for security protection of service data on the interface I and/or interface II in subsequent security procedures.
- the message 8 could include the temporary ID of the device.
- the message 8 could be taken as an example of the ninth message mentioned in the method 500.
- the SPM-KMF transmits a message 9 to the SPM-Author.
- the SPM-KMF could generate security parameters for configuration on a security tunnel between the device and the XaaS service.
- the message 9 could include these security parameters.
- the message 9 could be represented by a keymaterial_reponse in the FIG. 13.
- the message 9 could be taken as an example of the tenth message mentioned in the method 500.
- the SPM-Author sets up a secure tunnel between the device and a XaaS service.
- the secure tunnel between the device and the XaaS service could be set up by another network function, e.g., an access management function.
- in that case the SPM-Author could transmit a message to the network function that is responsible for the setup of the secure tunnel.
- the SPM-Author transmits a message 11 to the device.
- the message 11 could be a response to the service request of the device and could be represented by a service_reponse in the FIG. 13.
- the message 11 could include security parameters.
- interfaces for an anonymous authorization for services could be provided.
- the service profile and the ID profile could be decoupled according to the embodiments mentioned above. It could provide anonymous authorization, and could protect device’s ID privacy and the service privacy.
- a client sends a service request to a SPM-Author.
- This request shall include a temporary ID of the client and the required service information.
- the service request corresponds to the message 1 in S801.
- the SPM-Author may select a service according to the requirement of the service information.
- the SPM-Author generates an authentication code that is associated with the temporary ID of the client and the service information (e.g., service ID) .
- the SPM-Author sends an auth_request to a SPM-Authen.
- This auth_request may include the authentication code and the temporary ID of the client.
- the auth_request corresponds to the message 3 in S803.
- the SPM-Authen sends an auth_material request to a SPM-UDM.
- This request may include the temporary ID of the client.
- This request corresponds to the message 4 in S804.
- the SPM-UDM sends an auth_material response to the SPM-Authen.
- This response may include a service credential that is associated with the temporary ID of the client.
- the auth_material response corresponds to the message 5 in S805.
- the SPM-Authen authenticates the client and the service according to the service credential and the authentication code.
- the SPM-Authen sends an auth_response to the SPM-Author. This response may include a completed authentication result.
- the auth_response corresponds to the message 7 in S807.
- the SPM-Author sends a keymaterial_request to a SPM-KMF.
- the keymaterial_request corresponds to the message 8 in S808.
- This SPM-KMF may generate security parameters for configuration on a secure tunnel between the client and the XaaS service.
- the SPM-KMF sends a keymaterial_response including the security parameters to the SPM-Author.
- the keymaterial_response corresponds to the message 9 in S809.
- the SPM-Author sets up a secure tunnel between the client and the XaaS service.
- the SPM-Author sends a service response to the client. This response may include security parameters.
- the service response corresponds to the message 11 in S811.
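The service-establishment exchange of FIG. 8 / FIG. 13 (messages 1 to 7, up to the authentication result) as an added, runnable model; this is example code written for this page, not code from the patent. The patent fixes neither the form of the authentication code nor that of the service credential, so the following are assumptions made for the illustration: the authentication code is an HMAC-SHA256 tag under a key shared by SPM-Author and SPM-Authen, the credential is a record bound to one service and stored under temporary ID #1, the SPM-IDM keeps a table of which temporary IDs belong to the same device, the service catalogue is a type-to-ID lookup, and all IDs are constructed.

```python
"""Model of the service-establishment flow of FIG. 8 / FIG. 13 (method 800).

Added example, not the patent's code. The HMAC-based authentication code,
the credential record, the Author/Authen shared key and the IDM alias table
are assumptions; all IDs are constructed.
"""
import hashlib
import hmac
import secrets


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (assumed encoding)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class SPMIDM:
    """ID mapping: temp ID #2 (used at service request) -> temp ID #1 (used at subscription)."""
    def __init__(self):
        self._canonical = {}

    def link(self, temp_id1: bytes, temp_id2: bytes) -> None:
        self._canonical[temp_id1] = temp_id1
        self._canonical[temp_id2] = temp_id1

    def resolve(self, temp_id: bytes):
        return self._canonical.get(temp_id)


class SPMUDM:
    """Stores the service credential created at subscription (method 700)."""
    def __init__(self, idm: SPMIDM):
        self._idm = idm
        self._cred = {}   # temp ID #1 -> credential record (assumed layout)

    def subscribe(self, temp_id1: bytes, service_id: bytes) -> None:
        self._cred[temp_id1] = {"service_id": service_id, "valid": True}

    def revoke(self, temp_id1: bytes) -> None:
        self._cred[temp_id1]["valid"] = False

    def auth_material_request(self, temp_id: bytes):   # message 4 -> message 5
        canonical = self._idm.resolve(temp_id)          # mapping obtained from the SPM-IDM
        return None if canonical is None else self._cred.get(canonical)


class SPMAuthen:
    def __init__(self, udm: SPMUDM, author_key: bytes):
        self._udm = udm
        self._author_key = author_key

    def auth_request(self, temp_id: bytes, auth_code: dict) -> bool:   # message 3 -> message 7
        # (1) the authentication code must bind this temp ID to the selected service
        expected = mac(self._author_key, temp_id, auth_code["service_id"], auth_code["nonce"])
        if not hmac.compare_digest(expected, auth_code["tag"]):
            return False
        # (2) the credential reached through the IDM mapping must cover that service
        cred = self._udm.auth_material_request(temp_id)
        return cred is not None and cred["valid"] and cred["service_id"] == auth_code["service_id"]


class SPMAuthor:
    def __init__(self, authen: SPMAuthen, author_key: bytes, catalogue: dict):
        self._authen = authen
        self._key = author_key
        self._catalogue = catalogue   # service type -> service ID (assumed selection rule)

    def service_request(self, temp_id: bytes, service_type: bytes) -> dict:   # message 1 -> message 11
        service_id = self._catalogue.get(service_type)                        # S802: select a service
        if service_id is None:
            return {"result": "rejected", "reason": "no matching service"}
        nonce = secrets.token_bytes(16)
        auth_code = {"service_id": service_id, "nonce": nonce,
                     "tag": mac(self._key, temp_id, service_id, nonce)}      # S802: authentication code
        if not self._authen.auth_request(temp_id, auth_code):               # S803 - S807
            return {"result": "rejected", "reason": "authentication failed"}
        return {"result": "accepted", "service_id": service_id}             # key material (S808 - S811) follows


def build():
    """Wire the NFs with constructed IDs; returns (author, udm, idm)."""
    idm, key = SPMIDM(), secrets.token_bytes(32)
    udm = SPMUDM(idm)
    author = SPMAuthor(SPMAuthen(udm, key), key, {b"video": b"svc-1", b"voice": b"svc-2"})
    udm.subscribe(b"temp-id-1", b"svc-1")    # subscription under temporary ID #1
    idm.link(b"temp-id-1", b"temp-id-2")     # the device now presents temporary ID #2
    return author, udm, idm


if __name__ == "__main__":
    author, _, _ = build()
    print(author.service_request(b"temp-id-2", b"video"))   # accepted via the ID mapping
    print(author.service_request(b"temp-id-2", b"voice"))   # rejected: credential covers svc-1 only
```

The SPM-Author never learns temporary ID #1; only the SPM-IDM and the SPM-UDM, which hold the mapping and the credential, see it. A request under an unlinked temporary ID or for a service the credential does not cover fails at the SPM-Authen, which is the check a practitioner should expect before any key material is requested.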
- the key management service could provide a hierarchy key management for the device.
- the key management service could be provided by one or more KMFs.
- a SPM-KMF-Session could generate keys for security protection on interface II.
- a SPM-KMF-RB could generate keys for security protection on interface I.
- a SPM-KMF-Session and a SPM-KMF-RB could be distributed among different network functions.
- a KMF #1 and a KMF #2 could be different network function, where the KMF #1 could be taken as an example of the SPM-KMF-Session and the KMF #2 could be taken as an example of the SPM-KMF-RB.
- a SPM-KMF-Session and a SPM-KMF-RB could be integrated into one network function, e.g., a KMF #3.
- the key management service could generate security parameters, and configure security parameters to the device side and the network side (e.g., configuring security parameters to an RB handler, a C/M-TW-GW or a Data-TW-GW) before activation of security protection on signaling or data.
- FIG. 14 is a schematic flowchart of a method 900 according to some embodiments of the present application.
- the basic concepts about these embodiments are: decouple authentication/authorization and key management.
- the key management service may provide hierarchical key management for a client: for example, a SPM-KMF-RB generates RB keys for security protection on interface I, and a SPM-KMF-Session generates session keys for security protection on interface II. This enables an efficient cryptographic method for signaling protection and data protection.
- the key management service provides generation of security parameters and configures them on the client side and on the network side (e.g., RB handler, serving C/M-TW-GW or serving Data-TW-GW) before activation of signaling protection and data protection.
- a primary authentication could be implemented according to the method 600.
- a second authentication could be implemented according to the method 800.
- a SPM-KMF-Session receives a request (represented by a key_request in the FIG. 14) for keys.
- the step S902 could include S902a or S902b.
- in S902a, a SPM-Authen transmits a message 2a to the SPM-KMF-Session to request keys.
- in S902b, a SPM-Author transmits a message 2b to the SPM-KMF-Session to request keys.
- the message 2a or message 2b could include a temporary ID of the device.
- the message 2a or message 2b could further include a shared key, e.g., the shared key mentioned in the method 600.
- the SPM-KMF-Session generates session keys.
- the session keys could be used for security protection on interface II.
- the session keys may include keys used for protection of a C/M session or keys used for protection of a data session.
- the session keys could be associated with the temporary ID of the device, the shared key and an ID of the SPM-KMF-Session.
- the SPM-KMF-Session transmits a message 4 to a SPM-KMF-RB.
- the message 4 could be used to request for RB keys and be represented by a RBkey_request in the FIG. 14.
- the RB keys could be used for security protection on interface I.
- the RB keys may include keys used for protection of the C/M RB or keys used for protection of the data RB.
- the message 4 could include the temporary ID of the device and the ID of the SPM-KMF-Session.
- the SPM-KMF-RB generates RB keys.
- the RB keys could be associated with the temporary ID of the device and an ID of the SPM-KMF-RB.
- the SPM-KMF-RB transmits a message 6 to the SPM-KMF-Session.
- the message 6 is a response to the request for the RB keys and could be represented by a RBkey_reponse in the FIG. 14.
- the message 6 could indicate a successful generation of the RB keys.
- the SPM-KMF-Session implements security activation on a network side.
- the SPM-KMF-Session transmits a response (represented by a key_response in the FIG. 14) to the request for the keys.
- the step S908 may include S908a or S908b.
- in S908a, the SPM-KMF-Session transmits a message 8a to the SPM-Authen.
- the message 8a could be used to configure keys used for protection of a C/M session.
- in S908b, the SPM-KMF-Session transmits a message 8b to the SPM-Author.
- the message 8b could be used to configure keys used for protection of a data session.
- interfaces for key management could be provided.
- the keys for security protection are generated by the KMF according to the embodiments mentioned above. This provides an efficient cryptographic method for signaling protection and data protection, and gives the network flexibility and scalability.
- a device may use a temporary ID that is different from the one associated with a service credential stored in the SPM-UDM.
- the SPM-IDM may transmit message to indicate relationship between different IDs of the device.
- a SPM-Authen or SPM-Author may send a key request to a SPM-KMF-Session.
- This request may include a temporary ID of a client. This request corresponds to the message 2a in S902a or the message 2b in S902b.
- This request may include a shared key, i.e., the negotiated shared key shown in FIG. 8. The SPM-KMF-Session generates a session key for security protection on interface II.
- This session key is associated with the temporary ID of the client, the negotiated shared key and the ID of the SPM-KMF-Session.
- the step of generating the session key by the SPM-KMF-Session corresponds to the step S903.
- the SPM-KMF-Session sends an RB key request to a SPM-KMF-RB.
- This request may include the ID of the SPM-KMF-Session and the temporary ID of the client.
- This request corresponds to the message 4 in S904.
- the SPM-KMF-RB generates an RB key.
- This RB key is associated with the ID of the SPM-KMF-RB and the temporary ID of the client.
- a step for generating the RB key corresponds to the step S905.
- the SPM-KMF-RB sends an RB key response to the SPM-KMF-Session.
- the RB key response corresponds to the message 6 in S906.
- the SPM-KMF-Session implements security activation on a network side.
- the SPM-KMF-Session sends a key response to the SPM-Authen or the SPM-Author.
- the key response corresponds to the message 8a in S908a or the message 8b in S908b. Then, security configuration on the client is triggered.
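The key hierarchy of FIG. 14 (messages 2a/2b to 8a/8b) as an added, runnable model; this is example code written for this page, not code from the patent. The patent states only which inputs each key is associated with (session keys: temporary ID, shared key, ID of the SPM-KMF-Session; RB keys: temporary ID, ID of the SPM-KMF-RB), so the HKDF-SHA256 derivation, the label strings, a private root secret held by the SPM-KMF-RB, and the two dictionaries standing in for the network-side RB handler and TW-GWs are assumptions; the IDs and the shared key are constructed.

```python
"""Model of the hierarchical key management of FIG. 14.

Added example, not the patent's code. HKDF-SHA256, the labels, the RB-KMF's
own root secret and the network-side stores are assumptions.
"""
import hashlib
import hmac
import secrets

LABELS = ("cm", "data")   # keys for the C/M session or RB and for the data session or RB


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869), extract then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class SPMKMFRB:
    """Generates RB keys for interface I and configures the RB handler itself."""
    def __init__(self, kmf_id: bytes):
        self.kmf_id = kmf_id
        self._root = secrets.token_bytes(32)   # assumed: the RB-KMF's own secret, never shared
        self.rb_handler = {}                   # network side: temp ID -> RB keys

    def rbkey_request(self, temp_id: bytes, session_kmf_id: bytes) -> bool:   # message 4 -> message 6
        # RB keys depend on the temp ID and this KMF's ID only, not on the shared key
        keys = {name: hkdf(self._root, temp_id, b"RB|" + name.encode() + b"|" + self.kmf_id)
                for name in LABELS}
        self.rb_handler[temp_id] = keys        # interface I protection configured here
        return True                            # message 6 reports success; the keys are not returned


class SPMKMFSession:
    """Generates session keys for interface II and drives the SPM-KMF-RB."""
    def __init__(self, kmf_id: bytes, rb_kmf: SPMKMFRB):
        self.kmf_id = kmf_id
        self._rb_kmf = rb_kmf
        self.tw_gw = {}   # network side: temp ID -> session keys (C/M-TW-GW, Data-TW-GW)

    def derive_session_keys(self, temp_id: bytes, shared_key: bytes) -> dict:
        return {name: hkdf(shared_key, temp_id, b"SESSION|" + name.encode() + b"|" + self.kmf_id)
                for name in LABELS}

    def key_request(self, temp_id: bytes, shared_key: bytes) -> dict:   # message 2a/2b -> 8a/8b
        session_keys = self.derive_session_keys(temp_id, shared_key)    # S903
        if not self._rb_kmf.rbkey_request(temp_id, self.kmf_id):        # S904 - S906
            raise RuntimeError("RB key generation failed")
        self.tw_gw[temp_id] = session_keys                              # S907: network-side activation
        return {"temp_id": temp_id, "session_keys": session_keys}       # S908: client configuration follows


if __name__ == "__main__":
    rb = SPMKMFRB(b"kmf-rb-1")
    ks = SPMKMFSession(b"kmf-session-1", rb)
    resp = ks.key_request(b"temp-id-1", secrets.token_bytes(32))   # constructed shared key
    print(resp["session_keys"]["cm"].hex())
    print(rb.rb_handler[b"temp-id-1"]["cm"].hex())
```

Two properties of the split are worth checking: changing the negotiated shared key changes the interface II session keys but leaves the interface I RB keys untouched, and the RB keys never leave the SPM-KMF-RB, so a KMF #1 / KMF #2 deployment compromising only the session KMF does not expose the RB keys.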
- FIG. 15 is an example of a method 1000 according to some embodiments of the present application.
- a device transmits a message 1 to an access management function.
- the access management function could be a gateway, or an AMF in a 5th generation network.
- the message 1 is used to request an access to a service.
- the message 1 could include a temporary ID of the device, e.g., a current temporary ID of the device.
- the message 1 could further include a service ID and an ID of a service provider that provides or deploys the service.
- the message 1 could further include requirements for a service required by the device.
- the access management function transmits a message 2 to a SPM-Author.
- the message 2 is used to request an authorization of the service for the device.
- the message 2 could include the temporary ID of the device.
- the message 2 may include at least one of: the ID of the service, the ID of the service provider, or requirements for a requested service.
- the SPM-Author transmits a message 3 to a SPM-UDM.
- the message 3 is used to request service profile.
- the service profiles may include but not limited to: information of subscription of the service, or information of the service provider.
- the message 3 includes the temporary ID of the device. In some embodiments, the message 3 could further include the ID of the service and the ID of the service provider.
- the message 3 could be taken as an example of the first message in the method 500.
- the SPM-UDM creates a temporary session ID.
- the SPM-UDM could generate or create a temporary ID of a session that is a communication related to the authentication and/or authorization procedure of the service for the device.
- the temporary ID of the session (also be referred to as a temporary session ID) is associated with the temporary ID of the device.
- the temporary session ID provides linkability between different IDs of the device while avoiding disclosure of these IDs. In other words, the use of the temporary session ID protects ID privacy.
- the temporary session ID could be used at a communication related to the authentication and/or authorization procedure of the service for the device.
- the SPM-UDM transmits a message 5 to a SPM-IDM.
- the message 5 is used to request an ID query.
- the message 5 could include the temporary ID of the device and the temporary session ID.
- the message 5 could be taken as an example of the third message in the method 500.
- the SPM-IDM implements ID mapping.
- the SPM-IDM could query other ID (s) of the device according to the current temporary ID of the device.
- the SPM-IDM could determine an ID of the device that is associated with device’s service profiles.
- the SPM-IDM transmits a message 7 to the SPM-UDM.
- the message 7 is a response to the request for ID query.
- the message 7 could include the ID of the device that is associated with the device’s service profiles.
- the message 7 could be taken as an example of the fourth message in the method 500.
- the SPM-UDM implements identification on the device.
- the SPM-UDM could identify the device based on the message 7.
- the SPM-UDM transmits a message 9 to the SPM-Author.
- the message 9 could be a response to the request of service profile.
- the message 9 could include the temporary session ID and the device’s service profiles.
- the message 9 could be taken as an example of the second message in the method 500.
- the SPM-Author selects one or more services for the device.
- the SPM-Author could select a service from a plurality of services for the device based on the service requirements.
- the SPM-Author transmits a message 11 to the SPM-Authen.
- the message 11 is a request for authentication on the device and the service.
- the message 11 could be taken as an example of the seventh message in the method 500.
- the message 11 could include the temporary session ID, and at least one of: the service’s ID or the ID of the service provider.
- the SPM-Authen transmits a request for security materials.
- the SPM-Authen receives a response to the request for security materials.
- the step S1012 may include S1012a and S1012b.
- the step S1013 could include S1013a and S1013b.
- the SPM-Authen transmits a message 12a to the SPM-UDM.
- the message 12a may be used to request security materials stored at the SPM-UDM side.
- the message 12a could include the temporary session ID, and at least one of: the service’s ID or the ID of the service provider.
- the security materials stored at the SPM-UDM side could be used for authentication on the selected service or the selected service provider.
- the security materials stored at the SPM-UDM side could include a service credential.
- the message 12a could be taken as an example of the first request in the method 500.
- the SPM-UDM transmits a message 13a to the SPM-Authen.
- the message 13a could be a response to the message 12a.
- the message 13a could include security materials that are stored at the SPM-UDM side and associated with the service’s ID.
- the message 13a could be taken as an example of the fifth message in the method 500.
- the SPM-Authen transmits a message 12b to the SPM-IDM.
- the message 12b may be used to request security materials stored at the SPM-IDM side.
- the message 12b could include the temporary session ID.
- the security materials stored at the SPM-IDM side could be used for authentication on the device.
- the security materials stored at the SPM-IDM side could include the device’s certificate.
- the message 12b could be taken as an example of the third request in the method 500.
- the SPM-IDM transmits a message 13b to the SPM-Authen.
- the message 13b could be a response to the message 12b.
- the message 13b could include security materials stored at the SPM-IDM side.
- the message 13b could be taken as an example of the eleventh message in the method 500.
- the SPM-Authen implements authentication on the device and the service provider.
- the SPM-Authen implements authentication on the device and authentication on the selected service provider/the selected service.
- the SPM-Authen transmits a message 15 to the SPM-Author.
- the message 15 could be a response to the request for the authentication on the device and the service.
- the message 15 could include an indication of a result of the authentication.
- the message 15 could be taken as an example of the eighth message in the method 500.
- the SPM-Author implements authorization for the device.
- the SPM-Author could implement service authorization for the device according to the result of the authentication.
- the SPM-Author could transmit a message 20 to the device.
- the message 20 could indicate a failure of the authentication.
- the SPM-Author could determine whether security protection is needed. In this scenario, the message 20 could indicate a success of the authentication.
- the SPM-Author transmits a message 17 to a SPM-KMF.
- the message 17 is used to request for key materials.
- the message 17 could include the temporary ID of the device.
- the message 17 could be taken as an example of the ninth message in the method 500.
- the SPM-KMF generates keys materials.
- the SPM-KMF could generate key materials that are used for security protection of communications on interface I and/or interface II when the service is implemented.
- the SPM-KMF transmits a message 19 to the SPM-Author.
- the message 19 could include these key materials.
- the message 19 could be taken as an example of the tenth message in the method 500.
- the SPM-Author transmits a message 20 to the access management function.
- the message 20 could include key materials, and at least one of: the service’s ID and the service provider’s ID.
- the access management function sets up a secure tunnel among the device, the service provider and the network.
- the access management function transmits a message 21 to the device.
- the message 21 could be a response to the request of the access to the service.
- the message 21 could include an indication of authentication result.
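The temporary-session-ID part of FIG. 15 (messages 2 to 15: service profile request, ID query, security material requests, authentication, authorization decision) as an added, runnable model; this is example code written for this page, not code from the patent. The point it makes checkable is who learns which identifier: the SPM-Author sees only the device's current temporary ID and the temporary session ID, while the ID tied to the service profile stays inside the SPM-UDM and the SPM-IDM. The record layouts, the 8-byte random session ID, the placeholder credential and certificate, and the authentication check (credential exists for the service and names the certificate the SPM-IDM holds) are assumptions; all IDs are constructed.

```python
"""Model of the service access flow of FIG. 15 with a temporary session ID.

Added example, not the patent's code. Record layouts, the random session ID,
the placeholder credential/certificate and the authentication check are
assumptions; all IDs are constructed.
"""
import secrets


class SPMIDM:
    """ID mapping plus the device-side security material (certificate)."""
    def __init__(self):
        self._profile_id = {}   # current temp ID -> ID associated with the service profile
        self._certs = {}        # profile ID -> device certificate (placeholder record)
        self._sessions = {}     # temp session ID -> profile ID

    def enrol(self, profile_id: bytes, temp_id: bytes, certificate: dict) -> None:
        self._profile_id[temp_id] = profile_id
        self._certs[profile_id] = certificate

    def id_query(self, temp_id: bytes, session_id: bytes):            # message 5 -> message 7
        profile_id = self._profile_id.get(temp_id)                    # S1006: ID mapping
        self._sessions[session_id] = profile_id                       # linkage kept here, not at the Author
        return profile_id

    def security_material_request(self, session_id: bytes):           # message 12b -> message 13b
        return self._certs.get(self._sessions.get(session_id))


class SPMUDM:
    """Service profiles and service credentials, keyed by the profile ID."""
    def __init__(self, idm: SPMIDM):
        self._idm = idm
        self._profiles = {}   # (profile ID, service ID) -> service profile
        self._creds = {}      # (profile ID, service ID) -> service credential
        self._sessions = {}   # temp session ID -> profile ID

    def subscribe(self, profile_id: bytes, service_id: bytes, profile: dict, credential: dict) -> None:
        self._profiles[(profile_id, service_id)] = profile
        self._creds[(profile_id, service_id)] = credential

    def service_profile_request(self, temp_id: bytes, service_id: bytes):   # message 3 -> message 9
        session_id = secrets.token_bytes(8)                                 # S1004: temporary session ID
        profile_id = self._idm.id_query(temp_id, session_id)                # S1005 - S1007
        self._sessions[session_id] = profile_id                             # S1008: identification
        return session_id, self._profiles.get((profile_id, service_id))    # no device ID in the response

    def security_material_request(self, session_id: bytes, service_id: bytes):   # message 12a -> 13a
        return self._creds.get((self._sessions.get(session_id), service_id))


class SPMAuthen:
    def __init__(self, udm: SPMUDM, idm: SPMIDM):
        self._udm, self._idm = udm, idm

    def auth_request(self, session_id: bytes, service_id: bytes) -> bool:   # message 11 -> message 15
        cred = self._udm.security_material_request(session_id, service_id)
        cert = self._idm.security_material_request(session_id)
        # assumed check: a credential for this service exists and names the device's certificate
        return cred is not None and cert is not None and cred["cert_id"] == cert["id"]


class SPMAuthor:
    """Authorization NF; 'seen' records every identifier it handles."""
    def __init__(self, udm: SPMUDM, authen: SPMAuthen):
        self._udm, self._authen = udm, authen
        self.seen = []

    def authorization_request(self, temp_id: bytes, service_id: bytes):   # message 2 -> message 20
        self.seen.append(temp_id)
        session_id, profile = self._udm.service_profile_request(temp_id, service_id)
        self.seen.append(session_id)
        if profile is None:
            return False, session_id
        ok = self._authen.auth_request(session_id, service_id)              # S1011 - S1015
        return ok, session_id                                               # S1016: authorization decision


def run_example():
    """Returns (authorized, profile_id_seen_by_author) for a constructed device."""
    idm = SPMIDM()
    udm = SPMUDM(idm)
    author = SPMAuthor(udm, SPMAuthen(udm, idm))
    profile_id, temp_id = b"profile-id-7", b"temp-id-now"   # constructed second and first IDs
    idm.enrol(profile_id, temp_id, {"id": b"cert-7"})
    udm.subscribe(profile_id, b"svc-1", {"subscribed": True}, {"cert_id": b"cert-7"})
    ok, _ = author.authorization_request(temp_id, b"svc-1")
    return ok, profile_id in author.seen


if __name__ == "__main__":
    print(run_example())   # (True, False): authorized, profile ID never reached the Author
```

Because the SPM-Authen addresses both the SPM-UDM and the SPM-IDM by the temporary session ID alone, neither the authentication nor the authorization function needs the profile-bound ID, which is the decoupling the embodiment claims.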
- FIG. 16 is a schematic block diagram of a communication apparatus 10 according to some embodiments of the present application.
- the communication apparatus may be a communication device or an apparatus applied to the communication device and capable of realizing corresponding functions of any one of the network functions in the embodiments of the present application, for example, the apparatus may be a chip, a chip system or a circuit, which is not limited.
- the communication device may be a first SPM NF, a second SPM NF, a third SPM NF, a fourth SPM NF or a fifth SPM NF, or the chip installed in any one of these network functions.
- the communication apparatus 10 includes a processing module 11.
- the processing module 11 may be a processor, a processing circuit, a processing board, a processing unit, or a processing device, et al.
- the processing module 11 is configured to implement processing and/or operations implemented inside the communication apparatus, except sending and receiving actions.
- the communication apparatus 10 may further include a communication module 12.
- the communication module 12 is configured to implement a sending action and/or a receiving action.
- the communication module 12 also may be called a transceiver module, a transceiver, or a transceiver device, et al, and is configured to implement operations of receiving (which may be referred to as inputting) and/or sending (which may be referred to as an outputting) .
- the communication module 12 could be configured to receive the first message.
- the communication module 12 could further be configured to transmit the first message.
- the communication module 12 could be configured to transmit the first message.
- the communication module 12 could further be configured to receive the first message.
- the communication module 12 could be configured to receive the third message.
- the communication module 12 could further be configured to transmit the fourth message.
- FIG. 17 is a schematic block diagram of a communication apparatus according to an embodiment of the present application.
- the communication apparatus 20 includes at least one processor 21.
- the at least one processor 21 is coupled to at least one memory 22.
- the at least one memory 22 is configured to store one or more instructions and/or executable computer code.
- the at least one processor 21 is configured to invoke the one or more instructions and/or executable computer code, so that the communication apparatus 20 implements the method provided in the embodiments of the present application.
- the communication apparatus 20 may further include the at least one memory 22.
- the communication apparatus 20 may further include at least one communication interface 23, and the at least one communication interface 23 is configured to input and/or output information or data.
- the communication apparatus 20 may be any one of the network functions in the method embodiments.
- the communication apparatus 20 may be a first SPM NF, a second SPM NF, a third SPM NF, a fourth SPM NF or a fifth SPM NF.
- the processor 21 may be a baseband apparatus, and the communication interface 23 may be a radio frequency apparatus.
- the communication apparatus 20 may be a chip (or a chip system) installed at a communication device such as a first SPM NF, a second SPM NF, a third SPM NF, a fourth SPM NF or a fifth SPM NF.
- the processor 21 may be a circuit, for example, a logic circuit, an integrated circuit, etc.
- the communication interface 23 may be a transceiver, an interface circuit, an input/output interface, a bus, a module, a pin, or other types of interfaces.
- An embodiment of the present application further provides a communication system.
- the communication system may include any one of communication apparatuses according to any one of the method embodiments.
- the communication system may include one or more of the following network functions: a first SPM NF, a second SPM NF, a third SPM NF, a fourth SPM NF or a fifth SPM NF.
- the communication system may further include a device (e.g., a UE) or other network functions, which is not limited.
- An embodiment of the present application further provides a computer storage medium, and the computer storage medium may store one or more instructions for executing any of the foregoing methods.
- An embodiment of the present application further provides a computer program product, and the computer program product may store one or more instructions for executing any of the foregoing methods.
- a and/or B may represent the following three cases: Only A exists, both A and B exist, and only B exists.
- the character “/” generally indicates an “or” relationship between the associated objects.
- At least one means one or more.
- "At least one of A and B" , similar to "A and/or B" , describes an association relationship between associated objects and represents that three relationships may exist.
- at least one of A and B may represent the following three cases: Only A exists, both A and B exist, and only B exists.
- the disclosed system, apparatus, and method may be implemented in other manners.
- the described apparatus embodiment is merely an example.
- the unit division is a logical function division and other methods of division may be used in an actual embodiment.
- a plurality of units or components may be combined or integrated into another system, or some features may be ignored or not performed.
- the displayed or discussed mutual couplings or direct couplings or communication connections may be implemented using various communication interfaces.
- the indirect couplings or communication connections between the apparatuses or units may be implemented in electronic, mechanical, or other forms.
- function units in the embodiments of this application may be integrated into one processing unit, each of the units may exist alone physically, or two or more units may be integrated into one unit.
- When the functions are implemented in the form of a software functional unit and sold or used as an independent product, the functions may be stored in a computer-readable storage medium.
- the technical solutions of this application may be implemented in the form of a software product.
- the software product is stored in a storage medium, and includes several instructions for instructing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of this application.
- the foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, an optical disc or the like.
- the units described as separate parts may be or may not be physically separate, and parts displayed as units may be or may not be physical units, may be located in one position, or may be distributed on a plurality of network units. Some or all of the units may be selected based on actual requirements to achieve the objectives of the solutions of the embodiments.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Embodiments of this application provide a method and an apparatus for communication. The method includes: receiving a first message from a second service provision management (SPM) network function (NF), where the first message is used to request first information of a service, the first message includes a first identifier (ID) of a device, the first information of the service is related to a second ID of the device, and the first information of the service is used for granting the device a permission to access the service; determining an ID of a communication related to an authentication and/or authorization procedure of the service for the device, where the ID of the communication is associated to the first ID of the device and is used to identify the device by at least one network function related to the authentication and/or authorization procedure; and transmitting a second message to the second SPM NF, where the second message includes the first information of the service and the ID of the communication. It could decouple authentication functionality and authorization functionality. It could provide anonymous authorization and protect device's ID privacy and service privacy.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
The present application is related to, and claims priority to, United States provisional patent application Serial No. 63/586,453, entitled “A FRAMEWORK OF SERVICE PROVISION MANAGEMENT (SPM) IN THE FUTURE NETWORK” , and filed on September 29, 2023.
The disclosure of the aforementioned application is hereby incorporated by reference in its entirety.
Embodiments of the present invention relate to the field of communications technologies, and more specifically, to a method and an apparatus for communication.
Security procedures between a device (e.g., a UE) and network functions are involved when the device is capable of connecting to a network. In a future network, services for authentication, key management and authorization may be implemented by different network functions, and it may be difficult to effectively protect privacy during implementation of these services.
Embodiments of this application provide a communication method and related apparatus, which can decouple authentication functionality and authorization functionality and can effectively protect privacy during an authorization procedure.
According to a first aspect, an embodiment of the present application provides a method for communication, and the method may be performed by a first service provision management (SPM) network function (NF) or a chip installed in the first SPM NF. The method includes: receiving a first message from a second SPM NF, where the first message is used to request first information of a service, the first message includes a first identifier (ID) of a device, the first information of the service is associated with a second ID of the device, the first information of the service is used for granting the device a permission to access the service, the first ID of the device is used in a communication between the device and a serving network, and the second ID of the device is associated with the service; determining an ID of a communication associated with an authentication and/or authorization procedure of the service for the device based on the first message, where the ID of the communication is associated to the first ID of the device and is used to identify the device by at least one network function associated with the authentication and/or authorization procedure; and transmitting a second message to the second SPM NF, where the second message includes the first information of the service and the ID of the communication.
According to the above-mentioned technical solution, authentication functionality and authorization functionality could be decoupled. It could provide anonymous authorization and protect device’s ID privacy and service privacy.
With reference to the first aspect, in some embodiments, the method further includes: transmitting a third message to a third SPM NF, where the third message is used to obtain the second ID of the device, and the third message includes the ID of the communication and the first ID of the device; and receiving a fourth message from the third SPM NF, where the fourth message includes the second ID of the device, the second ID of the device is determined based on the first ID of the device.
According to the above-mentioned technical solution, authorization functionality and identity management functionality could be decoupled. It could support anonymous communications.
With reference to the first aspect, in some embodiments, the method further includes: determining the first information of the service based on the second ID of the device.
With reference to the first aspect, in some embodiments, the method further includes: receiving a first request for a credential of the service for the device from a fourth SPM NF, where the first request includes the ID of the communication, and the first request further includes an ID of the service or an ID of a service provider that provides the service; and transmitting a fifth message to the fourth SPM NF, where the fifth message includes the credential of the service for the device.
With reference to the first aspect, in some embodiments, the method further includes: receiving a second request from the second SPM NF, where the second request includes the second ID of the device and the first information of the service; and generating and storing a credential of the service for the device, where the credential of the service for the device is associated with the second ID of the device and the first information of the service.
With reference to the first aspect, in some embodiments, the method further includes: transmitting a sixth message to the second SPM NF, where the sixth message indicates a generation of the credential of the service for the device.
According to a second aspect, an embodiment of the present application provides a method for communication, and the method may be performed by a second SPM NF or a chip installed in the second SPM NF. The method includes:
transmitting a first message to a first SPM NF and receiving a second message from the first SPM NF.
The first message includes a first ID of the device. The first message is used to request first information of a service for a device. The first information of the service is associated with a second ID of the device, and the first information of the service is used for granting the device a permission to access the service. The first ID of the device is used in a communication between the device and a serving network, and the second ID of the device is associated with the service. The second message includes the first information of the service and an ID of a communication associated with an authentication and/or authorization procedure of the service for the device. The ID of the communication is associated to the first ID of the device and is used to identify the device by at least one network function associated with the authentication and/or authorization procedure.
With reference to the second aspect, in some embodiments, the method further includes: transmitting a seventh message to a fourth SPM NF, where the seventh message is used to request an authentication of the service for the device, the seventh message includes the ID of the communication, and the seventh message further includes an ID of the service or an ID of a network function that provides the service; and receiving an eighth message from the fourth SPM NF, where the eighth message includes an indication of a result of the authentication of the service for the device.
With reference to the second aspect, in some embodiments, the method further includes: transmitting a ninth message to a fifth SPM NF, where the ninth message is used to request keys used for protection of a communication associated with the service; and receiving a tenth message from the fifth SPM NF, where the tenth message includes information of the keys.
With reference to the second aspect, in some embodiments, the method further includes: transmitting a second request to the first SPM NF, where the second request includes the second ID of the device and the first information of the service, the second request indicates a storage of a credential of the service for the device, and the credential of the service for the device is associated with the second ID of the device and the first information of the service.
With reference to the second aspect, in some embodiments, the method further includes: receiving a sixth message from the first SPM NF, where the sixth message indicates a generation of the credential of the service for the device.
According to a third aspect, an embodiment of the present application provides a method for communication, and the method may be performed by a third SPM NF or a chip installed in the third SPM NF. The method includes: receiving a third message from a first SPM NF, where the third message include a first ID of a device and an ID of a communication associated with an authentication and/or authorization procedure of a service for the device, the ID of the communication is associated to the first ID of the device and is used to identify the device by at least one network function associated with the authentication and/or authorization procedure, the third message is used to obtain a second ID of the device, and the second ID
is associated with first information of the service, the first information of the service is used for granting the device a permission to access the service; and transmitting a fourth message to the first SPM NF, where the fourth message includes the second ID of the device.
With reference to the third aspect, in some embodiments, the method further includes: receiving a third request for a credential of the device from a fourth SPM NF, where the third request includes the ID of the communication; and transmitting an eleventh message to the fourth SPM NF, where the eleventh message includes the credential of the device.
With reference to the third aspect, in some embodiments, the method further includes: receiving a fourth request (Referring to step 5 in embodiment 2) for a third ID of the device from the fourth SPM NF, where the fourth request includes a fourth ID of the device or the ID of the communication, and the fourth ID of the device is used for a mutual authentication between the device and the fourth SPM NF; generating the third ID of the device according to the fourth request; and transmitting a twelfth message to the fourth SPM NF, where the twelfth message includes the third ID of the device.
According to a fourth aspect, an embodiment of the present application provides a method for communication, and the method may be performed by a fourth SPM NF or a chip installed in the fourth SPM NF. The method includes: transmitting a first request to a first SPM NF, where the first request is used to request a credential of a service for a device, the first request includes an ID of a communication associated with an authentication and/or authorization procedure of the service for the device, the ID of the communication is associated to a first ID of the device and is used to identify the device by at least one network function associated with the authentication and/or authorization procedure, and the credential of the service for the device is used for an authentication of the service for the device; and receiving a fifth message from the first SPM NF, where the fifth message includes the credential of the service for the device.
With reference to the fourth aspect, in some embodiments, the method further includes: transmitting a third request for a credential of the device to a third SPM NF, where the third request includes the ID of the communication; and receiving an eleventh message from the third SPM NF, where the eleventh message includes the credential of the device.
With reference to the fourth aspect, in some embodiments, the method further includes: receiving a seventh message from a second SPM NF, where the seventh message is used to request an authentication of the service for the device, the seventh message includes the ID of the communication, and the seventh message further includes an ID of the service or an ID of a network function that provides the service; and transmitting an eighth message to the second SPM NF, where the eighth message includes an indication of a result of the authentication of the service for the device.
With reference to the fourth aspect, in some embodiments, the method further includes: transmitting a fourth request for a third ID of the device to a third SPM NF, where the fourth request includes a fourth ID of the device or the ID of the communication, and the fourth ID of the device is used for a mutual authentication between the device and the fourth SPM NF; and receiving a twelfth message from the third SPM NF, where the twelfth message includes the third ID of the device.
According to a fifth aspect, an embodiment of the present application provides a method for communication, and the method may be performed by a fifth SPM NF or a chip installed in the fifth SPM NF. The method includes: receiving a ninth message from a second SPM NF; and transmitting a tenth message to the second SPM NF.
The ninth message is used to request keys used for protection of a communication associated with a service, and the tenth message includes information of the keys.
According to a sixth aspect, an embodiment of the present application provides a method for communication, and the method may be performed by a communication system or a chip installed in the communication system. The communication system includes a first SPM NF and a second SPM NF. The method includes: the second SPM NF transmitting a first message to the first SPM NF, wherein the first message is used to request first information of a service, the first message comprises a first ID of a device, the first information of the service is associated with a second ID of the device, the first information of the service is used for granting the device a permission to access the service, the first ID of the device is used in a communication between the device and a serving network, and the second ID of the device is associated with the service; the first SPM NF determining an ID of a communication associated with an authentication and/or authorization procedure of the service for the device based on the first message, wherein the ID of the communication is associated to the first ID of the device and is used to identify the device by at least one network function associated with the authentication and/or authorization procedure; and the first SPM NF transmitting a second message to the second SPM NF, wherein the second message comprises the first information of the service and the ID of the communication.
With reference to the sixth aspect, in some embodiments, the method further includes: the second SPM NF transmitting a second request to the first SPM NF, wherein the second request comprises the second ID of the device and the first information of the service; and the first SPM NF generating and storing a credential of the service for the device, wherein the credential of the service for the device is associated with the second ID of the device and the first information of the service.
With reference to the sixth aspect, in some embodiments, the method further includes: the first SPM NF transmitting a sixth message to the second SPM NF, wherein the sixth message indicates a generation of the credential of the service for the device.
With reference to the sixth aspect, in some embodiments, the communication system further comprises a third SPM NF. The method further includes: the first SPM NF transmitting a third message to the third SPM NF, wherein the third message is used to obtain the second ID of the device, and the third message comprises the ID of the communication and the first ID of the device; and the third SPM NF transmitting a fourth message to the first SPM NF, wherein the fourth message comprises the second ID of the device, the second ID of the device is determined based on the first ID of the device.
With reference to the sixth aspect, in some embodiments, the communication system further comprises a fourth SPM NF. The method further includes: the second SPM NF transmitting a seventh message to the fourth SPM NF, wherein the seventh message is used to request an authentication of the service for the device, the seventh message comprises the ID of the communication, and the seventh message further comprises an ID of the service or an ID of a network function that provides the service; and the fourth SPM NF transmitting an eighth message to the second SPM NF, wherein the eighth message comprises an indication of a result of the authentication of the service for the device.
With reference to the sixth aspect, in some embodiments, the method further includes: the fourth SPM NF transmitting a first request for a credential of the service for the device to the first SPM NF, wherein the first request comprises the ID of the communication, and the first request further comprises an ID of the service or an ID of a service provider that provides the service; and the first SPM NF transmitting a fifth message to the fourth SPM NF, wherein the fifth message comprises the credential of the service for the device.
With reference to the sixth aspect, in some embodiments, the method further includes: the fourth SPM NF transmitting a third request for a credential of the device to the third SPM NF, wherein the third request comprises the ID of the communication; and the third SPM NF transmitting an eleventh message to the fourth SPM NF wherein the eleventh message comprises the credential of the device.
With reference to the sixth aspect, in some embodiments, the method further includes: the fourth SPM NF transmitting a fourth request for a third ID of the device to the third SPM NF, wherein the fourth request comprises a fourth ID of the device or the ID of the communication, and the fourth ID of the device is used for a mutual authentication between the device and the fourth SPM NF; and the third SPM NF transmitting a twelfth message to the fourth SPM NF, wherein the twelfth message comprises the third ID of the device.
With reference to the sixth aspect, in some embodiments, the communication system further comprises a fifth SPM NF. The method further includes: the second SPM NF transmitting a ninth message to the fifth SPM NF, wherein the ninth message is used to request keys used for protection of a communication associated with the service; and the fifth SPM NF transmitting a tenth message to the second SPM NF, wherein the tenth message comprises information of the keys.
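The following is an added illustrative example and is not part of the present application or of any implementation by the applicant. It models, in plain Python, the message exchange of the first to sixth aspects among the five SPM NFs, using the message numbering above (first message, second message, third message, and so on). Several details are assumptions not stated in the application and are marked as such in the code: the ID of the communication is a fresh random token, the first information of the service is an entitlement record, the credential of the service for the device is derived with HMAC from a key held by the first SPM NF, and the device proves possession of that credential with a challenge-response over the ID of the communication instead of sending it. The sample IDs are constructed. The point the example makes visible is that the fourth SPM NF (authentication) only ever handles the ID of the communication and the ID of the service, never the first ID or the second ID.

```python
# Added example, not from the patent: in-memory model of the SPM exchange in
# the first to sixth aspects. Assumptions (not stated by the patent): random
# ID of the communication; entitlement record as first information of the
# service; HMAC-derived credential proven by the device in a challenge-response.
import hashlib
import hmac
import secrets


class ThirdSpmNf:
    """Identity management: maps the first ID (serving-network ID) to the
    second ID (service-associated ID). Only this NF holds that mapping."""

    def __init__(self, first_to_second):
        self.first_to_second = dict(first_to_second)

    def handle_third_message(self, third_msg):
        # fourth message: the second ID, determined from the first ID
        return {"second_id": self.first_to_second.get(third_msg["first_id"])}


class FirstSpmNf:
    """Authorization: issues the ID of the communication, holds the first
    information of the service and the credential keyed by the second ID."""

    def __init__(self, third_nf, entitlements):
        self.third_nf = third_nf
        self.entitlements = dict(entitlements)     # (second_id, service_id) -> first info
        self.credentials = {}                       # (second_id, service_id) -> credential
        self.comm_to_second_id = {}                 # ID of communication -> second ID
        self.master_key = secrets.token_bytes(32)   # assumption: local derivation key

    def handle_first_message(self, first_msg):
        first_id, service_id = first_msg["first_id"], first_msg["service_id"]
        comm_id = secrets.token_hex(16)             # assumption: random, unlinkable token
        # third/fourth message exchange with the third SPM NF
        fourth = self.third_nf.handle_third_message({"comm_id": comm_id, "first_id": first_id})
        second_id = fourth["second_id"]
        self.comm_to_second_id[comm_id] = second_id
        # the first information of the service is determined from the second ID
        first_info = self.entitlements.get((second_id, service_id))
        return {"comm_id": comm_id, "first_info": first_info}      # second message

    def handle_second_request(self, req):
        info = req["first_info"]
        key = (req["second_id"], info["service_id"])
        material = f'{key[0]}|{key[1]}|{info["scope"]}'.encode()
        self.credentials[key] = hmac.new(self.master_key, material, hashlib.sha256).hexdigest()
        return {"credential_generated": True}                      # sixth message

    def handle_first_request(self, req):
        # only the ID of the communication and the service ID are needed here
        second_id = self.comm_to_second_id[req["comm_id"]]
        return {"credential": self.credentials.get((second_id, req["service_id"]))}  # fifth message


class FourthSpmNf:
    """Authentication: receives only the ID of the communication and the
    service ID, never the first ID or the second ID."""

    def __init__(self, first_nf):
        self.first_nf = first_nf
        self.fields_seen = set()

    def handle_seventh_message(self, seventh_msg, device_response):
        self.fields_seen.update(seventh_msg)
        fifth = self.first_nf.handle_first_request(
            {"comm_id": seventh_msg["comm_id"], "service_id": seventh_msg["service_id"]})
        cred = fifth["credential"]
        expected = device_proof(cred, seventh_msg["comm_id"]) if cred else ""
        ok = bool(expected) and hmac.compare_digest(expected, device_response)
        return {"auth_result": "success" if ok else "failure"}     # eighth message


class FifthSpmNf:
    """Key management: returns keys protecting the service communication."""

    def handle_ninth_message(self, ninth_msg):
        return {"keys": {"k_enc": secrets.token_hex(16), "k_int": secrets.token_hex(16)}}  # tenth message


def device_proof(credential, comm_id):
    """Assumed device side: prove possession of the credential without sending it."""
    return hmac.new(credential.encode(), comm_id.encode(), hashlib.sha256).hexdigest()


def run_flow(first_id, service_id, second_id, honest_device=True):
    """Second SPM NF role: authorize, provision the credential, authenticate,
    fetch keys. Returns the eighth-message result and what the fourth NF saw."""
    third = ThirdSpmNf({"5g-guti-1234": "svc-user-77"})          # constructed sample mapping
    first = FirstSpmNf(third, {("svc-user-77", "sensing-svc"):
                               {"service_id": "sensing-svc", "scope": "read"}})
    fourth, fifth = FourthSpmNf(first), FifthSpmNf()

    second_msg = first.handle_first_message({"first_id": first_id, "service_id": service_id})
    if second_msg["first_info"] is None:
        return {"auth_result": "not_authorized", "keys": None, "fourth_nf_saw": fourth.fields_seen}
    first.handle_second_request({"second_id": second_id, "first_info": second_msg["first_info"]})
    cred = first.credentials[(second_id, service_id)]             # device assumed to hold this
    response = device_proof(cred if honest_device else "wrong", second_msg["comm_id"])
    eighth = fourth.handle_seventh_message(
        {"comm_id": second_msg["comm_id"], "service_id": service_id}, response)
    keys = None
    if eighth["auth_result"] == "success":
        keys = fifth.handle_ninth_message({"comm_id": second_msg["comm_id"]})["keys"]
    return {"auth_result": eighth["auth_result"], "keys": keys, "fourth_nf_saw": fourth.fields_seen}
```

Calling `run_flow("5g-guti-1234", "sensing-svc", "svc-user-77")` walks the whole exchange and reports that the fourth SPM NF observed only the fields `comm_id` and `service_id`; a device presenting a wrong credential fails the eighth-message check and receives no keys, and a request for a service the second ID is not entitled to stops at the second message.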
According to a seventh aspect, an embodiment of the present application provides a method for communication, and the method may be performed by a network function or a chip installed in the network function. A second SPM NF and a third SPM NF are integrated into this network function. The method includes: transmitting a first message, wherein the first message comprises a first ID of a device, the first message is used to request first information of a service for the device, the first information of the service is associated with a second ID of the device, the first information of the service is used for granting the device a permission to access the service, the first ID of the device is used in a communication between the device and a serving network, and the second ID of the device is associated with the service; receiving a third message, wherein the third message is used to obtain the second ID of the device, and the third message comprises an ID of a communication associated with an authentication and/or authorization procedure of the service for the device and the first ID of the device; transmitting a fourth message, wherein the fourth message comprises the second ID of the device, the second ID of the device being determined based on the first ID of the device; and receiving a second message, wherein the second message comprises the first information of the service and the ID of the communication.
With reference to the seventh aspect, in some embodiments, the method further includes: transmitting a seventh message, wherein the seventh message is used to request an authentication of the service for the device, the seventh message comprises the ID of the communication, and the seventh message further comprises an ID of the service or an ID of a network function that provides the service; and receiving an eighth message, wherein the eighth message comprises an indication of a result of the authentication of the service for the device.
With reference to the seventh aspect, in some embodiments, the method further includes: transmitting a ninth message, wherein the ninth message is used to request keys used for protection of a communication associated with the service; and receiving a tenth message, wherein the tenth message comprises information of the keys.
With reference to the seventh aspect, in some embodiments, the method further includes: transmitting a second request, wherein the second request comprises the second ID of the device and the first information of the service, the second request indicates a storage of a credential of the service for the device, and the credential of the service for the device is associated with the second ID of the device and the first information of the service.
With reference to the seventh aspect, in some embodiments, the method further includes: receiving a sixth message, wherein the sixth message indicates a generation of the credential of the service for the device.
With reference to the seventh aspect, in some embodiments, the method further includes: receiving a third request for a credential of the device, wherein the third request comprises the ID of the communication; and transmitting an eleventh message, wherein the eleventh message comprises the credential of the device.
With reference to the seventh aspect, in some embodiments, the method further includes: receiving a fourth request for a third ID of the device, wherein the fourth request comprises a fourth ID of the device or the ID of the communication, and the fourth ID of the device is used for a mutual authentication between the device and a serving network; generating the third ID of the device according to the fourth request; and transmitting a twelfth message, wherein the twelfth message comprises the third ID of the device.
According to an eighth aspect, there is provided a communication apparatus having a function or module to perform the method in any one of the first aspect to the seventh aspect, or any one of the implementations in these aspects.
According to a ninth aspect, there is provided a chip (or a chip system). The chip includes at least one processor, and the at least one processor is coupled to at least one memory. The at least one memory is configured to store one or more instructions and/or executable computer code. The at least one processor is configured to invoke the one or more instructions and/or executable computer code, so that a communication apparatus in which the chip is installed performs the method in any one of the first aspect to the seventh aspect, or any possible implementation in these aspects.
Optionally, the chip may further include the at least one memory.
Optionally, the chip may further include a communication interface, and the communication interface is configured to input and/or output information or data.
According to a tenth aspect, there is provided a communication apparatus. The communication apparatus includes one or more circuits and one or more communication interfaces. The one or more communication interfaces may include a first interface for receiving (that is, inputting) information and/or data that is to be processed by the one or more circuits and a second interface for transmitting (that is, outputting) information and/or data processed by the one or more circuits. The one or more circuits are configured to process the information and/or data that is to be processed so that the communication apparatus performs the method in any one of the first aspect to the seventh aspect, or any one of the implementations in these aspects.
According to an eleventh aspect, there is provided a communication system. The communication system may include the communication apparatus according to the eighth aspect or the tenth aspect. For example, the communication system may include the one or more of: the first SPM NF, the second SPM NF, the third SPM NF, the fourth SPM NF or the fifth SPM NF. The communication system may further include a device.
According to a twelfth aspect, there is provided a computer storage medium that stores executable computer code, and the executable computer code is used to execute one or more instructions for the method in any one of the first aspect to the seventh aspect, or any one of the implementations in these aspects.
According to a thirteenth aspect, there is provided a computer program product including one or more instructions, and when the computer program product runs on a computer, the computer performs the method in any one of the first aspect to the seventh aspect, or any one of the implementations in these aspects.
FIG. 1 is a schematic illustration of a communication system.
FIG. 2 illustrates an example communication system.
FIG. 3 illustrates another example of an ED and a base station.
FIG. 4 illustrates units or modules in a device.
FIG. 5 illustrates 6G System conceptual structure.
FIG. 6 is a network scenario according to some embodiments of the present application.
FIG. 7 is an architecture of SPM according to some embodiments of the present application.
FIG. 8 is another architecture of SPM according to some embodiments of the present application.
FIG. 9 is another architecture of SPM according to some embodiments of the present application.
FIG. 10 is a schematic flowchart of a method for communication according to some embodiments of the present application.
FIG. 11 is a schematic flowchart of a method for communication according to some embodiments of the present application.
FIG. 12 is a schematic flowchart of a method for communication according to some embodiments of the present application.
FIG. 13 is a schematic flowchart of a method for communication according to some embodiments of the present application.
FIG. 14 is a schematic flowchart of a method for communication according to some embodiments of the present application.
FIG. 15 is a schematic flowchart of a method for communication according to some embodiments of the present application.
FIG. 16 is a schematic block diagram of a communication apparatus 10 according to an embodiment of the present application.
FIG. 17 is a schematic block diagram of a communication apparatus 10 according to an embodiment of the present application.
In order to understand features and technical contents of embodiments of the present application in detail, implementations of the embodiments of the present application will be described in detail below with reference to the accompanying drawings, and the attached drawings are only for reference and illustration purposes, and are not intended to limit the embodiments of the present applications. In the following technical descriptions, for ease of explanation, numerous details are set forth to provide a thorough understanding of the disclosed embodiments.
The present disclosure relates generally to wireless communications.
Many new trends will trigger the consideration and design of 6G/future wireless networks: new network infrastructure capabilities (e.g., cloud-native/cloud-friendly infrastructures that are broadly deployed); new or relatively mature techniques (e.g., artificial intelligence (AI) large-scale models, data de-privacy, blockchain, etc.) that have made significant progress and significantly impact the entire society and human life; new applications and services (e.g., AI services, data or sensing services, digital world services, etc.) that are broadly applied in industry/business and used by individual customers; and a more global/open/collaborative operation trend (i.e., a more open and more collaborative operation mode is becoming common practice in many fields).
New expectation and stricter requirements on future networks also drive rethinking and development of new generation of wireless networks. These requirements include: privacy and trustworthiness, simplified standardization, rapid deployment, etc.
All of the above drives sixth generation (6G) network architecture research work.
Our proposed 6G network architecture (X-centric) is: service-based architecture (SBA, XaaS service) based; and/or cloud-native. Anything as a service can be denoted as XaaS.
Requirements to 6G system network architecture design include:
1) The proposed 6G network architecture needs to support new 6G services which could be developed/deployed by third parties.
2) The proposed 6G network architecture needs to embrace a more open ecosystem, opening the door to technically capable third parties.
3) The proposed 6G network architecture needs to enable better trustworthiness management.
A solution to enable above requirements is needed.
For ease of understanding the embodiments of this application, a communication system shown in FIGS. 1-4 is firstly used as an example to describe in detail a communication system to which the embodiments of this application are applicable.
Referring to FIG. 1, as an illustrative example without limitation, a simplified schematic illustration of a communication system is provided. The communication system 100 comprises a radio access network 120. The radio access network 120 may be a next generation (e.g. 6G or later) radio access network, or a legacy (e.g. fifth generation (5G), fourth generation (4G), third generation (3G) or second generation (2G)) radio access network. One or more communication electronic devices (EDs) 110a-110j (generically referred to as 110) may be interconnected to one another or connected to one or more network nodes (170a, 170b, generically referred to as 170) in the radio access network 120. A core network 130 may be a part of the communication system and may be dependent on or independent of the radio access technology used in the communication system 100. Also, the communication system 100 comprises a public switched telephone network (PSTN) 140, the internet 150, and other networks 160.
FIG. 2 illustrates an example communication system 100. In general, the communication system 100 enables multiple wireless or wired elements to communicate data and other content. The purpose of the communication system 100 may be to provide content, such as voice, data, video, and/or text, via broadcast, multicast, groupcast, unicast, etc. The communication system 100 may operate by sharing resources, such as carrier spectrum bandwidth, between its constituent elements. The communication system 100 may include a terrestrial communication system and/or a non-terrestrial communication system. The communication system 100 may provide a wide range of communication services and applications (such as earth monitoring, remote sensing, passive sensing and positioning, navigation and tracking, autonomous delivery and mobility, etc. ) . The communication system 100 may provide a high degree of availability and robustness through a joint operation of a terrestrial communication system and a non-terrestrial communication system. For example, integrating a non-terrestrial communication system (or components thereof) into a terrestrial communication system can result in what may be considered a heterogeneous network comprising multiple layers. Compared to conventional communication networks, the heterogeneous network may achieve better overall performance through efficient multi-link joint operation, more flexible functionality sharing, and faster physical layer link switching between terrestrial networks and non-terrestrial networks.
The terrestrial communication system and the non-terrestrial communication system could be considered sub-systems of the communication system. In the example shown in FIG. 2, the communication system 100 includes electronic devices (ED) 110a-110d (generically referred to as ED 110) , radio access networks (RANs) 120a, 120b, a non-terrestrial communication network 120c, a core network 130, a public switched telephone network (PSTN) 140, the Internet 150, and other networks 160. The RANs 120a, 120b include respective base stations (BSs) 170a, 170b, which may be generically referred to as terrestrial transmit and receive points (T-TRPs) 170a, 170b. The non-terrestrial communication network 120c includes an access node 172, which may be generically referred to as a non-terrestrial transmit and receive point (NT-TRP) 172.
Any ED 110 may be alternatively or additionally configured to interface, access, or communicate with any T-TRP 170a, 170b and NT-TRP 172, the Internet 150, the core network 130, the PSTN 140, the other networks 160, or any combination of the preceding. In some examples, ED 110a may communicate an uplink and/or downlink transmission over a terrestrial air interface 190a with T-TRP 170a. In some examples, the EDs 110a-110d may also communicate directly with one another via one or more sidelink air interfaces 190b. In some examples, ED 110d may communicate an uplink and/or downlink transmission over a non-terrestrial air interface 190c with NT-TRP 172.
The air interfaces 190a and 190b may use similar communication technology, such as any suitable radio access technology. For example, the communication system 100 may implement one or more channel access methods, such as code division multiple access (CDMA), space division multiple access (SDMA), time division multiple access (TDMA), frequency division multiple access (FDMA), orthogonal FDMA (OFDMA), or single-carrier FDMA (SC-FDMA, also known as discrete Fourier transform spread OFDMA, DFT-s-OFDMA) in the air interfaces 190a and 190b. The air interfaces 190a and 190b may utilize other higher dimension signal spaces, which may involve a combination of orthogonal and/or non-orthogonal dimensions.
The non-terrestrial air interface 190c can enable communication between the ED 110d and one or multiple NT-TRPs 172 via a wireless link or simply a link. For some examples, the link is a dedicated connection for unicast transmission, a connection for broadcast transmission, or a connection between a group of EDs 110 and one or multiple NT-TRPs 172 for multicast transmission.
The RANs 120a and 120b are in communication with the core network 130 to provide the EDs 110a, 110b, and 110c with various services such as voice, data, and other services. The RANs 120a and 120b and/or the core network 130 may be in direct or indirect communication with one or more other RANs (not shown), which may or may not be directly served by core network 130, and may or may not employ the same radio access technology as RAN 120a, RAN 120b or both. The core network 130 may also serve as a gateway access between (i) the RANs 120a and 120b or EDs 110a, 110b, and 110c or both, and (ii) other networks (such as the PSTN 140, the Internet 150, and the other networks 160). In addition, some or all of the EDs 110a, 110b, and 110c may include functionality for communicating with different wireless networks over different wireless links using different wireless technologies and/or protocols. Instead of wireless communication (or in addition thereto), the EDs 110a, 110b, and 110c may communicate via wired communication channels to a service provider or switch (not shown), and to the Internet 150. PSTN 140 may include circuit switched telephone networks for providing plain old telephone service (POTS). Internet 150 may include a network of computers and subnets (intranets) or both, and incorporate protocols, such as Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP). EDs 110a, 110b, and 110c may be multimode devices capable of operation according to multiple radio access technologies, and incorporate the multiple transceivers necessary to support such operation.
FIG. 3 illustrates another example of an ED 110 and a base station 170a, 170b and/or 170c. The ED 110 is used to connect persons, objects, machines, etc. The ED 110 may be widely used in various scenarios including, for example, cellular communications, device-to-device (D2D) , vehicle to everything (V2X) , peer-to-peer (P2P) , machine-to-machine (M2M) , machine-type communications (MTC) , internet of things (IoT) , virtual reality (VR) , augmented reality (AR) , mixed reality (MR) , metaverse, digital twin, industrial control, self-driving, remote medical, smart grid, smart furniture, smart office, smart wearable, smart transportation, smart city, drones, robots, remote sensing, passive sensing, positioning, navigation and tracking, autonomous delivery and mobility, etc.
Each ED 110 represents any suitable end user device for wireless operation and may include such devices (or may be referred to) as a user equipment/device (UE), a wireless transmit/receive unit (WTRU), a mobile station, a fixed or mobile subscriber unit, a cellular telephone, a station (STA), a machine type communication (MTC) device, a personal digital assistant (PDA), a smartphone, a laptop, a computer, a tablet, a wireless sensor, a consumer electronics device, a smart book, a vehicle, a car, a truck, a bus, a train, or an IoT device, wearable devices (such as a watch, a pair of glasses, head mounted equipment, etc.), an industrial device, or an apparatus in (e.g. communication module, modem, or chip) or comprising the foregoing devices, among other possibilities. Future generation EDs 110 may be referred to using other terms. The base stations 170a and 170b are T-TRPs and will hereafter be referred to as T-TRP 170. Also shown in FIG. 3, a NT-TRP will hereafter be referred to as NT-TRP 172. Each ED 110 connected to T-TRP 170 and/or NT-TRP 172 can be dynamically or semi-statically turned-on (i.e., established, activated, or enabled), turned-off (i.e., released, deactivated, or disabled) and/or configured in response to one or more of: connection availability and connection necessity.
The ED 110 includes a transmitter 201 and a receiver 203 coupled to one or more antennas 204. Only one antenna 204 is illustrated to avoid congestion in the drawing. One, some, or all of the antennas 204 may alternatively be panels. The transmitter 201 and the receiver 203 may be integrated, e.g. as a transceiver. The transceiver is configured to modulate data or other content for transmission by at least one antenna 204 or network interface controller (NIC). The transceiver is also configured to demodulate data or other content received by the at least one antenna 204. Each transceiver includes any suitable structure for generating signals for wireless or wired transmission and/or processing signals received wirelessly or by wire. Each antenna 204 includes any suitable structure for transmitting and/or receiving wireless or wired signals.
The ED 110 includes at least one memory 208. The memory 208 stores instructions and data used, generated, or collected by the ED 110. For example, the memory 208 could store software instructions or modules configured to implement some or all of the functionality and/or embodiments described herein and that are executed by one or more processing unit(s) (e.g., a processor 210). Each memory 208 includes any suitable volatile and/or non-volatile storage and retrieval device(s). Any suitable type of memory may be used, such as random access memory (RAM), read only memory (ROM), hard disk, optical disc, subscriber identity module (SIM) card, memory stick, secure digital (SD) memory card, on-processor cache, and the like.
The ED 110 may further include one or more input/output devices (not shown) or interfaces (such as a wired interface to the Internet 150 in FIG. 1). The input/output devices or interfaces permit interaction with a user or other devices in the network. Each input/output device or interface includes any suitable structure for providing information to or receiving information from a user, and/or for network interface communications. Suitable structures include, for example, a speaker, microphone, keypad, keyboard, display, touch screen, etc.
The ED 110 includes the processor 210 for performing operations including those operations related to preparing a transmission for uplink transmission to the NT-TRP 172 and/or the T-TRP 170; those operations related to processing downlink transmissions received from the NT-TRP 172 and/or the T-TRP 170; and those operations related to processing sidelink transmission to and from another ED 110. Processing operations related to preparing a transmission for uplink transmission may include operations such as encoding, modulating, transmit beamforming, and generating symbols for transmission. Processing operations related to processing downlink transmissions may include operations such as receive beamforming, demodulating and decoding received symbols. Depending upon the embodiment, a downlink transmission may be received by the receiver 203, possibly using receive beamforming, and the processor 210 may extract signaling from the downlink transmission (e.g. by detecting and/or decoding the signaling). An example of signaling may be a reference signal transmitted by the NT-TRP 172 and/or by the T-TRP 170. In some embodiments, the processor 210 implements the transmit beamforming and/or the receive beamforming based on the indication of beam direction, e.g. beam angle information (BAI), received from the T-TRP 170. In some embodiments, the processor 210 may perform operations relating to network access (e.g. initial access) and/or downlink synchronization, such as operations relating to detecting a synchronization sequence, decoding and obtaining the system information, etc. In some embodiments, the processor 210 may perform channel estimation, e.g. using a reference signal received from the NT-TRP 172 and/or from the T-TRP 170.
Although not illustrated, the processor 210 may form part of the transmitter 201 and/or part of the receiver 203. Although not illustrated, the memory 208 may form part of the processor 210.
The processor 210, the processing components of the transmitter 201, and the processing components of the receiver 203 may each be implemented by the same or different one or more processors that are configured to execute instructions stored in a memory (e.g. in the memory 208). Alternatively, some or all of the processor 210, the processing components of the transmitter 201, and the processing components of the receiver 203 may each be implemented using dedicated circuitry, such as a programmed field-programmable gate array (FPGA), an application-specific integrated circuit (ASIC), or a hardware accelerator such as a graphics processing unit (GPU) or an artificial intelligence (AI) accelerator.
The T-TRP 170 may be known by other names in some implementations, such as a base station, a base transceiver station (BTS), a radio base station, a network node, a network device, a device on the network side, a transmit/receive node, a Node B, an evolved NodeB (eNodeB or eNB), a Home eNodeB, a next Generation NodeB (gNB), a transmission point (TP), a site controller, an access point (AP), a wireless router, a relay station, a terrestrial node, a terrestrial network device, a terrestrial base station, a base band unit (BBU), a remote radio unit (RRU), an active antenna unit (AAU), a remote radio head (RRH), a central unit (CU), a distributed unit (DU), a positioning node, among other possibilities. The T-TRP 170 may be a macro BS, a pico BS, a relay node, a donor node, or the like, or combinations thereof. The T-TRP 170 may refer to the foregoing devices or refer to apparatus (e.g. a communication module, a modem, or a chip) in the foregoing devices.
In some embodiments, the parts of the T-TRP 170 may be distributed. For example, some of the modules of the T-TRP 170 may be located remote from the equipment that houses the antennas 256 for the T-TRP 170, and may be coupled to the equipment that houses the antennas 256 over a communication link (not shown) sometimes known as front haul, such as common public radio interface (CPRI). Therefore, in some embodiments, the term T-TRP 170 may also refer to modules on the network side that perform processing operations, such as determining the location of the ED 110, resource allocation (scheduling), message generation, and encoding/decoding, and that are not necessarily part of the equipment that houses the antennas 256 of the T-TRP 170. The modules may also be coupled to other T-TRPs. In some embodiments, the T-TRP 170 may actually be a plurality of T-TRPs that are operating together to serve the ED 110, e.g. through the use of coordinated multipoint transmissions.
The T-TRP 170 includes at least one transmitter 252 and at least one receiver 254 coupled to one or more antennas 256. Only one antenna 256 is illustrated to avoid congestion in the drawing. One, some, or all of the antennas 256 may alternatively be panels. The transmitter 252 and the receiver 254 may be integrated as a transceiver. The T-TRP 170 further includes a processor 260 for performing operations including those related to: preparing a transmission for downlink transmission to the ED 110, processing an uplink transmission received from the ED 110, preparing a transmission for backhaul transmission to the NT-TRP 172, and processing a transmission received over backhaul from the NT-TRP 172. Processing operations related to preparing a transmission for downlink or backhaul transmission may include operations such as encoding, modulating, precoding (e.g. multiple input multiple output (MIMO) precoding), transmit beamforming, and generating symbols for transmission. Processing operations related to processing received transmissions in the uplink or over backhaul may include operations such as receive beamforming, demodulating received symbols, and decoding received symbols. The processor 260 may also perform operations relating to network access (e.g. initial access) and/or downlink synchronization, such as generating the content of synchronization signal blocks (SSBs), generating the system information, etc. In some embodiments, the processor 260 also generates an indication of beam direction, e.g. BAI, which may be scheduled for transmission by a scheduler 253. The processor 260 performs other network-side processing operations described herein, such as determining the location of the ED 110, determining where to deploy the NT-TRP 172, etc. In some embodiments, the processor 260 may generate signaling, e.g. to configure one or more parameters of the ED 110 and/or one or more parameters of the NT-TRP 172.
Any signaling generated by the processor 260 is sent by the transmitter 252. Note that "signaling", as used herein, may alternatively be called control signaling. Signaling may be transmitted in a physical layer control channel, e.g. a physical downlink control channel (PDCCH), in which case the signaling may be known as dynamic signaling. Signaling transmitted in a downlink physical layer control channel may be known as downlink control information (DCI). Signaling transmitted in an uplink physical layer control channel may be known as uplink control information (UCI). Signaling transmitted in a sidelink physical layer control channel may be known as sidelink control information (SCI). Signaling may be included in a higher-layer (e.g., higher than physical layer) packet transmitted in a physical layer data channel, e.g. in a physical downlink shared channel (PDSCH), in which case the signaling may be known as higher-layer signaling, static signaling, or semi-static signaling. Higher-layer signaling may also refer to radio resource control (RRC) protocol signaling or Media Access Control - Control Element (MAC-CE) signaling.
The scheduler 253 may be coupled to the processor 260. The scheduler 253 may be included within or operated separately from the T-TRP 170. The scheduler 253 may schedule uplink, downlink, sidelink, and/or backhaul transmissions, including issuing scheduling grants and/or configuring scheduling-free (e.g., "configured grant") resources. The T-TRP 170 further includes a memory 258 for storing information and data. The memory 258 stores instructions and data used, generated, or collected by the T-TRP 170. For example, the memory 258 could store software instructions or modules configured to implement some or all of the functionality and/or embodiments described herein and that are executed by the processor 260.
Although not illustrated, the processor 260 may form part of the transmitter 252 and/or part of the receiver 254. Also, although not illustrated, the processor 260 may implement the scheduler 253. Although not illustrated, the memory 258 may form part of the processor 260.
The processor 260, the scheduler 253, the processing components of the transmitter 252, and the processing components of the receiver 254 may each be implemented by the same or different one or more processors that are configured to execute instructions stored in a memory, e.g. in the memory 258. Alternatively, some or all of the processor 260, the scheduler 253, the processing components of the transmitter 252, and the processing components of the receiver 254 may be implemented using dedicated circuitry, such as a programmed FPGA, a hardware accelerator (e.g., a GPU or AI accelerator), or an ASIC.
Although the NT-TRP 172 is illustrated as a drone only as an example, the NT-TRP 172 may be implemented in any suitable non-terrestrial form, such as satellites and high altitude platforms, including international mobile telecommunication base stations and unmanned aerial vehicles, for example. Also, the NT-TRP 172 may be known by other names in some implementations, such as a non-terrestrial node, a non-terrestrial network device, or a non-terrestrial base station. The NT-TRP 172 includes a transmitter 272 and a receiver 274 coupled to one or more antennas 280. Only one antenna 280 is illustrated to avoid congestion in the drawing. One, some, or all of the antennas may alternatively be panels. The transmitter 272 and the receiver 274 may be integrated as a transceiver. The NT-TRP 172 further includes a processor 276 for performing operations including those related to: preparing a transmission for downlink transmission to the ED 110, processing an uplink transmission received from the ED 110, preparing a transmission for backhaul transmission to T-TRP 170, and processing a transmission received over backhaul from the T-TRP 170. Processing operations related to preparing a transmission for downlink or backhaul transmission may include operations such as encoding, modulating, precoding (e.g. MIMO precoding), transmit beamforming, and generating symbols for transmission. Processing operations related to processing received transmissions in the uplink or over backhaul may include operations such as receive beamforming, demodulating received symbols, and decoding received symbols. In some embodiments, the processor 276 implements the transmit beamforming and/or receive beamforming based on beam direction information (e.g. BAI) received from the T-TRP 170. In some embodiments, the processor 276 may generate signaling, e.g. to configure one or more parameters of the ED 110. In some embodiments, the NT-TRP 172 implements physical layer processing, but does not implement higher layer functions such as functions at the medium access control (MAC) or radio link control (RLC) layer. As this is only an example, more generally, the NT-TRP 172 may implement higher layer functions in addition to physical layer processing.
The NT-TRP 172 further includes a memory 278 for storing information and data. Although not illustrated, the processor 276 may form part of the transmitter 272 and/or part of the receiver 274. Although not illustrated, the memory 278 may form part of the processor 276.
The processor 276, the processing components of the transmitter 272, and the processing components of the receiver 274 may each be implemented by the same or different one or more processors that are configured to execute instructions stored in a memory, e.g. in the memory 278. Alternatively, some or all of the processor 276, the processing components of the transmitter 272, and the processing components of the receiver 274 may be implemented using dedicated circuitry, such as a programmed FPGA, a hardware accelerator (e.g., a GPU or AI accelerator), or an ASIC. In some embodiments, the NT-TRP 172 may actually be a plurality of NT-TRPs that are operating together to serve the ED 110, e.g. through coordinated multipoint transmissions.
The T-TRP 170, the NT-TRP 172, and/or the ED 110 may include other components, but these have been omitted for the sake of clarity.
One or more steps of the embodiment methods provided herein may be performed by corresponding units or modules, according to FIG. 4. FIG. 4 illustrates units or modules in a device, such as in the ED 110, in the T-TRP 170, or in the NT-TRP 172. For example, a signal may be transmitted by a transmitting unit or by a transmitting module. A signal may be received by a receiving unit or by a receiving module. A signal may be processed by a processing unit or a processing module. Other steps may be performed by an AI or machine learning (ML) module. The respective units or modules may be implemented using hardware, one or more components or devices that execute software, or a combination thereof. For instance, one or more of the units or modules may be a circuit such as an integrated circuit. Examples of an integrated circuit include a programmed FPGA, a GPU, or an ASIC. For instance, one or more of the units or modules may be logical, such as a logical function performed by a circuit, by a portion of an integrated circuit, or by software instructions executed by a processor. It will be appreciated that where the modules are implemented using software for execution by a processor, for example, the modules may be retrieved by a processor, in whole or part as needed, individually or together for processing, in single or multiple instances, and that the modules themselves may include instructions for further deployment and instantiation.
Additional details regarding the EDs 110, the T-TRP 170, and the NT-TRP 172 are known to those of skill in the art. As such, these details are omitted here.
The solution described in the application is applicable to a next generation (e.g. 6G or later) network, or a legacy (e.g. 5G, 4G, 3G or 2G) network.
The proposed 6G system architecture is defined to support 6G XaaS services by using techniques such as network function virtualization and network slicing. The 6G system architecture utilizes service-based interactions between 6G services.
The 6G system leverages service-based architecture and XaaS concept. XaaS services in the 6G system are categorized into three layers. For illustrative purpose, the 6G system conceptual structure is shown in FIG. 5.
An infrastructure layer includes infrastructures supporting 6G services. Among them are wireless network (e.g., a RAN, and a core network (CN)) infrastructures, cloud/data center infrastructures, satellite networks, storage/database infrastructures, sensing networks, etc. These infrastructures can be provided by a single provider or by multiple providers.
Each of the infrastructures could have its control and management functions, denoted as C/M functions, for infrastructure management. Each of these infrastructures is one type of infrastructure as a service.
A control and management (C/M) layer includes control and management services of the 6G system. They are developed and deployed by using slicing techniques and utilizing resources provided by the infrastructure layer. In the 6G system conceptual structure:
- resource management (RM) as a service provides a capability of life-cycle management of a variety of slices and over-the-air resource assignment to wireless devices.
- mission management (MM) as a service provides a capability to program provisioning of XaaS services at service layer to provide mission services. A 6G mission is defined as a service provided to customers by the 6G system. A mission can be a type of services which is provided by a single 6G XaaS service or a type of services that needs contributions from multiple XaaS services.
- confederation network (CONET) as a service provides a capability to enable multiple partners to jointly provide 6G services. This capability is provided by confederation formation, mutual authentication, mutual authorization among partners and negotiation of agreement on recording and retracing of selected actions performed by partners, in order to assure a trustworthy environment of 6G system operations.
- service provisioning management (SPM) as a service provides a capability of control and management of 6G service access by customers and provisioning of requested services. The capability is provided by unified mutual authentication, authorization and policy, key management, quality of service (QoS) assurance and charging between any pair of XaaS service provider and customer. The customers include end-customers not only in the physical world, but also digital representatives in the digital world.
- connectivity management (CM) as a service leverages 5G connectivity management functions, but with extension to include digital world.
- protocol as a service provides a capability to design service customized protocol stacks for identified interfaces. The protocol stacks could be pre-defined for on-demand selection, or could be on-demand designed.
- network security as a service provides a capability for owners of infrastructures to detect potential security risks of their infrastructures.
- XaaS services in C/M Layer support control and management of the 6G system itself and also provide support to verticals if requested. One example is that RM service can serve RAN for over-the-air resource management and can also provide service to a vertical for the vertical’s over-the-air resource allocation to its end-customers. The XaaS in C/M layer can be deployed by using slicing technique.
A service layer includes 6G services which provide services to customers. In the 6G system conceptual structure:
- AI service is denoted as NET4AI as a service. Artificial intelligence service provides AI capability to support a variety of AI applications.
- Service of data collection, data sanitization, data analysis and data delivery is denoted as DAM as a service. This service provides a capability of lifecycle management of statistical data, including acquisition, de-privatization, analysis and delivery of data, which are statistical data from any types of sensors, devices, network functions, etc.
- Service of storage and sharing of data is denoted as NET4Data as a service. This service provides a capability to store and share data in a trustworthy manner under the control of the owners of the data and following recognized authorities' regulations on control of identified data.
- Service to provide digital world is denoted as NET4DW as a service. Digital world service provides a capability to construct, control and manage digital world. Digital world is defined as digital realization of physical world.
- 6G block chain service is denoted as NET4BC as a service. This service provides a capability to support 6G block chain services.
- 6G connectivity service, i.e., enhanced connectivity service, is denoted as network for connectivity (NET4CON) as a service. This service provides a capability to support exchange of messages and data among new 6G services.
All XaaS services at this layer are developed and deployed by using resources provided in the infrastructure and utilizing network function virtualization and slicing techniques. The capability of each of the 6G services is provided by its control and management functions and service specific data processing functions.
In addition to supporting 6G XaaS services at the service layer, the 6G system leverages the 5G system for provisioning of vertical services. The difference between 6G XaaS services and other verticals is that a vertical is a pure customer which needs other XaaS services to enable its operation, while each of the XaaS services provides its capabilities to 6G customers.
Any pair of XaaS services of the 6G system could also be mutual customer and provider of each other. Some examples are: an infrastructure owner provides its resources to XaaS services in the service layer and C/M layer; RM services may need the capabilities provided by NET4AI, DAM and NET4DW for their resource management for vertical slicing; CONET service and NET4Data service may need the capability provided by NET4BC for their operation.
The key concepts of the 6G system include:
- define basic XaaS Services by decoupling comprehensive types of services into basic XaaS services. A basic XaaS service provides unique capability to enable a specific type of service, such as NET4AI service, NET4DW service, DAM service, NET4Data service, block chain service, mission management service, etc.
- allow joint operation of the 6G system by multiple partners.
- define data plane of the 6G system which includes processing functions of data plane of XaaS services. Programming the interconnection of these functions, by mission management service, enables support of a variety of customized customer services.
- simplify 6G system architecture by categorizing basic control services and management services and combining them as basic XaaS services in C/M layer.
- define C/M Plane of the 6G system which includes C/M functions in XaaS services and may include 5G CP (e.g., AMF) depending on implementation options.
- define basic architecture structure (BAS) which is a unified basic structure with minimized number of interfaces and is independent of types of infrastructures.
- simplify standardization, development and deployment of the 6G system using the BAS concept, while supporting a variety of infrastructure deployment scenarios.
- adapt to a variety of deployment scenarios by applying the BAS or a subset of it to infrastructures based on capability, capacity and requirement of the infrastructure networks.
- leverage SBI interface concept and apply SBI interaction in both 6G C/M plane and 6G data plane.
- simplify SBI interfaces by introducing trustworthy gateways (GWs) in data plane and C/M plane of the 6G system.
- improve trustworthiness from perspectives of operation of the 6G system by introducing CONET capability, NET4BC capability and anonymous service provisioning provided by the trustworthy GWs in the C/M plane and data plane of the 6G system.
- improve trustworthiness from perspective of end customer privacy protection by unified mutual authentication, IDM, data sanitization, etc. provided by SPM service, DAM service and 6G Block Chain service.
- simplify roaming management of wireless devices, in physical world and digital world, by unified authentication including all participated partners and customers.
- support multiple development paths from 5G system to 6G system by defining multiple architecture options without incurring much effort, due to the introduction of the BAS concept.
- support backward compatibility by utilizing benefits of SBA and its add-on feature. 5G users can use the 6G system to access 5G services.
- support future extension by adding new XaaS services with minimized impact on standardization and deployment, due to the introduced anonymous service provisioning concept implemented in trustworthy GWs in 6G C/M plane and in 6G data plane.
As mentioned above, new applications and services would be supported in the future network, e.g., AI service, data service, sensing service and digital world service. These services can be developed and deployed by using resources provided by infrastructure (e.g., radio access network, data center or other infrastructure) and utilizing network function virtualization and slicing techniques. Any service could be referred to as anything as a service (XaaS). In a XaaS module, there may be multiple network functions. These network functions could be classified into two categories: control/management (C/M) functions and data processing functions. The data processing functions are used for processing data and could only exist in a service layer of XaaS. The C/M functions are used for control and management and could exist in a service layer and C/M layer of XaaS. A service provider of XaaS could also be referred to as a XaaS service.
For illustrative purpose, FIG. 6 is a network scenario according to some embodiments of the present application. As shown in FIG. 6, a control and management trustworthy gateway (C/M-TW-GW) is a network function and could be defined as an endpoint of a C/M session at the network side. The setup of the C/M session is for a device or a XaaS service to transmit the control message relating to the XaaS service. The C/M session could be defined as a secured logical connection between a device (e.g., a user equipment) and its serving C/M-TW-GW. The data trustworthy gateway (Data-TW-GW) is a network function and could be defined as an endpoint of a data session of a device. The setup of the data session is for the device or the XaaS service to participate in processing data. The data session could be defined as a secured logical connection between a device and its serving Data-TW-GW. The radio bearer (RB) handler is a network function and could be implemented as a radio access network (RAN). The RB handler could be defined as a logical function which performs RB protocol stack operations after getting configurations. The RB handler could be connected to both other infrastructures (e.g., a core network and/or a third-party cloud) and C/M-TW-GW. Communications between the device and the RB handler could include a C/M RB or a data RB. The C/M RB could be defined as an over-the-air connection for carrying control signaling for over-the-air interface management and C/M plane messages. The data RB could be an over-the-air connection for carrying data plane traffic. In this scenario, there may be more network functions, e.g., an authentication server, and an authorization server.
As shown in FIG. 6, there are some interfaces used for connecting these NFs within the network scenario. For example, an interface I could be defined as a set of security features that enables a device to authenticate and access services via the network securely, and to protect against attacks on the radio interfaces. For another example, an interface II could be defined as a set of security features that enables a system shown in FIG. 6 to securely exchange a C/M session between a device and a C/M-TW-GW or securely exchange a data session between the device and the Data-TW-GW. For still another example, an interface III could be defined as a set of security features that enables the system to securely exchange a C/M session between the XaaS service and the C/M-TW-GW or securely exchange a data session between the XaaS service and a Data-TW-GW. For still another example, an interface IV could be a set of security features that enables XaaS service functions to exchange messages securely. For still another example, an interface V could be defined as a set of security features that enables secure communications among C/M-TW-GWs or among Data-TW-GWs. In other words, the interface I could support a connection between a device and an RB handler; the interface II could support a connection between a device and a C/M-TW-GW/Data-TW-GW; the interface III could support a connection between a XaaS service and a C/M-TW-GW/Data-TW-GW.
In this scenario, security procedures between a device (e.g., a UE) and network functions would be involved when the device is capable of connecting to a network. For example, when the device is capable of connecting to a C/M-TW-GW and/or connecting to a RAN infrastructure (e.g., an RB handler in FIG. 6) that is connected to both other infrastructures (e.g. a CN infrastructure, a third-party cloud) and C/M-TW-GWs, the security procedures may include a primary authentication and key agreement procedure. The primary authentication and key agreement procedure is to enable mutual authentication between the device and a serving network and to provide keying materials that can be used between the device and the serving network. The keying materials can be used for signaling security protection on the interface I and interface II in subsequent security procedures. For another example, when a service is requested by the device, the security procedures may include a secondary authentication and key agreement procedure. The secondary authentication and key agreement procedure is to enable mutual authentication between the device and the XaaS service, and to provide keying materials that can be used between the device and the XaaS service in subsequent security procedures. The keying materials can be used for data security protection on an interface I and an interface II in subsequent security procedures. The primary authentication and key agreement procedure and the secondary authentication and key agreement procedure could be controlled or handled by a SPM in 6G XaaS service at the C/M layer. Internet protocol security (IPsec) protocol or transport layer security (TLS) protocol can be used on an interface III, an interface IV and an interface V for secure communications.
The primary authentication and key agreement procedures and the secondary authentication and key agreement procedures are controlled or handled by a SPM in 6G XaaS service at C/M layer (as shown in FIG. 6) . The following issues shall be addressed when implementing these procedures.
1) Who can join a XaaS service? Is it a participator, e.g., a client or a UE? Could this participator be un-trusted? What functions could be provided for authenticating the legitimacy of the participator? Similarly, a XaaS service could be deployed by an un-trusted provider, so what functions could be provided for authenticating the legitimacy of the XaaS service?
2) After successful authentication, could a participator be served anonymously by the requested XaaS services, or does the participator have no permission to access the XaaS services? In other words, the XaaS service does not know who uses this service, and the participator does not know who provides this service to him/her. Thus, what functions are responsible for anonymous authorization of the participator, and what methods of anonymous authorization shall be used?
3) What functions are responsible for providing keys for secure communications on interface I or interface II? What methods of security protection shall be used on the C/M session and the data session, or on the C/M RB (defined as an over-the-air connection for carrying control signaling for over-the-air interface management and C/M plane messages) and the data RB (defined as an over-the-air connection for carrying data plane traffic)?
4) Due to the anonymous authorization of a participator, what functions are responsible for the charging of the participator by a XaaS service provider? An anonymous charging policy should be addressed by these functions.
5) Due to anonymous authorization and anonymous charging, a network function is needed to identify these participators. This network function should provide functionalities such as participator identification, mapping or aligning identifiers from different providers to a specific participator, and identifier management.
6) How do these different network functions work together to provide the above security functionalities? What interfaces or signalling are needed among these network functions?
In the present application, we introduce a SPM to handle or control a mutual authentication service, a key management service, an anonymous authorization service, a charging and policy service, and an ID management service. These services are implemented by different network functions. For illustrative purpose, in the following, architectures of a SPM will be described in combination with FIG. 7 to FIG. 9.
FIG. 7 is an architecture of a SPM according to some embodiments of the present application.
A SPM-Authen could be responsible for authentication of a device and/or a XaaS service. The SPM-Authen could also be responsible for negotiating a shared key. The shared key could be known by the device and the network.
For example, a SPM-Authen could provide a unified mutual authentication service. In other words, the SPM-Authen service could provide a unified mutual authentication service for multiple un-trusted participators (e.g., a device, an end customer, an infrastructure provider or a XaaS service) . The unified mutual authentication service can be implemented by a SPM-Authen during a primary authentication procedure.
A SPM-Author could be responsible for service subscription negotiation with a XaaS service on behalf of a device. The SPM-Author could also be responsible for granting service permissions to devices. The SPM-Author could also be responsible for generating an authentication code which is used for validation on a device, a required service and a service provider that provides the required service to the device. In some implementations, the SPM-Author could further be responsible for setting up or configuring a secure tunnel between a device and a service provider. In some implementations, the secure tunnel could be established by other network functions, such as an access management function.
For example, a SPM-Author could provide an anonymous authorization service. In other words, the SPM-Author could provide authorization for a device to access a XaaS service anonymously. The anonymous authorization service can be implemented by SPM-Author during a secondary authentication/authorization procedure.
A SPM-IDM could provide an ID management service. For example, the SPM-IDM could be responsible for maintaining or storing ID information of devices and the corresponding authentication materials (e.g., a certificate) of devices. A certificate of a device could be taken as a credential of the device that is used for a mutual authentication between the device and the SPM-Authen. For another example, a SPM-IDM could be responsible for generating, refreshing and revoking an ID of the device. For still another example, the SPM-IDM could be responsible for ID mapping and ID alignment. The motivation of the ID mapping is to provide anonymous ID mappings when a XaaS service/a network function cannot link a temporary ID of a device with this device. In other words, the temporary ID of the device could be mapped to another ID of the device that could be used to identify the device by the XaaS service/the network function. The ID alignment could provide an anonymous ID alignment when different un-trusted network functions or XaaS services align data from different entities (e.g., organizations, and/or third parties) to a same device.
A SPM-UDM could be responsible for management on service profiles and service credentials.
A SPM-KMF could be responsible for negotiating a shared key. The shared key shall be known by the device. The SPM-KMF could also be responsible for generating session keys/RB keys. The session keys could be used for security protection on interface II. The session keys may include keys used for protection of a C/M session or keys used for protection of a data session. The RB keys could be used for security protection on interface I. The RB keys may include keys used for protection of a C/M RB or keys used for protection of a data RB. Moreover, the SPM-KMF could be responsible for key refreshing and key revocation. The SPM-KMF could be responsible for security configuration/activation on a device and on the network side.
A SPM-PCF could be responsible for charging policy. For example, the SPM-PCF could provide charging and policy service that provides policy and charging control rules for a session.
In some embodiments, a SPM-Authen, a SPM-Author, a SPM-IDM, a SPM-UDM, a SPM-KMF and a SPM-PCF could be distributed among different network functions. In some embodiments, at least two of a SPM-Authen, a SPM-Author, a SPM-IDM, a SPM-UDM, a SPM-KMF and a SPM-PCF could be integrated into a same one network function.
In some implementations, other architectures of a SPM may differ from the architecture shown in FIG. 7. For example, an architecture of a SPM may not include all entities (i.e., a SPM-Authen, a SPM-Author, a SPM-IDM, a SPM-UDM, a SPM-KMF and a SPM-PCF) shown in FIG. 7.
According to embodiments related to FIG. 7, we provide a framework for service provision management. This framework could provide a unified mutual authentication service, an anonymous authorization service, a key management service, a charging and policy service, and an ID management service. In this framework, we provide interfaces among the different functions that implement the above services. Compared to prior art (e.g., 3GPP TS 33.501 [1]), our framework has new features: (1) Decoupling authentication from key management, which could reduce overhead during key refresh. (2) Decoupling authentication from authorization, which enables anonymous authorization. (3) With the help of the IDM, it could provide anonymous communications and protect ID privacy.
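The following is an added worked example and is not part of the patent text: it shows one way the SPM-KMF role described above could derive the RB keys for interface I and the session keys for interface II from the shared key of the primary authentication, and how a key refresh or revocation then touches only the KMF state, which is the "decoupling authentication from key management" point of feature (1). The KDF (HKDF per RFC 5869 over HMAC-SHA256), the key names, the labels and the counter layout are assumptions made for illustration, not anything the patent specifies.

```python
"""Added example (not from the patent): a key hierarchy for the SPM-KMF role.
The root is the shared key produced by the primary authentication; from it the
KMF derives the RB keys for interface I and the session keys for interface II,
and a refresh re-derives them without a new authentication run.  The KDF (HKDF,
RFC 5869, over HMAC-SHA256) and every label, key name and counter layout are
assumptions made for illustration."""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out, counter = out + block, counter + 1
    return out[:length]


class SpmKmf:
    """Key management decoupled from authentication: the root key is bound once
    per device (per temporary ID); refresh and revocation touch only KMF state."""

    # interface I (over-the-air RBs) and interface II (sessions with the TW-GWs)
    LABELS = {"cm_rb": b"I/C-M-RB", "data_rb": b"I/DATA-RB",
              "cm_session": b"II/C-M-SESSION", "data_session": b"II/DATA-SESSION"}

    def __init__(self):
        self._root = {}          # temp ID -> (PRK, refresh counter)

    def bind_shared_key(self, temp_id: str, shared_key: bytes) -> None:
        # shared key delivered by the primary authentication (e.g. an EMSK)
        self._root[temp_id] = (hkdf_extract(temp_id.encode(), shared_key), 0)

    def derive(self, temp_id: str) -> dict:
        if temp_id not in self._root:
            raise KeyError(f"no shared key bound to {temp_id} (revoked or never authenticated)")
        prk, ctr = self._root[temp_id]
        return {name: hkdf_expand(prk, label + b"|" + ctr.to_bytes(4, "big")).hex()
                for name, label in self.LABELS.items()}

    def refresh(self, temp_id: str) -> dict:
        """Key refresh: bump the counter and re-derive; no authentication signalling."""
        prk, ctr = self._root[temp_id]
        self._root[temp_id] = (prk, ctr + 1)
        return self.derive(temp_id)

    def revoke(self, temp_id: str) -> None:
        self._root.pop(temp_id, None)


def run_demo() -> dict:
    """Constructed scenario: bind, derive, refresh, revoke for one temporary ID."""
    kmf = SpmKmf()
    kmf.bind_shared_key("tid-7f3a", b"\x11" * 32)      # constructed shared key
    first = kmf.derive("tid-7f3a")
    refreshed = kmf.refresh("tid-7f3a")
    kmf.revoke("tid-7f3a")
    try:
        kmf.derive("tid-7f3a")
        revoked_rejected = False
    except KeyError:
        revoked_rejected = True
    return {"first": first, "refreshed": refreshed, "revoked_rejected": revoked_rejected}
```

The four derived keys differ from each other because the label is part of the HKDF info, and a refresh changes all of them while leaving the root PRK (and therefore the authentication state) untouched; a revoked temporary ID yields no keys at all.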
For illustrative purpose, FIG. 8 and FIG. 9 illustrate other architectures of a SPM according to some embodiments of the present application. For example, an architecture of a SPM shown in FIG. 8 could support a mutual authentication service. For another example, an architecture of a SPM shown in FIG. 9 could support an anonymous authorization service.
In an embodiment, regarding FIG. 8, all entities (e.g., a client, a SPM-Authen, a XaaS service) register to a certificate authority (CA) to obtain their certificates. A trusted SPM-IDM shall generate an authentication ID for a client, register to a CA on behalf of the client, and keep the client's authentication materials (e.g., a certificate) corresponding to the authentication ID. A SPM-Authen is responsible for authentication of a client, and for negotiating a shared key with a SPM-KMF.
In another embodiment, regarding FIG. 9, a client shall subscribe to a XaaS service with the help of the network. In other words, a SPM-Author negotiates with XaaS service providers on behalf of the client for the service subscriptions. This prevents XaaS service providers from knowing the real ID of the client. These service subscriptions are kept in a SPM-UDM. Thus, it could provide anonymous service subscription with XaaS services for the client. When a client requests XaaS services, a SPM-Author could grant permissions to the client after the client is successfully authenticated by a SPM-Authen. Thus, these XaaS service providers cannot associate these services with the specific client. A session key that is used for service data security protection, or for a secure communication between the client and the XaaS service, may be negotiated by a SPM-KMF.
According to the architectures mentioned above, a unified mutual authentication service, an anonymous authorization service, a key management service, a charging and policy service, and an ID management service could be provided by different entities. Based on these architectures, a procedure of authentication could be decoupled from a procedure of key management, which could reduce signaling overhead during key refreshing. Moreover, a procedure of authentication could be decoupled from a procedure of authorization, so that anonymous authorization could be supported. Furthermore, anonymous communication and privacy protection of the ID of the device could be provided with the help of the SPM-IDM.
FIG. 10 is a schematic flowchart of a method for communication according to some embodiments of the present application. The following separately describes steps involved in the method 500 in detail. The FIG. 10 could illustrate an example of a call flow of a procedure of authentication, authorization and key management. A SPM-UDM could be taken as an example of a first SPM NF, a SPM-Author could be taken as an example of a second SPM NF, a SPM-IDM could be taken as an example of a third SPM NF, a SPM-Authen could be taken as an example of a fourth SPM NF, and SPM-KMF could be taken as an example of a fifth SPM NF.
At S501, a second SPM NF transmits a first message to a first SPM NF.
The second SPM NF could transmit the first message to the first SPM NF directly or indirectly. After receiving a request for authorizing a service to a device, the second SPM NF could transmit the first message. The request might be transmitted from the device or an access management function.
The first message is used to request first information of a service. The first information of the service is used for granting the device a permission to access the service. For example, the first information may include, but is not limited to: information of a subscription of a service, and information of a service provider that provides the requested service. The first information of the service for the device could also be referred to as a profile of the service, or a service profile.
The first message includes a first ID of the device. The first ID of the device is used in a communication between the device and a serving network. In order to protect a real ID of a device, the device could use a temporary ID to communicate with a service provider or a network function (e.g., a C/M-TW-GW, a Data-TW-GW, or a SPM-Author). A real ID of a device (also referred to as a device's real ID) could be used for identifying the device. The first ID of the device could be a temporary ID.
In some embodiments, the first message could further include an ID of a requested service, or an ID of a service provider that provides the requested service.
The first SPM NF shall transmit a message (e.g., a second message) to the second SPM NF, and this message includes the first information of the service. However, since one or more temporary IDs of a device may be used in communications between the device and network functions, the first SPM NF may not know which device the ID included in the first message is associated with. Therefore, identification of the device shall be implemented with the help of a SPM-IDM.
At S502, the first SPM NF determines an ID of a communication related to an authentication and/or authorization procedure of the service for the device.
The ID of the communication is associated to the first ID of the device.
Since a temporary ID of a device may be used in communications between the device and network functions, different temporary IDs of a same device may be used in communications related to different network functions. Because the ID of the communication is associated with the first ID of the device, the ID of the communication can be used to identify the device by at least one network function related to the authentication and/or authorization procedure. For example, a SPM-Authen, a SPM-Author, a SPM-IDM, or a SPM-UDM could use this ID to identify the device in an authentication/authorization procedure.
At S503, the first SPM NF transmits a third message to a third SPM NF.
The third message includes the first ID of the device and the ID of the communication mentioned in S502.
The third message is used to obtain a second ID of the device. The first information of the service is related to the second ID of the device. The second ID of the device may be a temporary ID.
In some implementations, a same device may use different temporary IDs in different communications. For example, a device may use a temporary ID (e.g., a temporary ID #1) to subscribe to a service, and a service subscription could be generated by a service provider and be related to the temporary ID #1. A SPM-UDM could store the service subscription. However, the device may use another temporary ID (e.g., a temporary ID #2) to request a permission to access the service, and the SPM-UDM may not be able to identify the device according to the temporary ID #2. In this scenario, the SPM-UDM could transmit a message to a SPM-IDM to query the temporary ID #1. The SPM-IDM could inform the SPM-UDM that the temporary ID #1 and the temporary ID #2 are associated with the same device.
At S504, the third SPM NF determines the second ID of the device.
The third SPM NF could determine the second ID of the device according to the first ID of the device.
In other words, the third SPM NF could query an ID of the device that is associated with the first information of the service according to an ID of the device included in the third message.
At S505, the third SPM NF transmits a fourth message to the first SPM NF.
The fourth message includes the second ID of the device. The fourth message could be a response to the third message.
At S506, the first SPM NF implements identification on the device.
The first SPM NF implements identification of the device according to the second ID of the device. The first SPM NF could determine the information of the requested service that the second ID of the device is associated with. For example, the first SPM NF could select a service profile from a plurality of service profiles according to the second ID of the device.
At S507, the first SPM NF transmits a second message to the second SPM NF.
The second message includes the information of the service associated with the second ID of the device. The second message could further include the ID of the communication mentioned in S502. The second message could be a response to the first message.
At S508, the second SPM NF transmits a seventh message to a fourth SPM NF.
The seventh message is used to request an authentication of the service for the device.
The seventh message includes the ID of the communication. The seventh message could further include an ID of the requested service or an ID of a service provider that provides the requested service.
The fourth SPM NF could implement the authentication after obtaining authentication materials (e.g., a credential of the service for the device, and a credential of the device) from other network functions. Moreover, the fourth SPM NF could transmit a message (e.g., an eighth message) to indicate a result of the authentication.
At S509, the fourth SPM NF transmits a first request to the first SPM NF.
The first request is used to request a credential of the service for the device that is associated with the second ID of the device and the first information of the service. The credential of the service for the device is used for an authentication on the service or an authentication on a service provider that provides the service.
The first request includes the ID of the communication mentioned in S502. The first request further includes an ID of the requested service or an ID of a service provider that provides the requested service.
In some embodiments, the first information of the service could be generated in a procedure of service subscription. In this procedure, the second ID of the device is used, and the second SPM NF may obtain the first information of the service from a service provider. The second SPM NF could transmit a request (e.g., a second request) to the first SPM NF to request storage of a credential of the service for the device. This request includes the first information of the service and the second ID of the device. Correspondingly, the first SPM NF could generate the credential of the service for the device that is associated with the second ID of the device and the first information of the service. Furthermore, the first SPM NF could transmit a message (e.g., a sixth message) to indicate the generation of the credential of the service for the device.
At S510, the first SPM NF transmits a fifth message to the fourth SPM NF.
The fifth message includes the credential of the service for the device. The fifth message could be a response to the first request. The credential of the service for the device is obtained by the first SPM NF according to the ID of the communication mentioned in S502.
At S511, the fourth SPM NF transmits a third request for a credential of the device to the third SPM NF.
For example, all entities (e.g., a device, a SPM-Authen, a XaaS service) shall register to a CA to obtain their certificates. The SPM-IDM could register to the CA on behalf of a device and obtain a certificate of the device (also referred to as a device's certificate). The SPM-IDM could store or maintain the device's certificate. The device's certificate could be used for an authentication of the device (e.g., a mutual authentication between the device and a SPM-Authen). The device's certificate could be taken as an example of the credential of the device. The SPM-Authen is responsible for authentication of a client, and for negotiating a shared key with a SPM-KMF.
In some embodiments, a SPM-IDM shall generate an ID of a device and this ID of the device is used to register to the CA on behalf of the device by the SPM-IDM. This ID of the device could be referred to as an authentication ID of the device or device’s authentication ID. A certificate of a device could be associated with the device’s authentication ID.
At S512, the third SPM NF transmits a message to the fourth SPM NF.
The message (e.g., an eleventh message) could be considered as a response to the third request. The message includes the credential of the device.
At S513, the fourth SPM NF implements an authentication of the device and of a service provider.
The fourth SPM NF implements an authentication of the device and an authentication of the requested service/the service provider that provides the requested service according to the credential of the device and the credential of the service for the device.
At S514, the fourth SPM NF transmits an eighth message to the second SPM NF.
The eighth message includes an indication of a result of the authentication. The eighth message could be a response to the seventh message.
At S515, the second SPM NF transmits a ninth message to a fifth SPM NF.
The ninth message is used to request keys used for security protection of a communication associated with the service.
At S516, the fifth SPM NF generates information of the keys.
For example, the fifth SPM NF could generate keys for protection of a C/M session, keys for protection of a data session and so on. The C/M session and/or the data session is associated with the service.
At S517, the fifth SPM NF transmits a tenth message to the second SPM NF.
The tenth message includes the information of the keys. The tenth message could be a response to the ninth message. The information of the keys could be used for generation or configuration of these keys.
In some implementations, the fourth SPM NF transmits a request for a temporary ID of the device to the SPM-IDM, when a new temporary ID of the device is needed.
In some embodiments, the fourth SPM NF transmits a fourth request for a third ID of the device to the third SPM NF. The fourth request could include a fourth ID of the device or the ID of the communication mentioned in S502. The fourth ID of the device could be used for a mutual authentication between the device and the fourth SPM NF, and the fourth ID of the device could be associated with the credential of the device. For example, an authentication ID of a device could be taken as an example of a fourth ID of the device.
The third SPM NF could generate the third ID of the device according to the fourth request. The third SPM NF could transmit a twelfth message to the fourth SPM NF. The twelfth message includes the third ID of the device and could be a response to the fourth request.
As mentioned above, at least two of a SPM-Authen, a SPM-Author, a SPM-IDM, a SPM-UDM, a SPM-KMF and a SPM-PCF could be integrated into the same one network function. In an embodiment, a SPM-Author and a SPM-IDM are integrated into a network function. In another embodiment, a SPM-Author and a SPM-Authen are integrated into a network function. There are other integration methods for at least two of a SPM-Authen, a SPM-Author, a SPM-IDM, a SPM-UDM, a SPM-KMF and a SPM-PCF, which is not limited.
For illustrative purpose, suppose that a second SPM NF and a third SPM NF are integrated into one network function (e.g., a third network function). In this scenario, the third network function shall transmit the messages transmitted by the second SPM NF and the messages transmitted by the third SPM NF, and shall receive the messages received by the second SPM NF and the messages received by the third SPM NF. For example, the third network function transmits a message that corresponds to the first message in S501; correspondingly, a first SPM NF receives this message. For another example, the first SPM NF transmits a message that corresponds to the second message in S507; correspondingly, the third network function receives this message. For still another example, the first SPM NF transmits a message that corresponds to the third message in S503; correspondingly, the third network function receives the third message.
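The following is an added worked example and is not part of the patent text: it simulates, in one Python process, the call flow of S501 to S514 of the method 500 so that the ID mapping can be seen end to end. A device subscribes to a service under one temporary ID (temporary ID #1), later requests access under a different temporary ID (temporary ID #2), and the SPM-UDM can only locate the service profile and the credential of the service for the device after the SPM-IDM resolves the two IDs to the same device; the SPM-Author and the SPM-Authen never see a real ID. The key request in S515 to S517 is omitted. The class and message names, the communication-ID format, the "context" tag under which the SPM-IDM issues temporary IDs, and the HMAC tags standing in for certificates and service credentials are all assumptions made for illustration.

```python
"""Added example (not from the patent): an in-process simulation of the FIG. 10
call flow, S501-S514 (the key request in S515-S517 is omitted).  Class and
message names, the communication-ID format, the "context" tag under which the
SPM-IDM issues temporary IDs, and the HMAC tags standing in for certificates and
service credentials are assumptions made for illustration."""
import hashlib
import hmac
import secrets


def _tag(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class SpmIdm:
    """Third SPM NF: the only entity able to link temporary IDs to a device."""

    def __init__(self, secret: bytes):
        self._secret, self._owner, self._by_ctx, self._certs = secret, {}, {}, {}

    def register_device(self, real_id: str, cert: dict) -> None:
        self._certs[real_id] = cert          # certificate obtained from the CA for the device

    def issue_temp_id(self, real_id: str, context: str) -> str:
        tid = "tid-" + _tag(self._secret, f"{real_id}|{context}")[:12]
        self._owner[tid], self._by_ctx[(real_id, context)] = real_id, tid
        return tid

    def resolve(self, temp_id: str, context: str) -> str:
        """S504: the temp ID the same device used in `context` (KeyError if unknown)."""
        return self._by_ctx[(self._owner[temp_id], context)]

    def device_credential(self, temp_id: str) -> dict:
        """S511-S512: the device's certificate, found via the owner of the temp ID."""
        return self._certs[self._owner[temp_id]]


class SpmUdm:
    """First SPM NF: profiles and service credentials keyed by the subscription-time temp ID."""

    def __init__(self, idm: SpmIdm, cred_key: bytes):
        self._idm, self._cred_key, self._seq = idm, cred_key, 0
        self._profiles, self._creds, self._comm = {}, {}, {}

    def second_request(self, sub_tid: str, service_id: str, profile: dict) -> None:
        nonce, provider = secrets.token_hex(8), profile["provider"]
        self._profiles[(sub_tid, service_id)] = profile
        self._creds[(sub_tid, service_id)] = {"service_id": service_id, "provider": provider,
            "nonce": nonce, "tag": _tag(self._cred_key, f"{service_id}|{provider}|{nonce}")}

    def first_message(self, first_id: str, service_id: str) -> dict:
        self._seq += 1
        comm_id = f"comm-{self._seq}"                                      # S502
        sub_tid = self._idm.resolve(first_id, f"subscribe:{service_id}")   # S503-S505
        self._comm[comm_id] = (sub_tid, service_id)                        # S506
        return {"comm_id": comm_id, "profile": self._profiles[(sub_tid, service_id)]}

    def first_request(self, comm_id: str) -> dict:
        """S509-S510: the credential is located by communication ID, not by a device ID."""
        return self._creds[self._comm[comm_id]]


class SpmAuthen:
    """Fourth SPM NF: authenticates the device and the service/provider (S508-S514)."""

    def __init__(self, udm: SpmUdm, idm: SpmIdm, cred_key: bytes):
        self._udm, self._idm, self._cred_key = udm, idm, cred_key

    def seventh_message(self, comm_id: str, device_tid: str, service_id: str) -> dict:
        svc = self._udm.first_request(comm_id)                             # S509-S510
        cert = self._idm.device_credential(device_tid)                     # S511-S512
        expected = _tag(self._cred_key, f"{svc['service_id']}|{svc['provider']}|{svc['nonce']}")
        ok = (svc["service_id"] == service_id and not cert["revoked"]
              and hmac.compare_digest(svc["tag"], expected))               # S513
        return {"comm_id": comm_id, "ok": ok}                              # eighth message


class SpmAuthor:
    """Second SPM NF: sends the first and seventh messages and grants the permission."""

    def __init__(self, udm: SpmUdm, authen: SpmAuthen):
        self._udm, self._authen = udm, authen

    def authorize(self, device_tid: str, service_id: str) -> dict:
        try:
            second = self._udm.first_message(device_tid, service_id)       # S501/S507
        except KeyError:
            return {"granted": False, "reason": "unknown temp ID or no subscription"}
        eighth = self._authen.seventh_message(second["comm_id"], device_tid, service_id)
        if not eighth["ok"]:
            return {"granted": False, "reason": "authentication failed"}
        return {"granted": True, "comm_id": second["comm_id"], "profile": second["profile"]}


def run_demo() -> dict:
    """Constructed scenario: subscribe under temp ID #1, request access under temp ID #2."""
    idm, cred_key = SpmIdm(b"idm-secret"), b"udm-authen-shared-key"
    udm = SpmUdm(idm, cred_key)
    author = SpmAuthor(udm, SpmAuthen(udm, idm, cred_key))
    real_id, service = "device-real-0001", "xaas-video"
    idm.register_device(real_id, {"subject": "auth-id-7f3a", "revoked": False})
    tid1 = idm.issue_temp_id(real_id, f"subscribe:{service}")              # subscription time
    udm.second_request(tid1, service, {"provider": "sp-A", "tier": "gold"})
    tid2 = idm.issue_temp_id(real_id, "access:window-7")                   # access time
    return {"tid1": tid1, "tid2": tid2, "granted": author.authorize(tid2, service),
            "denied": author.authorize("tid-000000000000", service)}       # never issued
```

Two properties of the flow are visible here: the SPM-UDM keys its state by the subscription-time temporary ID and by the ID of the communication, so nothing it hands to the SPM-Author or the SPM-Authen contains the real ID; and a temporary ID the SPM-IDM never issued cannot be resolved, so the request is refused before any credential is released.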
For illustrative purpose, in the following, an example of a call flow of a procedure of a mutual authentication will be described in combination with FIG. 11.
FIG. 11 is a schematic flowchart of a method 600 according to some embodiments of the present application. The basic concepts of these embodiments are:
(1) Decouple authentication from ID management. An authentication ID is introduced for authentication of a client, but the real ID is used for identifying the client. This could protect ID privacy. (2) Provide a unified mutual authentication. This service provides a unified mutual authentication for multiple un-trusted participators (e.g., clients, infrastructure providers, XaaS services). (3) Provide anonymous communications. This service provides anonymous communication services among different providers. Because temporary IDs that are mapped to a specific client are used for communications, these different providers cannot link these temporary IDs to the specific client.
The following separately describes steps involved in the method 600 in detail.
At S601, a device transmits a message 1 to a SPM-Authen.
The message 1 could include an access request and could be represented by an access_request in FIG. 11.
The device could transmit the message 1 to the SPM-Authen directly or indirectly.
The message 1 shall include an ID of the device. The ID of the device is used in a communication between the device and a serving network.
In an embodiment, the message 1 includes an ID of the device that is pre-assigned to the device when the device registers to a CA. This ID of the device could be taken as an example of an authentication ID of the device.
In another embodiment, the message 1 includes a temporary ID of the device, e.g., a temporary ID #3.
In some implementations, the message 1 could further include an ID of a requested XaaS service.
At S602, the SPM-Authen transmits a message 2. Correspondingly, a SPM-IDM receives the message 2.
The message 2 is used to request authentication materials of the device and could be represented by an auth_material_request in FIG. 11. The authentication materials of the device may include device’s certificate.
The message 2 includes the ID of the device mentioned in S601.
At S603, the SPM-IDM transmits a message 3. Correspondingly, the SPM-Authen receives the message 3.
The message 3 includes the authentication materials of the device and could be represented by an auth_material_response in FIG. 11. The authentication materials correspond to the ID of the device mentioned in S602.
In an embodiment, the authentication materials are obtained according to the authentication ID of the device.
In another embodiment, the authentication materials are obtained according to a temporary ID of the device, e.g., the temporary ID #3.
At S604, the SPM-Authen launches a mutual authentication between the device and the SPM-Authen.
For example, the mutual authentication could be implemented according to an extensible authentication protocol-transport layer security (EAP-TLS) method, or other authentication solutions.
This authentication mentioned above could be taken as an example of a primary authentication.
In some implementations, in order to provide privacy protection of device’s real ID and anonymous communications, a temporary ID of the device may be involved in a communication between the device and the network. In this scenario, the method 600 could further include step S605 to S607.
For example, when the mutual authentication is performed according to the authentication ID of the device, the SPM-Authen shall request a temporary ID of the device for privacy protection.
For another example, the SPM-Authen may request a new temporary ID (e.g., a temporary ID #4) of the device for the next time window according to a current temporary ID (e.g., the temporary ID #3) of the device.
At S605, the SPM-Authen transmits a message 5. Correspondingly, a SPM-IDM receives the message 5.
The message 5 is used to request a temporary ID (e.g., a temporary ID #4) of the device. The message 5 could be represented by a Tem_ID_request in FIG. 11. The message 5 could be taken as an example of the fourth request mentioned in the method 500.
The message 5 includes an ID of the device, e.g., the authentication ID of the device or the temporary ID #3 mentioned above.
At S606, the SPM-IDM generates a temporary ID of the device.
For example, the temporary ID #4 is generated based on the authentication ID of the device or the temporary ID #3. Moreover, the SPM-IDM could store or maintain the temporary ID of the device.
At S607, the SPM-IDM transmits a message 7. Correspondingly, the SPM-Authen receives the message 7.
The message 7 could be a response to the message 5 and could be represented by a Tem_ID_reponse in FIG. 11.
The message 7 includes a temporary ID of the device. For example, the message 7 includes the temporary ID #4 mentioned above.
The message 7 could be taken as an example of the twelfth message mentioned in the method 500.
At S608, the SPM-Authen transmits a message 8. Correspondingly, a SPM-KMF receives the message 8.
The message 8 is used to request a shared key for the device and network. The message 8 could be represented by a Nego_sharekey_request in FIG. 11.
The message 8 shall include a temporary ID of the device. The shared key could be associated with this temporary ID of the device. The shared key could be used to generate keys used for protection of a communication between the device and the network. For example, keys used for protection of a C/M session between the device and a C/M-TW-GW could be generated based on the shared key.
In an embodiment, when the mutual authentication is performed according to the authentication ID of the device, the SPM-Authen shall request and obtain a temporary ID of the device for privacy protection. The message 8 could include this temporary ID of the device and the shared key is associated with this temporary ID.
In another embodiment, when the mutual authentication is performed according to a temporary ID of the device (e.g., the temporary ID #3) , this temporary ID could be included in the message 8 to request the shared key. In this scenario, the shared key is associated with the temporary ID #3. In other words, steps S605 to S607 could be skipped in this scenario.
In still another embodiment, when the mutual authentication is performed according to a temporary ID of the device (e.g., the temporary ID #3) , a new temporary ID of the device (e.g., the temporary ID #4) could be generated. When the message 8 includes this new temporary ID of the device (i.e., the temporary ID #4) , the shared key is generated and associated with the temporary ID #4.
In some implementations, the message 8 could further include information generated during the mutual authentication.
At S609, the SPM-KMF transmits a message 9. Correspondingly, the SPM-Authen receives the message 9.
The SPM-KMF could negotiate a shared key with the SPM-Authen.
The message 9 shall include the shared key. For illustrative purpose, the shared key could be a root key, or a long-term key, e.g., an extended master session key.
The message 9 could be a response to the message 8, and could be represented by a Nego_sharekey_reponse in FIG. 11.
At S610, the SPM-Authen transmits a message 10. Correspondingly, the device receives the message 10.
The message 10 is a response to the access request and could be represented by an access_reponse in FIG. 11. The message 10 could include the shared key and the ID of the device with which the shared key is associated.
According to the above-mentioned technical solution, interfaces for a unified mutual authentication service could be provided. Moreover, different from the current authentication procedure, the authentication could be decoupled from the ID management and from the key management. This could provide privacy protection of identity and enable anonymous communications.
In an embodiment, regarding FIG. 11, a client sends an access request to a SPM-Authen, directly or indirectly. This access request shall include the ID of the client; this ID is pre-assigned to the client when the client registers with the CA. This ID could be an authentication ID. This access request may include an ID of a requested XaaS service. This access request corresponds to the message 1 in S601. The SPM-Authen sends an auth_material request to a SPM-IDM. The request shall include the ID of the client. The auth_material request corresponds to the message 2 in S602. The SPM-IDM sends an auth_material response to the SPM-Authen. This response shall include authentication materials corresponding to the ID of the client. The auth_material response corresponds to the message 3 in S603. Later, the SPM-Authen launches a mutual authentication between the client and the SPM-Authen. The mutual authentication could be implemented with EAP-TLS or other existing authentication solutions. The SPM-Authen sends a TemID_request to the SPM-IDM. The TemID_request corresponds to the message 5 in S605. The SPM-IDM generates a temporary ID and sends a TemID_response including the temporary ID to the SPM-Authen. The TemID_response corresponds to the message 7 in S607. The SPM-Authen sends a Nego_sharekey request to a SPM-KMF. This request may include the temporary ID and information generated during the mutual authentication. The Nego_sharekey request corresponds to the message 8 in S608. The SPM-KMF sends a Nego_sharekey response to the SPM-Authen. This response may include a negotiated shared key. The Nego_sharekey response corresponds to the message 9 in S609. The SPM-Authen sends an access response including the temporary ID and the negotiated shared key to the client. The access response corresponds to the message 10 in S610.
In this embodiment, we provide interfaces for a unified mutual authentication service and a procedure for implementing the mutual authentication service. Different from 3GPP TS 33.501, we decouple authentication from ID management and from key management. This could bring benefits such as ID privacy protection, higher communication efficiency, and anonymous communications.
In some embodiments, a device may subscribe to a service provided by a XaaS service with the help of the network. A SPM-Author could negotiate with a service provider on behalf of the device for a service subscription. This could prevent the service provider from knowing a real ID of the device. The service subscription could be stored in a SPM-UDM. This could provide an anonymous service subscription with the XaaS service for the device. When a device requests a service provided by the XaaS service, a SPM-Author could grant permission to the device after the device is successfully authenticated by a SPM-Authen. A session key used for security protection of service data, or of a communication between the device and the XaaS service, may be negotiated by a SPM-KMF.
For illustrative purpose, in the following, an example of a call flow of a procedure of a service subscription and an example of a call flow of a procedure of a service establishment will be described in combination with FIG. 12 and FIG. 13, respectively. The basic concepts of these embodiments are: (1) Decouple the service profile and the ID profile. The service profile is kept in a SPM-UDM, and the ID profile is kept in a SPM-IDM. This separation enables authentication and authorization to be decoupled, which in turn enables the service ID and the client ID to be decoupled. (2) Decouple the client ID from the service ID. We decouple the client ID from the service ID, so that a SPM-Author only knows that a specific XaaS service is authorized but does not know the exact client. At the same time, a SPM-Authen only knows the exact client but does not know which XaaS service is provided to the client. This could protect client ID privacy and service privacy. (3) Decouple authentication and authorization. We decouple authentication and authorization; these functionalities are separated and implemented by a SPM-Authen and a SPM-Author, respectively. Since multiple XaaS services are deployed in the network, a SPM-Author is responsible for authorization of XaaS services on behalf of the XaaS services themselves. This brings flexible service management.
FIG. 12 is a schematic flowchart of a method 700 according to some embodiments of the present application. FIG. 12 illustrates an example of a call flow of a procedure of a service subscription. The following separately describes steps involved in the method 700 in detail.
At S701, a device transmits a message 1. Correspondingly, a SPM-Author receives the message 1.
The message 1 is used to request a subscription to a service for the device. The message 1 could be represented by a subscribe_request in the FIG. 12.
The service could be provided by a XaaS service. The message 1 could include a temporary ID of the device and information of a requested service. The information of the requested service could include, but is not limited to, at least one of: the service's ID, the service's name, a type of the service, or requirements for the service.
At S702, the SPM-Author negotiates the service subscription with a XaaS service.
The SPM-Author could negotiate with a XaaS service (i.e., a service provider) on behalf of the device for the service subscription, and obtain a service subscription for the device. The service subscription corresponds to the temporary ID of the device.
At S703, the SPM-Author transmits a message 3. Correspondingly, a SPM-UDM receives the message 3.
The message 3 is used to request storage of the service subscription. The message 3 could be represented by a subs_store_request in the FIG. 12.
The message 3 could include the service subscription and the temporary ID of the device. The message 3 could be taken as an example of the second request mentioned in the method 500.
At S704, the SPM-UDM transmits a message 4. Correspondingly, the SPM-Author receives the message 4.
The SPM-UDM could generate a service credential that is associated with the device’s temporary ID and the service subscription. The SPM-UDM could store or maintain the service credential.
The message 4 is a response to the request for the storage of the service subscription. The message 4 could be represented by a subs_store_reponse in the FIG. 12.
The message 4 could indicate a complete generation of the service credential. The message 4 could be taken as an example of the sixth message mentioned in the method 500.
At S705, the SPM-Author transmits a message 5. Correspondingly, the device receives the message 5.
The message 5 could be a response to the request for the service subscription for the device. The message 5 could include the service subscription. The message 5 could be represented by a subscribe_response in the FIG. 12.
In an embodiment, regarding FIG. 12, a client sends a subscribe request for a subscription with a XaaS service to a SPM-Author. This request shall include a temporary ID of the client and requested service information. This request corresponds to the message 1 in S701. The SPM-Author negotiates with a XaaS service provider on behalf of the client for the service subscription and obtains a service subscription for the client. The SPM-Author sends a subs_store request including the service subscription and the temporary ID of the client to a SPM-UDM. The subs_store request corresponds to the message 3 in S703. The SPM-UDM may generate a service credential that is associated with the client's temporary ID and the service subscription. The SPM-UDM sends a subs_store response to the SPM-Author that may indicate that the service credential has been generated. The subs_store response corresponds to the message 4 in S704. The SPM-Author sends a subscribe response to the client. This response may include the service subscription. The subscribe response corresponds to the message 5 in S705.
FIG. 13 is a schematic flowchart of a method 800 according to some embodiments of the present application. FIG. 13 illustrates an example of a call flow of a procedure of a service establishment. The following separately describes steps involved in the method 800 in detail.
At S801, a device transmits a message 1 to a SPM-Author.
The message 1 is used to request a service for the device. The message 1 could be represented by a service_request in the FIG. 13.
The message 1 could include a temporary ID of the device. The message 1 could further include information of a requested service. The information of the requested service could include, but is not limited to, at least one of: the service's ID, the service's name, a type of the service, or requirements for the service.
At S802, the SPM-Author selects a service and generates an authentication code.
The SPM-Author could select a service for the device according to the information of the requested service. For example, the SPM-Author could select a service according to requirements for the requested service.
In some embodiments, the SPM-Author could generate an authentication code that is associated with the temporary ID of the device and an ID of the service.
At S803, the SPM-Author transmits a message 3 to a SPM-Authen.
The message 3 is used to request an authentication of the service for the device. The message 3 could be represented by an auth_request in the FIG. 13.
The message 3 could include the temporary ID of the device. In some embodiments, the message 3 could further include the authentication code.
In some embodiments, the message 3 could be taken as an example of the seventh message mentioned in the method 500.
At S804, the SPM-Authen transmits a message 4 to a SPM-UDM.
The message 4 is used to request authentication material and could be represented by an auth_material_request in the FIG. 13. The message 4 could include the temporary ID of the device.
For example, the authentication material could include the service credential mentioned in method 700.
The message 4 could be taken as an example of the first request mentioned in the method 500.
At S805, the SPM-UDM transmits a message 5 to the SPM-Authen.
The message 5 is a response to the request for authentication material and could be represented by an auth_material_reponse in the FIG. 13.
The message 5 could include a service credential that is associated with the temporary ID of the device.
The message 5 could be taken as an example of the fifth message mentioned in the method 500.
At S806, the SPM-Authen authenticates the device and the service.
The SPM-Authen could authenticate the device and the service according to the service credential and the authentication code. This authentication could be referred to as a second authentication.
In some implementations, the temporary ID of the device mentioned in method 700 is different from the temporary ID mentioned in method 800. For example, temporary ID #1 of the device may be used in the subscription procedure for service #1, and the service credential stored in the SPM-UDM is associated with the temporary ID #1. However, the device may use temporary ID #2 to request the service #1 in the establishment procedure for service #1. In this scenario, since the SPM-IDM is responsible for ID mapping, the relationship between the temporary ID #1 and the temporary ID #2 could be obtained from the SPM-IDM.
At S807, the SPM-Authen transmits a message 7 to the SPM-Author.
The message 7 could be a response to the request for the authentication and could be represented by an auth_reponse in the FIG. 13. The message 7 shall indicate a result of the authentication.
The message 7 could be taken as an example of the eighth message mentioned in the method 500.
At S808, the SPM-Author transmits a message 8 to a SPM-KMF.
The message 8 could be used to request key materials and could be represented by a keymaterial_request in the FIG. 13. These key materials could be used for security protection of service data on interface I and/or interface II in subsequent security procedures.
The message 8 could include the temporary ID of the device. The message 8 could be taken as an example of the ninth message mentioned in the method 500.
At S809, the SPM-KMF transmits a message 9 to the SPM-Author.
The SPM-KMF could generate security parameters for configuration on a security tunnel between the device and the XaaS service. The message 9 could include these security parameters.
The message 9 could be represented by a keymaterial_reponse in the FIG. 13. The message 9 could be taken as an example of the tenth message mentioned in the method 500.
At S810, the SPM-Author sets up a secure tunnel between the device and a XaaS service.
In some implementations, the secure tunnel between the device and the XaaS service could be set up by another network function, e.g., an access management function. In this scenario, the SPM-Author could transmit a message to the network function that is responsible for the setup of the secure tunnel.
At S811, the SPM-Author transmits a message 11 to the device.
The message 11 could be a response to the service request of the device and could be represented by a service_reponse in the FIG. 13. The message 11 could include security parameters.
According to the above-mentioned technical solution, interfaces for anonymous authorization for services could be provided. Moreover, different from the current authorization procedure, the service profile and the ID profile could be decoupled according to the embodiments mentioned above. This could provide anonymous authorization, and could protect the device's ID privacy and the service privacy.
In an embodiment, regarding FIG. 13, a client sends a service request to a SPM-Author. This request shall include a temporary ID of the client and required service information. The service request corresponds to the message 1 in S801. The SPM-Author may select a service according to the requirements in the service information. The SPM-Author generates an authentication code that is associated with the temporary ID of the client and the service information (e.g., service ID). The SPM-Author sends an auth_request to a SPM-Authen. This auth_request may include the authentication code and the temporary ID of the client. The auth_request corresponds to the message 3 in S803. The SPM-Authen sends an auth_material request to a SPM-UDM. This request may include the temporary ID of the client. This request corresponds to the message 4 in S804. The SPM-UDM sends an auth_material response to the SPM-Authen. This response may include a service credential that is associated with the temporary ID of the client. The auth_material response corresponds to the message 5 in S805. The SPM-Authen authenticates the client and the service according to the service credential and the authentication code. The SPM-Authen sends an auth_response to the SPM-Author. This response may include the result of the completed authentication. The auth_response corresponds to the message 7 in S807. The SPM-Author sends a keymaterial_request to a SPM-KMF. The keymaterial_request corresponds to the message 8 in S808. The SPM-KMF may generate security parameters for configuration of a secure tunnel between the client and the XaaS service. The SPM-KMF sends a keymaterial_response including the security parameters to the SPM-Author. The keymaterial_response corresponds to the message 9 in S809. The SPM-Author sets up a secure tunnel between the client and the XaaS service. The SPM-Author sends a service response to the client. This response may include the security parameters. The service response corresponds to the message 11 in S811.
In this embodiment, we provide interfaces for an anonymous authorization service and a procedure for implementing the anonymous authorization service. Different from 3GPP TS 33.501, we decouple the service profile and the ID profile, which enables the client ID and the service ID to be decoupled. This could provide anonymous authorization and protect client ID privacy and service privacy.
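As an added illustration of the FIG. 12 and FIG. 13 flows (this is editorial example code, not part of the patent or of any implementation it describes), the Python model below plays the roles of SPM-UDM, SPM-Authen and SPM-Author for one device. The patent does not specify how the authentication code of S802 or the service credential of S704 is computed; here both are a constructed HMAC over (temporary ID, service ID) under a key K_AU that is assumed to be shared by SPM-Author and SPM-UDM, so that SPM-Authen can match credential against code without ever receiving the service ID. The class and message names, the "temp-1"/"svc-video" identifiers and the stand-in for key material are all constructed for the example.

```python
"""Toy simulation of the subscription (FIG. 12) and establishment (FIG. 13) flows.

Added example, not code from the patent. The HMAC binding, the shared key
K_AU between SPM-Author and SPM-UDM, and all identifiers are assumptions.
"""
import hashlib
import hmac
import secrets


def bind(key: bytes, temp_id: str, service_id: str) -> str:
    """Constructed binding of a temporary device ID to a service ID."""
    return hmac.new(key, f"{temp_id}|{service_id}".encode(), hashlib.sha256).hexdigest()


class SpmUdm:
    """Stores service credentials keyed by the device's temporary ID (S703/S704)."""

    def __init__(self, k_au: bytes):
        self.k_au = k_au
        self.credentials = {}

    def subs_store(self, temp_id: str, service_id: str) -> str:
        self.credentials[temp_id] = bind(self.k_au, temp_id, service_id)
        return "credential_generated"            # message 4 (S704)

    def auth_material(self, temp_id: str):
        """Messages 4/5 (S804/S805): return the credential, never the service ID."""
        return self.credentials.get(temp_id)


class SpmAuthen:
    """Authenticates device and service (S806) from credential plus authentication code."""

    def __init__(self, udm: SpmUdm, authenticated):
        self.udm = udm
        self.authenticated = set(authenticated)  # temp IDs that passed primary auth (method 600)
        self.seen = []                           # everything this NF learns

    def auth_request(self, temp_id: str, auth_code: str) -> bool:
        """Message 3 (S803) in, message 7 (S807) out."""
        self.seen.append((temp_id, auth_code))
        cred = self.udm.auth_material(temp_id)
        device_ok = temp_id in self.authenticated
        service_ok = cred is not None and hmac.compare_digest(cred, auth_code)
        return device_ok and service_ok


class SpmAuthor:
    """Selects the service (S802), binds it to the temporary ID, requests authentication (S803)."""

    def __init__(self, authen: SpmAuthen, k_au: bytes, catalogue):
        self.authen = authen
        self.k_au = k_au
        self.catalogue = catalogue               # service type -> service ID
        self.seen = []

    def service_request(self, temp_id: str, service_type: str) -> dict:
        """Message 1 (S801) in, message 11 (S811) out."""
        service_id = self.catalogue[service_type]              # S802: select by requirement
        self.seen.append((temp_id, service_id))
        auth_code = bind(self.k_au, temp_id, service_id)       # S802: authentication code
        if not self.authen.auth_request(temp_id, auth_code):   # S803..S807
            return {"result": "auth_failed"}
        # S808/S809: key material from SPM-KMF is stood in for by a fresh random value.
        return {"result": "ok", "security_params": secrets.token_hex(16)}


def run_flow() -> dict:
    """Constructed scenario: temp-1 subscribed to video only; temp-2 has no subscription."""
    k_au = secrets.token_bytes(32)
    udm = SpmUdm(k_au)
    authen = SpmAuthen(udm, authenticated={"temp-1", "temp-2"})
    author = SpmAuthor(authen, k_au, {"video": "svc-video", "chat": "svc-chat"})
    udm.subs_store("temp-1", "svc-video")                      # FIG. 12, S703/S704
    return {
        "subscribed": author.service_request("temp-1", "video")["result"],
        "wrong_service": author.service_request("temp-1", "chat")["result"],
        "no_subscription": author.service_request("temp-2", "video")["result"],
        "authen_view": [t for t, _ in authen.seen],
        # SPM-Authen only ever receives temporary IDs and hex digests, never a service ID.
        "authen_learns_service": any("svc" in code for _, code in authen.seen),
        "author_view": author.seen,
    }
```

Running `run_flow()` shows the three outcomes the text implies (a matching subscription is authorized, a subscription for a different service is rejected, an unsubscribed device is rejected) and, more usefully, what each network function has seen: SPM-Author's log holds temporary IDs and service IDs but no permanent identity, and SPM-Authen's log holds temporary IDs and opaque codes but no service ID, which is the decoupling claimed for concepts (2) and (3) above.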
For illustrative purpose, in the following, an example of a call flow of a key management procedure will be described in combination with FIG. 14. The key management service could provide hierarchical key management for the device. The key management service could be provided by one or more KMFs. For example, a SPM-KMF-Session could generate keys for security protection on interface II, and a SPM-KMF-RB could generate keys for security protection on interface I.
In an embodiment, a SPM-KMF-Session and a SPM-KMF-RB could be distributed among different network functions. For example, a KMF #1 and a KMF #2 could be different network functions, where the KMF #1 could be taken as an example of the SPM-KMF-Session and the KMF #2 could be taken as an example of the SPM-KMF-RB. In another embodiment, a SPM-KMF-Session and a SPM-KMF-RB could be integrated into one network function, e.g., a KMF #3.
The key management service could generate security parameters, and configure security parameters to the device side and the network side (e.g., configuring security parameters to an RB handler, a C/M-TW-GW or a Data-TW-GW) before activation of security protection on signaling or data.
For illustrative purpose, FIG. 14 is a schematic flowchart of a method 900 according to some embodiments of the present application. The basic concept of these embodiments is to decouple authentication/authorization and key management. We decouple authentication and key management. Keys for security protection on signaling in interface I and interface II are generated after a primary authentication procedure, and keys for security protection on data in interface I and interface II are generated after a secondary authentication/authorization procedure. All keys are generated by a SPM-KMF. This could simplify key management and make service management flexible.
The key management service may provide hierarchical key management for a client; for example, a SPM-KMF-RB generates RB keys for security protection on interface I, and a SPM-KMF-Session generates session keys for security protection on interface II. This enables an efficient cryptographic method for signaling protection and data protection. The key management service provides generation of security parameters and configuration of these security parameters to a client side and a network side (e.g., an RB handler, a serving C/M-TW-GW or a serving Data-TW-GW) before activation of the signaling protection and data protection.
The following separately describes steps involved in the method 900 in detail.
At S901, a primary authentication or a second authentication is implemented.
For example, a primary authentication could be implemented according to the method 600.
For another example, a second authentication could be implemented according to the method 800.
At S902, a SPM-KMF-Session receives a request (represented by a key_request in the FIG. 14) for keys.
The step S902 could include S902a or S902b.
At S902a, a SPM-Authen transmits a message 2a to the SPM-KMF-Session.
After a successful primary authentication, a SPM-Authen could transmit a message 2a to the SPM-KMF-Session to request keys.
At S902b, a SPM-Author transmits a message 2b to the SPM-KMF-Session.
After a successful second authentication, a SPM-Author could transmit a message 2b to the SPM-KMF-Session to request keys.
The message 2a or message 2b could include a temporary ID of the device. The message 2a or message 2b could further include a shared key. For example, the message 2a or message 2b includes the shared key mentioned in the method 600.
At S903, the SPM-KMF-Session generates session keys.
The session keys could be used for security protection on interface II. The session keys may include keys used for protection of a C/M session or keys used for protection of a data session.
The session keys could be associated with the temporary ID of the device, the shared key and an ID of the SPM-KMF-Session.
At S904, the SPM-KMF-Session transmits a message 4 to a SPM-KMF-RB.
The message 4 could be used to request for RB keys and be represented by a RBkey_request in the FIG. 14. The RB keys could be used for security protection on interface I. The RB keys may include keys used for protection of the C/M RB or keys used for protection of the data RB.
The message 4 could include the temporary ID of the device and the ID of the SPM-KMF-Session.
At S905, the SPM-KMF-RB generates RB keys.
The RB keys could be associated with the temporary ID of the device and an ID of the SPM-KMF-RB.
At S906, the SPM-KMF-RB transmits a message 6 to the SPM-KMF-Session.
The message 6 is a response to the request for the RB keys and could be represented by a RBkey_reponse in the FIG. 14. The message 6 could indicate a successful generation of the RB keys.
At S907, the SPM-KMF-Session implements security activation on a network side.
At S908, the SPM-KMF-Session transmits a response (represented by a key_response in the FIG. 14) to the request for the keys.
The step S908 may include S908a or S908b.
At S908a, the SPM-KMF-Session transmits a message 8a to the SPM-Authen.
For a key management procedure related to a primary authentication, the SPM-KMF-Session transmits a message 8a to the SPM-Authen. The message 8a could be used to configure keys used for protection of a C/M-session.
At S908b, the SPM-KMF-Session transmits a message 8b to the SPM-Author.
For a key management procedure related to a second authentication, the SPM-KMF-Session transmits a message 8b to the SPM-Author. The message 8b could be used to configure keys used for protection of a data session.
At S909, security configuration is performed on the device.
According to the above-mentioned technical solution, interfaces for key management could be provided. Moreover, different from the current key management procedure, the keys for security protection are generated by the KMF according to the embodiments mentioned above. This provides an efficient cryptographic method for signaling protection and data protection, and could provide flexibility or scalability for the network.
As mentioned above, a device may use a temporary ID that is different from the one associated with a service credential stored in the SPM-UDM. In this scenario, the SPM-IDM may transmit a message to indicate the relationship between different IDs of the device. For illustrative purpose, in the following, an example of a call flow of a procedure of authentication, authorization and key management will be described in combination with FIG. 15.
In an embodiment, regarding FIG. 14, after a successful primary authentication procedure (see FIG. 11) or a successful secondary authentication/authorization procedure (see FIG. 13), a SPM-Authen or a SPM-Author may send a key request to a SPM-KMF-Session. This request may include a temporary ID of a client. This request corresponds to the message 2a in S902a or the message 2b in S902b. This request may include a shared key, e.g., the negotiated shared key in FIG. 8. The SPM-KMF-Session generates a session key for security protection on interface II. This session key is associated with the temporary ID of the client, the negotiated shared key, and the ID of the SPM-KMF-Session. The step of generating the session key by the SPM-KMF corresponds to the step S903. The SPM-KMF-Session sends an RB key request to a SPM-KMF-RB. This request may include the ID of the SPM-KMF-Session and the temporary ID of the client. This request corresponds to the message 4 in S904. The SPM-KMF-RB generates an RB key. This RB key is associated with the ID of the SPM-KMF-RB and the temporary ID of the client. The step of generating the RB key corresponds to the step S905. The SPM-KMF-RB sends an RB key response to the SPM-KMF-Session. The RB key response corresponds to the message 6 in S906. The SPM-KMF-Session implements security activation on a network side. The SPM-KMF-Session sends a key response to the SPM-Authen or the SPM-Author. The key response corresponds to the message 8a in S908a or the message 8b in S908b. Then, security configuration on the client is triggered.
In this embodiment, we provide interfaces for a key management service and a procedure for implementing the key management service. Different from 3GPP TS 33.501, a dedicated function, the SPM-KMF, enables an efficient cryptographic method for signaling protection and data protection. This could provide flexibility or scalability for the network.
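As an added illustration of the FIG. 14 key hierarchy (editorial example code, not the patent's own), the Python model below lets a SPM-KMF-Session derive interface II session keys from the shared key of method 600 and lets a SPM-KMF-RB derive interface I RB keys, each bound to the temporary ID and the generating KMF's ID as the text states. The patent gives no derivation function, so the HKDF-SHA256 construction, the context labels, the long-term key K_RB held by the SPM-KMF-RB, and the split of each root into an encryption and an integrity key are assumptions; the KMF IDs, temporary IDs and shared-key bytes are constructed inputs.

```python
"""Toy key hierarchy for the key-management flow of FIG. 14 (method 900).

Added example, not code from the patent. HKDF-SHA256, the labels, the
per-KMF long-term key K_RB and the enc/int split are assumptions.
"""
import hashlib
import hmac


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256: extract with salt, then expand with info."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def enc_int_pair(root: bytes, context: bytes) -> dict:
    """Split one root key into an encryption key and an integrity key."""
    return {"enc": hkdf(root, context, b"enc"), "int": hkdf(root, context, b"int")}


class SpmKmfRb:
    """Generates interface I RB keys (S905) bound to the temp ID and its own ID."""

    def __init__(self, kmf_id: str, k_rb: bytes):
        self.kmf_id = kmf_id
        self.k_rb = k_rb          # assumed long-term key of this KMF (not in the patent)

    def rbkey_request(self, temp_id: str, session_kmf_id: str, rb_type: str) -> dict:
        """Message 4 (S904) in, message 6 (S906) out; rb_type is 'cm' or 'data'."""
        context = f"{self.kmf_id}|{session_kmf_id}|{temp_id}".encode()
        root = hkdf(self.k_rb, context, f"rb|{rb_type}".encode())
        return enc_int_pair(root, context)


class SpmKmfSession:
    """Generates interface II session keys (S903) and triggers RB key generation (S904)."""

    def __init__(self, kmf_id: str, kmf_rb: SpmKmfRb):
        self.kmf_id = kmf_id
        self.kmf_rb = kmf_rb

    def key_request(self, temp_id: str, shared_key: bytes, purpose: str) -> dict:
        """Message 2a/2b (S902) in, message 8a/8b (S908) out.

        purpose = 'cm'   after a primary authentication (C/M session, message 2a)
        purpose = 'data' after a second authentication  (data session, message 2b)
        """
        context = f"{self.kmf_id}|{temp_id}".encode()
        root = hkdf(shared_key, context, f"session|{purpose}".encode())
        session = enc_int_pair(root, context)
        rb = self.kmf_rb.rbkey_request(temp_id, self.kmf_id, purpose)
        gateway = "cm_tw_gw" if purpose == "cm" else "data_tw_gw"
        # S907: network-side activation, expressed as what each node is configured with.
        network_side = {"rb_handler": rb, gateway: session}
        return {"session_keys": session, "rb_keys": rb, "network_side": network_side}


def demo() -> dict:
    """Constructed inputs: one shared key from method 600, two devices, both purposes."""
    kmf_rb = SpmKmfRb("KMF#2", k_rb=b"\x11" * 32)
    kmf_session = SpmKmfSession("KMF#1", kmf_rb)
    shared_key = b"\x42" * 32                 # stands in for the negotiated shared key
    return {
        "dev1_cm": kmf_session.key_request("temp-3", shared_key, "cm"),
        "dev1_cm_again": kmf_session.key_request("temp-3", shared_key, "cm"),
        "dev1_data": kmf_session.key_request("temp-3", shared_key, "data"),
        "dev2_cm": kmf_session.key_request("temp-4", shared_key, "cm"),
    }
```

The properties worth checking on the output of `demo()` are the ones the text relies on: the same inputs reproduce the same keys (so device and network side can derive independently), the C/M keys after primary authentication differ from the data keys after secondary authentication, two devices sharing a KMF get unrelated keys because the temporary ID is in the context, and the RB handler and the gateway each receive only the layer of the hierarchy they protect.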
For illustrative purpose, FIG. 15 is an example of a method 1000 according to some embodiments of the present application.
At S1001, a device transmits a message 1 to an access management function.
The access management function could be a gateway, or an AMF in a 5th generation network.
The message 1 is used to request an access to a service. The message 1 could include a temporary ID of the device, e.g., a current temporary ID of the device.
In some embodiments, the message 1 could further include a service ID and an ID of a service provider that provides or deploys the service.
In some embodiments, the message 1 could further include requirements for a service required by the device.
At S1002, the access management function transmits a message 2 to a SPM-Author.
The message 2 is used to request an authorization of the service for the device. The message 2 could include the temporary ID of the device.
In some embodiments, the message 2 may include at least one of: the ID of the service, the ID of the service provider, or requirements for a requested service.
At S1003, the SPM-Author transmits a message 3 to a SPM-UDM.
The message 3 is used to request a service profile. The service profiles may include, but are not limited to, information of the subscription of the service, or information of the service provider.
The message 3 includes the temporary ID of the device. In some embodiments, the message 3 could further include the ID of the service and the ID of the service provider.
The message 3 could be taken as an example of the first message in the method 500.
At S1004, the SPM-UDM creates a temporary session ID.
The SPM-UDM could generate or create a temporary ID of a session that is a communication related to the authentication and/or authorization procedure of the service for the device.
The temporary ID of the session (also referred to as a temporary session ID) is associated with the temporary ID of the device. The temporary session ID is used for linkability of different IDs of the device, and can avoid disclosure of these IDs of the device. In other words, the usage of the temporary session ID could protect ID privacy.
The temporary session ID could be used at a communication related to the authentication and/or authorization procedure of the service for the device.
At S1005, the SPM-UDM transmits a message 5 to a SPM-IDM.
The message 5 is used to request an ID query. The message 5 could include the temporary ID of the device and the temporary session ID.
The message 5 could be taken as an example of the third message in the method 500.
At S1006, the SPM-IDM implements ID mapping.
In an embodiment, during the ID mapping, the SPM-IDM could query other ID(s) of the device according to the current temporary ID of the device. The SPM-IDM could determine an ID of the device that is associated with the device's service profiles.
At S1007, the SPM-IDM transmits a message 7 to the SPM-UDM.
The message 7 is a response to the request for ID query. The message 7 could include the ID of the device that is associated with the device’s service profiles.
The message 7 could be taken as an example of the fourth message in the method 500.
At S1008, the SPM-UDM implements identification on the device.
The SPM-UDM could identify the device based on the message 7.
At S1009, the SPM-IDM transmits a message 9 to the SPM-Author.
The message 9 could be a response to the request of service profile. The message 9 could include the temporary session ID and the device’s service profiles.
The message 9 could be taken as an example of the second message in the method 500.
Optionally, at S1010, the SPM-Author selects one or more services for the device.
In some embodiments, the SPM-Author could select a service from a plurality of services for the device based on the service requirement.
At S1011, the SPM-Author transmits a message 11 to the SPM-Authen.
The message 11 is a request for authentication on the device and the service. The message 11 could be taken as an example of the seventh message in the method 500.
The message 11 could include the temporary session ID, and at least one of: the service's ID or the ID of the service provider.
At S1012, the SPM-Authen transmits a request for security materials.
At S1013, the SPM-Authen receives a response to the request for security materials.
The step S1012 may include S1012a and S1012b. Correspondingly, the step S1013 could include S1013a and S1013b.
At S1012a, the SPM-Authen transmits a message 12a to the SPM-UDM.
The message 12a may be used to request security materials stored at the SPM-UDM side. The message 12a could include the temporary session ID, and at least one of: the service’s ID or the ID of the service provider.
The security materials stored at the SPM-UDM side could be used for authentication on the selected service or the selected service provider. For example, the security materials stored at the SPM-UDM side could include a service credential.
The message 12a could be taken as an example of the first request in the method 500.
At S1013a, the SPM-UDM transmits a message 13a to the SPM-Authen.
The message 13a could be a response to the message 12a. The message 13a could include security materials that are stored at the SPM-UDM side and associated with the service’s ID.
The message 13a could be taken as an example of the fifth message in the method 500.
At S1012b, the SPM-Authen transmits a message 12b to the SPM-IDM.
The message 12b may be used to request security materials stored at the SPM-IDM side. The message 12b could include the temporary session ID. The security materials stored at the SPM-IDM side could be used for authentication on the device. For example, the security materials stored at the SPM-IDM side could include the device’s certificate.
The message 12b could be taken as an example of the third request in the method 500.
At S1013b, the SPM-IDM transmits a message 13b to the SPM-Authen.
The message 13b could be a response to the message 12b. The message 13b could include security materials stored at the SPM-IDM side.
The message 13b could be taken as an example of the eleventh message in the method 500.
At S1014, the SPM-Authen implements authentication on the device and the service provider.
The SPM-Authen implements authentication on the device and authentication on the selected service provider/the selected service.
At S1015, the SPM-Authen transmits a message 15 to the SPM-Author.
The message 15 could be a response to the request for the authentication on the device and the service. The message 15 could include an indication of a result of the authentication.
The message 15 could be taken as an example of the eighth message in the method 500.
At S1016, the SPM-Author implements authorization for the device.
The SPM-Author could implement service authorization for the device according to the result of the authentication.
In some embodiments, when the authentication fails, the SPM-Author could transmit a message 20 to the device. In this scenario, the message 20 could indicate a failure of the authentication.
In some embodiments, when the authentication successes, the SPM-Author could determine whether a security protection is needed. In this scenario, the message 20 could indicate a success of the authentication.
At S1017, the SPM-Author transmits a message 17 to an SPM-KMF.
The message 17 is used to request key materials. The message 17 could include the temporary ID of the device.
The message 17 could be taken as an example of the ninth message in the method 500.
At S1018, the SPM-KMF generates key materials.
The SPM-KMF could generate key materials that are used for security protection of communications on interface I and/or interface II when the service is implemented.
At S1019, the SPM-KMF transmits a message 19 to the SPM-Author.
The message 19 could include these key materials.
The message 19 could be taken as an example of the tenth message in the method 500.
At S1020, the SPM-Author transmits a message 20 to the access management function.
The message 20 could include key materials, and at least one of: the service’s ID and the service provider’s ID.
At S1021, the access management function sets up a secure tunnel among the device, the service provider and the network.
At S1022, the access management function transmits a message 21 to the device.
The message 21 could be a response to the request of the access to the service.
The message 21 could include an indication of the authentication result.
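The authorization and key-distribution steps S1015 to S1022 above, as an added Python illustration that is not the patent's own code: the message field names, the HMAC-based key expansion inside the SPM-KMF, the routing of the failure-case message 20 through the access management function, and the exposure check are all assumptions made for the example. It shows that once the SPM-Authen has reported its result, every message the SPM-Author and the SPM-KMF exchange refers to the device only by the temporary ID, never by the first ID used between the device and the serving network.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample identifiers (hypothetical values, not from the patent).
DEVICE_FIRST_ID = "first-id-device-0001"  # first ID, used between device and serving network
TEMP_ID = "temp-9f3a"                     # temporary ID / ID of the communication
SERVICE_ID = "svc-0042"
PROVIDER_ID = "sp-example"


@dataclass
class Message:
    """One message of the flow: its number (15, 17, 19, 20, 21), sender, receiver, payload."""
    number: int
    src: str
    dst: str
    payload: dict


@dataclass
class Trace:
    """Ordered record of every message exchanged, so the flow can be inspected afterwards."""
    messages: list = field(default_factory=list)

    def send(self, number: int, src: str, dst: str, **payload) -> Message:
        msg = Message(number, src, dst, dict(payload))
        self.messages.append(msg)
        return msg


class SpmKmf:
    """SPM-KMF: generates key materials for interface I and interface II (S1018)."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret

    def handle_message_17(self, msg17: Message) -> dict:
        temp_id = msg17.payload["temp_id"].encode()
        # Assumption: per-session keys are expanded with HMAC-SHA256 from a KMF
        # secret and the temporary ID, so the KMF never needs the device's first ID.
        k_i = hmac.new(self._master, b"interface-I|" + temp_id, hashlib.sha256).digest()
        k_ii = hmac.new(self._master, b"interface-II|" + temp_id, hashlib.sha256).digest()
        return {"k_interface_I": k_i.hex(), "k_interface_II": k_ii.hex()}


class SpmAuthor:
    """SPM-Author: service authorization driven by the authentication result (S1016-S1020)."""

    def __init__(self, kmf: SpmKmf, trace: Trace):
        self.kmf = kmf
        self.trace = trace

    def handle_message_15(self, msg15: Message) -> Message:
        temp_id = msg15.payload["temp_id"]
        if not msg15.payload["auth_ok"]:
            # S1016, failure branch: message 20 only reports the failed authentication
            # (routed via the access management function here; an assumption).
            return self.trace.send(20, "SPM-Author", "access-mgmt", temp_id=temp_id, auth_ok=False)
        # S1017: request key materials, identifying the device by the temporary ID only.
        msg17 = self.trace.send(17, "SPM-Author", "SPM-KMF", temp_id=temp_id)
        # S1018/S1019: the KMF returns the key materials in message 19.
        keys = self.kmf.handle_message_17(msg17)
        self.trace.send(19, "SPM-KMF", "SPM-Author", temp_id=temp_id, **keys)
        # S1020: key materials plus the service's ID and the service provider's ID.
        return self.trace.send(20, "SPM-Author", "access-mgmt", temp_id=temp_id, auth_ok=True,
                               keys=keys, service_id=SERVICE_ID, provider_id=PROVIDER_ID)


def run_flow(auth_ok: bool) -> Trace:
    """Drive S1015 to S1022 for one device and return the recorded trace."""
    trace = Trace()
    author = SpmAuthor(SpmKmf(b"constructed-kmf-secret"), trace)
    # S1015: SPM-Authen reports the authentication result in message 15.
    msg15 = trace.send(15, "SPM-Authen", "SPM-Author", temp_id=TEMP_ID, auth_ok=auth_ok)
    msg20 = author.handle_message_15(msg15)
    # S1021 (tunnel set-up) is outside this example; S1022 answers the device with message 21.
    trace.send(21, "access-mgmt", "device", auth_ok=msg20.payload["auth_ok"])
    return trace


def first_id_exposed(trace: Trace) -> bool:
    """Privacy check: True if any message in the trace carries the device's first ID."""
    return any(DEVICE_FIRST_ID in repr(m.payload) for m in trace.messages)


if __name__ == "__main__":
    for ok in (True, False):
        t = run_flow(ok)
        print([f"{m.number}:{m.src}->{m.dst}" for m in t.messages],
              "first ID exposed:", first_id_exposed(t))
```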
The method proposed in embodiments of the present application is described in detail above, and a communication apparatus provided by the present application will be described in detail below.
FIG. 16 is a schematic block diagram of a communication apparatus 10 according to some embodiments of the present application. The communication apparatus may be a communication device or an apparatus applied to the communication device and capable of realizing corresponding functions of any one of the network functions in the embodiments of the present application, for example, the apparatus may be a chip, a chip system or a circuit, which is not limited. The communication device may be a first SPM NF, a second SPM NF, a third SPM NF, a fourth SPM NF or a fifth SPM NF, or the chip installed in any one of these network functions.
The communication apparatus 10 includes a processing module 11. The processing module 11 may be a processor, a processing circuit, a processing board, a processing unit, or a processing device, etc. The processing module 11 is configured to implement processing and/or operations implemented inside the communication apparatus except the sending and receiving actions.
The communication apparatus 10 may further include a communication module 12. The communication module 12 is configured to implement a sending action and/or a receiving action. The communication module 12 also may be called a transceiver module, a transceiver, or a transceiver device, etc., and is configured to implement operations of receiving (which may be referred to as inputting) and/or sending (which may be referred to as outputting).
For example, if the communication apparatus 10 corresponds to the first SPM NF in FIG. 10, the communication module 12 could be configured to receive the first message. The communication module 12 could further be configured to transmit the first message.
For another example, if the communication apparatus 10 corresponds to the second SPM NF in FIG. 10, the communication module 12 could be configured to transmit the first message. The communication module 12 could further be configured to receive the first message.
For still another example, if the communication apparatus 10 corresponds to the third SPM NF in FIG. 10, the communication module 12 could be configured to receive the third message. The communication module 12 could further be configured to transmit the fourth message.
Briefly, the operations and/or functions of the apparatus 10 are intended to implement corresponding steps of the foregoing method embodiments.
FIG. 17 is a schematic block diagram of a communication apparatus according to an embodiment of the present application. The communication apparatus 20 includes at least one processor 21. The at least one processor 21 is coupled to at least one memory 22. The at least one memory 22 is configured to store one or more instructions and/or executable computer code. The at least one processor 21 is configured to invoke the one or more instructions and/or executable computer code, so that the communication apparatus 20 implements the method provided in the embodiments of the present application.
Optionally, the communication apparatus 20 may further include the at least one memory 22.
Optionally, the communication apparatus 20 may further include at least one communication interface 23, and the at least one communication interface 23 is configured to input and/or output information or data.
In an implementation, the communication apparatus 20 may be any one of the network functions in the method embodiments. For example, the communication apparatus 20 may be a first SPM NF, a second SPM NF, a third SPM NF, a fourth SPM NF or a fifth SPM NF. In this implementation, the processor 21 may be a baseband apparatus, and the communication interface 23 may be a radio frequency apparatus.
In another implementation, the communication apparatus 20 may be a chip (or a chip system) installed at a communication device such as a first SPM NF, a second SPM NF, a third SPM NF, a fourth SPM NF or a fifth SPM NF. In this implementation, the processor 21 may be a circuit, for example, a logic circuit, an integrated circuit, etc. The communication interface 23 may be a transceiver, an interface circuit, an input/output interface, a bus, a module, a pin, or other types of interfaces.
An embodiment of the present application further provides a communication system. The communication system may include any one of communication apparatuses according to any one of the method embodiments. For example, the communication system may include one or more of the following network functions: a first SPM NF, a second SPM NF, a third SPM NF, a fourth SPM NF or a fifth SPM NF. The communication system may further include a device (e.g., a UE) or other network functions, which is not limited.
An embodiment of the present application further provides a computer storage medium, and the computer storage medium may store one or more instructions for executing any of the foregoing methods.
An embodiment of the present application further provides a computer program product, and the computer program product may store one or more instructions for executing any of the foregoing methods.
In the embodiments of this application, “and/or” describes an association relationship between associated objects and represents that three relationships may exist. For example, A and/or B may represent the following three cases: Only A exists, both A and B exist, and only B exists. The character “/” generally indicates an “or” relationship between the associated objects. “At least one” means one or more. “At least one of A and B”, similar to “A and/or B”, describes an association relationship between associated objects and represents that three relationships may exist. For example, at least one of A and B may represent the following three cases: Only A exists, both A and B exist, and only B exists.
Besides, the use of a singular form of “a”, “an” and “the” in the embodiments of the present application and the claims appended hereto is also intended to include a plural form, unless otherwise clearly indicated herein by context.
A person of ordinary skill in the art will be aware that, in combination with the examples described in the embodiments disclosed in this specification, units and algorithm steps may be implemented by using electronic hardware or a combination of computer software and electronic hardware. Whether the functions are performed by using hardware or software depends on particular applications and design constraint conditions of the technical solutions. A person skilled in the art may use different methods to implement the described functions for each particular application, but it should not be considered that the embodiment goes beyond the scope of this application.
It would be understood by a person skilled in the art that, for the purpose of convenience and brevity, in a detailed working process of the foregoing system, apparatus, and unit, reference may be made to a corresponding process in the foregoing method embodiments, and details are not described herein again.
In the several embodiments provided in this application, the disclosed system, apparatus, and method may be implemented in other manners. For example, the described apparatus embodiment is merely an example. For example, the unit division is a logical function division and other methods of division may be used in an actual embodiment. For example, a plurality of units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the displayed or discussed mutual couplings or direct couplings or communication connections may be implemented using various communication interfaces. The indirect couplings or communication connections between the apparatuses or units may be implemented in electronic, mechanical, or other forms.
In addition, function units in the embodiments of this application may be integrated into one processing unit, each of the units may exist alone physically, or two or more units may be integrated into one unit.
When the functions are implemented in the form of a software functional unit and sold or used as an independent product, the functions may be stored in a computer-readable storage medium. The technical solutions of this application may be implemented in the form of a software product. The software product is stored in a storage medium, and includes several instructions for instructing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, an optical disc or the like.
The units described as separate parts may be or may not be physically separate, and parts displayed as units may be or may not be physical units, may be located in one position, or may be distributed on a plurality of network units. Some or all of the units may be selected based on actual requirements to achieve the objectives of the solutions of the embodiments. In addition, functional units in the embodiments of this application may be integrated into one processing unit, or each of the units may exist alone physically, or two or more units are integrated into one unit.
The foregoing descriptions are merely specific implementations of this application, but are not intended to limit the protection scope of this application. Any variation or replacement readily figured out by a person skilled in the art within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.
Claims (43)
- A method for communication, performed by a first service provision management (SPM) network function (NF), comprising: receiving a first message from a second SPM NF, wherein the first message is used to request first information of a service, the first message comprises a first identifier (ID) of a device, the first information of the service is associated with a second ID of the device, the first information of the service is used for granting the device a permission to access the service, the first ID of the device is used in a communication between the device and a serving network, and the second ID of the device is associated with the service; determining an ID of a communication associated with an authentication and/or authorization procedure of the service for the device based on the first message, wherein the ID of the communication is associated to the first ID of the device and is used to identify the device by at least one network function associated with the authentication and/or authorization procedure; and transmitting a second message to the second SPM NF, wherein the second message comprises the first information of the service and the ID of the communication.
- The method according to claim 1, further comprising: transmitting a third message to a third SPM NF, wherein the third message is used to obtain the second ID of the device, and the third message comprises the ID of the communication and the first ID of the device; and receiving a fourth message from the third SPM NF, wherein the fourth message comprises the second ID of the device, the second ID of the device is determined based on the first ID of the device.
- The method according to claim 1 or 2, further comprising: determining the first information of the service based on the second ID of the device.
- The method according to any one of claims 1 to 3, further comprising: receiving a first request for a credential of the service for the device from a fourth SPM NF, wherein the first request comprises the ID of the communication, and the first request further comprises an ID of the service or an ID of a service provider that provides the service; and transmitting a fifth message to the fourth SPM NF, wherein the fifth message comprises the credential of the service for the device.
- The method according to any one of claims 1 to 4, further comprising: receiving a second request from the second SPM NF, wherein the second request comprises the second ID of the device and the first information of the service; and generating and storing a credential of the service for the device, wherein the credential of the service for the device is associated with the second ID of the device and the first information of the service.
- The method according to claim 5, further comprising: transmitting a sixth message to the second SPM NF, wherein the sixth message indicates a generation of the credential of the service for the device.
- A method for communication, performed by a second SPM NF, comprising: transmitting a first message to a first SPM NF, wherein the first message comprises a first ID of the device, the first message is used to request first information of a service for a device, the first information of the service is associated with a second ID of the device, the first information of the service is used for granting the device a permission to access the service, the first ID of the device is used in a communication between the device and a serving network, and the second ID of the device is associated with the service; and receiving a second message from the first SPM NF, wherein the second message comprises the first information of the service and an ID of a communication associated with an authentication and/or authorization procedure of the service for the device, the ID of the communication is associated to the first ID of the device and is used to identify the device by at least one network function associated with the authentication and/or authorization procedure.
- The method according to claim 7, further comprising: transmitting a seventh message to a fourth SPM NF, wherein the seventh message is used to request an authentication of the service for the device, the seventh message comprises the ID of the communication, and the seventh message further comprises an ID of the service or an ID of a network function that provides the service; and receiving an eighth message from the fourth SPM NF, wherein the eighth message comprises an indication of a result of the authentication of the service for the device.
- The method according to claim 7 or 8, further comprising: transmitting a ninth message to a fifth SPM NF, wherein the ninth message is used to request keys used for protection of a communication associated with the service; and receiving a tenth message from the fifth SPM NF, wherein the tenth message comprises information of the keys.
- The method according to any one of claims 7 to 9, further comprising: transmitting a second request to the first SPM NF, wherein the second request comprises the second ID of the device and the first information of the service, the second request indicates a storage of a credential of the service for the device, and the credential of the service for the device is associated with the second ID of the device and the first information of the service.
- The method according to claim 10, further comprising: receiving a sixth message from the first SPM NF, wherein the sixth message indicates a generation of the credential of the service for the device.
- A method for communication, performed by a third SPM NF, comprising: receiving a third message from a first SPM NF, wherein the third message comprises a first ID of a device and an ID of a communication associated with an authentication and/or authorization procedure of a service for the device, the ID of the communication is associated to the first ID of the device and is used to identify the device by at least one network function associated with the authentication and/or authorization procedure, the third message is used to obtain a second ID of the device, and the second ID is associated with first information of the service, the first information of the service is used for granting the device a permission to access the service, the first ID of the device is used in a communication between the device and a serving network, and the second ID of the device is associated with the service; and transmitting a fourth message to the first SPM NF, wherein the fourth message comprises the second ID of the device.
- The method according to claim 10, further comprising: receiving a third request for a credential of the device from a fourth SPM NF, wherein the third request comprises the ID of the communication; and transmitting an eleventh message to the fourth SPM NF, wherein the eleventh message comprises the credential of the device.
- The method according to claim 10 or 11, further comprising: receiving a fourth request for a third ID of the device from the fourth SPM NF, wherein the fourth request comprises a fourth ID of the device or the ID of the communication, and the fourth ID of the device is used for a mutual authentication between the device and the fourth SPM NF; generating the third ID of the device according to the fourth request; and transmitting a twelfth message to the fourth SPM NF, wherein the twelfth message comprises the third ID of the device.
- A method for communication, performed by a fourth SPM NF, comprising: transmitting a first request to a first SPM NF, wherein the first request is used to request a credential of a service for a device, the first request comprises an ID of a communication associated with an authentication and/or authorization procedure of the service for the device, the ID of the communication is associated to a first ID of the device and is used to identify the device by at least one network function associated with the authentication and/or authorization procedure, and the credential of the service for the device is used for an authentication of the service for the device; and receiving a fifth message from the first SPM NF, wherein the fifth message comprises the credential of the service for the device.
- The method according to claim 15, further comprising: transmitting a third request for a credential of the device to a third SPM NF, wherein the third request comprises the ID of the communication; and receiving an eleventh message from the third SPM NF, wherein the eleventh message comprises the credential of the device.
- The method according to claim 15 or 16, further comprising: receiving a seventh message from a second SPM NF, wherein the seventh message is used to request an authentication of the service for the device, the seventh message comprises the ID of the communication, and the seventh message further comprises an ID of the service or an ID of a network function that provides the service; and transmitting an eighth message to the second SPM NF, wherein the eighth message comprises an indication of a result of the authentication of the service for the device.
- The method according to any one of claims 15 to 17, further comprising: transmitting a fourth request for a third ID of the device to a third SPM NF, wherein the fourth request comprises a fourth ID of the device or the ID of the communication, and the fourth ID of the device is used for a mutual authentication between the device and the fourth SPM NF; and receiving a twelfth message from the third SPM NF, wherein the twelfth message comprises the third ID of the device.
- A method for communication, performed by a communication system, wherein the communication system comprises a first SPM NF and a second SPM NF, and the method comprises: the second SPM NF transmitting a first message to the first SPM NF, wherein the first message is used to request first information of a service, the first message comprises a first ID of a device, the first information of the service is associated with a second ID of the device, the first information of the service is used for granting the device a permission to access the service, the first ID of the device is used in a communication between the device and a serving network, and the second ID of the device is associated with the service; the first SPM NF determining an ID of a communication associated with an authentication and/or authorization procedure of the service for the device based on the first message, wherein the ID of the communication is associated to the first ID of the device and is used to identify the device by at least one network function associated with the authentication and/or authorization procedure; and the first SPM NF transmitting a second message to the second SPM NF, wherein the second message comprises the first information of the service and the ID of the communication.
- The method according to claim 19, further comprising: the second SPM NF transmitting a second request to the first SPM NF, wherein the second request comprises the second ID of the device and the first information of the service; and the first SPM NF generating and storing a credential of the service for the device, wherein the credential of the service for the device is associated with the second ID of the device and the first information of the service.
- The method according to claim 19 or 20, further comprising: the first SPM NF transmitting a sixth message to the second SPM NF, wherein the sixth message indicates a generation of the credential of the service for the device.
- The method according to any one of claims 19 to 21, wherein the communication system further comprises a third SPM NF, and the method further comprises: the first SPM NF transmitting a third message to the third SPM NF, wherein the third message is used to obtain the second ID of the device, and the third message comprises the ID of the communication and the first ID of the device; and the third SPM NF transmitting a fourth message to the first SPM NF, wherein the fourth message comprises the second ID of the device, the second ID of the device is determined based on the first ID of the device.
- The method according to claim 22, wherein the communication system further comprises a fourth SPM NF, and the method further comprises: the second SPM NF transmitting a seventh message to the fourth SPM NF, wherein the seventh message is used to request an authentication of the service for the device, the seventh message comprises the ID of the communication, and the seventh message further comprises an ID of the service or an ID of a network function that provides the service; and the fourth SPM NF transmitting an eighth message to the second SPM NF, wherein the eighth message comprises an indication of a result of the authentication of the service for the device.
- The method according to claim 23, further comprising: the fourth SPM NF transmitting a first request for a credential of the service for the device to the first SPM NF, wherein the first request comprises the ID of the communication, and the first request further comprises an ID of the service or an ID of a service provider that provides the service; and the first SPM NF transmitting a fifth message to the fourth SPM NF, wherein the fifth message comprises the credential of the service for the device.
- The method according to claim 23 or 24, further comprising: the fourth SPM NF transmitting a third request for a credential of the device to the third SPM NF, wherein the third request comprises the ID of the communication; and the third SPM NF transmitting an eleventh message to the fourth SPM NF, wherein the eleventh message comprises the credential of the device.
- The method according to any one of claims 23 to 25, further comprising: the fourth SPM NF transmitting a fourth request for a third ID of the device to the third SPM NF, wherein the fourth request comprises a fourth ID of the device or the ID of the communication, and the fourth ID of the device is used for a mutual authentication between the device and the fourth SPM NF; and the third SPM NF transmitting a twelfth message to the fourth SPM NF, wherein the twelfth message comprises the third ID of the device.
- The method according to any one of claims 23 to 26, wherein the communication system further comprises a fifth SPM NF, and the method further comprises: the third SPM NF transmitting a ninth message to the fifth SPM NF, wherein the ninth message is used to request keys used for protection of a communication associated with the service; and the fifth SPM NF transmitting a tenth message to the third SPM NF, wherein the tenth message comprises information of the keys.
- A method for communication, comprising: transmitting a first message, wherein the first message comprises a first ID of the device, the first message is used to request first information of a service for a device, the first information of the service is related to a second ID of the device, the first information of the service is used for granting the device a permission to access the service, the first ID of the device is used in a communication between the device and a serving network, and the second ID of the device is associated with the service; receiving a third message, wherein the third message is used to obtain the second ID of the device, and the third message comprises the ID of the communication and the first ID of the device; transmitting a fourth message, wherein the fourth message comprises the second ID of the device, the second ID of the device is determined based on the first ID of the device; and receiving a second message, wherein the second message comprises the first information of the service and the ID of the communication.
- The method according to claim 28, further comprising: transmitting a seventh message, wherein the seventh message is used to request an authentication of the service for the device, the seventh message comprises the ID of the communication, and the seventh message further comprises an ID of the service or an ID of a network function that provides the service; and receiving an eighth message, wherein the eighth message comprises an indication of a result of the authentication of the service for the device.
- The method according to claim 28 or 29, further comprising: transmitting a ninth message, wherein the ninth message is used to request keys used for protection of a communication related to the service; and receiving a tenth message, wherein the tenth message comprises information of the keys.
- The method according to any one of claims 28 to 30, further comprising: transmitting a second request, wherein the second request comprises the second ID of the device and the first information of the service, the second request indicates a storage of a credential of the service for the device, and the credential of the service for the device is associated with the second ID of the device and the first information of the service.
- The method according to any one of claims 28 to 31, further comprising: receiving a sixth message, wherein the sixth message indicates a generation of the credential of the service for the device.
- The method according to any one of claims 28 to 32, further comprising: receiving a third request for a credential of the device, wherein the third request comprises the ID of the communication; and transmitting an eleventh message, wherein the eleventh message comprises the credential of the device.
- The method according to any one of claims 28 to 33, further comprising: receiving a fourth request for a third ID of the device, wherein the fourth request comprises a fourth ID of the device or the ID of the communication, and the fourth ID of the device is used for a mutual authentication between the device and a serving network; generating the third ID of the device according to the fourth request; and transmitting a twelfth message, wherein the twelfth message comprises the third ID of the device.
- A communication apparatus, wherein the communication apparatus comprises a processor, the processor is configured to execute one or more instructions stored in a memory, to enable the communication apparatus to implement the method according to any one of claims 1 to 6, or the method according to any one of claims 7 to 11, or the method according to any one of claims 12 to 14, or the method according to any one of claims 15 to 18, or the method according to any one of claims 19 to 27, or the method according to any one of claims 28 to 34.
- The communication apparatus according to claim 35, wherein the communication apparatus further comprises the memory.
- The communication apparatus according to claim 35 or 36, wherein the communication apparatus comprises a communication interface, and the communication interface is configured to input and/or output information or data.
- A communication apparatus, wherein the communication apparatus comprises a function or unit to implement the method according to any one of claims 1 to 6, or the method according to any one of claims 7 to 11, or the method according to any one of claims 12 to 14, or the method according to any one of claims 15 to 18, or the method according to any one of claims 19 to 27, or the method according to any one of claims 28 to 34.
- A communication apparatus, wherein the communication apparatus comprises a circuit and a communication interface, the communication interface is configured to receive information and/or data that is to be processed by the circuit, and transmit the information and/or data to the circuit; and the circuit is configured to implement the method according to any one of claims 1 to 6, or the method according to any one of claims 7 to 11, or the method according to any one of claims 12 to 14, or the method according to any one of claims 15 to 18, or the method according to any one of claims 19 to 27, or the method according to any one of claims 28 to 34.
- The communication apparatus according to claim 39, wherein the communication interface is further configured to output information and/or data processed by the circuit.
- A communication system, comprising one or more communication apparatuses of: a communication apparatus that performs the method according to any one of claims 1 to 6; a communication apparatus that performs the method according to any one of claims 7 to 11; a communication apparatus that performs the method according to any one of claims 12 to 14; a communication apparatus that performs the method according to any one of claims 15 to 18; a communication apparatus that performs the method according to any one of claims 19 to 27; and a communication apparatus that performs the method according to any one of claims 28 to 34.
- A computer readable storage medium, comprising one or more instructions, wherein when the one or more instructions are run on a computer, the computer implements the method according to any one of claims 1 to 6, or the method according to any one of claims 7 to 11, or the method according to any one of claims 12 to 14, or the method according to any one of claims 15 to 18, or the method according to any one of claims 19 to 27, or the method according to any one of claims 28 to 34.
- A computer program product, comprising one or more instructions, wherein when the one or more instructions are run on a computer, the computer implements the method according to any one of claims 1 to 6, or the method according to any one of claims 7 to 11, or the method according to any one of claims 12 to 14, or the method according to any one of claims 15 to 18, or the method according to any one of claims 19 to 27, or the method according to any one of claims 28 to 34.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US202363586453P | 2023-09-29 | 2023-09-29 | |
| US63/586,453 | 2023-09-29 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025065973A1 (en) | 2025-04-03 |
Family
ID=95204599
Family Applications (1)
| Application Number | Status | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| PCT/CN2024/071620 (WO2025065973A1, en) | Pending | 2023-09-29 | 2024-01-10 | Method and apparatus for communication |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2025065973A1 (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20200359218A1 (en) * | 2019-05-09 | 2020-11-12 | Samsung Electronics Co., Ltd. | Apparatus and method for providing mobile edge computing services in wireless communication system |
| US20220094546A1 (en) * | 2020-09-24 | 2022-03-24 | Huawei Technologies Co., Ltd. | Authentication method and system |
| US20220159090A1 (en) * | 2019-04-19 | 2022-05-19 | Apple Inc. | Lightweight Support of Information Centric Network Services in Cellular Network |
| US20230300613A1 (en) * | 2020-07-20 | 2023-09-21 | Samsung Electronics Co., Ltd. | Methods and systems for establishing secure communication in wireless communication system |
2024
- 2024-01-10 WO PCT/CN2024/071620 patent/WO2025065973A1/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Ghosh et al. | 5G evolution: A view on 5G cellular technology beyond 3GPP release 15 | |
| KR102367135B1 (en) | SEAL system and method for provisioning service-to-service communication in SEAL system of wireless communication network | |
| CN104662997A (en) | Systems and methods for device-to-device communication in the absence of network coverage | |
| US11722890B2 (en) | Methods and systems for deriving cu-up security keys for disaggregated gNB architecture | |
| US20220174761A1 (en) | Communications method and apparatus | |
| US20240163666A1 (en) | Method and device for authenticating network access request through terminal-to-terminal connection in mobile communication system | |
| CN116939588A (en) | Communication method and device | |
| CN116391397A (en) | Method and device for network intercommunication | |
| CN116567590A (en) | Authorization method and device | |
| WO2025065973A1 (en) | Method and apparatus for communication | |
| WO2025065974A1 (en) | Method and apparatus for communication | |
| US10412056B2 (en) | Ultra dense network security architecture method | |
| WO2025065972A1 (en) | Method and apparatus for communication | |
| WO2025065970A1 (en) | Method and apparatus for communication | |
| CN120050800A (en) | Communication method and device | |
| WO2025065976A1 (en) | Method and apparatus for communication | |
| WO2025065977A1 (en) | Method and apparatus for authentication | |
| WO2025065975A1 (en) | Method and apparatus for communication | |
| WO2025044063A1 (en) | Data processing method and related products | |
| WO2025065969A1 (en) | Method and apparatus for communication | |
| CN117440356A (en) | Communication methods and devices | |
| WO2025156453A1 (en) | Method, apparatus and system for communication | |
| WO2025044064A1 (en) | Communication system and related products | |
| WO2025066064A1 (en) | Communication method, apparatus, and system for mission session | |
| WO2025044065A1 (en) | Configuration method and related products |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 24869545; Country of ref document: EP; Kind code of ref document: A1 |