WO2025091172A1 - Generating new keys for authentication and key management for applications - Google Patents
- Publication number: WO2025091172A1 (application PCT/CN2023/127872)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- function
- message
- aanf
- akma
- authentication
- Legal status: Pending
Classifications
- H04W12/0433—Key management protocols (under H04W12/043—Key management using a trusted network node as an anchor; H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]; H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity; H04W—Wireless communication networks)
- H04W12/041—Key generation or derivation (under H04W12/04; H04W12/00; H04W)
- H04W12/06—Authentication (under H04W12/00; H04W)
Definitions
- This disclosure is directed generally to digital wireless communications.
- LTE Long-Term Evolution
- 3GPP 3rd Generation Partnership Project
- LTE-A LTE Advanced
- 5G The 5th generation of wireless system, known as 5G, advances the LTE and LTE-A wireless standards and is committed to supporting higher data-rates, large number of connections, ultra-low latency, high reliability and other emerging business needs.
- AKMA Authentication and Key Management for Applications
- a wireless communication method includes receiving, by an anchor function from an application function, a first message comprising an identifier of a wireless device, and transmitting, to a data management function, an authentication request message comprising the identifier.
- a wireless communication method includes transmitting, by an application function to an anchor function, a first message comprising an identifier of a wireless device, wherein the anchor function is configured to transmit, to a data management function, an authentication request message comprising the identifier.
- the above-described methods are embodied in the form of processor-executable code and stored in a non-transitory computer-readable storage medium.
- the code included in the computer readable storage medium when executed by a processor, causes the processor to implement the methods described in this patent document.
- a device that is configured or operable to perform the above-described methods is disclosed.
- FIG. 1 shows an example timing diagram for the generation of K_AF from K_AKMA.
- FIG. 2 shows an example timing diagram for an AKMA Application Key request via a Network Exposure Function (NEF).
- FIG. 3 shows an example timing diagram for refreshing K_AF when an internal Application Function (AF) directly sends the Subscription Permanent Identifier (SUPI) or the Generic Public Subscription Identifier (GPSI) to the AKMA Anchor Function (AAnF).
- FIG. 4 shows an example timing diagram for refreshing K_AF when an external AF indirectly sends the GPSI to the AAnF via the NEF.
- FIG. 5 shows an example timing diagram for refreshing K_AF when an internal AF directly sends the SUPI or the GPSI to the AAnF after receiving a request from the AAnF.
- FIG. 6 shows an example timing diagram for refreshing K_AF when an external AF indirectly sends the GPSI to the AAnF via the NEF, after receiving a request from the AAnF forwarded by the NEF.
- FIG. 7 shows a flowchart of an example method for wireless communications.
- FIG. 8 shows a flowchart of another example method for wireless communications.
- FIG. 9 shows an exemplary block diagram of a hardware platform that may be a part of a network device or a communication device.
- FIG. 10 shows an example of wireless communication including a base station (BS) and user equipment (UE) based on some implementations of the disclosed technology.
- the Authentication and Key Management for Applications (AKMA) service enables the authentication and generation of application keys based on 3GPP credentials for all User Equipment (UE) types in the 5G NR System, especially Internet of Things (IoT) devices, thereby ensuring that the security between the UE and the applications in the 5G system can be bootstrapped.
- a user can log in to an application service based only on the 3GPP credential, which is the permanent key stored in the user's tamper-resistant smart card (e.g., Universal Integrated Circuit Card (UICC)).
- the application service provider can also delegate the task of user authentication to the mobile network operator by using AKMA.
- the AKMA architecture and procedures are specified in Technical Specification (TS) 33.535, entitled "Authentication and Key Management for Applications (AKMA) based on 3GPP credentials in the 5G System (5GS)".
- the AKMA procedures specify that when the lifetime of the AKMA application key K_AF expires, the AF may reject the UE's access to the AF or refresh K_AF based on its policy. If the AF decides to continue the UE's access to the AF after the expiration of K_AF, the AF shall request a new K_AF by sending a Naanf_AKMA_ApplicationKey_Get request to the AAnF. The AAnF needs to request the Unified Data Management (UDM) function to trigger a primary (re-)authentication to obtain K_AKMA, which is further used to generate K_AF.
- Embodiments of the disclosed technology provide a mechanism that enables AKMA application key refresh for an AAnF without a valid AKMA context.
- 3GPP TS 33.535 clause 6.2.1 specifies the procedure used by the AF to request AF-specific AKMA keys from the AAnF when the AF is located inside the operator's network; it is shown in FIG. 1.
- the UE and the AKMA AF need to know whether to use AKMA. This knowledge is implicit to the specific application on the UE and the AKMA AF, or is indicated by the AKMA AF to the UE (see clause 6.5).
- the operations shown in the timing diagram in FIG. 1 include:
- the UE shall generate the AKMA Anchor Key (K_AKMA) and the A-KID from K_AUSF before initiating communication with an AKMA Application Function.
- the UE may derive K_AF before sending the message or afterwards.
- the AF selects the AAnF as defined in clause 6.7 and sends a Naanf_AKMA_ApplicationKey_Get request to the AAnF with the A-KID to request K_AF for the UE.
- the AF also includes its identity (AF_ID) in the request.
- AF_ID consists of the FQDN of the AF and the Ua* security protocol identifier (see Annex A.4).
- the latter parameter identifies the security protocol that the AF will use with the UE.
- the AAnF shall check whether it can provide the service to the AF based on the configured local policy or on the authorization information available in the signalling (i.e., an OAuth 2.0 token). If the check succeeds, the following procedures are executed; otherwise, the AAnF shall reject the procedure.
- the AAnF shall verify whether the subscriber is authorized to use AKMA based on the presence of the UE-specific K_AKMA key identified by the A-KID.
- if K_AKMA is not present in the AAnF, the AAnF shall continue with step 4 with an error response.
- once it receives the request from the AF, if the AAnF determines according to its local policy that this specific AF needs the GPSI, the AAnF sends a Nudm_SDM_Get Request to the UDM to fetch the GPSI of the UE. If the specific AF does not need the GPSI, the AAnF shall continue with step 5.
- the UDM responds with the GPSI of the UE.
- the AAnF shall store the received GPSI as part of the UE's AKMA context.
- the AAnF derives the AKMA Application Key (K_AF) from K_AKMA if it does not already have K_AF.
- the key derivation of K_AF shall be performed as specified in Annex A.4.
- the AAnF sends the Naanf_AKMA_ApplicationKey_Get response to the AF with the SUPI, K_AF and the K_AF expiration time. Whether to send the SUPI or the GPSI is determined by the AAnF based on local policy.
- the AF sends the Application Session Establishment Response to the UE. If the information in step 4 indicates failure of the AKMA key request, the AF shall reject the Application Session Establishment by including a failure cause. Afterwards, the UE may trigger a new Application Session Establishment request with the latest A-KID to the AKMA AF.
- for anonymous user access, the Naanf_AKMA_ApplicationKey_AnonUser_Get request is used by the AF.
- the AAnF sends the Naanf_AKMA_ApplicationKey_AnonUser_Get response to the AF with K_AF and the K_AF expiration time.
- the A-KID functions as a temporary user identifier.
- 3GPP TS 33.535 clause 6.3 specifies the procedure used by the AF to request K_AF from the AAnF via the NEF when the AF is located outside the operator's network, as shown in FIG. 2.
- the operations shown in the timing diagram in FIG. 2 include:
- when the AF is about to request the AKMA Application Key for the UE from the AAnF, e.g. when the UE initiates an application session establishment request as in clause 6.2.1, the AF discovers the HPLMN of the UE based on the A-KID and sends the request towards the AAnF via the NEF service API.
- the request shall include the A-KID and the AF_ID, and optionally a "UE Id not needed" indication.
- in the case of an architecture without CAPIF support, the AF is locally configured with the API termination points for the service. In the case of an architecture with CAPIF support, the AF obtains the service API information from the CAPIF core function via the Availability of service APIs event notification or the Service Discover Response, as specified in TS 23.222.
- the NEF discovers and selects an AAnF as defined in clause 6.7.
- the NEF sends a Naanf_AKMA_ApplicationKey_Get request to the selected AAnF with the A-KID to request K_AF for the UE.
- the AAnF shall process the request in the same way as specified in clause 6.2.1, with the following changes:
- the AAnF generates K_AF as specified in clause 6.2.1 and sends the response to the NEF with K_AF, the K_AF expiration time (K_AF exptime) and the SUPI.
- the NEF forwards the response to the AF with K_AF, the K_AF expiration time (K_AF exptime) and optionally the GPSI (external ID).
- the NEF uses the Nudm_SubscriberDataManagement service specified in TS 29.503 to translate the SUPI to the GPSI (external ID) and optionally includes the GPSI (external ID) in the response. If a "UE Id not needed" indication is received in the incoming request, the NEF shall not provide the GPSI (external ID) to the AF. The NEF shall not send the SUPI to the AF.
- 3GPP TS 33.501 clause 14.2.6 specifies the following table, which illustrates the authentication related services that the UDM provides for home network triggered primary (re-)authentication initiation.
- this service operation allows an NF to request the UDM to trigger a primary (re-)authentication as described in clause 6.1.5.
- an AF that is located inside the operator's network is configured to directly send the UE's authorization to the AAnF.
- an AF being located inside the operator's network is indicative of the AF being a trusted entity in the network.
- the operations shown in the timing diagram in FIG. 3 include:
- when the UE initiates communication with the AKMA AF, it shall include the derived A-KID in the Application Session Establishment Request message.
- after receiving the request message, the AF checks the status of K_AF. If the K_AF timer has expired, the AF will request a new K_AF.
- the AF selects the AAnF and sends a Naanf_AKMA_ApplicationKey_Get request to the AAnF with the A-KID to request K_AF for the UE.
- the AF also includes its identity (AF_ID) and the UE's SUPI/GPSI in the request.
- the AF can decide whether to send the SUPI or the GPSI based on its local policy, e.g., prioritizing the GPSI and sending the SUPI when no GPSI is available, prioritizing the SUPI and sending the GPSI when no SUPI is available, or sending either one arbitrarily.
- the AF is configured to send a Naanf_AKMA_ApplicationKey_AnonUser_Get request to the AAnF and to include the GPSI in the request.
- the AAnF sends an authentication request message to the UDM, including the UE's SUPI/GPSI received from the AF. The UDM then decides, based on its policy, whether to trigger home network triggered primary authentication. If it decides to trigger it, step 5 is performed; otherwise, step 5 is skipped.
- if the UDM receives the UE's GPSI from the AAnF, it first finds the SUPI according to the GPSI and then starts the home network triggered primary authentication procedure. If the UDM receives the UE's SUPI from the AAnF, it directly starts the procedure. After the primary authentication is successfully completed, the AUSF shall generate K_AKMA and the A-KID and send them to the AAnF.
- the UDM sends a Nudm_UECM_AuthTrigger Response to inform the AAnF whether the home network triggered primary authentication was successfully performed. If it was successful, steps 7 and 8 are skipped. If it failed or was not performed according to the UDM's policy, step 7 is performed.
- if the AAnF is informed that the home network triggered primary authentication failed or was not performed, the AAnF sends a Naanf_AKMA_ApplicationKey_Get Response to the AF to indicate a failure of the K_AF refresh.
- the AF shall reject the Application Session Establishment by including a failure cause. Steps 9-11 shall be skipped.
- the AAnF derives the AKMA Application Key (K_AF) from K_AKMA.
- the AAnF sends the Naanf_AKMA_ApplicationKey_Get response to the AF with the SUPI/GPSI, K_AF and the K_AF expiration time. Whether to send the SUPI or the GPSI is determined by the AAnF based on local policy. In the scenarios of anonymous user access, the AAnF sends the Naanf_AKMA_ApplicationKey_AnonUser_Get response to the AF with K_AF and the K_AF expiration time.
- the AF shall send an error response to inform the UE that the A-KID it used has expired, where the error cause value indicates that the A-KID or K_AF has been refreshed.
- the UE can calculate the new A-KID and K_AF.
- the UE may trigger a new Application Session Establishment request with the latest A-KID to the AKMA AF.
- step 6 can be performed before step 5, meaning the UDM can first respond to the AAnF with a confirmation that primary authentication will be triggered, and then trigger it. In this case, if the primary authentication procedure fails, the UDM can then send a notification to the AAnF to indicate the failure.
- in step 6, the result of the primary authentication can also be sent to the AAnF by another NF (e.g., the AUSF or the AMF) in a notification message.
- the AAnF can also choose to first send a Nudm_SDM_Get Request to the UDM to fetch the SUPI of the UE, and then use the SUPI to request home network triggered primary authentication.
- in that case the UDM has no need to find the SUPI according to the GPSI and can directly start the home network triggered primary authentication procedure in step 5.
- an AF that is located outside the operator's network is configured to send the UE's authorization to the AAnF via the NEF.
- an AF being located outside the operator's network is indicative of the AF being a non-trusted entity in the network.
- the operations shown in the timing diagram in FIG. 4 include:
- when the UE initiates communication with the AKMA AF, it shall include the derived A-KID in the Application Session Establishment Request message.
- after receiving the request message, the AF checks the status of K_AF. If the K_AF timer has expired, the AF will request a new K_AF.
- the AF discovers the HPLMN of the UE based on the A-KID and sends the request towards the AAnF via the NEF service API.
- the request shall include the A-KID, the AF_ID and the UE's GPSI.
- the NEF discovers and selects an AAnF.
- the NEF sends a Naanf_AKMA_ApplicationKey_Get request to the selected AAnF with the A-KID, the AF_ID and the UE's GPSI to request K_AF for the UE.
- the AAnF sends an authentication request message to the UDM, including the GPSI of the UE. The UDM then decides, based on its policy, whether to trigger home network triggered primary authentication. If it decides to trigger it, step 7 is performed; otherwise, step 7 is skipped.
- the UDM first finds the SUPI according to the received GPSI, then starts the home network triggered primary authentication procedure. After the primary authentication is successfully completed, the AUSF shall generate K_AKMA and the A-KID and send them to the AAnF.
- the UDM sends a Nudm_UECM_AuthTrigger Response to inform the AAnF whether the home network triggered primary authentication was successfully performed. If it was successful, steps 9-11 are skipped. If it failed or was not performed according to the UDM's policy, step 9 is performed.
- the AAnF sends a Naanf_AKMA_ApplicationKey_Get Response to the NEF to indicate a failure of the K_AF refresh.
- the NEF forwards the response to the AF.
- the AF shall reject the Application Session Establishment by including a failure cause. Steps 12-15 shall be skipped.
- the AAnF derives the AKMA Application Key (K_AF) from K_AKMA.
- the AAnF sends the Naanf_AKMA_ApplicationKey_Get response to the NEF with the SUPI, K_AF and the K_AF expiration time.
- the NEF forwards the response to the AF with K_AF, the K_AF expiration time (K_AF exptime) and optionally the GPSI (external ID).
- the AF shall send an error response to inform the UE that the A-KID it used has expired, where the error cause value indicates that the A-KID or K_AF has been refreshed.
- the UE can calculate the new A-KID and K_AF.
- the UE may trigger a new Application Session Establishment request with the latest A-KID to the AKMA AF.
- step 8 can be performed before step 7, meaning the UDM can first respond to the AAnF with a confirmation that primary authentication will be triggered, and then trigger it. In this case, if the primary authentication procedure fails, the UDM can then send a notification to the AAnF to indicate the failure.
- in step 8, the result of the primary authentication can also be sent to the AAnF by another NF (e.g., the AUSF or the AMF) in a notification message.
- in step 6, the AAnF can also choose to first send a Nudm_SDM_Get Request to the UDM to fetch the SUPI of the UE, and then use the SUPI to request home network triggered primary authentication.
- in that case the UDM has no need to find the SUPI according to the GPSI and can directly start the home network triggered primary authentication procedure in step 7.
- an AF that is located inside the operator's network is configured to send the UE's authorization to the AAnF after receiving a request.
- the operations shown in the timing diagram in FIG. 5 include:
- when the UE initiates communication with the AKMA AF, it shall include the derived A-KID in the Application Session Establishment Request message.
- after receiving the request message, the AF checks the status of K_AF. If the K_AF timer has expired, the AF will request a new K_AF.
- the AF selects the AAnF and sends a Naanf_AKMA_ApplicationKey_Get request to the AAnF with the A-KID to request K_AF for the UE.
- the AF also includes its identity (AF_ID) in the request.
- the AAnF checks the AKMA context of the UE according to the A-KID. If an AKMA context of the UE is stored in the AAnF, steps 5 and 6 can be skipped. If no AKMA context of the UE is stored in the AAnF, step 5 is performed.
- the AAnF shall request the UE's identification from the AF before sending the authentication request message.
- the AF responds to the AAnF with the GPSI/SUPI of the UE.
- the AF can decide whether to send the SUPI or the GPSI based on its local policy, e.g., prioritizing the GPSI and sending the SUPI when no GPSI is available, prioritizing the SUPI and sending the GPSI when no SUPI is available, or sending either one arbitrarily.
- the AAnF sends the Naanf_AKMA_ApplicationKey_AnonUser_Get response to the AF with K_AF and the K_AF expiration time.
- the AAnF sends an authentication request message to the UDM, including the SUPI/GPSI of the UE. The UDM then decides, based on its policy, whether to trigger home network triggered primary authentication. If it decides to trigger it, step 8 is performed; otherwise, step 8 is skipped.
- if the UDM receives the UE's GPSI from the AAnF, it first finds the SUPI according to the GPSI and then starts the home network triggered primary authentication procedure. If the UDM receives the UE's SUPI from the AAnF, it directly starts the procedure. After the primary authentication is successfully completed, the AUSF shall generate K_AKMA and the A-KID and send them to the AAnF.
- the UDM sends a Nudm_UECM_AuthTrigger Response to inform the AAnF whether the home network triggered primary authentication was successfully performed. If it was successful, steps 10 and 11 are skipped. If it failed or was not performed according to the UDM's policy, step 10 is performed.
- if the AAnF is informed that the home network triggered primary authentication failed or was not performed, the AAnF sends a Naanf_AKMA_ApplicationKey_Get Response to the AF to indicate a failure of the K_AF refresh.
- the AF shall reject the Application Session Establishment by including a failure cause. Steps 12-14 shall be skipped.
- the AAnF derives the AKMA Application Key (K_AF) from K_AKMA.
- the AAnF sends the Naanf_AKMA_ApplicationKey_Get response to the AF with the SUPI/GPSI, K_AF and the K_AF expiration time. Whether to send the SUPI or the GPSI is determined by the AAnF based on local policy. In the scenarios of anonymous user access, the AAnF sends the Naanf_AKMA_ApplicationKey_AnonUser_Get response to the AF with K_AF and the K_AF expiration time.
- the AF shall send an error response to inform the UE that the A-KID it used has expired, where the error cause value indicates that the A-KID or K_AF has been refreshed.
- the UE can calculate the new A-KID and K_AF.
- the UE may trigger a new Application Session Establishment request with the latest A-KID to the AKMA AF.
- step 9 can be performed before step 8, meaning the UDM can first respond to the AAnF with a confirmation that primary authentication will be triggered, and then trigger it. In this case, if the primary authentication procedure fails, the UDM can then send a notification to the AAnF to indicate the failure.
- in step 9, the result of the primary authentication can also be sent to the AAnF by another NF (e.g., the AUSF or the AMF) in a notification message.
- in step 7, the AAnF can also choose to first send a Nudm_SDM_Get Request to the UDM to fetch the SUPI of the UE, and then use the SUPI to request home network triggered primary authentication. If so, the UDM has no need to find the SUPI according to the GPSI and can directly start the home network triggered primary authentication procedure in step 8.
- an AF that is located outside the operator's network is configured to send the UE's authorization to the AAnF after receiving a request.
- the operations shown in the timing diagram in FIG. 6 include:
- when the UE initiates communication with the AKMA AF, it shall include the derived A-KID in the Application Session Establishment Request message.
- after receiving the request message, the AF checks the status of K_AF. If the K_AF timer has expired, the AF will request a new K_AF.
- the AF discovers the HPLMN of the UE based on the A-KID and sends the request towards the AAnF via the NEF service API.
- the request shall include the A-KID and the AF_ID.
- the NEF discovers and selects an AAnF.
- the NEF sends a Naanf_AKMA_ApplicationKey_Get request to the selected AAnF with the A-KID and the AF_ID to request K_AF for the UE.
- the AAnF checks the AKMA context of the UE according to the A-KID. If an AKMA context of the UE is stored in the AAnF, steps 7-10 can be skipped. If no AKMA context of the UE is stored in the AAnF, step 7 is performed.
- the AAnF shall send a request message to the NEF to get the UE's identification before sending the authentication request message.
- the NEF forwards the request to the AF.
- the AF responds to the NEF with the GPSI of the UE.
- the NEF forwards the response to the AAnF with the GPSI of the UE.
- the AAnF sends an authentication request message to the UDM, including the GPSI of the UE. The UDM then decides, based on its policy, whether to trigger home network triggered primary authentication. If it decides to trigger it, step 12 is performed; otherwise, step 12 is skipped.
- the UDM first finds the SUPI according to the received GPSI, then starts the home network triggered primary authentication procedure. After the primary authentication is successfully completed, the AUSF shall generate K_AKMA and the A-KID and send them to the AAnF.
- the UDM sends a Nudm_UECM_AuthTrigger Response to inform the AAnF whether the home network triggered primary authentication was successfully performed. If it was successful, steps 14-16 are skipped. If it failed or was not performed according to the UDM's policy, steps 14-16 are performed.
- if the AAnF is informed that the home network triggered primary authentication failed or was not performed, the AAnF sends a Naanf_AKMA_ApplicationKey_Get Response to the NEF to indicate a failure of the K_AF refresh.
- the NEF forwards the response to the AF.
- the AF shall reject the Application Session Establishment by including a failure cause. Steps 17-21 shall be skipped.
- the AAnF derives the AKMA Application Key (K_AF) from K_AKMA.
- the AAnF sends the Naanf_AKMA_ApplicationKey_Get response to the NEF with the SUPI, K_AF and the K_AF expiration time.
- the NEF forwards the response to the AF with K_AF, the K_AF expiration time (K_AF exptime) and optionally the GPSI (external ID).
- step 13 can be performed before step 12, meaning the UDM can first respond to the AAnF with a confirmation that primary authentication will be triggered, and then trigger it. In this case, if the primary authentication procedure fails, the UDM can then send a notification to the AAnF to indicate the failure.
- in step 13, the result of the primary authentication can also be sent to the AAnF by another NF (e.g., the AUSF or the AMF) in a notification message.
- in step 11, the AAnF can also choose to first send a Nudm_SDM_Get Request to the UDM to fetch the SUPI of the UE, and then use the SUPI to request home network triggered primary authentication.
- in that case the UDM has no need to find the SUPI according to the GPSI and can directly start the home network triggered primary authentication procedure in step 12.
- NF Network Function
- an NF service is specified for the NEF:
- Embodiments of the disclosed technology provide mechanisms that enable AKMA application key refresh for an AAnF without a valid AKMA context. Specifically, the following two methods are designed for an AAnF without a valid AKMA context to acquire the GPSI of the UE.
- the AF sends the UE's identification directly to the AAnF.
- the AF directly sends the SUPI or the GPSI to the AAnF.
- the AF sends the GPSI to the NEF, and the NEF forwards the UE's identification to the AAnF.
- the AAnF can directly use it for the authentication request even if it does not have a valid AKMA context.
- the AF sends the UE's identification after receiving a request.
- the AF sends the SUPI or the GPSI to the AAnF after receiving the request from the AAnF.
- the AF sends the UE's identification to the NEF after receiving the request from the NEF. This method requires the AAnF to first check its AKMA context based on the received A-KID. If it finds that there is no valid AKMA context for the UE, it further requests the AF to provide the UE's identification.
- an NF service for the AF and an NF service for the NEF can be designed.
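The refresh flow of FIGS. 3 to 6 and the two methods summarised above, as an added simulation that is not code from the patent or from any 3GPP implementation. It models the AAnF receiving a Naanf_AKMA_ApplicationKey_Get for an A-KID it holds no context for, obtaining the UE identity either inside the request (`ue_id`, FIGS. 3/4) or by asking the AF for it (`ask_af`, FIGS. 5/6), sending the UDM a Nudm_UECM_AuthTrigger that resolves a GPSI to the SUPI, the AUSF pushing a fresh K_AKMA and A-KID after primary authentication, and the UE recomputing the same K_AF; the NEF relay is left out and a UDM policy refusal is the failure path. The KDF layout and the FC values 0x80/0x81/0x82 are assumptions recalled from TS 33.535 Annex A and TS 33.220, a random K_AUSF stands in for the real primary authentication run, and all identifiers and subscriber data are constructed.

```python
import hashlib
import hmac
import os
from collections import namedtuple


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over FC || P0 || L0 ... (TS 33.220 Annex B layout, assumed here). FC values
    0x80 (K_AKMA), 0x81 (A-TID) and 0x82 (K_AF) are assumed from TS 33.535 Annex A, not from the patent."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


AkmaContext = namedtuple("AkmaContext", "supi a_kid k_akma")  # what the AAnF stores per A-KID


class UE:
    def __init__(self, supi: str):
        self.supi = supi
        self.k_ausf = os.urandom(32)  # constructed: result of an earlier primary authentication

    def a_kid(self) -> str:  # A-KID is derived from K_AUSF, so it changes with every primary auth
        return "a-kid-" + kdf(self.k_ausf, 0x81, self.supi.encode()).hex()[:16]

    def k_af(self, af_id: str) -> bytes:  # UE side after the "A-KID refreshed" error: recompute keys
        return kdf(kdf(self.k_ausf, 0x80, self.supi.encode()), 0x82, af_id.encode())


class AUSF:
    def primary_authentication(self, ue: UE, aanf: "AAnF") -> None:
        ue.k_ausf = os.urandom(32)  # constructed: stands in for a full 5G-AKA / EAP-AKA' run
        k_akma = kdf(ue.k_ausf, 0x80, ue.supi.encode())
        aanf.store_context(AkmaContext(ue.supi, ue.a_kid(), k_akma))  # AUSF pushes K_AKMA, A-KID


class UDM:
    def __init__(self, gpsi_to_supi: dict, ues: dict, ausf: AUSF, trigger_policy: bool = True):
        self.gpsi_to_supi, self.ues = gpsi_to_supi, ues  # constructed subscriber data; SUPI -> UE
        self.ausf, self.trigger_policy = ausf, trigger_policy  # policy on home network triggered auth

    def auth_trigger(self, identifier: str, aanf: "AAnF") -> bool:
        """Nudm_UECM_AuthTrigger: a GPSI is first resolved to the SUPI, a SUPI is used as is."""
        supi = identifier if identifier.startswith("imsi-") else self.gpsi_to_supi.get(identifier)
        if supi is None or supi not in self.ues or not self.trigger_policy:
            return False  # authentication failed or not performed according to UDM policy
        self.ausf.primary_authentication(self.ues[supi], aanf)
        return True


class AAnF:
    def __init__(self, udm: UDM):
        self.udm, self.contexts, self.last_stored = udm, {}, None  # contexts: A-KID -> AkmaContext

    def store_context(self, ctx: AkmaContext) -> None:
        self.contexts[ctx.a_kid] = ctx
        self.last_stored = ctx  # single-UE toy: the context just pushed is the one being refreshed

    def application_key_get(self, a_kid: str, af_id: str, ue_id=None, ask_af=None) -> dict:
        """Naanf_AKMA_ApplicationKey_Get: ue_id is the identity carried in the request (FIGS. 3/4);
        ask_af lets the AAnF ask the AF for it once no context is found (FIGS. 5/6)."""
        ctx = self.contexts.get(a_kid)
        if ctx is None:
            if ue_id is None and ask_af is not None:
                ue_id = ask_af()
            if ue_id is None:
                return {"result": "failure", "cause": "no AKMA context and no UE identity"}
            if not self.udm.auth_trigger(ue_id, self):
                return {"result": "failure", "cause": "primary authentication not performed"}
            ctx = self.last_stored  # the fresh context the AUSF pushed during the trigger
        k_af = kdf(ctx.k_akma, 0x82, af_id.encode())
        return {"result": "success", "supi": ctx.supi, "a_kid": ctx.a_kid, "k_af": k_af, "exptime": 3600}


class AF:
    def __init__(self, af_id: str, aanf: AAnF):
        self.af_id, self.aanf = af_id, aanf
        self.gpsi_of: dict = {}  # A-KID -> GPSI learnt in an earlier, now expired, session
        self.k_af: dict = {}  # SUPI -> current K_AF

    def session_establishment(self, ue_a_kid: str, on_request: bool) -> dict:
        """Handle an Application Session Establishment Request whose A-KID may be stale."""
        gpsi = self.gpsi_of.get(ue_a_kid)
        if on_request:  # identity supplied only when the AAnF asks for it (FIG. 5 style)
            resp = self.aanf.application_key_get(ue_a_kid, self.af_id, ask_af=lambda: gpsi)
        else:  # identity included in the Get request itself (FIG. 3 style)
            resp = self.aanf.application_key_get(ue_a_kid, self.af_id, ue_id=gpsi)
        if resp["result"] != "success":
            return {"result": "reject", "cause": resp["cause"]}
        self.k_af[resp["supi"]] = resp["k_af"]
        if resp["a_kid"] != ue_a_kid:  # refreshed: tell the UE to recompute A-KID and K_AF and retry
            return {"result": "error", "cause": "A-KID refreshed"}
        return {"result": "accept", "k_af": resp["k_af"]}


def run_scenario(on_request: bool, udm_policy: bool) -> dict:
    """Constructed run: UE presents a stale A-KID, the AAnF has no context, refresh goes via UDM/AUSF."""
    ue = UE("imsi-001010123456789")
    udm = UDM({"msisdn-8613800000001": ue.supi}, {ue.supi: ue}, AUSF(), udm_policy)
    af = AF("af.example.com;ua-star", AAnF(udm))
    stale_a_kid = ue.a_kid()
    af.gpsi_of[stale_a_kid] = "msisdn-8613800000001"  # AF knows the GPSI; AAnF has lost its context
    first = af.session_establishment(stale_a_kid, on_request)
    retry = af.session_establishment(ue.a_kid(), on_request)  # UE retries with its latest A-KID
    return {"first": first, "retry": retry, "ue_k_af": ue.k_af(af.af_id), "af_k_af": af.k_af.get(ue.supi)}
```

`run_scenario(False, True)` is the FIG. 3 path and `run_scenario(True, True)` the FIG. 5 path; with `udm_policy=False` the AAnF reports the failed refresh and the AF rejects the session.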
- FIG. 7 shows a flowchart of an example wireless communication method 700.
- the method 700 includes, at operation 710, receiving, by an anchor function from an application function, a first message comprising an identifier of a wireless device.
- the method 700 includes, at operation 720, transmitting, to a data management function, an authentication request message comprising the identifier.
- FIG. 8 shows a flowchart of an example wireless communication method 800.
- the method 800 includes, at operation 810, transmitting, by an application function to an anchor function, a first message comprising an identifier of a wireless device.
- the anchor function is configured to transmit, to a data management function, an authentication request message comprising the identifier.
- a wireless communication method comprising receiving, by an anchor function from an application function, a first message comprising an identifier of a wireless device; and transmitting, to a data management function, an authentication request message comprising the identifier.
- the anchor function receiving the first message corresponds to step 3 of Embodiment #1, or step 5 of Embodiment #2, or step 6 of Embodiment #3, or step 10 of Embodiment #4.
- the identifier of the wireless device is a SUPI or a GPSI.
- the anchor function transmitting the authentication request message to the data management function corresponds to step 4 of Embodiment #1, or step 6 of Embodiment #2, or step 7 of Embodiment #3, or step 11 of Embodiment #4.
- a wireless communication method comprising transmitting, by an application function to an anchor function, a first message comprising an identifier of a wireless device, wherein the anchor function is configured to transmit, to a data management function, an authentication request message comprising the identifier.
- the application function transmitting the first message to the anchor function corresponds to step 3 of Embodiment #1, or step 5 of Embodiment #2, or step 6 of Embodiment #3, or step 10 of Embodiment #4.
- the identifier of the wireless device is a SUPI or a GPSI.
- anchor function is an AKMA (Authentication and Key Management for Applications) Anchor Function (AAnF)
- application function is an Application Function
- the authentication request message is a Nudm_UECM_AuthTrigger Request
- the wireless device is a user equipment (UE)
- the identifier is a Generic Public Subscription Identifier (GPSI) or a Subscription Permanent Identifier (SUPI)
- the data management function is a Unified Data Management (UDM) function.
- GPSI Generic Public Subscription Identifier
- SUPI Subscription Permanent Identifier
- UDM Unified Data Management
- the first message is Naanf_AKMA_ApplicationKey_Get Request or Naanf_AKMA_ApplicationKey_AnonUser_Get Request.
- the first message can be initiated by the NEF or the AF, and is a service operation that is used by an NF to request the AKMA Application Key information for the UE.
- the third message is received from the data management function, and wherein the third message is Nudm_UECM_AuthTrigger Response.
- the third message belongs to the Nudm_UECM_AuthTrigger service operation, which allows an NF to request the Unified Data Management (UDM) to trigger a primary (re-) authentication.
- AUSF Authentication Server Function
- AMF Access and Mobility Management Function
- An apparatus for wireless communication comprising a processor, configured to implement a method recited in one or more of solutions 1 to 15.
- a non-transitory computer readable program storage medium having code stored thereon, the code, when executed by a processor, causing the processor to implement a method recited in one or more of solutions 1 to 15.
- FIG. 9 shows an exemplary block diagram of a hardware platform 900 that may be a part of a network device (e.g., base station) or a communication device (e.g., a user equipment (UE) ) .
- the hardware platform 900 includes at least one processor 910 and a memory 905 having instructions stored thereupon. The instructions upon execution by the processor 910 configure the hardware platform 900 to perform the operations described in FIGS. 1 to 8 and in the various embodiments described in this patent document.
- the transmitter 915 transmits or sends information or data to another device.
- a network device transmitter can send a message to a user equipment.
- the receiver 920 receives information or data transmitted or sent by another device.
- a user equipment can receive a message from a network device.
- FIG. 10 shows an example of a wireless communication system (e.g., a 5G or NR cellular network) that includes a base station 1020 and one or more user equipment (UE) 1011, 1012 and 1013.
- the UEs access the BS (e.g., the network) using a communication link to the network (sometimes called uplink direction, as depicted by dashed arrows 1031, 1032, 1033) , which then enables subsequent communication (e.g., shown in the direction from the network to the UEs, sometimes called downlink direction, shown by arrows 1041, 1042, 1043) from the BS to the UEs.
- the BS send information to the UEs (sometimes called downlink direction, as depicted by arrows 1041, 1042, 1043) , which then enables subsequent communication (e.g., shown in the direction from the UEs to the BS, sometimes called uplink direction, shown by dashed arrows 1031, 1032, 1033) from the UEs to the BS.
- the UE may be, for example, a smartphone, a tablet, a mobile computer, a machine to machine (M2M) device, an Internet of Things (IoT) device, and so on.
- M2M machine to machine
- IoT Internet of Things
- a computer-readable medium may include removable and non-removable storage devices including, but not limited to, Read Only Memory (ROM) , Random Access Memory (RAM) , compact discs (CDs) , digital versatile discs (DVD) , etc. Therefore, the computer-readable media can include a non-transitory storage media.
- program modules may include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types.
- Computer-or processor-executable instructions, associated data structures, and program modules represent examples of program code for executing steps of the methods disclosed herein. The particular sequence of such executable instructions or associated data structures represents examples of corresponding acts for implementing the functions described in such steps or processes.
- a hardware circuit implementation can include discrete analog and/or digital components that are, for example, integrated as part of a printed circuit board.
- the disclosed components or modules can be implemented as an Application Specific Integrated Circuit (ASIC) and/or as a Field Programmable Gate Array (FPGA) device.
- ASIC Application Specific Integrated Circuit
- FPGA Field Programmable Gate Array
- DSP digital signal processor
- the various components or sub-components within each module may be implemented in software, hardware or firmware.
- the connectivity between the modules and/or components within the modules may be provided using any one of the connectivity methods and media that is known in the art, including, but not limited to, communications over the Internet, wired, or wireless networks using the appropriate protocols.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Techniques are described for generating new keys for Authentication and Key Management for Applications (AKMA). An example wireless communication method includes receiving, by an anchor function from an application function, a first message comprising an identifier of a wireless device, and transmitting, to a data management function, an authentication request message comprising the identifier. Another example wireless communication method includes transmitting, by an application function to an anchor function, a first message comprising an identifier of a wireless device, wherein the anchor function is configured to transmit, to a data management function, an authentication request message comprising the identifier.
Description
This disclosure is directed generally to digital wireless communications.
Mobile telecommunication technologies are moving the world toward an increasingly connected and networked society. In comparison with the existing wireless networks, next generation systems and wireless communication techniques will need to support a much wider range of use-case characteristics and provide a more complex and sophisticated range of access requirements and flexibilities.
Long-Term Evolution (LTE) is a standard for wireless communication for mobile devices and data terminals developed by 3rd Generation Partnership Project (3GPP) . LTE Advanced (LTE-A) is a wireless communication standard that enhances the LTE standard. The 5th generation of wireless system, known as 5G, advances the LTE and LTE-A wireless standards and is committed to supporting higher data-rates, large number of connections, ultra-low latency, high reliability and other emerging business needs.
Methods, systems, and devices for generating new keys for Authentication and Key Management for Applications (AKMA) are described. In a 5G system, the AKMA service establishes authenticated communication between users and application functions and thereby secures the communication between users and applications. Embodiments of the disclosed technology provide mechanisms for refreshing the application key even when the anchor function no longer holds a valid AKMA context for the UE.
In an example aspect, a wireless communication method includes receiving, by an anchor function from an application function, a first message comprising an identifier of a wireless device, and transmitting, to a data management function, an authentication request message comprising the identifier.
In another example aspect, a wireless communication method includes transmitting, by an application function to an anchor function, a first message comprising an identifier of a wireless device, wherein the anchor function is configured to transmit, to a data management function, an authentication request message comprising the identifier.
In yet another example aspect, the above-described methods are embodied in the form of processor-executable code and stored in a non-transitory computer-readable storage medium. The code included in the computer readable storage medium when executed by a processor, causes the processor to implement the methods described in this patent document.
In yet another example aspect, a device that is configured or operable to perform the above-described methods is disclosed.
The above and other aspects and their implementations are described in greater detail in the drawings, the descriptions, and the claims.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 shows an example timing diagram for the generation of the KAF from KAKMA.
FIG. 2 shows an example timing diagram for an AKMA Application Key request via a Network Exposure Function (NEF) .
FIG. 3 shows an example timing diagram for refreshing the KAF when an internal Application Function (AF) directly sends the Subscription Permanent Identifier (SUPI) or the Generic Public Subscription Identifier (GPSI) to the AKMA Anchor Function (AAnF) .
FIG. 4 shows an example timing diagram for refreshing the KAF when an external AF indirectly sends the GPSI to the AAnF via the NEF.
FIG. 5 shows an example timing diagram for refreshing the KAF when an internal AF directly sends the SUPI or the GPSI to the AAnF after receiving a request from the AAnF.
FIG. 6 shows an example timing diagram for refreshing the KAF when an external AF indirectly sends the GPSI to the AAnF via the NEF, and after receiving a request from the AAnF forwarded by the NEF.
FIG. 7 shows a flowchart of an example method for wireless communications.
FIG. 8 shows a flowchart of another example method for wireless communications.
FIG. 9 shows an exemplary block diagram of a hardware platform that may be a part of a network device or a communication device.
FIG. 10 shows an example of wireless communication including a base station (BS) and user equipment (UE) based on some implementations of the disclosed technology.
In 5G New Radio (NR) , the Authentication and Key Management for Applications (AKMA) service enables the authentication and generation of application keys based on 3GPP credentials for all User Equipment (UE) types in the 5G System, especially Internet of Things (IoT) devices, so that the security between the UE and the applications in the 5G system can be bootstrapped. Using AKMA, a user can log in to an application service based solely on the 3GPP credential, which is the permanent key stored in the user’s tamper-resistant smart card (e.g., Universal Integrated Circuit Card (UICC) ) . The application service provider can also delegate the task of user authentication to the mobile network operator by using AKMA. The AKMA architecture and procedures are specified in Technical Specification (TS) 33.535, entitled “Authentication and Key Management for Applications (AKMA) based on 3GPP credentials in the 5G System (5GS) . ”
According to TS 33.535, when the lifetime of the AKMA application key KAF expires, the AF may either reject the UE’s access to the AF or refresh the KAF, depending on its policy. If the AF decides to continue serving the UE after the KAF has expired, it shall request a new KAF by sending a Naanf_AKMA_ApplicationKey_Get request to the AAnF. The AAnF then needs to ask the Unified Data Management (UDM) function to trigger a primary (re-) authentication in order to obtain a fresh KAKMA, from which the new KAF is derived. However, the only link the AAnF has from the A-KID carried in the received Naanf_AKMA_ApplicationKey_Get request to the UE’s SUPI is the UE’s AKMA context; if that context is invalid or has been deleted in the AAnF, the AAnF cannot determine the SUPI and therefore cannot request the re-authentication. The absence of a valid AKMA context in the AAnF thus always causes the KAF refresh procedure to fail. How to derive a new KAF when the UE’s AKMA context is invalid or deleted in the AAnF therefore needs to be addressed. Embodiments of the disclosed technology provide a mechanism that enables AKMA application key refresh by the AAnF without a valid AKMA context.
The example headings for the various sections below are used to facilitate the understanding of the disclosed subject matter and do not limit the scope of the claimed subject matter in any way. Accordingly, one or more features of one example section can be combined with one or more features of another example section. Furthermore, 5G terminology is used for the sake of clarity of explanation, but the techniques disclosed in the present document are not limited to 5G technology only, and may be used in wireless systems that implement other protocols.
Examples of AKMA protocols in 3GPP TS 33.535
3GPP TS 33.535 clause 6.2.1 specifies the procedure used by the AF to request application function specific AKMA keys from the AAnF, when the AF is located inside the operator's network, and is shown in FIG. 1. Before communication between the UE and the AKMA AF can start, the UE and the AKMA AF need to know whether to use AKMA. This knowledge is implicit to the specific application on the UE and the AKMA AF or indicated by the AKMA AF to the UE (see clause 6.5) . The operations shown in the timing diagram in FIG. 1 include:
1. The UE shall generate the AKMA Anchor Key (KAKMA) and the A-KID from the KAUSF before initiating communication with an AKMA Application Function. When the UE initiates communication with the AKMA AF, it shall include the derived A-KID (see clause 6.1) in the Application Session Establishment Request message. The UE may derive KAF before sending the message or afterwards.
2. If the AF does not have an active context associated with the A-KID, then the AF selects the AAnF as defined in clause 6.7, and sends a Naanf_AKMA_ApplicationKey_Get request to AAnF with the A-KID to request the KAF for the UE. The AF also includes its identity (AF_ID) in the request.
AF_ID consists of the FQDN of the AF and the Ua* security protocol identifier (see Annex A. 4) . The latter parameter identifies the security protocol that the AF will use with the UE.
The AAnF shall check whether the AAnF can provide the service to the AF based on the configured local policy or based on the authorization information available in the signalling (i.e., an OAuth 2.0 token) . If the check succeeds, the following procedures are executed. Otherwise, the AAnF shall reject the procedure.
The AAnF shall verify whether the subscriber is authorized to use AKMA based on the presence of the UE specific KAKMA key identified by the A-KID.
If KAKMA is present in AAnF, the AAnF shall continue with step 3.
If KAKMA is not present in the AAnF, the AAnF shall continue with step 6 with an error response.
3. Once it receives the request from the AF, if the AAnF determines that this specific AF needs the GPSI according to its local policy, the AAnF sends a Nudm_SDM_Get Request to the UDM to fetch the GPSI of the UE. If the specific AF does not need the GPSI, the AAnF shall continue with step 5.
4. The UDM responds with the GPSI of the UE. The AAnF shall store the received GPSI as part of UE’s AKMA context.
5. The AAnF derives the AKMA Application Key (KAF) from KAKMA if it does not already have KAF.
The key derivation of KAF shall be performed as specified in Annex A. 4.
6. The AAnF sends Naanf_AKMA_ApplicationKey_Get response to the AF with SUPI, KAF and the KAF expiration time. Whether to send SUPI or GPSI is determined by AAnF based on the local policy.
7. The AF sends the Application Session Establishment Response to the UE. If the information received in step 6 indicates failure of the AKMA key request, the AF shall reject the Application Session Establishment by including a failure cause. Afterwards, the UE may trigger a new Application Session Establishment request with the latest A-KID to the AKMA AF.
3GPP TS 33.535 clause 6.2.2 specifies that in some scenarios, anonymous user access to the AF is desirable (e.g., UE identification is not required at the AF) . For allowing such anonymous user access to the AF, the procedure detailed in clause 6.2.1 of the present document is used with the following changes:
- in step 2, instead of Naanf_AKMA_ApplicationKey_Get request, Naanf_AKMA_ApplicationKey_AnonUser_Get request is used by the AF; and
- in step 6, the AAnF sends Naanf_AKMA_ApplicationKey_AnonUser_Get response to the AF with KAF and the KAF expiration time.
The A-KID functions as a temporary user identifier.
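The key hierarchy and the AAnF lookup described in clause 6.2.1 above, as an added worked example (this is the editor's illustration, not code from the patent or from 3GPP): the UE and the network both derive KAKMA, A-TID/A-KID and KAF from KAUSF, the AAnF answers a Naanf_AKMA_ApplicationKey_Get by looking the A-KID up in its context store, and the same request fails once the context has been removed, which is the failure mode the description targets. The KDF is the TS 33.220 HMAC-SHA-256 construction; the FC values 0x80/0x81/0x82, the RID, the realm, the hex encoding of the A-TID and the AF_ID bytes are this example's assumptions and should be checked against TS 33.535 Annex A before any reuse.

```python
import hashlib
import hmac

KAF_LIFETIME = 3600  # seconds; illustrative, the real KAF lifetime is operator policy


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP generic KDF (TS 33.220 Annex B.2): HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # each Pi is followed by its 2-octet length Li
    return hmac.new(key, s, hashlib.sha256).digest()


# FC values as recalled from TS 33.535 Annex A (A.2 KAKMA 0x80, A.3 A-TID 0x81, A.4 KAF 0x82);
# they are assumptions of this example and must be checked against the spec before reuse.
def derive_k_akma(k_ausf: bytes, supi: str) -> bytes:
    return kdf(k_ausf, 0x80, b"AKMA", supi.encode())


def derive_a_tid(k_ausf: bytes, supi: str) -> bytes:
    return kdf(k_ausf, 0x81, b"A-TID", supi.encode())


def derive_k_af(k_akma: bytes, af_id: bytes) -> bytes:
    return kdf(k_akma, 0x82, af_id)  # AF_ID = FQDN of the AF || Ua* security protocol identifier


def make_a_kid(rid: str, a_tid: bytes, realm: str) -> str:
    """A-KID in NAI form username@realm; the username carries RID and A-TID (hex encoding is this example's choice)."""
    return f"{rid}{a_tid.hex()}@{realm}"


def application_key_get(contexts: dict, a_kid: str, af_id: bytes, now: int) -> dict:
    """AAnF handling of Naanf_AKMA_ApplicationKey_Get (clause 6.2.1 steps 2, 5 and 6), returning the SUPI."""
    ctx = contexts.get(a_kid)
    if ctx is None:
        # No KAKMA for this A-KID: error response. The AAnF also has no SUPI at this point, so it
        # cannot ask the UDM for a re-authentication; this is the failure the description targets.
        return {"result": "error", "cause": "KAKMA not present"}
    return {"result": "ok", "supi": ctx["supi"],
            "k_af": derive_k_af(ctx["k_akma"], af_id), "exptime": now + KAF_LIFETIME}


def run_bootstrap() -> dict:
    # Constructed sample values; a real KAUSF results from primary authentication.
    supi = "imsi-001010123456789"
    k_ausf = hashlib.sha256(b"constructed KAUSF for this example").digest()
    af_id = b"af.example.com" + bytes([0x01, 0x00, 0x00, 0x00, 0x01])  # hypothetical FQDN + Ua* id
    realm = "5gc.mnc001.mcc001.3gppnetwork.org"

    # UE side (step 1): KAKMA and A-KID from KAUSF; KAF may be derived before or after the request
    a_kid = make_a_kid("rid01", derive_a_tid(k_ausf, supi), realm)
    ue_k_af = derive_k_af(derive_k_akma(k_ausf, supi), af_id)

    # Network side: the AUSF performs the same derivation and hands the AAnF its AKMA context
    contexts = {make_a_kid("rid01", derive_a_tid(k_ausf, supi), realm):
                {"supi": supi, "k_akma": derive_k_akma(k_ausf, supi)}}

    first = application_key_get(contexts, a_kid, af_id, now=1000)  # AF request, steps 2 to 6
    contexts.pop(a_kid)                                             # context later invalidated
    refresh = application_key_get(contexts, a_kid, af_id, now=1000 + KAF_LIFETIME + 1)
    return {"first": first, "ue_k_af": ue_k_af, "refresh": refresh}
```

Run `run_bootstrap()`: the first response carries a KAF identical to the one the UE derived on its own, while the refresh attempt after the context is gone yields only the error response, because the A-KID is the sole handle the AAnF has and it no longer resolves to anything.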
3GPP TS 33.535 clause 6.3 specifies the procedure used by the AF to request KAF from the AAnF via NEF, when the AF is located outside the operator's network, and as shown in FIG. 2. The operations shown in the timing diagram in FIG. 2 include:
1. When the AF is about to request an AKMA Application Key for the UE from the AAnF, e.g. when the UE initiates an application session establishment request as in clause 6.2.1, the AF discovers the HPLMN of the UE based on the A-KID and sends the request towards the AAnF via the NEF service API. The request shall include the A-KID and the AF_ID and optionally a UE Id not needed indication.
NOTE: In the case of architecture without CAPIF support, the AF is locally configured with the API termination points for the service. In the case of architecture with CAPIF support, the AF obtains the service API information from the CAPIF core function via the Availability of service APIs event notification or Service Discover Response as specified in TS 23.222.
2. If the AF is authorized by the NEF to request KAF, including the authorization after verification of the AF_ID in step 1, the NEF discovers and selects an AAnF as defined in clause 6.7.
3. The NEF sends a Naanf_AKMA_ApplicationKey_Get request to the selected AAnF with the A-KID to request the KAF for the UE.
The AAnF shall process the request in the same way as specified in clause 6.2.1 with following changes:
If KAKMA is present in AAnF, the AAnF shall continue with step 4 in this clause.
If KAKMA is not present in the AAnF, the AAnF shall continue with step 5 in this clause with an error response.
4. The AAnF generates the KAF as specified in clause 6.2.1 and sends the response to the NEF with the KAF, the KAF expiration time (KAF exptime) and SUPI.
5. The NEF forwards the response to the AF with the KAF, the KAF expiration time (KAF exptime) and optionally GPSI (external ID) . Based on local policy, the NEF uses the Nudm_SubscriberDataManagement service which is specified in TS 29.503 to translate SUPI to GPSI (external ID) and optionally include GPSI (external ID) in the response. If UE Id not needed indication is received in the incoming request, the NEF shall not provide the GPSI (external ID) to AF. The NEF shall not send the SUPI to the AF.
3GPP TS 33.501 clause 14.2.6 specifies the following table, which illustrates the authentication related services for home network triggered primary (re) authentication initiation that UDM provides.
Table 1: NF services for authentication trigger provided by UDM
Service operation name: Nudm_UECM_AuthTrigger.
Description: This service operation allows the NF to request UDM to trigger a primary (re-) authentication as described in clause 6.1.5.
Input, Required: SUPI.
Input, Optional: None.
Output, Required: Success/Failure.
Output, Optional: None.
Examples of the Application Function (AF) directly sending UE authentication
Embodiment #1. In some embodiments, and as shown in FIG. 3, an AF that is located inside the operator’s network is configured to send the UE’s identifier (SUPI or GPSI) directly to the AAnF so that a primary authentication can be triggered. In an example, an AF being located inside the operator’s network is indicative of the AF being a trusted entity in the network. The operations shown in the timing diagram in FIG. 3 include:
1. When the UE initiates communication with the AKMA AF, it shall include the derived A-KID in the Application Session Establishment Request message.
2. After receiving the request message, the AF checks the status of KAF. If the KAF timer has expired, the AF will request to get a new KAF.
3. The AF selects the AAnF and sends a Naanf_AKMA_ApplicationKey_Get request to the AAnF with the A-KID to request the KAF for the UE. The AF also includes its identity (AF_ID) and the UE’s SUPI/GPSI in the request. The AF can decide whether to send the SUPI or the GPSI based on its local policy, e.g., prioritizing the GPSI and sending the SUPI only when no GPSI is available, prioritizing the SUPI and sending the GPSI only when no SUPI is available, or sending either arbitrarily. In the scenarios of anonymous user access, where the SUPI is not stored at the AF, the AF is configured to send a Naanf_AKMA_ApplicationKey_AnonUser_Get request to the AAnF and include the GPSI in the request.
4. The AAnF sends an authentication request message to the UDM, including the UE’s SUPI/GPSI received from the AF. The UDM then decides, based on its policy, whether to trigger the home network triggered primary authentication. If the UDM decides to trigger it, step 5 will be continued. If the UDM decides not to trigger it, step 5 will be skipped.
5. If the UDM receives UE’s GPSI from the AAnF, the UDM first finds SUPI according to GPSI, then starts the home network triggered primary authentication procedure. If the UDM receives UE’s SUPI from the AAnF, it directly starts the home network triggered primary authentication procedure. After the primary authentication is successfully completed, the AUSF shall generate KAKMA and A-KID and send them to AAnF.
6. The UDM sends a Nudm_UECM_AuthTrigger Response to inform the AAnF whether the home network triggered primary authentication was successfully performed. If the home network triggered primary authentication is successful, steps 7 and 8 will be skipped. If the home network triggered primary authentication failed or was not performed according to the UDM’s policy, step 7 will be continued.
7. If the AAnF is informed that the home network triggered primary authentication is failed or is not performed, the AAnF sends Naanf_AKMA_ApplicationKey_Get Response to the AF to indicate a failure of KAF refresh.
8. The AF shall reject the Application Session Establishment by including a failure cause. Steps 9-11 shall be skipped.
9. The AAnF derives the AKMA Application Key (KAF) from KAKMA.
10. The AAnF sends Naanf_AKMA_ApplicationKey_Get response to the AF with SUPI/GPSI, KAF and the KAF expiration time. Whether to send SUPI or GPSI is determined by AAnF based on the local policy. In the scenarios of anonymous user access, the AAnF sends Naanf_AKMA_ApplicationKey_AnonUser_Get response to the AF with KAF and the KAF expiration time.
11. Since the A-KID is also refreshed, the AF shall send an error response to inform UE the A-KID it used is expired, where the error cause value indicates the A-KID or KAF is refreshed. Upon receiving the response, the UE can calculate the new A-KID and KAF. Afterwards, UE may trigger a new Application Session Establishment request with the latest A-KID to the AKMA AF.
Note 1: If the UDM decides to trigger the home network triggered primary authentication, step 6 can be performed before step 5, which means the UDM can first respond to the AAnF with a confirmation that the primary authentication is being triggered, and then trigger the primary authentication. In this case, if the primary authentication procedure fails, the UDM can then send a notification to the AAnF to indicate the failure.
Note 2: In step 6, the result of the primary authentication can also be sent to the AAnF in a notification message by another NF, e.g., the AUSF or the AMF.
Note 3: If the AAnF received the UE’s GPSI from the AF in step 3, then in step 4 the AAnF can also choose to first send a Nudm_SDM_Get Request to the UDM to fetch the SUPI of the UE, and then use the SUPI to request the home network triggered primary authentication. In this case, the UDM has no need to find the SUPI according to the GPSI and can directly start the home network triggered primary authentication procedure in step 5.
Embodiment #2. In some embodiments, and as shown in FIG. 4, an AF that is located outside the operator’s network is configured to send the UE’s identifier (GPSI) to the AAnF via the NEF so that a primary authentication can be triggered. In an example, an AF being located outside the operator’s network is indicative of the AF being a non-trusted entity in the network. The operations shown in the timing diagram in FIG. 4 include:
1. When the UE initiates communication with the AKMA AF, it shall include the derived A-KID in the Application Session Establishment Request message
2. After receiving the request message, the AF checks the status of KAF. If the KAF timer has expired, the AF will request to get a new KAF.
3. The AF discovers the HPLMN of the UE based on the A-KID and sends the request towards the AAnF via the NEF service API. The request shall include the A-KID, the AF_ID and the UE’s GPSI.
4. If the AF is authorized by the NEF to request KAF, including the authorization after verification of the AF_ID in step 3, the NEF discovers and selects an AAnF.
5. The NEF sends a Naanf_AKMA_ApplicationKey_Get request to the selected AAnF with the A-KID, the AF_ID and UE’s GPSI to request the KAF for the UE.
6. The AAnF sends an authentication request message to the UDM, including the GPSI of the UE. Then, the UDM decides whether to trigger the home network triggered primary authentication based on its policy. If the UDM decides to trigger the home network triggered primary authentication, step 7 will be continued. If the UDM decides not to trigger the home network triggered primary authentication, step 7 will be skipped.
7. The UDM first finds SUPI according to received GPSI, then starts the home network triggered primary authentication procedure. After the primary authentication is successfully completed, the AUSF shall generate KAKMA and A-KID and send them to AAnF.
8. The UDM sends a Nudm_UECM_AuthTrigger Response to inform the AAnF whether the home network triggered primary authentication was successfully performed. If the home network triggered primary authentication is successful, steps 9-11 will be skipped. If the home network triggered primary authentication failed or was not performed according to the UDM’s policy, step 9 will be continued.
9. If the AAnF is informed that the home network triggered primary authentication is failed or is not performed, the AAnF sends Naanf_AKMA_ApplicationKey_Get Response to the NEF to indicate a failure of KAF refresh.
10. The NEF forwards the response to AF.
11. The AF shall reject the Application Session Establishment by including a failure cause. Steps 12-15 shall be skipped.
12. The AAnF derives the AKMA Application Key (KAF) from KAKMA.
13. The AAnF sends Naanf_AKMA_ApplicationKey_Get response to the NEF with SUPI, KAF and the KAF expiration time.
14. The NEF forwards the response to the AF with the KAF and the KAF expiration time (KAF exptime) and optionally GPSI (external ID) .
15. Since the A-KID is also refreshed, the AF shall send an error response to inform UE the A-KID it used is expired, where the error cause value indicates the A-KID or KAF is refreshed. Upon receiving the response, the UE can calculate the new A-KID and KAF. Afterwards, UE may trigger a new Application Session Establishment request with the latest A-KID to the AKMA AF.
Note 1: If the UDM decides to trigger the home network triggered primary authentication, step 8 can be performed before step 7, which means the UDM can first respond to the AAnF with a confirmation that the primary authentication is being triggered, and then trigger the primary authentication. In this case, if the primary authentication procedure fails, the UDM can then send a notification to the AAnF to indicate the failure.
Note 2: In step 8, the result of the primary authentication can also be sent to the AAnF in a notification message by another NF, e.g., the AUSF or the AMF.
Note 3: In step 6, the AAnF can also choose to first send a Nudm_SDM_Get Request to the UDM to fetch the SUPI of the UE, and then use the SUPI to request home network triggered primary authentication. In this case, the UDM has no need to find the SUPI according to GPSI and can directly start the home network triggered primary authentication procedure in step 7.
Examples of the AF sending UE authentication after receiving a request
Embodiment #3. In some embodiments, and as shown in FIG. 5, an AF that is located inside the operator’s network is configured to send the UE’s identifier (SUPI or GPSI) to the AAnF only after the AAnF has requested it. The operations shown in the timing diagram in FIG. 5 include:
1. When the UE initiates communication with the AKMA AF, it shall include the derived A-KID in the Application Session Establishment Request message.
2. After receiving the request message, the AF checks the status of KAF. If the KAF timer has expired, the AF will request to get a new KAF.
3. The AF selects the AAnF and sends a Naanf_AKMA_ApplicationKey_Get request to AAnF with the A-KID to request the KAF for the UE. The AF also includes its identity (AF_ID) in the request.
4. The AAnF checks the AKMA context of the UE according to the A-KID. If there is an AKMA context of the UE stored in the AAnF, steps 5 and 6 can be skipped. If there is no AKMA context of the UE stored in the AAnF, step 5 will be continued.
5. If there is no AKMA context of the UE, the AAnF shall request the UE’s identification from the AF before sending the authentication request message.
6. The AF responds to the AAnF with the GPSI/SUPI of the UE. The AF can decide whether to send the SUPI or the GPSI based on its local policy, e.g., prioritizing the GPSI and sending the SUPI only when no GPSI is available, prioritizing the SUPI and sending the GPSI only when no SUPI is available, or sending either arbitrarily. In the scenarios of anonymous user access, where the SUPI is not stored at the AF, the AF responds with the GPSI.
7. The AAnF sends an authentication request message to the UDM, including the SUPI/GPSI of the UE. Then, the UDM decides whether to trigger the home network triggered primary authentication based on its policy. If the UDM decides to trigger the home network triggered primary authentication, step 8 will be continued. If the UDM decides not to trigger the home network triggered primary authentication, step 8 will be skipped.
8. If the UDM receives UE’s GPSI from the AAnF, the UDM first finds SUPI according to GPSI, then starts the home network triggered primary authentication procedure. If the UDM receives UE’s SUPI from the AAnF, it directly starts the home network triggered primary authentication procedure. After the primary authentication is successfully completed, the AUSF shall generate KAKMA and A-KID and send them to AAnF.
9. The UDM sends a Nudm_UECM_AuthTrigger Response to inform the AAnF whether the home network triggered primary authentication was successfully performed. If the home network triggered primary authentication is successful, steps 10 and 11 will be skipped. If the home network triggered primary authentication failed or was not performed according to the UDM’s policy, step 10 will be continued.
10. If the AAnF is informed that the home network triggered primary authentication is failed or is not performed, the AAnF sends Naanf_AKMA_ApplicationKey_Get Response to the AF to indicate a failure of KAF refresh.
11. The AF shall reject the Application Session Establishment by including a failure cause. Steps 12-14 shall be skipped.
12. The AAnF derives the AKMA Application Key (KAF) from KAKMA.
13. The AAnF sends Naanf_AKMA_ApplicationKey_Get response to the AF with SUPI/GPSI, KAF and the KAF expiration time. Whether to send SUPI or GPSI is determined by AAnF based on the local policy. In the scenarios of anonymous user access, the AAnF sends Naanf_AKMA_ApplicationKey_AnonUser_Get response to the AF with KAF and the KAF expiration time.
14. Since the A-KID is also refreshed, the AF shall send an error response to inform UE the A-KID it used is expired, where the error cause value indicates the A-KID or KAF is refreshed. Upon receiving the response, the UE can calculate the new A-KID and KAF. Afterwards, UE may trigger a new Application Session Establishment request with the latest A-KID to the AKMA AF.
Note 1: If the UDM decides to trigger the home network triggered primary authentication, step 9 can be performed before step 8, which means the UDM can respond to AAnF with a confirmation of triggering primary authentication first, and then trigger the primary authentication. In this case, if the primary authentication procedure is failed, UDM can then send a notification to the AAnF to indicate the failure.
Note 2: In step 9, the result of primary authentication can also be sent by other NF to the AAnF in a notification message, e.g., AUSF, AMF.
Note 3: In step 7, the AAnF can also choose to first send a Nudm_SDM_Get Request to the UDM to fetch the SUPI of the UE, then use the SUPI to request home network triggered primary authentication. If so, the UDM has no need to find the SUPI according to GPSI and can directly start the home network triggered primary authentication procedure in step 8.
Embodiment #4. In some embodiments, and as shown in FIG. 6, an AF that is located outside the operator’s network is configured to send the UE’s authorization to the AAnF after receiving a request. The operations shown in the timing diagram in FIG. 6 include:
1. When the UE initiates communication with the AKMA AF, it shall include the derived A-KID in the Application Session Establishment Request message.
2. After receiving the request message, the AF checks the status of KAF. If the KAF timer has expired, the AF will request to get a new KAF.
3. The AF discovers the HPLMN of the UE based on the A-KID and sends the request towards the AAnF via NEF service API. The request shall include the A-KID and the AF_ID in the request.
4. If the AF is authorized by the NEF to request KAF, including the authorization after verification of the AF_ID in step 3, the NEF discovers and selects an AAnF.
5. The NEF sends a Naanf_AKMA_ApplicationKey_Get request to the selected AAnF with the A-KID and the AF_ID to request the KAF for the UE.
6. The AAnF checks the AKMA context of the UE according to the A-KID. If there is an AKMA context of the UE stored in the AAnF, steps 7-10 can be skipped. If there is no AKMA context of the UE stored in the AAnF, step 7 will be continued.
7. If there is no AKMA context of the UE, the AAnF shall send request message to NEF to get the UE’s identification before sending the authentication request message.
8. NEF forwards the request to AF.
9. The AF responds to the NEF with the GPSI of the UE.
10. NEF forwards the response to AAnF with the GPSI of the UE.
11. The AAnF sends an authentication request message to the UDM, including the GPSI of the UE. Then, the UDM decides whether to trigger the home network triggered primary authentication based on its policy. If the UDM decides to trigger the home network triggered primary authentication, step 12 will be continued. If the UDM decides not to trigger the home network triggered primary authentication, step 12 will be skipped.
12. The UDM first finds SUPI according to received GPSI, then starts the home network triggered primary authentication procedure. After the primary authentication is successfully completed, the AUSF shall generate KAKMA and A-KID and send them to AAnF.
13. The UDM sends Nudm_UECM_AuthTrigger Response to inform AAnF whether the home network triggered primary authentication is successfully performed. If the home network triggered primary authentication is successful, step 14-16 will be skipped. If the home network triggered primary authentication is failed or is not performed according to UDM’s policy, step 14-16 will be continued.
14. If the AAnF is informed that the home network triggered primary authentication is failed or is not performed, the AAnF sends Naanf_AKMA_ApplicationKey_Get Response to the NEF to indicate a failure of KAF refresh.
15. The NEF forwards the response to AF.
16. The AF shall reject the Application Session Establishment by including a failure cause. Steps 17-21 shall be skipped.
17. The AAnF derives the AKMA Application Key (KAF) from KAKMA .
18. The AAnF sends Naanf_AKMA_ApplicationKey_Get response to the NEF with SUPI, KAF and the KAF expiration time.
19. The NEF forwards the response to the AF with the KAF and the KAF expiration time (KAF exptime) and optionally GPSI (external ID) .
20. Since the A-KID is also refreshed, the AF shall send an error response to inform UE the A-KID it used is expired, where the error cause value indicates the A-KID or KAF is refreshed. Upon receiving the response, the UE can calculate the new A-KID and KAF. Afterwards, UE may trigger a new Application Session Establishment request with the latest A-KID to the AKMA AF.
Note 1: If the UDM decides to trigger the home network triggered primary authentication, step 13 can be performed before step 12, which means the UDM can respond to AAnF with a confirmation of triggering primary authentication first, and then trigger the primary authentication. In this case, if the primary authentication procedure is failed, UDM can then send a notification to the AAnF to indicate the failure.
Note 2: In step 13, the result of primary authentication can also be sent by other NF to the AAnF in a notification message, e.g., AUSF, AMF.
Note 3: In step 11, the AAnF can also choose to first send a Nudm_SDM_Get Request to the UDM to fetch the SUPI of the UE, then use the SUPI to request home network triggered primary authentication. In this case, the UDM has no need to find the SUPI according to GPSI and can directly start the home network triggered primary authentication procedure in step 12.
In some embodiments, and in order to realize steps 5 and 6 in Embodiment #3 and steps 8 and 9 in Embodiment #4, the following Network Function (NF) service is specified for AF:
Table 2: NF Service provided by AF
In some embodiments, and in order to realize step 7 and 10 in Embodiment #4, the following NF service is specified for NEF:
Table 3: NF Service provided by NEF
Embodiments of the disclosed technology, as described in the context of FIGS. 3-6, provide mechanisms that enable AKMA application key refresh for AAnF without valid AKMA context. Specifically, the following two methods for AAnF without valid AKMA context to acquire the GPSI of UE are designed.
(1) AF sends UE’s identification directly to AAnF. For an internal AF, the AF directly sends the SUPI or the GPSI to the AAnF. For external AF, the AF sends GPSI to the NEF, and NEF forwards the UE’s identification to AAnF. With the received identification from the UE, the AAnF can directly use it for authentication request even if it does not have the valid AKMA context.
(2) AF sends UE’s identification after receiving a request. For an internal AF, the AF sends the SUPI or the GPSI to the AAnF after receiving the request from AAnF. For an external AF, the AF sends the UE’s identification to the NEF after receiving the request from NEF. This method requires the AAnF to check its AKMA context based on the received A-KID first. If it finds that there is no valid AKMA context of UE, it will further request the AF to provide UE’s identification.
In some embodiments, and in order to implement the second method in Embodiment #4, an NF service for AF and an NF service for NEF can be designed.
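The following simulation walks the second method through the Embodiment #4 message flow (external AF, NEF in the path): the AAnF finds no AKMA context for the presented A-KID, asks the NEF/AF for the UE's GPSI, triggers primary authentication at the UDM, derives the new KAF, and the AF then tells the UE its A-KID was refreshed. It is an added example written for this page, not code from the patent or from any 3GPP implementation. Assumptions not on the page: HMAC-SHA256 stands in for the 3GPP key derivation functions, all identifiers and the long-term key are constructed values, the UDM policy is a single boolean, the UE is handed the refreshed (K_AKMA, A-KID) by the simulated AUSF rather than deriving them itself, and `KAF_LIFETIME` is a constructed expiration interval. The NEF authorization check (step 4) and the NEF dropping the SUPI before forwarding to the external AF (step 18 versus step 19) are modelled because those are the checks a reviewer of such a deployment would look for.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

KAF_LIFETIME = 3600  # constructed KAF expiration interval in seconds


def kdf(key: bytes, *labels: str) -> bytes:
    # Toy KDF (assumption): HMAC-SHA256 over labels. The 3GPP KDF is not modelled here.
    return hmac.new(key, "|".join(labels).encode(), hashlib.sha256).digest()


@dataclass
class AkmaContext:
    supi: str
    k_akma: bytes
    a_kid: str


class UE:
    def __init__(self, supi: str, gpsi: str):
        self.supi, self.gpsi, self.context = supi, gpsi, None

    def derive_k_af(self, af_id: str) -> bytes:  # UE-side KAF derivation
        return kdf(self.context.k_akma, "K_AF", af_id)


class AUSF:
    """Simulated primary authentication; on success produces K_AKMA and A-KID (step 12)."""
    def __init__(self, root_keys: dict, aanf: "AAnF", ue: UE):
        self.root_keys, self.aanf, self.ue, self.runs = root_keys, aanf, ue, 0

    def primary_authentication(self, supi: str) -> bool:
        if supi != self.ue.supi or supi not in self.root_keys:
            return False
        self.runs += 1
        k_akma = kdf(self.root_keys[supi], "K_AKMA", str(self.runs))
        ctx = AkmaContext(supi, k_akma, kdf(k_akma, "A-KID").hex()[:16] + "@example.com")
        self.aanf.store_context(ctx)  # AUSF sends K_AKMA and A-KID to the AAnF
        self.ue.context = ctx         # assumption: the UE derives the same values itself
        return True


class UDM:
    """Resolves GPSI to SUPI and decides by local policy whether to trigger primary authentication."""
    def __init__(self, gpsi_to_supi: dict, ausf: AUSF, trigger_reauth: bool):
        self.gpsi_to_supi, self.ausf, self.trigger_reauth = gpsi_to_supi, ausf, trigger_reauth

    def auth_trigger(self, gpsi: str) -> bool:  # Nudm_UECM_AuthTrigger (steps 11-13)
        if not self.trigger_reauth:
            return False  # "not performed according to UDM's policy"
        supi = self.gpsi_to_supi.get(gpsi)
        return supi is not None and self.ausf.primary_authentication(supi)


class AAnF:
    """Anchor function serving Naanf_AKMA_ApplicationKey_Get (steps 6-7, 14, 17-18)."""
    def __init__(self):
        self.contexts, self.latest, self.udm = {}, None, None

    def store_context(self, ctx: AkmaContext) -> None:
        self.contexts[ctx.a_kid], self.latest = ctx, ctx

    def application_key_get(self, a_kid: str, af_id: str, nef: "NEF") -> dict:
        ctx = self.contexts.get(a_kid)
        if ctx is None:                              # step 6: no AKMA context for this A-KID
            gpsi = nef.get_ue_identity(af_id)        # steps 7-10: fetch UE identity via NEF/AF
            if not self.udm.auth_trigger(gpsi):      # steps 11-13
                return {"result": "failure", "cause": "KAF refresh failed"}  # step 14
            ctx = self.latest                        # context pushed by the AUSF in step 12
        k_af = kdf(ctx.k_akma, "K_AF", af_id)        # step 17
        return {"result": "success", "supi": ctx.supi, "a_kid": ctx.a_kid,
                "k_af": k_af, "exptime": time.time() + KAF_LIFETIME}      # step 18


class NEF:
    """Exposure function: authorizes the external AF and relays messages (steps 4-5, 8, 10, 15, 19)."""
    def __init__(self, aanf: AAnF, authorized_af_ids: set):
        self.aanf, self.authorized, self.af = aanf, authorized_af_ids, None

    def application_key_get(self, a_kid: str, af: "AF") -> dict:
        if af.af_id not in self.authorized:          # step 4: only an authorized AF may request KAF
            return {"result": "failure", "cause": "AF not authorized"}
        self.af = af
        resp = self.aanf.application_key_get(a_kid, af.af_id, self)    # step 5
        if resp["result"] == "success":              # step 19: SUPI stays inside the operator network
            return {k: v for k, v in resp.items() if k != "supi"} | {"gpsi": af.gpsi}
        return resp                                  # step 15

    def get_ue_identity(self, af_id: str) -> str:
        return self.af.ue_identity()                 # steps 8-9


class AF:
    """External AKMA AF; holds KAF with its expiration time (steps 2-3, 16, 20)."""
    def __init__(self, af_id: str, nef: NEF, gpsi: str):
        self.af_id, self.nef, self.gpsi = af_id, nef, gpsi
        self.k_af, self.exptime, self.a_kid = None, 0.0, None

    def ue_identity(self) -> str:
        return self.gpsi                             # step 9: the external AF only knows the GPSI

    def application_session_establishment(self, a_kid: str) -> dict:  # step 1 request arrives
        if self.k_af and a_kid == self.a_kid and time.time() < self.exptime:
            return {"status": "established"}
        resp = self.nef.application_key_get(a_kid, self)               # steps 2-3 (KAF expired)
        if resp["result"] != "success":
            return {"status": "rejected", "cause": resp["cause"]}      # step 16
        self.k_af, self.exptime, self.a_kid = resp["k_af"], resp["exptime"], resp["a_kid"]
        if resp["a_kid"] != a_kid:                                     # step 20: A-KID refreshed
            return {"status": "error", "cause": "A-KID refreshed"}
        return {"status": "established"}


def run_embodiment4(trigger_reauth: bool = True) -> dict:
    """Drive the flow once: the UE presents a stale A-KID that the AAnF has no context for."""
    ue = UE("imsi-001010123456789", "msisdn-12345")               # constructed identifiers
    aanf = AAnF()
    ausf = AUSF({ue.supi: b"constructed-long-term-key"}, aanf, ue)
    aanf.udm = UDM({ue.gpsi: ue.supi}, ausf, trigger_reauth)
    nef = NEF(aanf, {"af.example.com"})
    af = AF("af.example.com", nef, ue.gpsi)
    ue.context = AkmaContext(ue.supi, b"stale-k-akma", "stale-a-kid@example.com")
    first = af.application_session_establishment(ue.context.a_kid)
    retry = af.application_session_establishment(ue.context.a_kid)  # UE retries with latest A-KID
    keys_match = af.k_af is not None and ue.derive_k_af(af.af_id) == af.k_af
    return {"first": first, "retry": retry, "keys_match": keys_match, "auth_runs": ausf.runs}
```

With `trigger_reauth=True` the first session request comes back with the "A-KID refreshed" error, the retry with the new A-KID is established, and the KAF the UE derives equals the one the AF received via the NEF; with `trigger_reauth=False` the AAnF reports KAF refresh failure and the AF rejects the session, matching steps 14 to 16.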
Example methods and implementations of the disclosed technology
FIG. 7 shows a flowchart of an example wireless communication method 700. The method 700 includes, at operation 710, receiving, by an anchor function from an application function, a first message comprising an identifier of a wireless device.
The method 700 includes, at operation 720, transmitting, to a data management function, an authentication request message comprising the identifier.
FIG. 8 shows a flowchart of an example wireless communication method 800. The method 800 includes, at operation 810, transmitting, by an application function to an anchor function, a first message comprising an identifier of a wireless device. In some embodiments, the anchor function is configured to transmit, to a data management function, an authentication request message comprising the identifier.
The described features can be implemented to further provide one or more of the following technical solutions:
1. A wireless communication method, comprising receiving, by an anchor function from an application function, a first message comprising an identifier of a wireless device; and transmitting, to a data management function, an authentication request message comprising the identifier. In some examples, the anchor function receiving the first message corresponds to step 3 of Embodiment #1, or step 5 of Embodiment #2, or step 6 of Embodiment #3, or step 10 of Embodiment #4. In some examples, the identifier of the wireless device is a SUPI or a GPSI. In some examples, the anchor function transmitting the authentication request message to the data management function corresponds to step 4 of Embodiment #1, or step 6 of Embodiment #2, or step 7 of Embodiment #3, or step 11 of Embodiment #4.
2. A wireless communication method, comprising transmitting, by an application function to an anchor function, a first message comprising an identifier of a wireless device, wherein the anchor function is configured to transmit, to a data management function, an authentication request message comprising the identifier. In some examples, the application function transmitting the first message to the anchor function corresponds to step 3 of Embodiment #1, or step 5 of Embodiment #2, or step 6 of Embodiment #3, or step 10 of Embodiment #4. In some examples, the identifier of the wireless device is a SUPI or a GPSI.
3. The method of solution 1 or 2, wherein the anchor function is an AKMA (Authentication and Key Management for Applications) Anchor Function (AAnF) , the application function is an Application Function, the authentication request message is a Nudm_UECM_AuthTrigger Request, the wireless device is a user equipment (UE) , the identifier is a Generic Public Subscription Identifier (GPSI) or a Subscription Permanent Identifier (SUPI) , and the data management function is a Unified Data Management (UDM) function.
4. The method of solution 3, wherein the application function is a trusted entity, and wherein the application function selects, based on a local policy, either the GPSI or the SUPI to include in the authentication request message. In some examples, the application function being a trusted entity corresponds to the application function being inside the operator’s network.
5. The method of solution 3, wherein the application function is a non-trusted entity, and wherein the identifier is the GPSI. In some examples, the application function being a non-trusted entity corresponds to the application function being outside the operator’s network.
6. The method of solution 3, wherein the first message is Naanf_AKMA_ApplicationKey_Get Request or Naanf_AKMA_ApplicationKey_AnonUser_Get Request. In some examples, the first message can be initiated by NEF or AF, and is a service operation that is used by an NF to request the AKMA Application Key information for the UE.
7. The method of any of solutions 1 to 3, wherein the anchor function is further configured to transmit, prior to receiving the first message, a second message comprising a request for the identifier of the wireless device.
8. The method of any of solutions 1 to 7, wherein the anchor function is further configured to receive a third message comprising a response to the authentication request message.
9. The method of solution 8, wherein the third message is received from the data management function, and wherein the third message is Nudm_UECM_AuthTrigger Response. In some examples, the third message allows the NF to request the Unified Data Management (UDM) to trigger a primary (re-) authentication.
10. The method of solution 8, wherein the third message is a notification message received from an alternate network function.
11. The method of solution 10, wherein the alternate network function is an Authentication Server Function (AUSF) or an Access and Mobility Management Function (AMF) .
12. The method of any of solutions 1 to 11, wherein the anchor function excludes a valid key authentication context of the wireless device.
13. The method of solution 12, wherein the application function is a trusted entity, and wherein the authentication request message is received by the anchor function directly from the application function.
14. The method of solution 12, wherein the application function is not a trusted entity, and wherein the authentication request message is received by the anchor function via an exposure function.
15. The method of solution 14, wherein the exposure function is a Network Exposure Function.
16. An apparatus for wireless communication comprising a processor, configured to implement a method recited in one or more of solutions 1 to 15.
17. A non-transitory computer readable program storage medium having code stored thereon, the code, when executed by a processor, causing the processor to implement a method recited in one or more of solutions 1 to 15.
FIG. 9 shows an exemplary block diagram of a hardware platform 900 that may be a part of a network device (e.g., base station) or a communication device (e.g., a user equipment (UE) ) . The hardware platform 900 includes at least one processor 910 and a memory 905 having instructions stored thereupon. The instructions upon execution by the processor 910 configure the hardware platform 900 to perform the operations described in FIGS. 1 to 8 and in the various embodiments described in this patent document. The transmitter 915 transmits or sends information or data to another device. For example, a network device transmitter can send a message to a user equipment. The receiver 920 receives information or data transmitted or sent by another device. For example, a user equipment can receive a message from a network device.
The implementations as discussed above apply to wireless communication. FIG. 10 shows an example of a wireless communication system (e.g., a 5G or NR cellular network) that includes a base station 1020 and one or more user equipment (UE) 1011, 1012 and 1013. In some embodiments, the UEs access the BS (e.g., the network) using a communication link to the network (sometimes called uplink direction, as depicted by dashed arrows 1031, 1032, 1033) , which then enables subsequent communication (e.g., shown in the direction from the network to the UEs, sometimes called downlink direction, shown by arrows 1041, 1042, 1043) from the BS to the UEs. In some embodiments, the BS sends information to the UEs (sometimes called downlink direction, as depicted by arrows 1041, 1042, 1043) , which then enables subsequent communication (e.g., shown in the direction from the UEs to the BS, sometimes called uplink direction, shown by dashed arrows 1031, 1032, 1033) from the UEs to the BS. The UE may be, for example, a smartphone, a tablet, a mobile computer, a machine to machine (M2M) device, an Internet of Things (IoT) device, and so on.
Some of the embodiments described herein are described in the general context of methods or processes, which may be implemented in one embodiment by a computer program product, embodied in a computer-readable medium, including computer-executable instructions, such as program code, executed by computers in networked environments. A computer-readable medium may include removable and non-removable storage devices including, but not limited to, Read Only Memory (ROM) , Random Access Memory (RAM) , compact discs (CDs) , digital versatile discs (DVD) , etc. Therefore, the computer-readable media can include a non-transitory storage media. Generally, program modules may include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Computer-or processor-executable instructions, associated data structures, and program modules represent examples of program code for executing steps of the methods disclosed herein. The particular sequence of such executable instructions or associated data structures represents examples of corresponding acts for implementing the functions described in such steps or processes.
Some of the disclosed embodiments can be implemented as devices or modules using hardware circuits, software, or combinations thereof. For example, a hardware circuit implementation can include discrete analog and/or digital components that are, for example, integrated as part of a printed circuit board. Alternatively, or additionally, the disclosed components or modules can be implemented as an Application Specific Integrated Circuit (ASIC) and/or as a Field Programmable Gate Array (FPGA) device. Some implementations may additionally or alternatively include a digital signal processor (DSP) that is a specialized microprocessor with an architecture optimized for the operational needs of digital signal processing associated with the disclosed functionalities of this application. Similarly, the various components or sub-components within each module may be implemented in software, hardware or firmware. The connectivity between the modules and/or components within the modules may be provided using any one of the connectivity methods and media that is known in the art, including, but not limited to, communications over the Internet, wired, or wireless networks using the appropriate protocols.
While this document contains many specifics, these should not be construed as limitations on the scope of an invention that is claimed or of what may be claimed, but rather as descriptions of features specific to particular embodiments. Certain features that are described in this document in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable sub-combination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a sub-combination or a variation of a sub-combination. Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results.
Only a few implementations and examples are described and other implementations, enhancements and variations can be made based on what is described and illustrated in this disclosure.
Claims (17)
- A wireless communication method, comprising: receiving, by an anchor function from an application function, a first message comprising an identifier of a wireless device; and transmitting, to a data management function, an authentication request message comprising the identifier.
- A wireless communication method, comprising: transmitting, by an application function to an anchor function, a first message comprising an identifier of a wireless device, wherein the anchor function is configured to transmit, to a data management function, an authentication request message comprising the identifier.
- The method of claim 1 or 2, wherein the anchor function is an AKMA (Authentication and Key Management for Applications) Anchor Function (AAnF) , the application function is an Application Function, the authentication request message is a Nudm_UECM_AuthTrigger Request, the wireless device is a user equipment (UE) , the identifier is a Generic Public Subscription Identifier (GPSI) or a Subscription Permanent Identifier (SUPI) , and the data management function is a Unified Data Management (UDM) function.
- The method of claim 3, wherein the application function is a trusted entity, and wherein the application function selects, based on a local policy, either the GPSI or the SUPI to include in the authentication request message.
- The method of claim 3, wherein the application function is a non-trusted entity, and wherein the identifier is the GPSI.
- The method of claim 3, wherein the first message is Naanf_AKMA_ApplicationKey_Get Request or Naanf_AKMA_ApplicationKey_AnonUser_Get Request.
- The method of any of claims 1 to 3, wherein the anchor function is further configured to transmit, prior to receiving the first message, a second message comprising a request for the identifier of the wireless device.
- The method of any of claims 1 to 7, wherein the anchor function is further configured to receive a third message comprising a response to the authentication request message.
- The method of claim 8, wherein the third message is received from the data management function, and wherein the third message is Nudm_UECM_AuthTrigger Response.
- The method of claim 8, wherein the third message is a notification message received from an alternate network function.
- The method of claim 10, wherein the alternate network function is an Authentication Server Function (AUSF) or an Access and Mobility Management Function (AMF) .
- The method of any of claims 1 to 11, wherein the anchor function excludes a valid key authentication context of the wireless device.
- The method of claim 12, wherein the application function is a trusted entity, and wherein the authentication request message is received by the anchor function directly from the application function.
- The method of claim 12, wherein the application function is not a trusted entity, and wherein the authentication request message is received by the anchor function via an exposure function.
- The method of claim 14, wherein the exposure function is a Network Exposure Function.
- An apparatus for wireless communication comprising a processor, configured to implement a method recited in one or more of claims 1 to 15.
- A non-transitory computer readable program storage medium having code stored thereon, the code, when executed by a processor, causing the processor to implement a method recited in one or more of claims 1 to 15.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2023/127872 WO2025091172A1 (en) | 2023-10-30 | 2023-10-30 | Generating new keys for authentication and key management for applications |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025091172A1 true WO2025091172A1 (en) | 2025-05-08 |
Family ID: 95583208
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2023/127872 Pending WO2025091172A1 (en) | 2023-10-30 | 2023-10-30 | Generating new keys for authentication and key management for applications |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2025091172A1 (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2021201558A1 (en) * | 2020-03-30 | 2021-10-07 | Samsung Electronics Co., Ltd. | Method and apparatus for providing akma service in wireless communication system |
| WO2022156933A1 (en) * | 2021-01-22 | 2022-07-28 | Telefonaktiebolaget Lm Ericsson (Publ) | Routing indicator retrival for akma |
| CN115152257A (en) * | 2020-02-19 | 2022-10-04 | 三星电子株式会社 | Using keys derived from network access authentication apparatus and method for generating application specific key |
| CN115398946A (en) * | 2020-04-28 | 2022-11-25 | 中兴通讯股份有限公司 | Authentication server function selection in authentication and key agreement |
| WO2023008929A1 (en) * | 2021-07-28 | 2023-02-02 | Samsung Electronics Co., Ltd. | Apparatus and method for communication establishment in authentication and key management for applications (akma) |
Non-Patent Citations (1)
| Title |
|---|
| ERICSSON: "Authentication method selection and SUPI retrieval for N5GC", 3GPP DRAFT; S3-203170, vol. SA WG3, 30 October 2020 (2020-10-30), pages 1 - 7, XP051949746 * |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 23957052; Country of ref document: EP; Kind code of ref document: A1 |