
WO2025093230A1 - Methods and related apparatuses for providing 5gc service access via a non integrated non 3gpp network - Google Patents


Info

Publication number: WO2025093230A1
Authority: WO (WIPO, PCT)
Prior art keywords: network, entity, nswof, value, key
Legal status: Pending
Application number: PCT/EP2024/078240
Other languages: French (fr)
Inventors: German PEINADO GOMEZ, Saurabh Khare
Current assignee: Nokia Technologies Oy
Original assignee: Nokia Technologies Oy
Application filed by: Nokia Technologies Oy
Priority application: CN202480032908.2A (CN121128138A)

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W 12/06 Authentication
                    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
                        • H04W 12/041 Key generation or derivation
                    • H04W 12/60 Context-dependent security
                        • H04W 12/69 Identity-dependent
                            • H04W 12/72 Subscriber identity
                • H04W 84/00 Network topologies
                    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
                        • H04W 84/10 Small scale networks; Flat hierarchical networks
                            • H04W 84/12 WLAN [Wireless Local Area Networks]
                • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
                    • H04W 88/02 Terminal devices
                        • H04W 88/06 Terminal devices adapted for operation in multiple networks or having at least two operational modes, e.g. multi-mode terminals
                • H04W 92/00 Interfaces specially adapted for wireless communication networks
                    • H04W 92/02 Inter-networking arrangements
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
                        • H04L 63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
                    • H04L 63/16 Implementing security features at a particular protocol layer
                        • H04L 63/164 Implementing security features at a particular protocol layer at the network layer

Definitions

  • This disclosure is related to the field of mobile communication networks, in particular the provisioning of fifth generation core network (5GC) services to users and their associated devices via a non-integrated, non-Third Generation Partnership Project (3GPP) network.
  • 5GC cellular networks find it necessary to “offload” some traffic (e.g., data). To do so, both user equipment (UE) and cellular networks need the capability to complete such offloads via a non-integrated, non-3GPP access network (e.g., a wireless local area network, abbreviated “WLAN”).
  • The present disclosure sets forth exemplary methods and related devices for providing 5GC service access via a non-integrated, non-3GPP network.
  • One such method for providing 5GC services via a non-integrated, non-3GPP access network may comprise: generating, by user equipment (UE), a non-seamless wireless offload (NSWOF) key after completing primary authentication; and directly sending an initialization message that comprises the NSWOF key to a first network function (NF) entity of a 5GC network to form a secure communication channel (e.g., an IPsec tunnel) directly between the UE and the first NF entity using the NSWOF key.
  • Such an exemplary method may further comprise forming the secure communication channel, wherein forming the secure communication channel further comprises generating, by the UE, a temporary UE identifier or receiving the temporary UE identifier, and generating, by the UE, the NSWOF key.
  • Generating the NSWOF key may comprise completing a first cryptographic process, wherein completing the first cryptographic process may further comprise receiving a CONSTANT value or a RAND value, an FC value and an MSK value.
  • Generating the NSWOF key may comprise completing a second cryptographic process, wherein completing the second cryptographic process may further comprise receiving the temporary UE identifier, an FC value and an MSK value.
  • The generation of the temporary UE identifier may further comprise completing a third cryptographic process, wherein completing the third cryptographic process may further comprise receiving a CONSTANT value or a RAND value, an FC value and an MSK value.
  • Such a method may further comprise generating, by the UE, an additional initialization message that comprises a generated temporary UE identifier and sending the additional initialization message and temporary UE identifier to the first NF entity within the formed secure communications channel.
  • The exemplary method may comprise completing the primary authentication by pre-configuring the UE with a Fully Qualified Domain Name address of the first NF entity of the 5GC network.
  • A second exemplary method for providing fifth generation core network (5GC) services via a non-integrated, non-3GPP access network may comprise: generating and sending, by a NF entity of a 5GC network, an electronic indicator to a second NF entity of the 5GC network that indicates that registration of UE via a non-integrated, non-3GPP access is allowed; sending an indicator, by the first NF entity, to the UE that non-integrated, non-3GPP network registration is allowed; receiving, by the first NF entity, an Internet Key Exchange Security Association Initialization message (“initialization message”) that comprises the NSWOF key directly from the UE; and forming a secure communications channel (e.g., an IPsec tunnel) directly between the UE and the first NF entity.
  • This second exemplary method may comprise: (i) completing, at the first NF entity, a comparison process to authenticate a first communication session before proceeding with registration of the UE with the 5GC network; and/or (ii) sending, by the first NF entity, a registration message that includes a Non-Access Stratum, User Data Management, UE Configuration Management value, a previously generated Subscription Permanent Identifier (SUPI) value and a NSWOF address to a third NF entity of the 5GC network; and/or (iii) sending, by the first NF entity, a registration message to the third NF entity, wherein the registration message comprises a request that the third NF entity forward NSWOF specific data to the first NF entity, where the requested NSWOF data may comprise an identification of allowed 5GC services and the allowed 5GC services may comprise a service selected from a data service, a call service or a short message service.
  • Such a second exemplary method may comprise sending, by the first NF
  • A third exemplary method for providing fifth generation core network (5GC) services via a non-integrated, non-3GPP access network may comprise: generating, by a first NF entity of a 5GC network, a NSWOF key and a temporary UE identifier; and sending, by the first NF entity, the generated NSWOF key, the temporary UE identifier and a SUPI to a second NF entity of the 5GC network.
  • The third exemplary method may further comprise completing a first cryptographic process to generate the NSWOF key, wherein the first cryptographic process may comprise receiving a RAND value or a CONSTANT value, an FC value and an MSK value.
  • The generation of the NSWOF key may comprise completing a second cryptographic process, where the second cryptographic process may comprise receiving the temporary UE identifier value, an FC value and an MSK value.
  • The generation of the temporary UE identifier may comprise completing a third cryptographic process, wherein completing the third cryptographic process may comprise receiving a CONSTANT value or a RAND value, an FC value, and an MSK value.
  • A fourth method for providing fifth generation core network (5GC) services via a non-integrated, non-3GPP access network may comprise: generating and sending, by a third NF entity of a 5GC network, an electronic indicator to a second NF entity of the core 5G network that indicates that registration of UE via the non-integrated, non-3GPP access network is allowed; receiving a Non-Seamless Unified Data Management, Subscriber Data Management “get” message (“get message”) from a first NF entity of the 5GC network, the get message comprising a request to send non-seamless wireless offload network function (NSWOF) specific data to the first NF entity; and sending the NSWOF data to the first NF entity.
  • The present disclosure also provides related apparatuses for providing 5GC services via a non-integrated, non-3GPP access network.
  • Such an apparatus may further comprise means for preconfiguring a Fully Qualified Domain Name address of the first NF entity of the 5GC network.
  • A second exemplary apparatus may comprise an apparatus in a 5GC network that provides 5GC services via a non-integrated, non-3GPP access network.
  • Such an apparatus may comprise means for generating and sending a first indicator to a second NF entity of the 5GC network that indicates that registration of UE via the non-integrated, non-3GPP access network is allowed; means for sending a second indicator to the UE that non-integrated, non-3GPP network registration is allowed; means for receiving an Internet Key Exchange Security Association Initialization message (“initialization message”) that comprises a NSWOF key directly from the UE; and means for forming a secure communications channel (e.g., an IPsec tunnel) directly between the UE and the apparatus.
  • Such an apparatus may provide 5GC services via a non-integrated, non-3GPP access network, where the apparatus may comprise means for generating and sending an electronic indicator to a second NF entity of the 5GC network that indicates that registration of UE via the non-integrated, non-3GPP access network is allowed; means for receiving a Non-Seamless Unified Data Management, Subscriber Data Management “get” message (“get message”) from a first NF entity of the 5GC network, the get message comprising a request to send non-seamless wireless offload network function (NSWOF) specific data to the first NF entity; and means for sending the NSWOF data to the first NF entity.
  • The NSWOF specific data may identify the 5GC services that the UE may be allowed to access.
  • Figure 1 depicts an exemplary mobile communications network according to the present disclosure.
  • Figures 2A and 2B depict an exemplary message flow according to exemplary methods provided by the present disclosure.
  • Figures 3A and 3B depict exemplary block diagrams illustrating the generation of a non-seamless wireless offload network function (NSWOF) key according to exemplary methods provided by the present disclosure.
  • Figure 4 depicts an exemplary block diagram illustrating the generation of a temporary UE ID according to exemplary methods provided by the present disclosure.
  • Figure 5 depicts a simplified block diagram of an apparatus, such as an electronic element of a 5GC network or an electronic element of a non-integrated, non-3GPP access network.
  • Figure 6 depicts a simplified block diagram of an apparatus, such as a UE.
  • The terms “comprises,” “comprising,” or variations thereof are intended to refer to a non-exclusive inclusion, such that a process, method, article of manufacture, or apparatus that comprises a list of elements does not include only those elements in the list but may include other elements not expressly listed or inherent to such process, method, article of manufacture, or apparatus.
  • “Data” means information capable of being transmitted, received and/or stored in accordance with certain embodiments of the present disclosure.
  • “Telecommunication entity” refers to: (a) electronic hardware-only circuit implementations (e.g., implementations in analog circuitry and/or digital circuitry) capable of completing one or more functions, such as network functions (NF) or UE functions; and/or (b) combinations of electronic circuits and computer program product(s) comprising software and/or firmware instructions stored on one or more electronic memories that work together to cause an apparatus to perform one or more NFs, UE functions or process steps described herein; and/or (c) electronic circuits, such as, for example, an electronic microprocessor(s), a portion of a microprocessor(s), a processor, a portion of a processor, an electronic integrated circuit or an electronic applications processor (collectively referred to herein as “processor”) that executes stored instructions (e.g., software or firmware) retrieved from at least one electronic memory that, when executed by the processor, cause an apparatus or the element itself to perform one or more features,
  • The phrase electronic “memory” means a non-transitory, electronic storage medium (e.g., a volatile or nonvolatile memory device).
  • Non-transitory, electronic storage media include, but are not limited to: a random access memory (RAM); a programmable read only memory (PROM); an erasable programmable read only memory (EPROM); a FLASH-EPROM; a magnetic computer readable medium (e.g., a floppy disk, hard disk, magnetic tape, or any other magnetic medium); an optical computer readable medium (e.g., a compact disc read only memory (CD-ROM), a digital versatile disc (DVD), a Blu-Ray disc (BD), the like, or combinations thereof); or any other non-transitory medium from which an electronic processor can retrieve stored instructions that, when executed, cause an apparatus to perform one or more functions or steps in a process.
  • “Non-integrated” means a telecommunications network that is not seamlessly connected or interoperable with a 3GPP-defined cellular network, while the phrase “non-3GPP” means a telecommunications network that does not follow 3GPP standards for mobile communication.
  • A non-integrated, non-3GPP network is a private wireless network or WLAN built using technologies such as Wi-Fi, LoRa (Low Power Wide Area Network), or other proprietary wireless solutions. Such networks may be used for specific applications, such as in industrial Internet of Things (IoT) deployments.
  • The network 1 may comprise one or more UEs 2a to 2n configured to complete the innovative functions and steps described herein and to be in wireless communication with, and coupled to, one or more wireless access points (AP) 3a to 3n of an exemplary non-integrated, non-3GPP access network 4 (e.g., a WLAN) via one or more telecommunication channels 5a to 5n.
  • Each of the one or more wireless APs 3a to 3n may be configured to complete the innovative functions and steps described herein.
  • The non-integrated, non-3GPP access network 4 may be in further communication with a core wireless network 6, such as a 5GC wireless network.
  • The core wireless network 6 may comprise a plurality of telecommunication network function (NF) entities, such as a non-seamless wireless offload function (NSWOF) entity 8 (that may be referred to sometimes for simplicity as a “second NF entity”) configured to complete known non-seamless wireless offload network functions and steps, the innovative functions and steps described herein (e.g., innovative NSWOF functions and steps), and to support NSWO authentication.
  • NSWOF entity 8 may be wirelessly connected to one or more non-integrated, non-3GPP access networks, such as network 4, and to an authentication server function (AUSF) entity 9 (that may be referred to sometimes for simplicity as a “first NF entity”) that is also a part of core network 6 via wired or wireless connection 10.
  • AUSF entity 9 may be referred to as an extensible authentication protocol (EAP) authenticator and may be further configured to complete known network functions and steps and the innovative functions and steps described herein, to carry out authentication of the one or more UEs 2a to 2n, for example UE 2a, and to store data for authentication of UEs 2a to 2n.
  • FIG. 1 also depicts the AUSF entity 9 connected to a unified data management (UDM) entity 10 (that may be referred to sometimes for simplicity as a “third NF entity”) via wired or wireless means.
  • UDM entity 10 may be configured to complete known network functions and steps and the innovative functions and steps described herein, as well as to store user subscription data, decipher a subscription concealed identifier (SUCI), etc.
  • Although Figure 1 depicts telecommunication entities 8 to 10 as three separate and distinct elements, it should be understood that this is merely exemplary. Alternatively, one or more of the entities 8 to 10 may be combined together or, still further, may be separated into additional elements.
  • Embodiments of the disclosure innovatively alter and/or expand the features, functions and steps of entities 8 to 10, as well as of UEs 2a to 2n and APs 3a to 3n of the non-integrated, non-3GPP access network 4, to permit UEs 2a to 2n to securely register and connect to the 5GC network 6 in order to access 5GC services when neither a TNGF nor an N3IWF is available (i.e., without using 5G Non-Access Stratum (NAS) registration procedures via a non-3GPP access network).
  • The UE 2a may comprise an Internet-of-Things (IoT) compatible device, such as a mobile phone, laptop computer, personal computer, electronic server, household appliance or industrial device, to name just a few non-limiting examples of UE 2a.
  • In FIGs. 2A and 2B there is depicted an exemplary flow of communications involving elements and entities of the mobile network 1 that provide UE 2a with secure registration and connectivity to 5GC services via the non-integrated, non-3GPP access network 4 when neither a TNGF nor an N3IWF is available (i.e., without using 5G NAS registration procedures via a non-3GPP access network).
  • UE 2a may be pre-configured with the Fully Qualified Domain Name (“fqdn”) address of NSWOF entity 8 (i.e., complete primary authentication). Thereafter, steps 101 to 106 shown in Figure 2 (and as described in TS 33.501, Annex S for NSWO based authentication) may be completed by a combination of element 2a, elements and corresponding entities of network 4 (e.g., a WLAN) and elements and corresponding entities 8, 9 and 10 of 5GC network 6.
  • The UDM entity 10 may be configured to innovatively generate and send a “flag” (e.g., an electronic value, referred to herein as a “first” indicator) to the AUSF entity 9 (e.g., EAP authentication server) that indicates that registration of UEs via a non-integrated, non-3GPP access network, such as network 4, is allowed, provided subscription data allows a UE (e.g., UE 2a) to be registered via a non-integrated, non-3GPP network such as network 4.
  • Such a flag may be configured and stored in a Unified Data Repository (UDR) (e.g., a database; not shown in Figure 1) that may be managed by the UDM entity 10.
  • The NSWOF entity 8 may be configured to provide an indicator (e.g., an electronic message) to the AUSF entity 9 and UDM entity 10 that non-integrated, non-3GPP network registration is supported by core network 6 via connections 11, 12 in Figure 1 (hereafter referred to as a “second” indicator).
  • The indicator may be provided during step 105, for example.
  • Steps 108 to 115 shown in Figure 2A may be completed.
  • Step 116 may be completed.
  • If (i) the NSWOF entity 8 has sent the “second” indicator to the AUSF entity 9 and UDM entity 10 (i.e., that non-integrated, non-3GPP network registration is supported by core network 6) or (ii) the UDM entity 10 has sent the first indicator in step 107 to the AUSF entity 9 (i.e., that non-integrated, non-3GPP network registration is allowed by core network 6), the AUSF entity 9 may be configured to generate a NSWOF key and a temporary UE identifier.
  • The same NSWOF key and temporary UE identifier shall be generated by the UE 2a as well (i.e., by any UE 2a to 2n that wishes to register with the core 5G network 6 via the non-integrated, non-3GPP access network 4).
  • The AUSF 9 may send the so-generated NSWOF key and temporary UE identifier to UE 2a or, as described below, the UE 2a may generate this same key and identifier to form a secure communications channel (e.g., an IPsec tunnel).
  • The AUSF entity 9 may send the generated NSWOF key, temporary UE identifier and a Subscription Permanent Identifier (SUPI) to the NSWOF entity 8 via connection 11, for example during step 116.
  • The AUSF entity 9 may comprise at least one processor 502 configured to generate the NSWOF key 16 by executing electronic instructions stored in, and accessed and retrieved from, at least one memory (e.g., see Figure 5, memory 503) to complete a first cryptographic Key Derivation Function (KDF) process that generates the NSWOF key 16.
  • The processor 502 may receive a RAND value 13, a fixed constant (FC) value 15 and a Master Session Key (MSK) value 14 and then execute the first KDF process to generate the NSWOF key 16 during step 116 based on the received values 13, 14 and 15.
  • FC values may be values determined by a telecommunications standard or adopted by a telecommunications vendor. In a further embodiment, the same FC value may be used by an AUSF entity 9 for each UE 2a to 2n to generate an NSWOF key 16. Regarding the MSK values, in an embodiment, MSK values may be generated by an AUSF entity 9 using known processes independently from a UE 2a to 2n.
  • The processor 502 may receive a CONSTANT value 13 instead of a RAND value, an FC value 15 and an MSK value 14 and then execute the first cryptographic KDF process to generate the NSWOF key 16 during step 116.
  • CONSTANT values may be determined by a telecommunications standard or adopted by a telecommunications vendor. In a further embodiment, the same CONSTANT value may be used by an AUSF entity 9 for each UE 2a to 2n to generate an NSWOF key 16.
  • The processor 502 may receive a temporary UE identifier value 17 instead of a CONSTANT or RAND value, an FC value 19 and an MSK value 18 and then execute a “second” cryptographic KDF process to generate the NSWOF key 20 during step 116.
  • Upon receiving a CONSTANT value 21 (or a RAND value), an FC value 23 and an MSK value 22, the processor 502 (of AUSF 9, for example) may be configured to complete a third cryptographic KDF process in order to generate a temporary UE identifier 24 during step 116.
  • Upon receiving the third indicator, the non-integrated, non-3GPP access network 4 (e.g., one or more of the APs 3a to 3n) may be configured to send a similar indicator to the UE 2a that non-integrated, non-3GPP network registration is allowed (hereafter the “fourth indicator”) during step 117b via connection 5, for example. Thereafter, the non-integrated, non-3GPP access network 4 (e.g., one or more of the APs 3a to 3n) may complete the steps set forth in TS 33.501, Annex S for NSWO based authentication.
  • The UE 2a may be configured to complete a registration process with the 5GC network 6 via the non-integrated, non-3GPP access network 4 when neither a TNGF nor an N3IWF is available (i.e., without using 5G NAS registration procedures).
  • The UE 2a may be pre-configured with the Fully Qualified Domain Name (“fqdn”) address of NSWOF entity 8. Accordingly, to form an IPsec tunnel between the UE 2a and the NSWOF entity 8 of core network 6 that ensures that the registration and communications between the UE 2a and core network 6 may be secure, the UE 2a needs to derive the same NSWOF key and temporary UE identifier that were generated by an entity of the 5GC network 6 (e.g., AUSF entity 9).
  • A processor 604 of the UE 2a may receive a CONSTANT value 13, an FC value 15 and an MSK value 14 and then complete the first cryptographic KDF process discussed previously by executing electronic instructions stored in, and accessed and retrieved from, at least one memory (e.g., see Figure 6, memory 605) during step 119 to generate the NSWOF key 16.
  • The FC values may be determined by a telecommunications standard or adopted by a telecommunications vendor. In a further embodiment, the same FC value may be used by each UE 2a to 2n to generate an NSWOF key 16.
  • Each UE 2a to 2n may generate an MSK value independently from an AUSF entity 9 using known processes.
  • The processor 604 may receive a RAND value 13 instead of a CONSTANT value, an FC value 15 and an MSK value 14 and then execute the first cryptographic KDF process to generate the NSWOF key 16 during step 119.
  • The processor 604 may receive a temporary UE identifier value 17 instead of a CONSTANT or RAND value, an FC value 19 and an MSK value 18 and then execute the second cryptographic KDF process discussed previously to generate the NSWOF key 20 during step 119.
  • The UE 2a may generate the NSWOF key and temporary UE identifier values based on stored CONSTANT, RAND, FC and MSK values.
  • One or more of these values may be sent to the UE 2a from an element and corresponding entity of the 5GC network 6 (e.g., from the AUSF entity 9).
  • The RAND values 13, 21 in Figures 3A and 4 may be sent from an element and corresponding entity in core network 6 (e.g., from the AUSF entity 9) to the UE 2a.
  • The temporary UE identifier 17 in Figure 3B may be sent to the UE 2a from an entity of the 5GC network 6 (e.g., from the AUSF entity 9).
  • The FC and CONSTANT values are not sent to the UE 2a from an element and corresponding entity of the 5GC network 6.
  • the UE 2a Upon generating the NSWOF key using the embodiments described herein, the UE 2a then generates and directly sends an Internet Key Exchange Security Association Initialization message (referred to as “first initialization message”, abbreviated “IKE_SA_INIT”) that includes the NSWOF key directly to the NSWOF entity 8 during step 119a.
  • first initialization message abbreviated “IKE_SA_INIT”
  • the NSWOF entity 8 may be further configured to form a secure communications channel (e.g., an IP sec tunnel) directly between the UE 2a and NSWO entity 8 of 5GC network 6. Accordingly, the non-integrated, non-3GPP access network 4 does not have access to the established secure communications channel.
  • a secure communications channel e.g., an IP sec tunnel
  • the UE 2a may include a generated temporary UE identifier in an initialization message (referred to as “second initialization message”), and then send the second initialization message to the NSWO entity 8 during alternative step 119b.
  • second initialization message an initialization message
  • the NSWOF entity 8 Upon receiving the second initialization message the NSWOF entity 8 is configured to compare the received temporary UE identifier to its stored, temporary UE identifier. If the comparison results in a match then the NSWOF entity 8 is further configured to form a secure communications channel (e.g., an IP sec tunnel) between the UE 2a and NSWO entity 8 of 5GC network 6 during step 119b
  • a secure communications channel e.g., an IP sec tunnel
  • the UE 2a and NSWOF entity 8 may now begin an innovative process to register the UE 2a with the core network 6.
  • the UE 2a may send a first registration message that may include a temporary UE identifier within the now established, secure communications channel to the NSWOF entity 8 (referred to as “first communication session”).
  • Upon receiving the registration message that includes the temporary UE identifier, the NSWOF entity 8 completes a comparison process to authenticate the first communication session before proceeding with the registration of the UE 2a with the 5GC network 6.
  • the NSWOF entity 8 may send a second registration message that includes a NAS User Data Management (“Nudm”), UE Configuration Management (UECM) value, a previously generated Subscription Permanent Identifier (SUPI) value and the address of the NSWOF entity 8 (“NSWOF address”) to the UDM entity 10.
  • the SUPI value may have been previously stored and available at the AUSF entity 9 and then sent to the NSWOF entity 8.
  • Upon receiving the second registration message, the UDM entity 10 generates and sends a confirmation message to the NSWO entity 8 during step 122.
  • the NSWOF entity 8 may be configured to send a third registration message (e.g., a Non-Seamless Unified Data Management, Subscriber Data Management “get” message, i.e., a “Nudm_SDM_get operation” message or simply “get message”) to the UDM entity 10 during step 123.
  • the third registration message may comprise a request that the UDM entity 10 forward NSWOF specific data to the NSWOF entity 8.
  • the UDM entity 10 may send the requested NSWOF data to the NSWOF entity 8 during step 124.
  • NSWOF specific data may identify those 5GC services (e.g., limited services) that the UE 2a may be allowed to access after completing the secure authentication and registration process described herein.
  • the NSWOF entity 8 may send a limited service indication message to the UE 2a which allows the UE 2a (and its corresponding user) access to a limited range and number of 5GC services provided by the 5GC network 6.
  • a limited service may allow a data service but disallow call and/or short message services (SMS).
  • an exemplary limited service may allow a call service but disallow data and/or short message services (SMS).
  • another exemplary limited service may allow an SMS service but disallow data and/or call services, to name just a few of the types of limited services that can be allowed and/or disallowed.
  • FIG. 5 there is depicted a simplified block diagram of a network apparatus 500 comprising an entity of the 5GC network 6 (e.g., NSWO entity 8, AUSF entity 9 or UDM entity 10) or of the non-integrated, non-3GPP access network 4 (e.g., APs 3a to 3n of a WLAN) in accordance with an exemplary embodiment.
  • network apparatus refers to an element and its corresponding NFs of 5GC network 6 or of the non-integrated, non-3GPP access network 4 (e.g., a WLAN) while the phrase “UE apparatus” (or UE) refers to UE 2a to 2n and its corresponding UE functions.
  • network apparatus 500 may be configured to provide one or more network-based operations and features and perform related steps within 5GC network 6 or non-integrated, non-3GPP access network 4. Moreover, network apparatus 500 may be configured to complete a plurality of core network functions (NFs). For example, apparatus 500 may be incorporated into one or more of the network entities 8, 9 and 10 described above and herein.
  • In an embodiment, the network apparatus 500 may include means for completing one or more innovative NFs, features and steps. In embodiments, such means may comprise a combination of electronic elements, such as a network interface 501, at least one electronic processor 502, and an electronic memory 503.
  • FIG. 6 there is illustrated a simplified block diagram of a user apparatus 600 which may comprise user equipment 2a (or 2b to 2n).
  • User apparatus 600, or portions therein, may be implemented in other network apparatuses or elements including base stations/WLAN APs 3a to 3n, as well as the other network elements.
  • user apparatus 600 may comprise means for completing one or more innovative UE functions, features and steps.
  • such means may comprise a combination of electronic elements, such as at least one antenna 601 in communication with an electronic transmitter 602 and an electronic receiver 603.
  • apparatus 600 may comprise separate transmit and receive antennas (not shown for simplicity).
  • User apparatus 600 may also include additional means, such as at least one electronic processor 604 configured to provide communication signals to, and receive communication electronic signals from, the transmitter and receiver, respectively, and to control the functioning of the apparatus.
  • Processor 604 may be configured to control the functioning of the transmitter and receiver by effecting control signaling via electrical leads or wirelessly to the transmitter and receiver.
  • processor 604 may be configured to control other elements of user apparatus 600 by effecting control signaling via electrical leads or wirelessly connecting processor 604 to other components, such as a display (not shown for simplicity) or an electronic memory 605.
  • Processors 502, 604 may, for example, be embodied in a variety of ways including electronic circuitry, at least one electronic processing core, one or more microprocessors with accompanying digital signal processor(s), one or more electronic processor(s) without an accompanying digital signal processor, one or more coprocessors, one or more multi-core processors, one or more electronic controllers, electronic processing circuitry, one or more computers, various other electronic processing elements including integrated circuits (for example, an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), and/or the like), or some combination thereof. Accordingly, although illustrated in Figures 5 and 6 as a single processor, in some example embodiments processors 502, 604 may comprise a plurality of electronic processors or processing cores.
  • user apparatus 600 may be configured to operate using one or more air interface standards, communication protocols, modulation types, access types, and/or the like.
  • Signals sent and received by the processor 604 may include signaling information in accordance with an air interface standard of an applicable cellular system, and/or any number of different wireline or wireless networking techniques, comprising but not limited to Wi-Fi, WLAN techniques, such as Institute of Electrical and Electronics Engineers (IEEE) 802.11, 802.16, 802.3, ADSL, DOCSIS, and/or the like.
  • these signals may include speech data, user generated data, user requested data, and/or the like.
  • One or more memory elements 605 may be used to store information such as NSWOF keys, temporary UE identifiers, UE context information, and interact with processor 604 as known in the art.
  • user apparatus 600 and/or a cellular modem therein may be capable of operating in accordance with various communication protocols, such as first generation (1G) communication protocols, second generation (2G or 2.5G) communication protocols, third-generation (3G) communication protocols, fourth-generation (4G) communication protocols, fifth-generation (5G) communication protocols, Internet Protocol Multimedia Subsystem (IMS) communication protocols (for example, session initiation protocol (SIP)) and/or the like.
  • user apparatus 600 may be capable of operating in accordance with 2G wireless communication protocols IS-136, Time Division Multiple Access (TDMA), Global System for Mobile communications (GSM), IS-95, Code Division Multiple Access (CDMA), and/or the like.
  • user apparatus 600 may be capable of operating in accordance with 2.5G wireless communication protocols General Packet Radio Service (GPRS), Enhanced Data GSM Environment (EDGE), and/or the like. Still further, for example, apparatus 600 may be capable of operating in accordance with 3G wireless communication protocols, such as Universal Mobile Telecommunications System (UMTS), Code Division Multiple Access 2000 (CDMA2000), Wideband Code Division Multiple Access (WCDMA), Time Division-Synchronous Code Division Multiple Access (TD-SCDMA), and/or the like.
  • User apparatus 600 may be additionally capable of operating in accordance with (i) 3.9G wireless communication protocols, such as Long Term Evolution (LTE), Evolved Universal Terrestrial Radio Access Network (E-UTRAN), and/or the like, and (ii) 4G wireless communication protocols, such as LTE Advanced, 5G, and/or the like as well as similar wireless communication protocols that may be subsequently developed.
  • processors 502, 604 may include additional means, for example, circuitry for implementing audio/video and logic functions of apparatuses 500, 600.
  • processor 604 may comprise a digital signal processor device, a microprocessor device, an analog-to-digital converter, a digital-to-analog converter, and/or the like. Control and signal processing functions of user apparatus 600 may be allocated between these devices according to their respective capabilities.
  • processors 502, 604 may retrieve and access software or firmware stored as electronic instructions to cause their respective apparatuses 500, 600 to at least perform certain functions, features and/or steps.
  • processors 502, 604 may comprise means for performing authentication and registration processes, such as NSWOF key generation, and temporary UE identifier generation via one or more cryptographic KDF processes, security handshakes, and the like.
  • processor 604 may be configured to complete a connectivity process that allows user apparatus 600 to transmit and receive web content, such as location-based content, according to a protocol, such as wireless application protocol (WAP), hypertext transfer protocol (HTTP), and/or the like.
  • each of the apparatuses 500, 600 shown in Figures 5 and 6, include means for completing one or more innovative functions, features and steps, including, but not limited to, the UE functions, features and steps or network side functions (e.g., NFs) features and steps set forth in the claims below.
  • such means may comprise a combination of electronic elements, such as one or more electronic transmitters, receivers, electronic comparison circuitry, electronic input/output (I/O) circuitry, electronic conductors (e.g., electronic buses), at least one electronic processor 502, 604, and at least one electronic memory 503, 605 that comprises stored electronic instructions (i.e., computer program code), where the respective at least one processor 502, 604, in conjunction with the respective at least one memory 503, 605 and respective computer program code, is executed and/or arranged to cause the respective apparatus 500, 600 to perform at least the functions, features and steps described herein, including, but not limited to, the functions, features and steps illustrated in Figures 1 to 6.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The secure registration and connectivity of user equipment to a limited range of services offered by fifth generation core networks is provided when access to the services is via a non-integrated, non-Third Generation Partnership Project access network.

Description

METHODS AND RELATED APPARATUSES FOR PROVIDING 5GC SERVICE
ACCESS VIA A NON INTEGRATED NON 3GPP NETWORK
TECHNICAL FIELD
[0001] This disclosure is related to the field of mobile communication networks, in particular the provisioning of fifth generation core network (5GC) services to users and their associated devices via a non-integrated, non-Third Generation Partnership Project (3GPP) network.
INTRODUCTION
[0002] This section introduces aspects that may help facilitate a better understanding of the inventive disclosure. Accordingly, the statements in this section are to be read in this light and are not to be understood as admissions about what is, or what is not, prior art.
[0003] Given the substantial demand for wireless communications and 5GC services, 5GC cellular networks find it necessary to “offload” some traffic (e.g., data). To do so, both user equipment (UE) and cellular networks need to have the capability of completing such offloads via a non-integrated, non-3GPP access network (e.g., a wireless, local area network, abbreviated “WLAN”).
[0004] However, challenges occur in providing UEs with secure registration and connectivity to 5GC services via a non-integrated, non-3GPP access network when neither a Trusted Non-3GPP Gateway Function (TNGF) nor Non-3GPP InterWorking Function (N3IWF) are available (i.e., without using 5G Non-Access Stratum (NAS) registration procedures via a non-3GPP access network).
[0005] Accordingly, it is desirable to provide innovative solutions that alleviate the challenges outlined herein.
SUMMARY
[0006] The present disclosure sets forth exemplary methods and related devices for providing 5GC service access via a non-integrated, non-3GPP network.
[0007] In an embodiment, one such method for providing 5GC services via a non-integrated, non-3GPP access network may comprise: generating, by user equipment (UE), a non-seamless wireless offload (NSWOF) key after completing primary authentication; and directly sending an initialization message that comprises the NSWOF key to a first network function (NF) entity of a 5GC network to form a secure communication channel (e.g., an IPsec tunnel) directly between the UE and the first NF entity using the NSWOF key.
[0008] In such an exemplary method, forming the secure communication channel may further comprise generating, by the UE, a temporary UE identifier or receiving the temporary UE identifier, and generating, by the UE, the NSWOF key.
[0009] In an embodiment, generating the NSWOF key may comprise completing a first cryptographic process, wherein completing the first cryptographic process may further comprise receiving a CONSTANT value or a RAND value, FC value and a MSK value.
[0010] Alternatively, generating the NSWOF key may comprise completing a second cryptographic process, wherein completing the second cryptographic process may further comprise receiving the temporary UE identifier, an FC value and an MSK value.
[0011] In an embodiment, the generation of the temporary UE Identifier may further comprise completing a third cryptographic process, wherein completing the third cryptographic process may further comprise receiving a CONSTANT value or a RAND value, an FC value and an MSK value.
[0012] In addition to the steps described above (and elsewhere herein), such a method may further comprise generating, by the UE, an additional initialization message that comprises a generated temporary UE identifier and sending the additional initialization message and temporary UE identifier to the first NF entity within the formed secure communications channel.
[0013] Still further, the exemplary method may comprise completing the primary authentication by pre-configuring the UE with a Fully Qualified Domain Name address of the first NF entity of the 5GC network.
[0014] A second exemplary method for providing fifth generation, core network (5GC) services via a non-integrated, non-3GPP access network may comprise: generating and sending, by a NF entity of a 5GC network, an electronic indicator to a second NF entity of the 5GC network that indicates that registration of UE via a non-integrated, non-3GPP access is allowed; sending an indicator, by the first NF entity, to the UE that non-integrated, non-3GPP network registration is allowed; receiving, by the first NF entity, an Internet Key Exchange Security Association Initialization message (“initialization message”) that comprises NSWOF key directly from the UE; and forming a secure communications channel (e.g., an IPsec tunnel) directly between the UE and the first NF entity.
[0015] This second method may further comprise comparing, by the first NF entity, a received temporary UE identifier to a stored, temporary UE identifier; and forming the secure communications channel directly between the UE and the first NF entity when the comparison results in a match.
[0016] Still further, this second exemplary method may comprise: (i) completing, at the first NF entity, a comparison process to authenticate a first communication session before proceeding with registration of the UE with the 5GC network; and/or (ii) sending, by the first NF entity, a registration message that includes a Non-Access Stratum, User Data Management, UE Configuration Management value, a previously generated Subscription Permanent Identifier (SUPI) value and a NSWOF address to a third NF entity of the 5GC network; and/or (iii) sending, by the first NF entity, a registration message to the third NF entity, wherein the registration message comprises a request that the third NF entity forward NSWOF specific data to the first NF entity, where the requested NSWOF data may comprise an identification of allowed 5GC services and the allowed 5GC services may comprise a service selected from a data service, a call service or a short message service.
[0017] Yet further, such a second exemplary method may comprise sending, by the first NF entity, a limited service indication message to the UE which allows the UE access to a limited range and number of 5GC services provided by the 5GC network.
[0018] A third exemplary method for providing fifth generation, core network (5GC) services via a non-integrated, non-3GPP access network may comprise: generating, by a first NF entity of a 5GC network, a NSWOF key and a temporary UE Identifier; and sending, by the first NF entity, the generated NSWOF key, the temporary UE Identifier and a SUPI to a second NF entity of the 5GC network.
[0019] The third exemplary method may further comprise completing a first, cryptographic process to generate the NSWOF key, wherein the first cryptographic process may comprise receiving a RAND value or a CONSTANT value, an FC value and a MSK value.
[0020] Alternatively, the generation of the NSWOF key may comprise completing a second, cryptographic process, where the second cryptographic process may comprise receiving the temporary UE identifier value, an FC value and an MSK value.
[0021] In an embodiment, the generation of the temporary UE Identifier may comprise completing a third cryptographic process, wherein completing the third cryptographic process may comprise receiving a CONSTANT value or a RAND value, an FC value, and a MSK value.
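The three cryptographic processes of paragraphs [0009] to [0011] and [0019] to [0021] are each stated only by their inputs (a CONSTANT or RAND value, an FC value and the MSK from primary authentication). The following worked example, added here and not code from the patent or from Nokia, models them on the generic 3GPP key derivation function of TS 33.220 Annex B (HMAC-SHA-256 over FC followed by length-prefixed parameters), which the disclosure does not specify and is therefore an assumption. It also shows the comparison the NSWOF entity performs in step 119b and before registration: the received temporary UE identifier is checked against the stored one in constant time. The FC values, the CONSTANT string, the MSK, the RAND and the SUPI are all constructed placeholders; the 128-bit truncation of the temporary UE identifier is likewise an assumption.

```python
"""Added example: NSWOF key and temporary UE identifier derivation plus the
NSWOF entity's comparison step. Not the patent's or Nokia's code. The KDF
layout (TS 33.220 style), the FC values and all sample data are assumptions."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

FC_TEMP_UE_ID = b"\xa0"   # placeholder FC for the third cryptographic process
FC_NSWOF_KEY_1 = b"\xa1"  # placeholder FC for the first cryptographic process
FC_NSWOF_KEY_2 = b"\xa2"  # placeholder FC for the second cryptographic process
CONSTANT = b"NSWOF"       # constructed CONSTANT value, pre-configured, never sent to the UE


def kdf(key: bytes, fc: bytes, *params: bytes) -> bytes:
    """Generic KDF assumed here: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
    where each L_i is the 2-byte big-endian length of P_i."""
    s = fc
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_temp_ue_id(msk: bytes, seed: bytes = CONSTANT) -> bytes:
    """Third cryptographic process: temporary UE identifier from
    (CONSTANT or RAND, FC, MSK). Truncation to 16 bytes is an assumption."""
    return kdf(msk, FC_TEMP_UE_ID, seed)[:16]


def derive_nswof_key_from_seed(msk: bytes, seed: bytes = CONSTANT) -> bytes:
    """First cryptographic process: NSWOF key from (CONSTANT or RAND, FC, MSK)."""
    return kdf(msk, FC_NSWOF_KEY_1, seed)


def derive_nswof_key_from_temp_id(msk: bytes, temp_ue_id: bytes) -> bytes:
    """Second cryptographic process: NSWOF key from (temporary UE id, FC, MSK)."""
    return kdf(msk, FC_NSWOF_KEY_2, temp_ue_id)


@dataclass
class NswofEntity:
    """Minimal model of the NSWOF entity's per-UE context: SUPI -> stored temporary UE id,
    as received from the AUSF entity together with the NSWOF key."""
    stored: dict = field(default_factory=dict)

    def verify_temp_ue_id(self, supi: str, received: bytes) -> bool:
        """Step 119b / first registration: match the received temporary UE identifier
        against the stored one. compare_digest avoids a timing side channel."""
        expected = self.stored.get(supi)
        if expected is None or len(expected) != len(received):
            return False
        return hmac.compare_digest(expected, received)


def run_demo() -> dict:
    """Both sides derive the same material from the MSK without the FC or
    CONSTANT/RAND ever crossing the non-integrated network; the NSWOF entity
    then accepts only the matching temporary UE identifier."""
    msk = bytes(range(64))                                        # constructed 64-byte EAP MSK
    rand = bytes.fromhex("00112233445566778899aabbccddeeff")      # constructed RAND value
    supi = "imsi-001010123456789"                                 # constructed SUPI (test PLMN)

    # AUSF side (third exemplary method): derive and hand both values to the NSWOF entity.
    temp_id_ausf = derive_temp_ue_id(msk, rand)
    key_ausf = derive_nswof_key_from_temp_id(msk, temp_id_ausf)
    nswof = NswofEntity(stored={supi: temp_id_ausf})

    # UE side (first exemplary method): same inputs, same outputs.
    temp_id_ue = derive_temp_ue_id(msk, rand)
    key_ue = derive_nswof_key_from_temp_id(msk, temp_id_ue)

    return {
        "keys_match": hmac.compare_digest(key_ausf, key_ue),
        "temp_id_accepted": nswof.verify_temp_ue_id(supi, temp_id_ue),
        "wrong_id_rejected": not nswof.verify_temp_ue_id(supi, os.urandom(16)),
        "unknown_supi_rejected": not nswof.verify_temp_ue_id("imsi-999990000000000", temp_id_ue),
    }


if __name__ == "__main__":
    print(run_demo())
```

The distinct FC values keep the temporary UE identifier and the two NSWOF key variants in separate key-derivation domains even though all three are computed from the same MSK; a length check before `compare_digest` keeps the comparison from short-circuiting on mismatched lengths.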
[0022] A fourth method for providing fifth generation, core network (5GC) services via a non-integrated, non-3GPP access network may comprise: generating and sending, by a third NF entity of a 5GC network, an electronic indicator to a second NF entity of the core 5G network that indicates that registration of UE via the non-integrated, non-3GPP access network is allowed; receiving a Non-Seamless Unified Data Management, Subscriber Data Management, “get” message (“get message”) from a first NF entity of the 5GC network, the get message comprising a request to send non-seamless wireless offload network function (NSWOF) specific data to the first NF entity; and sending the NSWOF data to the first NF entity.
[0023] The method as in claim 28 wherein the NSWOF specific data identifies the 5GC services that the UE may be allowed to access.
[0024] In addition to exemplary methods, the present disclosure also provides related apparatuses for providing 5GC services via a non-integrated, non-3GPP access network. One such apparatus (e.g., a UE) may comprise means for generating an Internet Key Exchange Security Association Initialization message (“initialization message”) that includes a generated NSWOF key; and means for directly sending the initialization message to a first NF entity of a 5GC network to form a secure communication channel (e.g., an IPsec tunnel) directly between the apparatus and the first NF entity.
[0025] In an embodiment, such an apparatus may further comprise means for preconfiguring a Fully Qualified Domain Name address of the first NF entity of the 5GC network.
[0026] A second exemplary apparatus (e.g., a NSWOF entity of the 5GC network) may comprise an apparatus in a 5GC network that provides 5GC services via a non-integrated, non-3GPP access network. Such an apparatus may comprise means for generating and sending a first indicator to a second NF entity of the 5GC network that indicates that registration of UE via the non-integrated, non-3GPP access network is allowed; means for sending a second indicator to the UE that non-integrated, non-3GPP network registration is allowed; means for receiving an Internet Key Exchange Security Association Initialization message (“initialization message”) that comprises a NSWOF key directly from the UE; and means for forming a secure communications channel (e.g., an IPsec tunnel) directly between the UE and the apparatus.
[0027] A third exemplary apparatus (e.g., authentication server function (AUSF) entity of the 5GC network) may also be included in a 5GC network. Such an apparatus may provide 5GC services via a non-integrated, non-3GPP access network, where the apparatus may comprise means for generating a NSWOF key and a temporary UE Identifier; and means for sending the generated NSWOF key, the temporary UE Identifier and a Subscription Permanent Identifier (SUPI) to a first NF entity of the 5GC network.
[0028] A fourth exemplary apparatus (e.g., a Unified Data Management entity) may also be in a 5GC network. Such an apparatus may provide 5GC services via a non-integrated, non-3GPP access network, where the apparatus may comprise means for generating and sending an electronic indicator to a second NF entity of the 5GC network that indicates that registration of UE via the non-integrated, non-3GPP access network is allowed; means for receiving a Non-Seamless Unified Data Management, Subscriber Data Management, “get” message (“get message”) from a first NF entity of the 5GC network, the get message comprising a request to send non-seamless wireless offload network function (NSWOF) specific data to the first NF entity; and means for sending the NSWOF data to the first NF entity.
[0029] In an embodiment, the NSWOF specific data may identify the 5GC services that the UE may be allowed to access.
BRIEF DESCRIPTION OF THE DRAWINGS
[0030] The present invention is illustrated by way of example and is not limited by the accompanying figures in which like reference numerals indicate similar elements and in which:
[0031] Figure 1 depicts an exemplary mobile communications network according to the present disclosure.
[0032] Figures 2A and 2B depict an exemplary message flow according to exemplary methods provided by the present disclosure.
[0033] Figures 3A and 3B depict exemplary block diagrams illustrating the generation of a non-seamless wireless offload network functions (NSWOF) key according to exemplary methods provided by the present disclosure.
[0034] Figure 4 depicts an exemplary block diagram illustrating the generation of a temporary UE ID according to exemplary methods provided by the present disclosure.
[0035] Figure 5 depicts a simplified block diagram of an apparatus, such as an electronic element of a 5GC network or an electronic element of non-integrated, non-3GPP access network.
[0036] Figure 6 depicts a simplified block diagram of an apparatus, such as a UE.
[0037] Specific embodiments of the present invention are disclosed below with reference to various figures and sketches. Both the description and the illustrations have been drafted with the intent to enhance understanding. For example, the network in Figure 1 and the block diagrams in Figures 3 and 4 are not representative of actual networks, devices or apparatuses. Instead, they are provided in order to explain features of the inventive methods and apparatuses.
[0038] Simplicity and clarity in both illustration and description are sought to effectively enable a person of skill in the art to make, use, and best practice the exemplary embodiments described herein in view of what is already known in the art. One skilled in the art will appreciate that various modifications and changes may be made to the specific embodiments described herein without departing from the spirit and scope of the present disclosure. Thus, the text and figures are to be regarded as illustrative and exemplary rather than restrictive or all-encompassing, and all such modifications to the specific embodiments described herein are intended to be included within the scope of the present disclosure.
DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS
[0039] The detailed description that follows describes exemplary embodiments and is not intended to be limited to the expressly disclosed combination(s). Therefore, unless otherwise noted, features disclosed herein may be combined together to form additional combinations that were not otherwise shown for purposes of brevity.
[0040] As used herein and in the appended claims, the term "comprises," "comprising," or variations thereof are intended to refer to a non-exclusive inclusion, such that a process, method, article of manufacture, or apparatus that comprises a list of elements does not include only those elements in the list but may include other elements not expressly listed or inherent to such process, method, article of manufacture, or apparatus.
[0041] The terms “a” or “an”, as used herein, are defined as one, or more than one. The term “plurality”, as used herein, is defined as two, or more than two. The term “another”, as used herein, is defined as at least a second or more.
[0042] Unless otherwise indicated herein, the use of relational terms, if any, such as “first” and “second”, and the like are used solely to distinguish one function, process, or set of executable instructions from another function, process, or set of executable instructions without necessarily requiring or implying any actual such relationship, order or importance between such functions, processes, or sets of executable instructions.
[0043] The terms “including” and/or “having”, as used herein, are defined as comprising (i.e., open language).
[0044] In the figures, similar reference characters denote similar features consistently throughout the attached drawings.
[0045] The term “or” is used herein in both the alternative and conjunctive sense, unless otherwise indicated.
[0046] The terms “illustrative” and “exemplary” are used to be examples with no indication of quality level.
[0047] As used herein, the term “data” and similar terms means information capable of being transmitted, received and/or stored in accordance with certain embodiments of the present disclosure.
[0048] As used herein the term “user equipment” or “UE” refers to an apparatus that includes, among other things, electronic elements (e.g., a modem) that function as a radio frequency transceiver to wirelessly (i) transmit signals, messages and data to one or more elements (e.g., devices, apparatuses) of a mobile telecommunications network using an air interface and (ii) receive signals, messages and data from the one or more elements of the network using the air interface.
[0049] As used herein, where applicable use of the letters “a” and “n” in a phrase indicates the first and last elements or steps in a group of elements or steps, such as one or more UEs 2a to 2n for example.
[0050] As used herein, the term “telecommunication entity”, “entity” or the plural form “telecommunication entities”, “entities” refers to: (a) electronic hardware-only circuit implementations (e.g., implementations in analog circuitry and/or digital circuitry) capable of completing one or more functions, such as network functions (NF) or UE functions; and/or (b) combinations of electronic circuits and computer program product(s) comprising software and/or firmware instructions stored on one or more electronic memories that work together to cause an apparatus to perform one or more NFs, UE functions or process steps described herein; and/or (c) electronic circuits, such as, for example, an electronic microprocessor(s), a portion of a microprocessor(s), processor, portion of a processor, electronic integrated circuit or electronic applications processor (collectively referred to herein as “processor”) that executes stored instructions (e.g., software or firmware) retrieved from at least one electronic memory that, when executed by the processor cause an apparatus or the element itself to perform one or more features, NFs, UE functions or steps in a process or method. As used herein the words “telecommunication entity” and “entity” may be used interchangeably herein.
[0051] As used herein the designations “first’, “second”, “third” etc., and other relational terms, if any, are used solely to distinguish one network function (NF), entity, process or action from another NF, view, entity or action and/or to distinguish one UE function, entity, process or action from another UE function, view, entity, action or process without necessarily requiring or implying any actual such relationship, order or importance between such functions, views, entities, actions or processes.
[0052] As used herein, the phrase electronic “memory” (referred to as “memory” herein) means a non-transitory, electronic storage medium (e.g., volatile or nonvolatile memory device). Examples of non-transitory, electronic storage media include, but are not limited to: a random access memory (RAM); a programmable read only memory (PROM); an erasable programmable read only memory (EPROM); a FLASH- EPROM; a magnetic computer readable medium (e.g., a floppy disk, hard disk, magnetic tape, any other magnetic medium); an optical computer readable medium (e.g., a compact disc read only memory (CD-ROM); a digital versatile disc (DVD); a Blu-Ray disc (BD), the like, or combinations thereof), or any other non-transitory medium from which an electronic processor can retrieve stored instructions that when executed cause an apparatus to perform one or more functions or steps in a process.
[0053] As used herein the phrase “non-integrated” means a telecommunications network that is not seamlessly connected or interoperable with a 3GPP-defined cellular network, while the phrase “non-3GPP” means a telecommunications network that does not follow 3GPP standards for mobile communication. One example of a "non-integrated, non-3GPP network" is a private wireless network or WLAN built using technologies such as Wi-Fi, LoRa (Low Power Wide Area Network), or other proprietary wireless solutions. Such networks may be used for specific applications, such as in industrial Internet of Things (IoT) deployments.
[0054] Referring now to Figure 1, there is depicted an exemplary mobile communications network 1 (e.g., 5GC wireless network). In an embodiment, the network 1 may comprise one or more UEs 2a to 2n configured to complete innovative functions and steps described herein and be in wireless communication with, and coupled to, one or more wireless access points (AP) 3a to 3n of an exemplary non-integrated, non-3GPP access network 4 (e.g., a WLAN) via one or more telecommunication channels 5a to 5n. In an embodiment, each of the one or more wireless APs 3a to 3n may be configured to complete innovative functions and steps described herein. In addition, the non-integrated, non-3GPP access network 4 may be in further communication with a core wireless network 6, such as a 5GC wireless network.
[0055] In an embodiment, the core wireless network 6 may comprise a plurality of telecommunication network function (NF) entities, such as a non-seamless wireless offload (NSWOF) entity 8 (that may be referred to sometimes for simplicity as a “second NF entity”) configured to complete known non-seamless wireless offload network functions and steps (NSWOF), innovative functions and steps described herein (e.g., innovative NSWOF functions and steps), and to support NSWO authentication. Further, in an embodiment, NSWOF entity 8 may be wirelessly connected to one or more non-integrated, non-3GPP access networks, such as network 4, and to an authentication server function (AUSF) entity 9 (that may be referred to sometimes for simplicity as a “first NF entity”) that is also a part of core network 6 via wired or wireless connection 10. AUSF entity 9 may be referred to as an extensible authentication protocol (EAP) authenticator and may be further configured to complete known network functions and steps, innovative functions and steps described herein, and carry out authentication of the one or more UEs 2a to 2n, for example UE 2a, as well as store data for authentication of UEs 2a to 2n.
[0056] Figure 1 also depicts the AUSF entity 9 connected to a unified data management (UDM) entity 10 (that may be referred to sometimes for simplicity as a “third NF entity”) via wired or wireless means. UDM entity 10 may be configured to complete known network functions and steps, innovative functions and steps described herein, as well as store user subscription data, decipher a subscription concealed identifier (SUCI), etc.
[0057] While Figure 1 depicts telecommunication entities 8 to 10 as three separate and distinct elements, it should be understood that this is merely exemplary. Alternatively, one or more of the entities 8 to 10 may be combined together, or still further, may be separated into additional elements.
[0058] As will be explained in more detail herein, embodiments of the disclosure innovatively alter and/or expand the features, functions and steps of entities 8 to 10 as well as UEs 2a to 2n and APs 3a to 3n of the non-integrated, non-3GPP access network 4 to permit UEs 2a to 2n to securely register and connect to the 5GC network 6 in order to access 5GC services when neither a TNGF nor an N3IWF is available (i.e., without using 5G Non-Access Stratum (NAS) registration procedures via a non-3GPP access network).
[0059] For the sake of simplicity of explanation, familiarity with the disclosure in Technical Specification TS 33.501, Annex S for NSWO based authentication will be assumed. Further, the disclosure of Technical Specification TS 33.501, Annex S for NSWO based authentication is incorporated herein. In addition, to illustrate the innovative features, functions and steps provided by the present disclosure, we will (for now) discuss a single UE 2a and a single non-integrated, non-3GPP access network 4 (e.g., a WLAN), but this is merely exemplary. It should be understood that our discussion applies to each UE 2a to 2n seeking to securely register and connect to the 5GC network 6 in order to access 5GC services when neither a TNGF nor an N3IWF is available, and may apply to more than one non-integrated, non-3GPP access network as well. Still further, for the sake of simplicity we may refer to communications (e.g., messages, signaling) exchanged between the non-integrated, non-3GPP access network 4 and UE 2a and/or network 6, though it should be understood that such communications involve one or more of wireless APs 3a to 3n of network 4.
[0060] In embodiments, the UE 2a may comprise an Internet-of-Things (IoT) compatible device, such as a mobile phone, laptop computer, personal computer, electronic server, household appliance, and industrial device, to name just a few non-limiting examples of UE 2a.
[0061] Referring now to Figures 2A and 2B, there is depicted an exemplary flow of communications involving elements and entities of the mobile network 1 that provide UE 2a with secure registration and connectivity to 5GC services via the non-integrated, non-3GPP access network 4 when neither a TNGF nor an N3IWF is available (i.e., without using 5G NAS registration procedures via a non-3GPP access network).
[0062] In embodiments, our discussion will first describe the innovative features, functions and steps that may be completed by one or more of network entities 8 to 10 of 5GC network 6 in conjunction with non-integrated, non-3GPP access network 4, and then describe the innovative features, functions and steps that may be completed by UE 2a in conjunction with the non-integrated, non-3GPP access network 4 and core network 6.
[0063] In an embodiment, UE 2a may be pre-configured with the Fully Qualified Domain Name (“fqdn”) address of NSWOF entity 8 (i.e., complete primary authentication). Thereafter, steps 101 to 106 shown in Figure 2 (and as described in TS 33.501, Annex S for NSWO based authentication) may be completed by a combination of element 2a, elements and corresponding entities of network 4 (e.g., a WLAN), and elements and corresponding entities 8, 9 and 10 of 5GC network 6.
[0064] Thereafter, during innovative step 107 the UDM entity 10 may be configured to innovatively generate and send a “flag” (e.g., an electronic value, referred to herein as a “first” indicator) to the AUSF entity 9 (e.g., EAP authentication server) that indicates that registration of UEs via a non-integrated, non-3GPP access network, such as network 4, is allowed, provided subscription data allows a UE (e.g., UE 2a) to be registered via a non-integrated, non-3GPP network such as network 4. In an embodiment, such a flag may be configured and stored in a Unified Data Repository (UDR) (e.g., a database; not shown in Figure 1) that may be managed by the UDM entity 10.
[0065] Innovatively and alternatively, the NSWOF entity 8 may be configured to provide an indicator (e.g., an electronic message) to the AUSF entity 9 and UDM entity 10 that non-integrated, non-3GPP network registration is supported by core network 6 via connections 11, 12 in Figure 1 (hereafter referred to as a “second” indicator). The indicator may be provided during step 105, for example.
[0066] Upon completion of innovative step 107, steps 108 to 115 shown in Figure 2A (and as set forth in TS 33.501, Annex S for NSWO based authentication) may be completed.
[0067] Upon completion of step 115, in an embodiment innovative step 116 may be completed. In more detail, provided (i) the NSWOF entity 8 has sent the “second” indicator to the AUSF entity 9 and UDM entity 10 (i.e., that non-integrated, non-3GPP network registration is supported by core network 6) or (ii) the UDM entity 10 has sent the first indicator in step 107 to the AUSF entity 9 (i.e., that non-integrated, non-3GPP network registration is allowed by core network 6), the AUSF entity 9 may be configured to generate an NSWOF key and a temporary UE identifier. As described further herein, the same NSWOF key and temporary UE identifier shall be generated by the UE 2a as well (i.e., by any UE 2a to 2n that wishes to register with the core 5G network 6 via a non-integrated, non-3GPP access network 4). In an alternative embodiment, the AUSF entity 9 may send the so-generated NSWOF key and temporary UE identifier to UE 2a, or, as described below, the UE 2a may generate the same key and identifier itself, in order to form a secure communications channel (e.g., an IPsec tunnel).
[0068] Continuing, upon generating the NSWOF key and/or the temporary UE identifier, the AUSF entity 9 may send the generated NSWOF key, UE temporary identifier and a Subscription Permanent Identifier (SUPI) to the NSWOF entity 8 via connection 11, for example during step 116.
[0069] In more detail, we first turn to a discussion of exemplary embodiments for generating an NSWOF key by an element and corresponding entity of the 5GC network 6 (e.g., AUSF entity 9).
[0070] Referring now to Figure 3A, in an embodiment the AUSF entity 9 may comprise at least one processor 502 configured to generate the NSWOF key 16 by executing electronic instructions stored in, and accessed and retrieved from, at least one memory (e.g., see Figure 5, memory 503) to complete a first cryptographic Key Derivation Function (KDF) process that generates the NSWOF key 16. For example, as shown in Figure 3A the processor 502 may receive a RAND value 13, a fixed constant (FC) value 15 and a Master Session Key (MSK) value 14 and then execute the first KDF process to generate the NSWOF key 16 during step 116 based on the received values 13, 14 and 15. In an embodiment, FC values may be values determined by a telecommunications standard or adopted by a telecommunications vendor. In a further embodiment, the same FC value may be used by an AUSF entity 9 for each UE 2a to 2n to generate an NSWOF key 16. Regarding the MSK values, in an embodiment, MSK values may be generated by an AUSF entity 9 using known processes independently from a UE 2a to 2n.
[0071] Alternatively, the processor 502 may receive a CONSTANT value 13 instead of a RAND value, an FC value 15 and an MSK value 14 and then execute the first cryptographic KDF process to generate the NSWOF key 16 during step 116. In an embodiment, similar to FC values, CONSTANT values may be determined by a telecommunications standard or adopted by a telecommunications vendor. In a further embodiment, the same CONSTANT value may be used by an AUSF entity 9 for each UE 2a to 2n to generate an NSWOF key 16.
[0072] In yet another alternative embodiment, and with reference to Figure 3B, the processor 502 may receive a temporary UE identifier value 17 instead of a CONSTANT or RAND value, an FC value 19 and an MSK value 18 and then execute a “second” cryptographic KDF process to generate the NSWOF key 20 during step 116.
[0073] We now turn to a discussion of exemplary embodiments for generating a temporary UE identifier by an element and corresponding entity of the core 5G network 6 (e.g., AUSF entity 9).
[0074] Referring now to Figure 4, in an embodiment, upon receiving a CONSTANT value 21 (or a RAND value), an FC value 23 and an MSK value 22, the processor 502 (of AUSF entity 9, for example) may be configured to complete a third cryptographic KDF process in order to generate a temporary UE identifier 24 during step 116.
[0075] As indicated previously, upon generating the NSWOF key and/or the temporary UE identifier, the AUSF entity 9 (or another entity of core 5G network 6) may send the generated NSWOF key, UE temporary identifier and a SUPI to the NSWOF entity 8 via connection 11, for example during step 116.
[0076] Next, during step 117a the NSWOF entity 8 may be configured to receive and store the NSWOF key and/or temporary UE identifier, and the SUPI, from the AUSF entity 9. Further, NSWOF entity 8 may be configured to send an indication to the non-integrated, non-3GPP access network 4 that non-integrated, non-3GPP network registration is allowed (hereafter “third” indicator) via connection 7, for example. In addition, NSWOF entity 8 may be configured to complete additional steps set forth in TS 33.501, Annex S for NSWO based authentication.
[0077] Upon receiving the third indicator, the non-integrated, non-3GPP access network 4 (e.g., one or more of the APs 3a to 3n) may be configured to send a similar indicator to the UE 2a that non-integrated, non-3GPP network registration is allowed (hereafter “fourth indicator”) during step 117b via connection 5, for example. Thereafter, the non-integrated, non-3GPP access network 4 (e.g., one or more of the APs 3a to 3n) may complete steps set forth in TS 33.501, Annex S for NSWO based authentication.
[0078] We now turn our attention to the role of UE 2a, for example, in the innovative methods described herein for completing secure registration and connectivity of the UE 2a to 5GC services via the non-integrated, non-3GPP access network 4 when neither a TNGF nor an N3IWF function is available (i.e., without using 5G Non-Access Stratum (NAS) registration procedures via a non-3GPP access network).
[0079] Initially, we will set forth innovative embodiments for generating an NSWOF key and temporary UE identifier by the UE 2a based on stored values (e.g., stored by the UE 2a). Thereafter we will set forth embodiments for generating an NSWOF key and temporary UE identifier by the UE 2a based, at least in part, on values received from an element and corresponding entity of the core 5G network 6.
[0080] Backtracking, based on receipt of the fourth indicator discussed above that indicates non-integrated, non-3GPP network registration is allowed, the UE 2a may be configured to complete a registration process with the 5GC network 6 via the non-integrated, non-3GPP access network 4 when neither a TNGF nor an N3IWF is available (i.e., without using 5G NAS registration procedures).
[0081] Recall that the UE 2a may be pre-configured with the Fully Qualified Domain Name (“fqdn”) address of NSWOF entity 8. Accordingly, to form an IPsec tunnel between the UE 2a and the NSWOF entity 8 of core network 6 that ensures that the registration and communications between the UE 2a and core network 6 are secure, in an embodiment the UE 2a needs to derive the same NSWOF key and UE temporary identifier that were generated by an entity of the 5GC network 6 (e.g., AUSF entity 9).
[0082] Referring again to Figure 3A, a processor 604 of the UE 2a (see also Figure 6) may receive a CONSTANT value 13, an FC value 15 and an MSK value 14 and then complete the first cryptographic KDF process discussed previously by executing electronic instructions stored in, and accessed and retrieved from, at least one memory (e.g., see Figure 6, memory 605) during step 119 to generate the NSWOF key 16. As indicated previously, in an embodiment, the FC values may be determined by a telecommunications standard or adopted by a telecommunications vendor. In a further embodiment, the same FC value may be used by each UE 2a to 2n to generate an NSWOF key 16. Regarding the MSK values, in an embodiment, each UE 2a to 2n may generate an MSK value independently from an AUSF entity 9 using known processes.
[0083] Alternatively, the processor 604 may receive a RAND value 13 instead of a CONSTANT value, an FC value 15 and an MSK value 14 and then execute the first cryptographic KDF process to generate the NSWOF key 16 during step 119.
[0084] In yet another alternative embodiment, and with reference to Figure 3B, the processor 604 may receive a temporary UE identifier value 17 instead of a CONSTANT or RAND value, an FC value 19 and an MSK value 18 and then execute the second cryptographic KDF process discussed previously to generate the NSWOF key 20 during step 119.
[0085] We now turn to a discussion of exemplary embodiments for generating a temporary UE identifier by the UE 2a.
[0086] Referring again to Figure 4, in an embodiment, upon receiving a CONSTANT value 21 (or a RAND value), an FC value 23 and an MSK value 22, the processor 604 may be configured to complete the third cryptographic KDF process discussed previously in order to generate a temporary UE identifier 24 during step 119.
[0087] As indicated previously, the UE 2a may generate the NSWOF key and temporary UE identifier values based on stored CONSTANT, RAND, FC and MSK values.
[0088] One or more of these values may be sent to the UE 2a from an element and corresponding entity of the 5GC network 6 (e.g., from the AUSF entity 9).
[0089] For example, the RAND values 13, 21 in Figures 3A and 4 may be sent from an element and corresponding entity in core network 6 (e.g., from the AUSF entity 9) to the UE 2a. Further, the temporary UE identifier 17 in Figure 3B may be sent to the UE 2a from an entity of the 5GC network 6 (e.g., from the AUSF entity 9). In contrast, the FC and CONSTANT values are not sent to the UE 2a from an element and corresponding entity of the 5GC network 6.
[0090] Upon generating the NSWOF key using the embodiments described herein, the UE 2a then generates an Internet Key Exchange Security Association Initialization message (referred to as the “first initialization message”, abbreviated “IKE_SA_INIT”) that includes the NSWOF key and sends it directly to the NSWOF entity 8 during step 119a.
[0091] Upon receiving the initialization message from the UE 2a, the NSWOF entity 8 may be further configured to form a secure communications channel (e.g., an IPsec tunnel) directly between the UE 2a and NSWOF entity 8 of 5GC network 6. Accordingly, the non-integrated, non-3GPP access network 4 does not have access to the established secure communications channel.
[0092] As an alternative embodiment, the UE 2a may include a generated temporary UE identifier in an initialization message (referred to as the “second initialization message”), and then send the second initialization message to the NSWOF entity 8 during alternative step 119b.
[0093] Upon receiving the second initialization message, the NSWOF entity 8 is configured to compare the received temporary UE identifier to its stored temporary UE identifier. If the comparison results in a match, then the NSWOF entity 8 is further configured to form a secure communications channel (e.g., an IPsec tunnel) between the UE 2a and NSWOF entity 8 of 5GC network 6 during step 119b.
[0094] Having established a secure communications channel with the NSWOF entity 8, the UE 2a and NSWOF entity 8 may now begin an innovative process to register the UE 2a with the core network 6.
[0095] Referring to Figure 2B, in an embodiment, during step 120 the UE 2a may send a first registration message that may include a temporary UE identifier within the now established, secure communications channel to the NSWOF entity 8 (referred to as “first communication session”). Upon receiving the registration message that includes the temporary UE identifier the NSWOF entity 8 completes a comparison process to authenticate the first communication session before proceeding with the registration of the UE 2a with the 5GC network 6.
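The following is an added worked example and is not code from the patent or from the applicant. It shows the three KDF processes of paragraphs [0070] to [0074] (network side) and [0082] to [0086] (UE side) run over the same MSK and RAND, so that both sides arrive at the same NSWOF key and temporary UE identifier, and the NSWOF-side comparison of the received temporary UE identifier from paragraphs [0093] and [0095]. The page does not specify the KDF internals, the FC values, the CONSTANT or the identifier length; the example assumes the generic TS 33.220 Annex B construction (HMAC-SHA-256 over FC || P0 || L0 || ...), placeholder FC and CONSTANT values, a 16-octet identifier, and constructed sample MSK, RAND and SUPI values.

```python
"""Added example (not the patent's code): NSWOF key and temporary UE identifier
derivation on the AUSF and UE sides, plus the NSWOF-side identifier check.

Assumptions not stated on the page: TS 33.220 Annex B style KDF, placeholder
FC/CONSTANT values, 16-octet temporary identifier, constructed sample inputs.
"""
import hashlib
import hmac


def kdf_input_string(fc: int, *params: bytes) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1 ... (assumed TS 33.220 Annex B form).
    Each L_i is the 2-octet big-endian length of P_i."""
    if not 0 <= fc <= 0xFF:
        raise ValueError("FC must fit in one octet")
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("parameter too long for a 2-octet length field")
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF: HMAC-SHA-256 keyed with `key` over the input string S."""
    return hmac.new(key, kdf_input_string(fc, *params), hashlib.sha256).digest()


# Placeholder FC values for the three KDF processes (Figures 3A, 3B and 4).
# A deployment takes them from the standard or the vendor (paragraph [0070]).
FC_NSWOF_KEY = 0x90          # first KDF process: RAND or CONSTANT input
FC_NSWOF_KEY_TEMP_ID = 0x91  # second KDF process: temporary UE identifier input
FC_TEMP_UE_ID = 0x92         # third KDF process: temporary UE identifier output
CONSTANT = b"NSWOF-REG-V1"   # constructed sample CONSTANT, pre-configured on both sides
TEMP_ID_LEN = 16             # assumed identifier length


def derive_nswof_key(msk: bytes, seed: bytes) -> bytes:
    """First KDF process (Figure 3A): NSWOF key from MSK, FC and RAND or CONSTANT."""
    return kdf(msk, FC_NSWOF_KEY, seed)


def derive_temp_ue_id(msk: bytes, seed: bytes) -> bytes:
    """Third KDF process (Figure 4): temporary UE identifier from MSK, FC and RAND or CONSTANT."""
    return kdf(msk, FC_TEMP_UE_ID, seed)[:TEMP_ID_LEN]


def derive_nswof_key_from_temp_id(msk: bytes, temp_id: bytes) -> bytes:
    """Second KDF process (Figure 3B): NSWOF key bound to the temporary UE identifier."""
    return kdf(msk, FC_NSWOF_KEY_TEMP_ID, temp_id)


class NswofEntity:
    """Minimal model of NSWOF entity 8: holds the (temporary UE id, SUPI, NSWOF key)
    triples received from the AUSF in steps 116/117a and checks incoming identifiers."""

    def __init__(self) -> None:
        self._contexts: list[tuple[bytes, str, bytes]] = []

    def store_from_ausf(self, temp_id: bytes, supi: str, nswof_key: bytes) -> None:
        self._contexts.append((temp_id, supi, nswof_key))

    def lookup(self, received_temp_id: bytes):
        """Steps 119b / 120: return the SUPI whose stored temporary UE identifier
        matches the received one, else None. compare_digest keeps the byte
        comparison constant-time so identifier bytes do not leak via timing."""
        for stored_id, supi, _key in self._contexts:
            if hmac.compare_digest(stored_id, received_temp_id):
                return supi
        return None


def run_exchange(msk: bytes, rand: bytes, supi: str) -> dict:
    """Both sides derive from the same MSK (EAP result) and the same RAND; the
    AUSF pushes its results to the NSWOF, which then checks the UE's identifier."""
    # AUSF side (step 116): derive and hand over to the NSWOF together with the SUPI.
    ausf_key = derive_nswof_key(msk, rand)
    ausf_temp_id = derive_temp_ue_id(msk, rand)
    nswof = NswofEntity()
    nswof.store_from_ausf(ausf_temp_id, supi, ausf_key)

    # UE side (step 119): RAND was delivered by the network (paragraph [0089]);
    # FC and CONSTANT are pre-configured and never sent.
    ue_key = derive_nswof_key(msk, rand)
    ue_temp_id = derive_temp_ue_id(msk, rand)
    ue_key_alt = derive_nswof_key_from_temp_id(msk, ue_temp_id)  # Figure 3B variant

    return {
        "keys_match": hmac.compare_digest(ausf_key, ue_key),
        "temp_ids_match": hmac.compare_digest(ausf_temp_id, ue_temp_id),
        "alt_key_matches_ausf": hmac.compare_digest(
            ue_key_alt, derive_nswof_key_from_temp_id(msk, ausf_temp_id)),
        "lookup_ok": nswof.lookup(ue_temp_id),          # matching identifier -> SUPI
        "lookup_unknown": nswof.lookup(bytes(TEMP_ID_LEN)),  # unknown identifier -> None
    }


if __name__ == "__main__":
    # Constructed sample values: a 64-octet MSK as EAP-AKA' yields, a 16-octet RAND, a sample SUPI.
    print(run_exchange(bytes(range(64)), b"\xa5" * 16, "imsi-001010123456789"))
```

The CONSTANT variant of the first and third KDF processes is obtained by passing `CONSTANT` instead of `rand` as the seed on both sides; the identifier check in `lookup` is the same comparison whether it is performed on the second initialization message (step 119b) or on the first registration message (step 120).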
[0096] Thereafter, during steps 121 and 122 the NSWOF entity 8 and UDM entity 10 exchange messages to register the UE 2a within core network 6.
[0097] In more detail, during step 121 the NSWOF entity 8 may send a second registration message that includes a NAS User Data Management (“Nudm”), UE Configuration Management (UECM) value, a previously generated Subscription Permanent Identifier (SUPI) value and the address of the NSWOF entity 8 (“NSWOF address”) to the UDM entity 10.
[0098] In an embodiment, the SUPI value may have been previously stored and available at the AUSF entity 9 and then sent to the NSWOF entity 8.
[0099] Upon receiving the second registration message, the UDM entity 10 generates and sends a confirmation message to the NSWOF entity 8 during step 122.
[00100] Upon receiving the confirmation message from the UDM entity 10, the NSWOF entity 8 may be configured to send a third registration message (e.g., a Unified Data Management, Subscriber Data Management “get” message, i.e., a “Nudm_SDM_get operation” message or simply “get message”) during step 123 to the UDM entity 10. In an embodiment, the third registration message may comprise a request that the UDM entity 10 forward NSWOF specific data to the NSWOF entity 8. In response, upon receiving the get message the UDM entity 10 may send the requested NSWOF data to the NSWOF entity 8 during step 124. In an embodiment, NSWOF specific data may identify those 5GC services (e.g., limited services) that the UE 2a may be allowed to access after completing the secure authentication and registration process described herein.
[00101] Thereafter, during step 125, upon receiving the NSWOF data the NSWOF entity 8 may send a limited service indication message to the UE 2a which allows the UE 2a (and its corresponding user) access to a limited range and number of 5GC services provided by the 5GC network 6. For example, an exemplary limited service may allow a data service but disallow call and/or short message services (SMS). Alternatively, an exemplary limited service may allow a call service but disallow data and/or short message services (SMS). Yet further, another exemplary limited service may allow an SMS service but disallow data and/or call services, to name just a few of the types of limited services that can be allowed and/or disallowed.
[00102] Referring now to Figure 5, there is depicted a simplified block diagram of a network apparatus 500 comprising an entity of the 5GC network 6 (e.g., NSWOF entity 8, AUSF entity 9 or UDM entity 10) or of the non-integrated, non-3GPP access network 4 (e.g., APs 3a to 3n of a WLAN) in accordance with an exemplary embodiment.
[00103] For clarity, as set forth herein the phrase “network apparatus” refers to an element and its corresponding NFs of 5GC network 6 or of the non-integrated, non-3GPP access network 4 (e.g., a WLAN), while the phrase “UE apparatus” (or UE) refers to UE 2a to 2n and its corresponding UE functions.
[00104] In an embodiment, network apparatus 500 may be configured to provide one or more network-based operations and features and perform related steps within 5GC network 6 or non-integrated, non-3GPP access network 4. Moreover, network apparatus 500 may be configured to complete a plurality of core network functions (NFs). For example, apparatus 500 may be incorporated into one or more of the network entities 8, 9 and 10 described above and herein.
[00105] In an embodiment, the network apparatus 500 may include means for completing one or more innovative NFs, features and steps. In embodiments, such means may comprise a combination of electronic elements, such as a network interface 501, at least one electronic processor 502, and an electronic memory 503. The network interface 501 may include wired and/or wireless transceivers to enable access to other elements, nodes, and/or functions including base stations, elements 3a to 3n, 8, 9 and 10, the Internet, functions, and/or other elements. The memory 503 may comprise volatile and/or non-volatile memory including program code, which when executed by the at least one processor 502 provides, among other things, the processes disclosed herein including, but not limited to, NSWOF key generation and UE temporary ID generation.
[00106] Referring now to Figure 6 there is illustrated a simplified block diagram of a user apparatus 600 which may comprise user equipment 2a (or 2b to 2n). User apparatus 600, or portions therein, may be implemented in other network apparatuses or elements including base stations/WLAN APs 3a to 3n, as well as the other network elements.
[00107] In an embodiment, user apparatus 600 may comprise means for completing one or more innovative UE functions, features and steps. In embodiments, such means may comprise a combination of electronic elements, such as at least one antenna 601 in communication with an electronic transmitter 602 and an electronic receiver 603. Alternatively, apparatus 600 may comprise separate transmit and receive antennas (not shown for simplicity). User apparatus 600 may also include additional means, such as at least one electronic processor 604 configured to provide communication signals to, and receive electronic communication signals from, the transmitter and receiver, respectively, and to control the functioning of the apparatus. Processor 604 may be configured to control the functioning of the transmitter and receiver by effecting control signaling via electrical leads or wirelessly to the transmitter and receiver. Likewise, processor 604 may be configured to control other elements of user apparatus 600 by effecting control signaling via electrical leads or wirelessly connecting processor 604 to other components, such as a display (not shown for simplicity) or an electronic memory 605.
[00108] Processors 502, 604 may, for example, be embodied in a variety of ways including electronic circuitry, at least one electronic processing core, one or more microprocessors with accompanying digital signal processor(s), one or more electronic processor(s) without an accompanying digital signal processor, one or more coprocessors, one or more multi-core processors, one or more electronic controllers, electronic processing circuitry, one or more computers, various other electronic processing elements including integrated circuits (for example, an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), and/or the like), or some combination thereof. Accordingly, although illustrated in Figures 5 and 6 as a single processor, in some example embodiments processors 502, 604 may comprise a plurality of electronic processors or processing cores.
[00109] Continuing, and again with respect to user apparatus 600, in an embodiment user apparatus 600 may be configured to operate using one or more air interface standards, communication protocols, modulation types, access types, and/or the like. Signals sent and received by the processor 604 may include signaling information in accordance with an air interface standard of an applicable cellular system, and/or any number of different wireline or wireless networking techniques, comprising but not limited to Wi-Fi, WLAN techniques such as Institute of Electrical and Electronics Engineers (IEEE) 802.11, 802.16, 802.3, ADSL, DOCSIS, and/or the like. In addition, these signals may include speech data, user generated data, user requested data, and/or the like. One or more memory elements 605 may be used to store information such as NSWOF keys, temporary UE identifiers and UE context information, and interact with processor 604 as known in the art.
[00110] For example, user apparatus 600 and/or a cellular modem therein may be capable of operating in accordance with various communication protocols, such as first generation (1G) communication protocols, second generation (2G or 2.5G) communication protocols, third-generation (3G) communication protocols, fourth-generation (4G) communication protocols, fifth-generation (5G) communication protocols, and Internet Protocol Multimedia Subsystem (IMS) communication protocols (for example, session initiation protocol (SIP) and/or the like). For example, user apparatus 600 may be capable of operating in accordance with 2G wireless communication protocols IS-136 (Time Division Multiple Access, TDMA), Global System for Mobile communications (GSM), IS-95 (Code Division Multiple Access, CDMA), and/or the like. In addition, for example, user apparatus 600 may be capable of operating in accordance with 2.5G wireless communication protocols General Packet Radio Service (GPRS), Enhanced Data GSM Environment (EDGE), and/or the like. Still further, for example, apparatus 600 may be capable of operating in accordance with 3G wireless communication protocols, such as Universal Mobile Telecommunications System (UMTS), Code Division Multiple Access 2000 (CDMA2000), Wideband Code Division Multiple Access (WCDMA), Time Division-Synchronous Code Division Multiple Access (TD-SCDMA), and/or the like.
[00111] User apparatus 600 may be additionally capable of operating in accordance with (i) 3.9G wireless communication protocols, such as Long Term Evolution (LTE), Evolved Universal Terrestrial Radio Access Network (E-UTRAN), and/or the like, and (ii) 4G wireless communication protocols, such as LTE Advanced, 5G, and/or the like as well as similar wireless communication protocols that may be subsequently developed.
[00112] It should be understood that processors 502, 604 may include additional means, for example, circuitry for implementing audio/video and logic functions of apparatuses 500, 600. By way of a non-limiting example, processor 604 may comprise a digital signal processor device, a microprocessor device, an analog-to-digital converter, a digital-to-analog converter, and/or the like. Control and signal processing functions of user apparatus 600 may be allocated between these devices according to their respective capabilities.
[00113] In general, processors 502, 604 may retrieve and access software or firmware stored as electronic instructions to cause their respective apparatuses 500, 600 to at least perform certain functions, features and/or steps.
[00114] For example, processors 502, 604 may comprise means for performing authentication and registration processes, such as NSWOF key generation, and temporary UE identifier generation via one or more cryptographic KDF processes, security handshakes, and the like.
[00115] Yet further, processor 604 may be configured to complete a connectivity process that allows user apparatus 600 to transmit and receive web content, such as location-based content, according to a protocol, such as wireless application protocol, WAP, hypertext transfer protocol, HTTP, and/or the like.
[00116] It is to be understood that each of the apparatuses 500, 600 shown in Figures 5 and 6 includes means for completing one or more innovative functions, features and steps, including, but not limited to, the UE functions, features and steps or network side functions (e.g., NFs), features and steps set forth in the claims below. In embodiments, such means may comprise a combination of electronic elements, such as one or more electronic transmitters, receivers, electronic comparison circuitry, electronic input/output (I/O) circuitry, electronic conductors (e.g., electronic buses), at least one electronic processor 502, 604, and at least one electronic memory 503, 605 that comprises stored electronic instructions (i.e., computer program code), where the respective at least one processor 502, 604, in conjunction with the respective at least one memory 503, 605 and respective computer program code, is arranged to cause the respective apparatus 500, 600 to perform at least the functions, features and steps described herein, including, but not limited to, the functions, features and steps illustrated in Figures 1 to 6.
[00117] Although the foregoing descriptions and the associated drawings describe certain example embodiments in the context of certain example combinations of elements, functions or steps, it should be appreciated that different combinations of elements, functions and/or steps can be provided by alternative embodiments without departing from the scope of the appended claims. In this regard, for example, different combinations of elements, functions and/or steps than those explicitly described above are also contemplated as can be set forth in some of the appended claims. Although specific terms may be employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.
[00118] The claim language that follows below is incorporated herein by reference in expanded form, that is, hierarchically from broadest to narrowest, with each possible combination indicated by the multiple dependent claim references described as a unique standalone embodiment.
[00119] Benefits, other advantages, and solutions to challenges have been described above with regard to specific embodiments of the present invention. However, the benefits, advantages, solutions to challenges, and any element(s), functions and/or steps that may cause or result in such benefits, advantages, or solutions, or cause such benefits, advantages, or solutions to become more pronounced are not to be construed as a critical, required, or essential feature or element of any or all the claims.

Claims

1. A method for providing fifth generation, core network (5GC) services via a non-3GPP access network comprising: generating, by user equipment (UE), a non-seamless wireless offload (NSWOF) key after completing primary authentication; and directly sending an initialization message that comprises the generated NSWOF key to a first network function (NF) entity of a 5GC network to form a secure communication channel directly between the UE and the first NF entity using the NSWOF key.
2. The method as in claim 1 wherein forming the secure communication channel further comprises generating, by the UE, a temporary UE Identifier or receiving the temporary UE identifier.
3. The method as in claim 1 wherein generating the NSWOF key comprises completing a first cryptographic process.
4. The method as in claim 3 wherein completing the first cryptographic process further comprises receiving a CONSTANT value or a RAND value, FC value and a MSK value.
5. The method as in claim 1 wherein generating the NSWOF key comprises completing a second cryptographic process.
6. The method as in claim 5 wherein completing the second cryptographic process further comprises receiving the temporary UE identifier, an FC value and an MSK value.
7. The method as in claim 2 wherein generating the temporary UE Identifier further comprises completing a third cryptographic process.
8. The method as in claim 7 wherein completing the third cryptographic process further comprises receiving a CONSTANT value or a RAND value, an FC value and an MSK value.
9. The method as in claim 1 further comprising: generating, by the UE, an additional initialization message that comprises a generated temporary UE identifier; and sending the additional initialization message to the first NF entity within the formed secure communications channel.
10. The method as in claim 1 wherein the formed secure communications channel comprises an IPsec tunnel.
11. The method as in claim 1 further comprising completing the primary authentication by pre-configuring the UE with a Fully Qualified Domain Name address of the first NF entity of the 5GC network.
12. A method for providing fifth generation, core network (5GC) services via a non-integrated, non-3GPP access network comprising: generating and sending, by a first network function (NF) entity of a 5GC network, an electronic indicator to a second NF entity of the 5GC network that indicates that registration of user equipment (UE) via a non-integrated, non-3GPP access is allowed; sending an indicator, by the first NF entity, to the UE that non-integrated, non-3GPP network registration is allowed; receiving, by the first NF entity, an Internet Key Exchange Security Association Initialization message ("initialization message") that comprises a non-seamless wireless offload (NSWOF) key directly from the UE; and forming a secure communications channel directly between the UE and the first NF entity.
13. The method as in claim 12 wherein the secure communications channel comprises an IPsec tunnel.
14. The method as in claim 12 further comprising: comparing, by the first NF entity, a received temporary UE identifier to a stored, temporary UE identifier; and forming the secure communications channel directly between the UE and the first NF entity when the comparison results in a match.
15. The method as in claim 12 further comprising completing, at the first NF entity, a comparison process to authenticate a first communication session before proceeding with registration of the UE with the 5GC network.
16. The method as in claim 12 further comprising sending, by the first NF entity, a registration message that includes a Non-Access Stratum, User Data Management, UE Configuration Management value, a previously generated Subscription Permanent Identifier (SUPI) value and a NSWOF address to a third NF entity of the 5GC network.
17. The method as in claim 12 further comprising sending, by the first NF entity, a registration message to the third NF entity, wherein the registration message comprises a request that the third NF entity forward NSWOF specific data to the first NF entity.
18. The method as in claim 17 wherein the requested NSWOF data comprises an identification of allowed 5GC services.
19. The method of claim 18 wherein the allowed 5GC services comprises a service selected from a data service, a call service or a short message service.
20. The method as in claim 12 further comprising sending, by the first NF entity, a limited service indication message to the UE which allows the UE access to a limited range and number of 5GC services provided by the 5GC network.
21. A method for providing fifth generation, core network (5GC) services via a non-integrated, non-3GPP access network comprising: generating, by a first network function (NF) entity of a 5GC network, a non-seamless wireless offload network function (NSWOF) key and a temporary UE Identifier; and sending, by the first NF entity, the generated NSWOF key, the temporary UE Identifier and a Subscription Permanent Identifier (SUPI) to a second NF entity of the 5GC network.
22. The method as in claim 21 wherein the generation of the NSWOF key comprises completing a first, cryptographic process.
23. The method as in claim 22 wherein completing the first cryptographic process comprises receiving a randomly generated (RAND) value or a CONSTANT value, a fixed constant (FC) value and a Master Session Key (MSK) value.
24. The method as in claim 21 wherein the generation of the NSWOF key comprises completing a second, cryptographic process.
25. The method as in claim 24 wherein completing the second cryptographic process comprises receiving the temporary UE identifier value, an FC value and an MSK value.
26. The method as in claim 21 wherein the generation of the temporary UE Identifier comprises completing a third cryptographic process.
27. The method as in claim 26 wherein completing the third cryptographic process comprises receiving a CONSTANT value or a RAND value, an FC value, and a MSK value.
28. An apparatus for providing core fifth generation (5GC) services via a non-integrated, non-3GPP access network, the apparatus comprising: means for generating an Internet Key Exchange Security Association Initialization message ("initialization message") that comprises a generated non-seamless wireless offload network function (NSWOF) key; and means for directly sending the initialization message to a first network function (NF) entity of a 5GC network to form a secure communication channel directly between the apparatus and the first NF entity.
29. The apparatus as in claim 28, wherein the apparatus comprises User Equipment.
30. The apparatus as in claim 28 wherein the formed secure communications channel comprises an IPsec tunnel.
31. The apparatus as in claim 28 further comprising means for pre-configuring a Fully Qualified Domain Name address of the first NF entity of the 5GC network.
32. An apparatus in a core fifth generation (5GC) network for providing 5GC services via a non-integrated, non-3GPP access network, the apparatus comprising: means for generating and sending a first indicator to a second network function (NF) entity of the 5GC network that indicates that registration of user equipment (UE) via the non-integrated, non-3GPP access network is allowed; means for sending a second indicator to the UE that non-integrated, non-3GPP network registration is allowed; means for receiving an Internet Key Exchange Security Association Initialization message (“initialization message”) that comprises a non-seamless wireless offload network function (NSWOF) key directly from the UE; and means for forming a secure communications channel directly between the UE and the apparatus.
33. The apparatus as in claim 32, wherein the apparatus comprises a NSWOF entity of the 5GC network.
34. The apparatus as in claim 32 wherein the secure communications channel comprises an IPsec tunnel.
35. An apparatus in a core fifth generation (5GC) network for providing 5GC services via a non-integrated, non-3GPP access network, the apparatus comprising: means for generating a non-seamless wireless offload network function (NSWOF) key and a temporary UE Identifier; and means for sending the generated NSWOF key, the temporary UE Identifier and a Subscription Permanent Identifier (SUPI) to a first network function (NF) entity of the 5GC network.
36. The apparatus as in claim 35, wherein the apparatus comprises an authentication server function (AUSF) entity of the 5GC network.
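Claims 3 to 8 and 21 to 27 describe the NSWOF key and the temporary UE identifier as outputs of "cryptographic processes" fed with a CONSTANT or RAND value, an FC value and the MSK, and claim 14 describes the NSWOF entity admitting the UE only when the received temporary UE identifier matches the one it holds. The patent does not fix the key derivation function, so the following added example (written for this page, not code from the patent or from Nokia) realizes those processes with the 3GPP TS 33.220 Annex B style KDF (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...), shows the AUSF-side and UE-side derivations agreeing, and shows the NSWOF-side match check. The FC values, the CONSTANT string, the MSK and RAND test vectors and the SUPI are all constructed placeholders. The example also goes slightly beyond the claims in one respect: it chains the second process onto the output of the third (temporary identifier first, then key), which the claims permit but do not require.

```python
"""Added example: NSWOF key / temporary UE identifier derivation and the
NSWOF-side match check, as one possible realization of claims 3-8, 14 and
21-27. Not code from the patent. KDF construction, FC values, CONSTANT and
all test vectors are assumptions/constructed values."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Placeholder function codes (assumption: 3GPP has not allocated these here).
FC_NSWOF_KEY = 0x90
FC_TEMP_UE_ID = 0x91
# Constructed stand-in for the "CONSTANT value" alternative in the claims.
CONSTANT = b"NSWOF"


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 Annex B style KDF: HMAC-SHA-256(key, FC || P0 || L0 || ...),
    where each Li is the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_temp_ue_id(msk: bytes, seed: bytes) -> bytes:
    """Third cryptographic process (claims 7-8, 26-27):
    (CONSTANT or RAND, FC, MSK) -> 128-bit temporary UE identifier."""
    return kdf(msk, FC_TEMP_UE_ID, seed)[:16]


def derive_nswof_key_first(msk: bytes, seed: bytes) -> bytes:
    """First cryptographic process (claims 3-4, 22-23):
    (CONSTANT or RAND, FC, MSK) -> 256-bit NSWOF key."""
    return kdf(msk, FC_NSWOF_KEY, seed)


def derive_nswof_key_second(msk: bytes, temp_ue_id: bytes) -> bytes:
    """Second cryptographic process (claims 5-6, 24-25):
    (temporary UE identifier, FC, MSK) -> 256-bit NSWOF key."""
    return kdf(msk, FC_NSWOF_KEY, temp_ue_id)


@dataclass(frozen=True)
class NswofContext:
    """What the AUSF sends to the NSWOF entity (claim 21): key, temp id, SUPI."""
    supi: str
    temp_ue_id: bytes
    nswof_key: bytes


def ausf_provision(msk: bytes, supi: str, rand: bytes) -> NswofContext:
    """AUSF side: derive both values from the MSK of the primary authentication
    and bundle them with the SUPI for the NSWOF entity (claims 21, 24-27)."""
    temp_id = derive_temp_ue_id(msk, rand)
    return NswofContext(supi, temp_id, derive_nswof_key_second(msk, temp_id))


def ue_derive(msk: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """UE side: same derivation from the same MSK and RAND (claims 1-8),
    so the UE never needs the key delivered to it."""
    temp_id = derive_temp_ue_id(msk, rand)
    return temp_id, derive_nswof_key_second(msk, temp_id)


def nswof_accept(ctx: NswofContext, received_temp_id: bytes, received_key: bytes) -> bool:
    """NSWOF side (claim 14): form the channel only when the received temporary
    UE identifier matches the stored one and the key agrees. Constant-time
    comparisons so a failed check does not leak which bytes differed."""
    if not hmac.compare_digest(ctx.temp_ue_id, received_temp_id):
        return False
    return hmac.compare_digest(ctx.nswof_key, received_key)


if __name__ == "__main__":
    msk = secrets.token_bytes(64)   # constructed MSK (real one comes from EAP)
    rand = secrets.token_bytes(16)  # constructed RAND shared in primary auth
    ctx = ausf_provision(msk, "imsi-262011234567890", rand)  # placeholder SUPI
    temp_id, key = ue_derive(msk, rand)
    print("temp UE id:", temp_id.hex())
    print("UE and AUSF keys agree:", nswof_accept(ctx, temp_id, key))
    print("foreign UE rejected:", not nswof_accept(ctx, *ue_derive(bytes(64), rand)))
```

One practical caveat: IKE_SA_INIT is the unauthenticated first exchange of IKEv2, so a deployment would not place the raw NSWOF key in that message in the clear; the derived key would instead serve as the shared secret that authenticates the IKE_AUTH exchange, with the temporary UE identifier carried as the IKE identity the NSWOF entity looks up before the comparison above.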
PCT/EP2024/078240 2023-10-31 2024-10-08 Methods and related apparatuses for providing 5gc service access via a non integrated non 3gpp network Pending WO2025093230A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202480032908.2A CN121128138A (en) 2023-10-31 2024-10-08 Method and related apparatus for providing 5GC service access through non-integrated non-3 GPP network

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN202311074177 2023-10-31

Publications (1)

Publication Number Publication Date
WO2025093230A1 true WO2025093230A1 (en) 2025-05-08

Family

ID=93061744

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2024/078240 Pending WO2025093230A1 (en) 2023-10-31 2024-10-08 Methods and related apparatuses for providing 5gc service access via a non integrated non 3gpp network

Country Status (2)

Country Link
CN (1) CN121128138A (en)
WO (1) WO2025093230A1 (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190215691A1 (en) * 2016-10-05 2019-07-11 Apostolis SALKINTZAZ Core network attachment through standalone non-3gpp access networks
WO2022146034A1 (en) * 2020-12-31 2022-07-07 Samsung Electronics Co., Ltd. Method and systems for authenticating ue for accessing non-3gpp service

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on security aspects of enhanced support of Non-Public Networks phase 2 (Release 18)", 25 January 2023 (2023-01-25), XP052233772, Retrieved from the Internet <URL:https://www.3gpp.org/ftp/TSG_SA/WG3_Security/TSGS3_109AdHoc-e/Docs/S3-230483.zip 33858-040.docx> [retrieved on 20230125] *

Also Published As

Publication number Publication date
CN121128138A (en) 2025-12-12

Legal Events

Code 121 (EP): the EPO has been informed by WIPO that EP was designated in this application
Ref document number: 24787432
Country of ref document: EP
Kind code of ref document: A1