WO2025093230A1 - Methods and related apparatuses for providing access to a 5GC service via a non-integrated non-3GPP network - Google Patents
- Publication number
- WO2025093230A1 (PCT/EP2024/078240)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- network
- entity
- nswof
- value
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0892—Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/164—Implementing security features at a particular protocol layer at the network layer
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/72—Subscriber identity
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/10—Small scale networks; Flat hierarchical networks
- H04W84/12—WLAN [Wireless Local Area Networks]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
- H04W88/02—Terminal devices
- H04W88/06—Terminal devices adapted for operation in multiple networks or having at least two operational modes, e.g. multi-mode terminals
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W92/00—Interfaces specially adapted for wireless communication networks
- H04W92/02—Inter-networking arrangements
Definitions
- This disclosure is related to the field of mobile communication networks, in particular the provisioning of fifth generation core network (5GC) services to users and their associated devices via a non-integrated, non-Third Generation Partnership Project (3GPP) network.
- 5GC fifth generation core network
- 3GPP Third Generation Partnership Project
- 5GC cellular networks find it necessary to “offload” some traffic (e.g., data). To do so, both user equipment (UE) and cellular networks need to have the capability of completing such offloads via a non-integrated, non-3GPP access network (e.g., a wireless, local area network, abbreviated “WLAN”).
- WLAN wireless, local area network
- the present disclosure sets forth exemplary methods and related devices for providing 5GC service access via a non-integrated, non-3GPP network.
- one such method for providing 5GC services via a nonintegrated, non-3GPP access network may comprise: generating, by user equipment (UE), a non-seamless wireless offload (NSWOF) key after completing primary authentication; and directly sending an initialization message that comprises the NSWOF key to a first network function (NF) entity of a 5GC network to form a secure communication channel (e.g., an IP sec tunnel) directly between the UE and the first NF entity using the NSWOF key.
- UE user equipment
- NSWOF non-seamless wireless offload
- Such an exemplary method may further comprise forming the secure communication channel, which in turn comprises generating, by the UE, a temporary UE identifier (or receiving the temporary UE identifier) and generating, by the UE, the NSWOF key.
- generating the NSWOF key may comprise completing a first cryptographic process, wherein completing the first cryptographic process may further comprise receiving a CONSTANT value or a RAND value, FC value and a MSK value.
- generating the NSWOF key may comprise completing a second cryptographic process, wherein completing the second cryptographic process may further comprise receiving the temporary UE identifier, an FC value and an MSK value.
- the generation of the temporary UE Identifier may further comprise completing a third cryptographic process, wherein completing the third cryptographic process may further comprise receiving a CONSTANT value or a RAND value, an FC value and an MSK value.
- such a method may further comprise generating, by the UE, an additional initialization message that comprises a generated temporary UE identifier and sending the additional initialization message and temporary UE identifier to the first NF entity within the formed secure communications channel.
- the exemplary method may comprise completing the primary authentication by pre-configuring the UE with a Fully Qualified Domain Name address of the first NF entity of the 5GC network.
- a second exemplary method for providing fifth generation, core network (5GC) services via a non-integrated, non-3GPP access network may comprise: generating and sending, by a NF entity of a 5GC network, an electronic indicator to a second NF entity of the 5GC network that indicates that registration of UE via a nonintegrated, non-3GPP access is allowed; sending an indicator, by the first NF entity, to the UE that non-integrated, non-3GPP network registration is allowed; receiving, by the first NF entity, an Internet Key Exchange Security Association Initialization message (“initialization message”) that comprises NSWOF key directly from the UE; and forming a secure communications channel (e.g., an IP sec tunnel) directly between the UE and the first NF entity.
- an Internet Key Exchange Security Association Initialization message (“initialization message”) that comprises NSWOF key directly from the UE
- a secure communications channel e.g., an IP sec tunnel
- this second exemplary method may comprise: (i) completing, at the first NF entity, a comparison process to authenticate a first communication session before proceeding with registration of the UE with the 5GC network; and/or (ii) sending, by the first NF entity, a registration message that includes a Non-Access Stratum, User Data Management, UE Configuration Management value, a previously generated Subscription Permanent Identifier (SUPI) value and a NSWOF address to a third NF entity of the 5GC network; and/or (iii) sending, by the first NF entity, a registration message to the third NF entity, wherein the registration message comprises a request that the third NF entity forward NSWOF specific data to the first NF entity, where the requested NSWOF data may comprise an identification of allowed 5GC services and the allowed 5GC services may comprise a service selected from a data service, a call service or a short message service.
- such a second exemplary method may comprise sending, by the first NF
- Third exemplary method for providing fifth generation, core network (5GC) services via a non-integrated, non-3GPP access network may comprise: generating, by a first NF entity of a 5GC network, a NSWOF key and a temporary UE Identifier; and sending, by the first NF entity, the generated NSWOF key, the temporary UE Identifier and a SUPI to a second NF entity of the 5GC network.
- the third exemplary method may further comprise completing a first, cryptographic process to generate the NSWOF key, wherein the first cryptographic process may comprise receiving a RAND value or a CONSTANT value, an FC value and a MSK value.
- the generation of the NSWOF key may comprise completing a second, cryptographic process, where the second cryptographic process may comprise receiving the temporary UE identifier value, an FC value and an MSK value.
- the generation of the temporary UE Identifier may comprise completing a third cryptographic process, wherein completing the third cryptographic process may comprise receiving a CONSTANT value or a RAND value, an FC value, and a MSK value.
- a fourth method for providing fifth generation, core network (5GC) services via a non-integrated, non-3GPP access network may comprise: generating and sending, by a third NF entity of a 5GC network, an electronic indicator to a second NF entity of the core 5G network that indicates that registration of UE via the nonintegrated, non-3GPP access network is allowed; receiving a Non-Seamless Unified Data Management, Subscriber Data Management, “get” message (“get message”) from a first NF entity of the 5GC network, the get message comprising a request to send non-seamless wireless offload network function (NSWOF) specific data to the first NF entity; and sending the NSWOF data to the first NF entity.
- NSWOF non-seamless wireless offload network function
- the present disclosure also provides related apparatuses for providing 5GC services via a non-integrated, non-3GPP access network.
- a non-integrated, non-3GPP access network e.g., a UE
- a secure communication channel e.g., an IP sec tunnel
- such an apparatus may further comprise means for preconfiguring a Fully Qualified Domain Name address of the first NF entity of the 5GC network.
- a second exemplary apparatus may comprise an apparatus in a 5GC network that provides 5GC services via a nonintegrated, non-3GPP access network.
- Such an apparatus may comprise means for generating and sending a first indicator to a second NF entity of the 5GC network that indicates that registration of UE via the non-integrated, non-3GPP access network is allowed; means for sending a second indicator to the UE that non-integrated, non- 3GPP network registration is allowed; means for receiving an Internet Key Exchange Security Association Initialization message (“initialization message”) that comprises a NSWOF key directly from the UE; and means for forming a secure communications channel (e.g., an IP sec tunnel) directly between the UE and the apparatus.
- initialization message an Internet Key Exchange Security Association Initialization message
- Such an apparatus may provide 5GC services via a nonintegrated, non-3GPP access network, where the apparatus may comprise means for generating and sending an electronic indicator to a second NF entity of the 5GC network that indicates that registration of UE via the non-integrated, non-3GPP access network is allowed; means for receiving a Non-Seamless Unified Data Management, Subscriber Data Management, “get” message (“get message”) from a first NF entity of the 5GC network, the get message comprising a request to send non-seamless wireless offload network function (NSWOF) specific data to the first NF entity; and means for sending the NSWOF data to the first NF entity.
- NSWOF non-seamless wireless offload network function
- the NSWOF specific data may identify the 5GC services that the UE may be allowed to access.
- Figure 1 depicts an exemplary mobile communications network according to the present disclosure.
- Figures 2A and 2B depict an exemplary message flow according to exemplary methods provided by the present disclosure.
- Figures 3A and 3B depict exemplary block diagrams illustrating the generation of a non-seamless wireless offload network functions (NSWOF) key according to exemplary methods provided by the present disclosure.
- NSWOF non-seamless wireless offload network functions
- Figure 4 depicts an exemplary block diagram illustrating the generation of a temporary UE ID according to exemplary methods provided by the present disclosure.
- Figure 5 depicts a simplified block diagram of an apparatus, such as an electronic element of a 5GC network or an electronic element of non-integrated, non- 3GPP access network.
- Figure 6 depicts a simplified block diagram of an apparatus, such as a UE.
- the term "comprises,” “comprising,” or variations thereof are intended to refer to a non-exclusive inclusion, such that a process, method, article of manufacture, or apparatus that comprises a list of elements does not include only those elements in the list but may include other elements not expressly listed or inherent to such process, method, article of manufacture, or apparatus.
- data means information capable of being transmitted, received and/or stored in accordance with certain embodiments of the present disclosure.
- telecommunication entity refers to: (a) electronic hardware-only circuit implementations (e.g., implementations in analog circuitry and/or digital circuitry) capable of completing one or more functions, such as network functions (NF) or UE functions; and/or (b) combinations of electronic circuits and computer program product(s) comprising software and/or firmware instructions stored on one or more electronic memories that work together to cause an apparatus to perform one or more NFs, UE functions or process steps described herein; and/or (c) electronic circuits, such as, for example, an electronic microprocessor(s), a portion of a microprocessor(s), processor, portion of a processor, electronic integrated circuit or electronic applications processor (collectively referred to herein as “processor”) that executes stored instructions (e.g., software or firmware) retrieved from at least one electronic memory that, when executed by the processor cause an apparatus or the element itself to perform one or more features,
- stored instructions e.g., software or firmware
- the phrase electronic “memory” means a non-transitory, electronic storage medium (e.g., volatile or nonvolatile memory device).
- non-transitory, electronic storage media include, but are not limited to: a random access memory (RAM); a programmable read only memory (PROM); an erasable programmable read only memory (EPROM); a FLASH- EPROM; a magnetic computer readable medium (e.g., a floppy disk, hard disk, magnetic tape, any other magnetic medium); an optical computer readable medium (e.g., a compact disc read only memory (CD-ROM); a digital versatile disc (DVD); a Blu-Ray disc (BD), the like, or combinations thereof), or any other non-transitory medium from which an electronic processor can retrieve stored instructions that when executed cause an apparatus to perform one or more functions or steps in a process.
- RAM random access memory
- PROM programmable read only memory
- EPROM erasable programmable read only memory
- non-integrated means a telecommunications network that is not seamlessly connected or interoperable with a 3GPP-defined cellular network, while the phrase “non-3GPP” means a telecommunications network that does not follow 3GPP standards for mobile communication.
- Non-integrated, non-3GPP network is a private wireless network or WLAN built using technologies such as Wi-Fi, LoRa (Low Power Wide Area Network), or other proprietary wireless solutions. Such networks may be used for specific applications, such as in industrial Internet of Things (IoT) deployments.
- IoT industrial Internet of Things
- the network 1 may comprise one or more UEs 2a to 2n configured to complete innovative functions and steps described herein and be in wireless communication with, and coupled to, one or more wireless access points (AP) 3a to 3n of an exemplary nonintegrated, non-3GPP access network 4 (e.g., a WLAN) via one or more telecommunication channels 5a to 5n.
- AP wireless access points
- each of the one or more wireless APs 3a to 3n may be configured to complete innovative functions and steps described herein.
- the non-integrated, non-3GPP access network 4 may be in further communication with a core wireless network 6, such as a 5GC wireless network.
- the core wireless network 6 may comprise a plurality of telecommunication network function (NF) entities, such as a non-seamless wireless offload (NSWOF) entity 8 (that may be referred to sometimes for simplicity as a “second NF entity”) configured to complete known non-seamless wireless offload network functions and steps (NSWOF), innovative functions and steps described herein (e.g., innovative NSWOF functions and steps), and to support NSWO authentication.
- NF telecommunication network function
- NSWOF entity 8 may be wirelessly connected to one or more non-integrated, non-3GPP access networks, such as network 4, and to an authentication server function (AUSF) entity 9 (that may be referred to sometimes for simplicity as a “first NF entity”) that is also a part of core network 6 via wired or wireless connection 10.
- AUSF entity 9 may be referred to as an extensible authentication protocol (EAP) authenticator and may be further configured to complete known network functions and steps, innovative functions and steps described herein, and carry out authentication of the one or more UEs 2a to 2n, for example UE 2a, as well as store data for authentication of UEs 2a to 2n.
- EAP extensible authentication protocol
- FIG. 1 also depicts the AUSF entity 9 connected to a unified data management (UDM) entity 10 (that may be referred to sometimes for simplicity as a “third NF entity”) via wired or wireless means.
- UDM entity 10 may be configured to complete known network functions and steps, innovative functions and steps described herein as well as store user subscription data, and decipher a subscription concealed identifier (SUCI), etc.
- SUCI subscription concealed identifier
- Although Figure 1 depicts telecommunication entities 8 to 10 as three separate and distinct elements, it should be understood that this is merely exemplary. Alternatively, one or more of the entities 8 to 10 may be combined together, or, still further, may be separated into additional elements.
- embodiments of the disclosure innovatively alter and/or expand the features, functions and steps of entities 8 to 10 as well as UEs 2a to 2n and APs 3a to 3n of the non-integrated, non-3GPP access network 4 to permit UEs 2a to 2n to securely register and connect to the 5GC network 6 in order to access 5GC services when neither a TNGF nor N3IWF are available (i.e., without using 5G Non-Access Stratum (NAS) registration procedures via a non-3GPP access network).
- NAS Non-Access Stratum
- the UE 2a may comprise an Internet-of-Things (IoT) compatible device, such as a mobile phone, laptop computer, personal computer, electronic server, household appliance, and industrial device, to name just a few nonlimiting examples of UE 2a.
- IoT Internet-of-Things
- In FIGs. 2A and 2B there is depicted an exemplary flow of communications involving elements and entities of the mobile network 1 that provide UE 2a with secure registration and connectivity to 5GC services via the non-integrated, non-3GPP access network 4 when neither a TNGF nor N3IWF are available (i.e., without using 5G NAS registration procedures via a non-3GPP access network).
- UE 2a may be pre-configured with the Fully Qualified Domain Name (“fqdn”) address of NSWOF entity 8 (i.e., complete primary authentication). Thereafter, steps 101 to 106 shown in Figure 2 (and as described in TS 33.501, Annex S for NSWO based authentication) may be completed by a combination of element 2a, elements and corresponding entities of network 4 (e.g., a WLAN) and elements and corresponding entities 8, 9 and 10 of 5GC network 6.
- fqdn Fully Qualified Domain Name
- the UDM entity 10 may be configured to innovatively generate and send a “flag” (e.g., an electronic value, referred to herein as a “first” indicator) to the AUSF entity 9 (e.g., EAP authentication server) that indicates that registration of UEs via a non-integrated, non-3GPP access network, such as network 4, is allowed provided subscription data allows a UE (e.g., UE 2a) to be registered via a non-integrated, non-3GPP network such as network 4.
- a “flag” e.g., an electronic value, referred to herein as a “first” indicator
- such a flag may be configured and stored in a Unified Data Repository (UDR)(e.g., a database; not shown in Figure 1 ) that may be managed by the UDM entity 10.
- UDR Unified Data Repository
- the NSWOF entity 8 may be configured to provide an indicator (e.g., an electronic message) to the AUSF entity 9 and UDM entity 10 that non-integrated, non-3GPP network registration is supported by core network 6 via connections 11, 12 in Figure 1 (hereafter referred to as a “second indicator”).
- the indicator may be provided during step 105, for example.
- steps 108 to 115 shown in Figure 2A may be completed.
- step 116 may be completed.
- (i) the NSWOF entity 8 has sent the “second” indicator to the AUSF entity 9 and UDM entity 10 (i.e., that non-integrated, non-3GPP network registration is supported by core network 6) or (ii) the UDM entity 10 has sent the first indicator in step 107 to the AUSF entity 9 (i.e., that non-integrated, non-3GPP network registration is allowed by core network 6)
- the AUSF entity 9 may be configured to generate a NSWOF key and a temporary UE Identifier.
- the same NSWOF key and temporary UE identifier shall be generated by the UE 2a as well (i.e., by any UE 2a to 2n that wishes to register with the core 5G network 6 via the non-integrated, non-3GPP access network 4).
- the AUSF 9 may send the so-generated NSWOF key and temporary UE identifier to UE 2a, or as described below, the UE 2a may generate these same key and identifier to form a secure communications channel (e.g., an IP sec tunnel).
- the AUSF entity 9 may send the generated NSWOF key, UE temporary Identifier and a Subscription Permanent Identifier (SUPI) to the NSWO entity 8 via connection 11, for example during step 116.
- SUPI Subscription Permanent Identifier
- the AUSF entity 9 may comprise at least one processor 502 configured to generate the NSWOF key 16 by executing electronic instructions stored in, and accessed and retrieved from, at least one memory (e.g., see Figure 5, memory 503) to complete a first, cryptographic Key Derivation Function (KDF) process that generates the NSWOF key 16.
- KDF cryptographic Key Derivation Function
- the processor 502 may receive a RAND value 13, a fixed constant (FC) value 15 and a Master Session Key (MSK) 14 value and then execute the first KDF process to generate the NSWOF key 16 during step 116 based on the received values 13, 14 and 15 and first KDF process.
- FC values may be values determined by a telecommunications standard or adopted by a telecommunications vendor. In a further embodiment, the same FC value may be used by an AUSF entity 9 for each UE 2a to 2n to generate an NSWOF key 16. Regarding the MSK values, in an embodiment, MSK values may be generated by an AUSF entity 9 using known processes independently from a UE 2a to 2n.
- the processor 502 may receive a CONSTANT value 13 instead of a RAND value, an FC value 15 and an MSK 14 value and then execute the first cryptographic KDF process to generate the NSWOF key 16 during step 116.
- CONSTANT values may be determined by a telecommunications standard or adopted by a telecommunications vendor. In a further embodiment, the same CONSTANT value may be used by an AUSF entity 9 for each UE 2a to 2n to generate an NSWOF key 16.
- the processor 502 may receive a temporary UE identifier value 17 instead of a CONSTANT or RAND value, an FC value 19 and an MSK 18 value and then execute a “second” cryptographic KDF process to generate the NSWOF key 20 during step 116.
- upon receiving a CONSTANT value 21 (or a RAND value), an FC value 23 and an MSK value 22, the processor 502 (of AUSF 9, for example) may be configured to complete a third cryptographic KDF process in order to generate a temporary UE identifier 24 during step 116.
- the AUSF entity 9 may send the generated NSWOF key, UE temporary Identifier and a SUPI to the NSWOF entity 8 via connection 11, for example during step 116.
- Upon receiving the third indicator, the non-integrated, non-3GPP access network 4 (e.g., one or more of the APs 3a to 3n) may be configured to send a similar indicator to the UE 2a that non-integrated, non-3GPP network registration is allowed (hereafter “fourth indicator”) during step 117b via connection 5, for example. Thereafter, the non-integrated, non-3GPP access network 4 (e.g., one or more of the APs 3a to 3n) may complete the steps set forth in TS 33.501, Annex S for NSWO based authentication.
- the UE 2a may be configured to complete a registration process with the 5GC network 6 via the non- integrated, non-3GPP access network 4 when neither a TNGF nor N3IWF are available (i.e., without using 5G NAS registration procedures).
- the UE 2a may be pre-configured with the Fully Qualified Domain Name (“fqdn”) address of NSWOF entity 8. Accordingly, to form an IPSec tunnel between the UE 2a and the NSWOF entity 8 of core network 6 that ensures that the registration and communications between the UE 2a and core network 6 may be secure, the UE 2a needs to derive the same NSWOF key and UE temporary identifier that was generated by an entity of the 5GC network 6 (e.g., AUSF entity 9).
- a processor 604 of the UE 2a may receive a CONSTANT value 13, FC value 15 and a MSK 14 value and then complete the first cryptographic, KDF process discussed previously by executing electronic instructions stored in, and accessed and retrieved from, at least one memory (e.g., see Figure 6, memory 605) during step 119 to generate the NSWOF key 16.
- the FC values may be determined by a telecommunications standard or adopted by a telecommunications vendor. In a further embodiment, the same FC value may be used by each UE 2a to 2n to generate an NSWOF key 16.
- each UE 2a to 2n may generate an MSK value independently from an AUSF entity 9 using known processes.
- the processor 604 may receive a RAND value 13 instead of a CONSTANT value, an FC value 15 and an MSK 14 value and then execute the first cryptographic KDF process to generate the NSWOF key 16 during step 119.
- the processor 604 may receive a temporary UE identifier value 17 instead of a CONSTANT or RAND value, an FC value 19 and an MSK 18 value and then execute the second cryptographic KDF process discussed previously to generate the NSWOF key 20 during step 119.
- the UE 2a may generate the NSWOF and temporary UE identifier values based on stored CONSTANT, RAND, FC and MSK values.
- One or more of these values may be sent to the UE 2a from an element and corresponding entity of the 5GC network 6 (e.g., from the AUSF entity 9)
- the RAND values 13, 21 in Figures 3A and 4 may be sent from an element and corresponding entity in core network 6 (e.g., from the AUSF entity 9) to the UE 2a.
- the temporary UE identifier 17 in Figure 3B may be sent to the UE 2a from an entity of the 5GC network 6 (e.g., from the AUSF entity 9).
- the FC and CONSTANT values are not sent to the UE 2a from an element and corresponding entity of the 5GC network 6.
- Upon generating the NSWOF key using the embodiments described herein, the UE 2a then generates and directly sends an Internet Key Exchange Security Association Initialization message (referred to as “first initialization message”, abbreviated “IKE_SA_INIT”) that includes the NSWOF key directly to the NSWOF entity 8 during step 119a.
- first initialization message abbreviated “IKE_SA_INIT”
- the NSWOF entity 8 may be further configured to form a secure communications channel (e.g., an IP sec tunnel) directly between the UE 2a and NSWO entity 8 of 5GC network 6. Accordingly, the non-integrated, non-3GPP access network 4 does not have access to the established secure communications channel.
- a secure communications channel e.g., an IP sec tunnel
- the UE 2a may include a generated temporary UE identifier in an initialization message (referred to as “second initialization message”), and then send the second initialization message to the NSWO entity 8 during alternative step 119b.
- second initialization message an initialization message
- Upon receiving the second initialization message, the NSWOF entity 8 is configured to compare the received temporary UE identifier to its stored temporary UE identifier. If the comparison results in a match, then the NSWOF entity 8 is further configured to form a secure communications channel (e.g., an IP sec tunnel) between the UE 2a and NSWO entity 8 of 5GC network 6 during step 119b.
- a secure communications channel e.g., an IP sec tunnel
- the UE 2a and NSWOF entity 8 may now begin an innovative process to register the UE 2a with the core network 6.
- the UE 2a may send a first registration message that may include a temporary UE identifier within the now established, secure communications channel to the NSWOF entity 8 (referred to as “first communication session”).
- first communication session a temporary UE identifier within the now established, secure communications channel
- Upon receiving the registration message that includes the temporary UE identifier, the NSWOF entity 8 completes a comparison process to authenticate the first communication session before proceeding with the registration of the UE 2a with the 5GC network 6.
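The two-sided derivation described above (AUSF entity 9 in step 116, UE 2a in step 119) together with the NSWOF entity's comparison of the temporary UE identifier before forming the tunnel, as an added Python example that is not part of the patent. The patent does not name the KDF, so the three "cryptographic KDF processes" are modelled here with the generic 3GPP KDF of TS 33.220 Annex B (HMAC-SHA-256 over FC || P0 || L0 ...); the FC and CONSTANT values, the MSK, RAND and SUPI, and the 16-byte identifier length are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder values (the patent says FC and CONSTANT come from a
# standard or vendor and are never sent to the UE; these are not real values).
FC_NSWOF_KEY = 0x80   # placeholder FC for the first and second KDF processes
FC_TEMP_UE_ID = 0x81  # placeholder FC for the third KDF process
CONSTANT = b"NSWOF-CONSTANT-PLACEHOLDER"


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP-style KDF (TS 33.220 Annex B, assumed here):
    HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), Li = 2-byte length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_nswof_key_first(msk: bytes, rand_or_constant: bytes) -> bytes:
    """First KDF process (Figure 3A): NSWOF key from RAND (or CONSTANT), FC and MSK."""
    return kdf(msk, FC_NSWOF_KEY, rand_or_constant)


def derive_temp_ue_id(msk: bytes, constant_or_rand: bytes) -> bytes:
    """Third KDF process (Figure 4): temporary UE identifier from CONSTANT (or RAND),
    FC and MSK, truncated to an assumed 16-byte identifier length."""
    return kdf(msk, FC_TEMP_UE_ID, constant_or_rand)[:16]


def derive_nswof_key_second(msk: bytes, temp_ue_id: bytes) -> bytes:
    """Second KDF process (Figure 3B): NSWOF key bound to the temporary UE identifier."""
    return kdf(msk, FC_NSWOF_KEY, temp_ue_id)


class NswofEntity:
    """Models the NSWOF entity 8: stores the key, temporary UE identifier and SUPI
    received from the AUSF (step 116) and checks the identifier the UE presents
    in its second initialization message (step 119b)."""

    def __init__(self) -> None:
        self.contexts = []  # list of (temp_ue_id, nswof_key, supi)

    def receive_from_ausf(self, nswof_key: bytes, temp_ue_id: bytes, supi: str) -> None:
        self.contexts.append((temp_ue_id, nswof_key, supi))

    def handle_second_init(self, received_temp_ue_id: bytes):
        """Return (nswof_key, supi) on a match, else None (no tunnel is formed).
        compare_digest keeps the byte comparison itself constant-time."""
        for stored_id, key, supi in self.contexts:
            if hmac.compare_digest(stored_id, received_temp_ue_id):
                return key, supi
        return None


def simulate_registration(msk: bytes, rand: bytes, tamper: bool = False) -> dict:
    """Run the flow end to end with one MSK shared via primary authentication.
    RAND is sent from the AUSF to the UE; CONSTANT and FC are pre-configured on
    both sides and never sent. With tamper=True the UE presents a corrupted id."""
    supi = "supi-placeholder"  # constructed placeholder, not a real SUPI
    # AUSF entity 9, step 116: derive and hand over to the NSWOF entity (connection 11)
    ausf_temp_id = derive_temp_ue_id(msk, CONSTANT)
    ausf_key = derive_nswof_key_first(msk, rand)
    nswof = NswofEntity()
    nswof.receive_from_ausf(ausf_key, ausf_temp_id, supi)
    # UE 2a, step 119: same MSK, same stored CONSTANT/FC, RAND received from the AUSF
    ue_temp_id = derive_temp_ue_id(msk, CONSTANT)
    ue_key = derive_nswof_key_first(msk, rand)
    # Step 119b: the UE sends its temporary UE identifier; one flipped bit shows
    # the NSWOF entity refusing to form the tunnel on a mismatch.
    sent_id = ue_temp_id if not tamper else bytes([ue_temp_id[0] ^ 1]) + ue_temp_id[1:]
    ctx = nswof.handle_second_init(sent_id)
    return {
        "match": ctx is not None,
        "keys_equal": ausf_key == ue_key,
        "supi": ctx[1] if ctx else None,
    }


if __name__ == "__main__":
    sample_msk = bytes(range(64))  # constructed sample MSK (an EAP MSK is 64 bytes)
    sample_rand = bytes(16)        # constructed sample RAND
    print(simulate_registration(sample_msk, sample_rand))
    print(simulate_registration(sample_msk, sample_rand, tamper=True))
```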
- the NSWOF entity 8 may send a second registration message that includes a NAS User Data Management (“Nudm”), UE Configuration Management (UECM) value, a previously generated Subscription Permanent Identifier (SUPI) value and the address of the NSWOF entity 8 (“NSWOF address”) to the UDM entity 10.
- Nudm NAS User Data Management
- UECM UE Configuration Management
- SUPI Subscription Permanent Identifier
- the SUPI value may have been previously stored and available at the AUSF entity 9 and then sent to the NSWOF entity 8.
- Upon receiving the second registration message, the UDM entity 10 generates and sends a confirmation message to the NSWO entity 8 during step 122.
- the NSWOF entity 8 may be configured to send a third registration message (e.g., a Non-Seamless Unified Data Management, Subscriber Data Management, “get” message, i.e., a “Nudm_SDM_get operation” message or simply “get message”) during step 123 to the UDM entity 10.
- the third registration message may comprise a request that the UDM entity 10 forward NSWOF specific data to the NSWOF entity 8.
- the UDM entity 10 may send the requested NSWOF data to the NSWOF entity 8 during step 124.
- NSWOF specific data may identify those 5GC services (e.g., limited services) that the UE 2a may be allowed to access after completing the secure authentication and registration process described herein.
- the NSWOF entity 8 may send a limited service indication message to the UE 2a which allows the UE 2a (and its corresponding user) access to a limited range and number of 5GC services provided by the 5GC network 6.
- a limited service may allow a data service but disallow call and/or short message services (SMS).
- an exemplary limited service may allow a call service but disallow data and/or short message services (SMS).
- another exemplary limited service may allow an SMS service but disallow data and/or call services, to name just a few of the types of limited services that can be allowed and/or disallowed.
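The registration exchange in the steps above, modelled as a small Python example added here (not code from the patent or any vendor): the NSWOF authenticates the first communication session by comparing temporary UE identifiers, registers with the UDM via Nudm_UECM, fetches NSWOF-specific data via Nudm_SDM_get, and enforces the resulting limited service (data allowed, call and SMS disallowed). The SUPI, temporary identifier and address values, and the UDM's check that only the registered NSWOF may fetch subscriber data, are assumptions.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample values (assumptions, not values from the patent).
SUPI = "imsi-001010000000001"            # SUPI previously delivered by the AUSF
TEMP_UE_ID = "tid-7f3a9c"                # temporary UE identifier
NSWOF_ADDRESS = "nswof.example.invalid"  # NSWOF address sent to the UDM


@dataclass
class UDM:
    """Minimal UDM stand-in holding NSWOF-specific data per SUPI."""
    nswof_data: dict                          # SUPI -> {"allowed_services": [...]}
    uecm: dict = field(default_factory=dict)  # SUPI -> registered NSWOF address

    def nudm_uecm_register(self, supi, nswof_address):
        # Second registration message (Nudm_UECM): record the serving NSWOF
        # and answer with the confirmation message of step 122.
        self.uecm[supi] = nswof_address
        return {"msg": "Nudm_UECM confirmation", "supi": supi}

    def nudm_sdm_get(self, supi, nswof_address):
        # Third registration message (Nudm_SDM_get, steps 123/124). Assumed
        # check: only the NSWOF registered for the SUPI may fetch its data.
        if self.uecm.get(supi) != nswof_address:
            raise PermissionError("NSWOF not registered for this SUPI")
        return dict(self.nswof_data[supi])


@dataclass
class NSWOF:
    address: str
    udm: UDM
    allowed: dict = field(default_factory=dict)  # SUPI -> allowed service set

    def handle_registration(self, session, received_temp_ue_id):
        # `session` is the context stored when the IPsec tunnel was formed:
        # the temporary UE identifier and the SUPI obtained from the AUSF.
        # Authenticate the first communication session with a constant-time
        # comparison before touching the UDM.
        if not hmac.compare_digest(session["temp_ue_id"], received_temp_ue_id):
            return {"msg": "registration rejected"}
        supi = session["supi"]
        self.udm.nudm_uecm_register(supi, self.address)
        data = self.udm.nudm_sdm_get(supi, self.address)
        self.allowed[supi] = frozenset(data["allowed_services"])
        # Limited service indication: tell the UE which 5GC services it may use.
        return {"msg": "limited service indication", "supi": supi,
                "allowed": sorted(self.allowed[supi])}

    def authorize(self, supi, service):
        # Enforce the limited-service policy on each later service request.
        return service in self.allowed.get(supi, frozenset())
```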
- FIG. 5 depicts a simplified block diagram of a network apparatus 500 comprising an entity of the 5GC network 6 (e.g., NSWOF entity 8, AUSF entity 9 or UDM entity 10) or of the non-integrated, non-3GPP access network 4 (e.g., APs 3a to 3n of a WLAN) in accordance with an exemplary embodiment.
- network apparatus refers to an element and its corresponding NFs of 5GC network 6 or of the non-integrated, non-3GPP access network 4 (e.g., a WLAN), while the phrase "UE apparatus" (or UE) refers to UE 2a to 2n and its corresponding UE functions.
- network apparatus 500 may be configured to provide one or more network-based operations and features and perform related steps within 5GC network 6 or non-integrated, non-3GPP access network 4. Moreover, network apparatus 500 may be configured to complete a plurality of core network functions (NFs). For example, apparatus 500 may be incorporated into one or more of the network entities 8, 9 and 10 described above and herein.
- In an embodiment, the network apparatus 500 may include means for completing one or more innovative NFs, features and steps. In embodiments, such means may comprise a combination of electronic elements, such as a network interface 501, at least one electronic processor 502, and an electronic memory 503.
- FIG. 6 illustrates a simplified block diagram of a user apparatus 600 which may comprise user equipment 2a (or 2b to 2n).
- User apparatus 600, or portions therein, may be implemented in other network apparatuses or elements including base stations/WLAN APs 3a to 3n, as well as the other network elements.
- user apparatus 600 may comprise means for completing one or more innovative UE functions, features and steps.
- such means may comprise a combination of electronic elements, such as at least one antenna 601 in communication with an electronic transmitter 602 and an electronic receiver 603.
- apparatus 600 may comprise separate transmit and receive antennas (not shown for simplicity).
- User apparatus 600 may also include additional means, such as at least one electronic processor 604 configured to provide communication signals to, and receive communication electronic signals from, the transmitter and receiver, respectively, and to control the functioning of the apparatus.
- Processor 604 may be configured to control the functioning of the transmitter and receiver by effecting control signaling via electrical leads or wirelessly to the transmitter and receiver.
- processor 604 may be configured to control other elements of user apparatus 600 by effecting control signaling via electrical leads or wirelessly connecting processor 604 to other components, such as a display (not shown for simplicity) or an electronic memory 605.
- Processors 502, 604 may, for example, be embodied in a variety of ways including electronic circuitry, at least one electronic processing core, one or more microprocessors with accompanying digital signal processor(s), one or more electronic processor(s) without an accompanying digital signal processor, one or more coprocessors, one or more multi-core processors, one or more electronic controllers, electronic processing circuitry, one or more computers, various other electronic processing elements including integrated circuits (for example, an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), and/or the like), or some combination thereof. Accordingly, although illustrated in Figures 5 and 6 as a single processor, in some example embodiments processors 502, 604 may comprise a plurality of electronic processors or processing cores.
- user apparatus 600 may be configured to operate using one or more air interface standards, communication protocols, modulation types, access types, and/or the like.
- Signals sent and received by the processor 604 may include signaling information in accordance with an air interface standard of an applicable cellular system, and/or any number of different wireline or wireless networking techniques, comprising but not limited to Wi-Fi, WLAN techniques, such as Institute of Electrical and Electronics Engineers (IEEE) 802.11, 802.16, 802.3, ADSL, DOCSIS, and/or the like.
- these signals may include speech data, user generated data, user requested data, and/or the like.
- One or more memory elements 605 may be used to store information such as NSWOF keys, temporary UE identifiers, UE context information, and interact with processor 604 as known in the art.
- user apparatus 600 and/or a cellular modem therein may be capable of operating in accordance with various communication protocols, such as first generation (1G) communication protocols, second generation (2G or 2.5G) communication protocols, third-generation (3G) communication protocols, fourth-generation (4G) communication protocols, fifth-generation (5G) communication protocols, Internet Protocol Multimedia Subsystem (IMS) communication protocols (for example, session initiation protocol (SIP)) and/or the like.
- user apparatus 600 may be capable of operating in accordance with 2G wireless communication protocols IS-136, Time Division Multiple Access (TDMA), Global System for Mobile communications (GSM), IS-95, Code Division Multiple Access (CDMA), and/or the like.
- user apparatus 600 may be capable of operating in accordance with 2.5G wireless communication protocols General Packet Radio Service (GPRS), Enhanced Data GSM Environment (EDGE), and/or the like.
- Still further, for example, apparatus 600 may be capable of operating in accordance with 3G wireless communication protocols, such as Universal Mobile Telecommunications System (UMTS), Code Division Multiple Access 2000 (CDMA2000), Wideband Code Division Multiple Access (WCDMA), Time Division-Synchronous Code Division Multiple Access (TD-SCDMA), and/or the like.
- User apparatus 600 may be additionally capable of operating in accordance with (i) 3.9G wireless communication protocols, such as Long Term Evolution (LTE), Evolved Universal Terrestrial Radio Access Network (E-UTRAN), and/or the like, and (ii) 4G wireless communication protocols, such as LTE Advanced, 5G, and/or the like as well as similar wireless communication protocols that may be subsequently developed.
- processors 502, 604 may include additional means, for example, circuitry for implementing audio/video and logic functions of apparatuses 500, 600.
- processor 604 may comprise a digital signal processor device, a microprocessor device, an analog-to-digital converter, a digital-to-analog converter, and/or the like. Control and signal processing functions of user apparatus 600 may be allocated between these devices according to their respective capabilities.
- processors 502,604 may retrieve and access software or firmware stored as electronic instructions to cause their respective apparatuses 500,600 to at least perform certain functions, features and/or steps.
- processors 502, 604 may comprise means for performing authentication and registration processes, such as NSWOF key generation, and temporary UE identifier generation via one or more cryptographic KDF processes, security handshakes, and the like.
- processor 604 may be configured to complete a connectivity process that allows user apparatus 600 to transmit and receive web content, such as location-based content, according to a protocol, such as wireless application protocol (WAP), hypertext transfer protocol (HTTP), and/or the like.
- each of the apparatuses 500, 600 shown in Figures 5 and 6 includes means for completing one or more innovative functions, features and steps, including, but not limited to, the UE functions, features and steps or network side functions (e.g., NFs), features and steps set forth in the claims below.
- such means may comprise a combination of electronic elements, such as one or more electronic transmitters, receivers, electronic comparison circuitry, electronic input/output (I/O) circuitry, electronic conductors (e.g., electronic buses), at least one electronic processor 502, 604, and at least one electronic memory 503, 605 that comprises stored electronic instructions (i.e., computer program code), where the respective at least one processor 502, 604, in conjunction with the respective at least one memory 503, 605 and the respective computer program code, is executed and/or arranged to cause the respective apparatus 500, 600 to perform at least the functions, features and steps described herein, including, but not limited to, the functions, features and steps illustrated in Figures 1 to 6.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Power Engineering (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Secure registration and connectivity of a user equipment to a limited range of services offered by fifth-generation core networks are provided when access to the services is through a non-integrated non-3GPP access network.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202480032908.2A CN121128138A (zh) | 2023-10-31 | 2024-10-08 | Method and related apparatus for providing 5GC service access via a non-integrated non-3GPP network |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| IN202311074177 | 2023-10-31 | | |
| IN202311074177 | 2023-10-31 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025093230A1 true WO2025093230A1 (fr) | 2025-05-08 |
Family
ID=93061744
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/EP2024/078240 Pending WO2025093230A1 (fr) | 2023-10-31 | 2024-10-08 | Methods and related apparatuses for providing access to a 5GC service via a non-integrated non-3GPP network |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN121128138A (fr) |
| WO (1) | WO2025093230A1 (fr) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20190215691A1 (en) * | 2016-10-05 | 2019-07-11 | Apostolis SALKINTZAZ | Core network attachment through standalone non-3gpp access networks |
| WO2022146034A1 (fr) * | 2020-12-31 | 2022-07-07 | Samsung Electronics Co., Ltd. | Method and systems for UE authentication to access a non-3GPP service |
2024
- 2024-10-08 WO PCT/EP2024/078240 patent/WO2025093230A1/fr active Pending
- 2024-10-08 CN CN202480032908.2A patent/CN121128138A/zh active Pending
Non-Patent Citations (1)
| Title |
|---|
| "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on security aspects of enhanced support of Non-Public Networks phase 2 (Release 18)", 25 January 2023 (2023-01-25), XP052233772, Retrieved from the Internet <URL:https://www.3gpp.org/ftp/TSG_SA/WG3_Security/TSGS3_109AdHoc-e/Docs/S3-230483.zip 33858-040.docx> [retrieved on 20230125] * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN121128138A (zh) | 2025-12-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US12096328B2 (en) | | Method and apparatus for providing emergency codes to a mobile device |
| CN111670587B (zh) | | Method and device for multiple registrations |
| EP3679655B1 (fr) | | Authentication of user equipment via relay user equipment |
| US11722891B2 (en) | | User authentication in first network using subscriber identity module for second legacy network |
| CA2995311C (fr) | | Network access identifier including an identifier for a cellular access network node |
| US20250142331A1 (en) | | Method, apparatus, and computer program product for authentication using a user equipment identifier |
| US12052358B2 (en) | | Method and apparatus for multiple registrations |
| CN116195362A (zh) | | Authentication in a communication network |
| JP7542676B2 (ja) | | Extended A-KID for AKMA authentication service |
| WO2025093230A1 (fr) | | Methods and related apparatuses for providing access to a 5GC service via a non-integrated non-3GPP network |
| JP2021524167A (ja) | | Method and apparatus for multiple registrations |
| HK1254125A1 (en) | | Network access identifier including an identifier for a cellular access network node |
| HK1254125B (zh) | | Authentication method for a network access identifier based on a cellular access network node |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 24787432; Country of ref document: EP; Kind code of ref document: A1 |