
WO2025168272A1 - User authentication behind a user device - Google Patents

User authentication behind a user device

Info

Publication number
WO2025168272A1
Authority
WO
WIPO (PCT)
Prior art keywords
akma
key
user
security information
user device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/EP2024/087786
Other languages
French (fr)
Inventor
Harish MURALIDHARA
Saurabh Khare
Krishnamurthy MAHADEVAIAH
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nokia Technologies Oy
Original Assignee
Nokia Technologies Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nokia Technologies Oy
Publication of WO2025168272A1
Legal status: Pending
Anticipated expiration: not stated

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/30 Security of mobile devices; Security of mobile applications
    • H04W 12/37 Managing security policies for mobile devices or for controlling mobile applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup
    • H04W 76/12 Setup of transport tunnels

Definitions

  • Various example embodiments of the present disclosure generally relate to the field of telecommunication and in particular, to methods, devices, apparatuses and computer readable storage medium for a procedure for user authentication behind a user device.
  • AKMA Authentication and Key Management for Applications
  • an apparatus comprising at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: obtain at least one security information associated with a user profile from a user request for accessing a service of an application via the apparatus; transmit, to an AKMA application function (AF), associated with the application via an application session establishment request, the at least one security information associated with the user profile and an identifier of the apparatus; and accept or reject the user request based on a response received from the AKMA-AF for the application session establishment request.
  • AF application function
  • an apparatus comprising at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: receive, from a user device via an application session establishment request, an identifier of the user device and at least one security information associated with a user profile obtained by the user device from a user request for accessing a service of an application via the user device; authenticate the user device by the identifier of the user device and authenticate the user by the at least one security information associated with the user profile; transmit, to the user device, a response for the application session establishment request based on a result of the authentication for the user and the user device.
  • a method comprises: obtaining, at a user device, at least one security information associated with a user profile from a user request for accessing a service of an application via the user device; transmitting, to an AKMA-AF associated with the application via an application session establishment request, the at least one security information associated with the user profile and an identifier of the user device; and accepting or rejecting the user request based on a response received from the AKMA-AF for the application session establishment request.
  • a method comprises: receiving, at an AKMA-AF from a user device via an application session establishment request, an identifier of the user device and at least one security information associated with a user profile obtained by the user device from a user request for accessing a service of an application via the user device; authenticating the user device by the identifier of the user device and authenticating the user by the at least one security information associated with the user profile; transmitting, to the user device, a response for the application session establishment request based on a result of the authentication for the user and the user device.
  • an apparatus comprises means for obtaining, at a user device, at least one security information associated with a user profile from a user request for accessing a service of an application via the apparatus; means for transmitting, to an AKMA-AF, associated with the application via an application session establishment request, the at least one security information associated with the user profile and an identifier of the apparatus; and means for accepting or rejecting the user request based on a response received from the AKMA- AF for the application session establishment request.
  • an apparatus comprises means for receiving, from a user device via an application session establishment request, an identifier of the user device and at least one security information associated with a user profile obtained by the user device from a user request for accessing a service of an application via the user device; means for authenticating the user device by the identifier of the user device and authenticating the user by the at least one security information associated with the user profile; means for transmitting, to the user device, a response for the application session establishment request based on a result of the authentication for the user and the user device.
  • a computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the third aspect.
  • a computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the fourth aspect.
  • an apparatus comprising at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: obtain, from an operator network function, a key material associated with operator network; generate an AKMA key user identity for accessing a service of the application based on the key material, an AKMA temporary user identity, and public land mobile network (PLMN) information of the apparatus.
  • PLMN public land mobile network
  • an apparatus comprising at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: receive an AKMA key user identity from an AKMA Anchor Function (AAnF) or an Authentication Server Function (AUSF); transmit, to a user device, a key material associated with operator network; in accordance with a determination that a request is received from an AKMA-AF associated with an application for authenticating a further AKMA key user identity provided by a user request for accessing a service of the application via a further user device, determine a validity of the further AKMA key user identity based on the AKMA key user identity obtained from the AAnF or the AUSF.
  • AAnF AKMA Anchor Function
  • AUSF Authentication Server Function
  • a method comprises: obtaining, at a user device from an operator network function, a key material associated with operator network; and generating an AKMA key user identity for accessing a service of the application based on the key material, an AKMA temporary user identity, and PLMN information of the user device.
  • a method comprises: receiving, at an operator network function (NF), an AKMA key user identity from an AAnF or an AUSF; transmitting, to a user device, a key material associated with operator network; and in accordance with a determination that a request is received from an AKMA-AF associated with an application for authenticating a further AKMA key user identity provided by a user request for accessing a service of the application via a further user device, determining the validity of the further AKMA key user identity based on the AKMA key user identity obtained from the AAnF or the AUSF.
  • NF operator network function
  • an apparatus comprises means for obtaining, from an operator network function, a key material associated with operator network; and means for generating an AKMA key user identity for accessing a service of the application based on the key material, an AKMA temporary user identity, and PLMN information of the apparatus.
  • a computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the thirteenth aspect.
  • an apparatus comprising at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: obtain a key material from a network exposure function (NEF) associated with an operator network; generate security information associated with a user profile based on the key material, an AKMA key and a subscription permanent identifier (SUPI) associated with the apparatus; and provide, to an application server, the AKMA key identity of the apparatus and the generated security information associated with the user profile via an application session establishment request.
  • NEF network exposure function
  • SUPI subscription permanent identifier
  • a method comprises: receiving, at an AS from a user device, an AKMA key identity of a user device and security information associated with the user profile via an application session establishment request; transmitting, to an AAnF, associated with an operator network, a request for obtaining an AKMA application key including the AKMA key identity and the security information; and transmitting, to the user device, a response for the application session establishment request based on an AKMA application key response received from the AAnF.
  • a method comprises: obtaining, at an AAnF, a key material from a UE via NEF associated with an operator network; generating security information associated with a user profile based on a key material, an AKMA key and a SUPI associated with a user device; receiving, from an AS, a request for obtaining an AKMA application key including the AKMA key identity and a further security information; and transmitting, to the AS, an AKMA application key response based on a comparison of the generated security information and the further security information.
  • an apparatus comprises means for obtaining a key material from a NEF associated with an operator network; means for generating security information associated with a user profile based on the key material, an AKMA key and a SUPI associated with the apparatus; and means for providing, to an application server, the AKMA key identity of the apparatus and the generated security information associated with the user profile via an application session establishment request.
  • an apparatus comprises means for receiving, from a user device, an AKMA key identity of a user device and security information associated with the user profile via an application session establishment request; means for transmitting, to an AAnF, associated with an operator network, a request for obtaining an AKMA application key including the AKMA key identity and the security information; and means for transmitting, to the user device, a response for the application session establishment request based on an AKMA application key response received from the AAnF.
  • the apparatus comprises means for obtaining a key material from a UE via NEF associated with an operator network; means for generating security information associated with a user profile based on a key material, an AKMA key and a SUPI associated with a user device; means for receiving, from an AS, a request for obtaining an AKMA application key including the AKMA key identity and a further security information; and means for transmitting, to the AS, an AKMA application key response based on a comparison of the generated security information and the further security information.
  • a computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the twentieth aspect.
  • a computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the twenty first aspect.
  • FIG. 1 illustrates an example AKMA architecture according to some example embodiments of the present disclosure
  • FIG. 2 illustrates an example communication environment in which example embodiments of the present disclosure can be implemented
  • FIG. 3 illustrates a signaling chart for communication according to some example embodiments of the present disclosure
  • FIG. 4 illustrates a signaling chart for communication according to some example embodiments of the present disclosure
  • FIG. 5 illustrates a signaling chart for communication according to some example embodiments of the present disclosure
  • FIG. 6 illustrates a signaling chart for communication according to some example embodiments of the present disclosure
  • FIG. 7 illustrates a flowchart of a method implemented at apparatus according to some example embodiments of the present disclosure
  • FIG. 8 illustrates a flowchart of a method implemented at apparatus according to some example embodiments of the present disclosure
  • FIG. 10 illustrates a flowchart of a method implemented at apparatus according to some example embodiments of the present disclosure
  • FIG. 11 illustrates a flowchart of a method implemented at apparatus according to some example embodiments of the present disclosure
  • FIG. 12 illustrates a flowchart of a method implemented at apparatus according to some example embodiments of the present disclosure
  • FIG. 14 illustrates a simplified block diagram of a device that is suitable for implementing example embodiments of the present disclosure.
  • FIG. 15 illustrates a block diagram of an example computer readable medium in accordance with some example embodiments of the present disclosure.
  • references in the present disclosure to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
  • circuitry may refer to one or more or all of the following:
  • the term “communication network” refers to a network following any suitable communication standards, such as New Radio (NR), Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT) and so on.
  • NR New Radio
  • LTE Long Term Evolution
  • LTE-A LTE-Advanced
  • WCDMA Wideband Code Division Multiple Access
  • HSPA High-Speed Packet Access
  • NB-IoT Narrow Band Internet of Things
  • the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, the fifth generation (5G), the sixth generation (6G) communication protocols, and/or any other protocols either currently known or to be developed in the future.
  • Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned system.
  • the term “network device” refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom.
  • the network device may refer to a base station (BS) or an access point (AP), for example, a node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), an NR NB (also referred to as a gNB), a Remote Radio Unit (RRU), a radio header (RH), a remote radio head (RRH), a relay, an Integrated Access and Backhaul (IAB) node, a low power node such as a femto, a pico, a non-terrestrial network (NTN) or non-ground network device such as a satellite network device, a low earth orbit (LEO) satellite and a geosynchronous earth orbit (GEO) satellite, an aircraft network device, and so forth, depending on the applied terminology and technology.
  • BS base station
  • AP access point
  • a radio access network (RAN) split architecture comprises a Centralized Unit (CU) and a Distributed Unit (DU) at an IAB donor node.
  • An IAB node comprises a Mobile Terminal (IAB-MT) part that behaves like a UE toward the parent node, and a DU part of an IAB node behaves like a base station toward the next-hop IAB node.
  • IAB-MT Mobile Terminal
  • terminal device refers to any end device that may be capable of wireless communication.
  • a terminal device may also be referred to as a communication device, user equipment (UE), a Subscriber Station (SS), a Portable Subscriber Station, a Mobile Station (MS), or an Access Terminal (AT).
  • UE user equipment
  • SS Subscriber Station
  • MS Mobile Station
  • AT Access Terminal
  • the terminal device may include, but is not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computer, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), an Internet of Things (IoT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and/or other wireless devices operating in an industrial and/or an automated processing chain contexts), a consumer electronics device, a device operating on commercial and/or industrial wireless networks, and the like.
  • VoIP voice over IP
  • the terminal device may also correspond to a Mobile Termination (MT) part of an IAB node (e.g., a relay node).
  • MT Mobile Termination
  • IAB node e.g., a relay node
  • the terms “terminal device”, “communication device”, “terminal”, “user equipment” and “UE” may be used interchangeably.
  • the term “resource,” “transmission resource,” “resource block,” “physical resource block” (PRB), “uplink resource,” or “downlink resource” may refer to any resource for performing a communication, for example, a communication between a terminal device and a network device, such as a resource in time domain, a resource in frequency domain, a resource in space domain, a resource in code domain, or any other combination of the time, frequency, space and/or code domain resource enabling a communication, and the like.
  • a resource in both frequency domain and time domain will be used as an example of a transmission resource for describing some example embodiments of the present disclosure. It is noted that example embodiments of the present disclosure are equally applicable to other resources in other domains.
  • the AUSF 123 establishes a connection between UDM 121 and AAnF 122, obtains the 5G authentication vector from UDM 121 and generates the related AKMA key material.
  • the NEF 124 establishes connection between AAnF 122 and AF 130 when the target AF is located outside the HN 120.
  • the AF 130 may be considered as an application provider or a service provider, which represents the online services that the user may wish to use.
  • the goal of AKMA is to help to establish a secure channel (exchange a secret key) between AF 130 and user device 110, with authentication of UE delegated to its corresponding HN 120.
  • the application in the UE would get access to AKMA Application Key (KAF) pertaining to its AF Identifier (AF ID).
  • KAF AKMA Application Key
  • the Key (KAF) in the UE may be derived and leveraged from Primary Authentication which UE performs with Network.
  • the process involved here is AS authenticating a UE with A-KID (derived from A-TID (KAUSF) and Home Network Identifier) and KAF (derived from KAKMA(KAUSF) and AF ID).
  • the main objectives of this study may comprise how to authenticate the user behind the UE when multiple users access the same device or when a single user owns multiple devices and how to expose the user authentication results to the 5G Core Network (5GC).
  • 5GC 5G Core Network
  • AKMA is a very prominent procedure to authenticate a UE (i.e., the public user device here) via 5GC.
  • AKMA does not support authenticating the user behind the UE.
  • an Internet of Things (IoT) device, e.g., an electric meter, a V2X device, a robot, etc.
  • AS application server
  • FIG. 1 illustrates an example communication environment 200 in which example embodiments of the present disclosure can be implemented.
  • the communication environment 200 involves a first user device 210 and a first operator network function (NF) 220-1, which may communicate with each other.
  • the first operator NF 220-1 may also be referred to as a first operator AF.
  • the communication environment 200 further involves a second user device 230 and a second operator NF 220-2, which may communicate with each other.
  • the second operator NF 220-2 may also be referred to as a second operator AF.
  • the second user device 230 may be considered as a user device that is allowed to be shared with other users, e.g., a metaverse gaming machine installed in the mall.
  • the first operator NF 220-1 may provide/manage one or more network services to the first user device 210 by interacting with one or more network functions such as NEF, AUSF, AAnF and UDM.
  • the second operator NF 220-2 may provide/manage one or more network services to the second user device 230 by interacting with one or more network functions such as NEF, AUSF, AAnF and UDM.
  • the first operator NF 220-1 may also comprise or integrate with one or more network functions such as NEF, AUSF, AAnF and UDM.
  • the second operator NF 220-2 may also comprise or integrate with one or more network functions such as NEF, AUSF, AAnF and UDM.
  • the first operator NF 220-1 and the second operator NF 220-2 may be the same and referred to as operator NF 220 collectively. That is, both the first user device 210 and the second user device 230 may access a same network associated with the operator NF 220.
  • the communication environment 200 further involves an AKMA AF 240, which may communicate with the first operator NF 220-1 and the second operator NF 220-2 to provide authentication and key management for applications.
  • the communication environment 200 may include any suitable number of units or devices mentioned above.
  • Communications in the communication environment 200 may be implemented according to any proper communication protocol(s), comprising, but not limited to, cellular communication protocols of the first generation (1G), the second generation (2G), the third generation (3G), the fourth generation (4G), the fifth generation (5G), the sixth generation (6G), and the like, wireless local network communication protocols such as Institute for Electrical and Electronics Engineers (IEEE) 802.11 and the like, and/or any other protocols currently known or to be developed in the future.
  • IEEE Institute for Electrical and Electronics Engineers
  • the communication may utilize any proper wireless communication technology, comprising but not limited to: Code Division Multiple Access (CDMA), Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Frequency Division Duplex (FDD), Time Division Duplex (TDD), Multiple-Input Multiple-Output (MIMO), Orthogonal Frequency Division Multiplexing (OFDM), Discrete Fourier Transform spread OFDM (DFT-s-OFDM) and/or any other technologies currently known or to be developed in the future.
  • CDMA Code Division Multiple Access
  • FDMA Frequency Division Multiple Access
  • TDMA Time Division Multiple Access
  • FDD Frequency Division Duplex
  • TDD Time Division Duplex
  • MIMO Multiple-Input Multiple-Output
  • OFDM Orthogonal Frequency Division Multiplexing
  • DFT-s-OFDM Discrete Fourier Transform spread OFDM
  • AKMA provides a mechanism by which only the UE can be authenticated.
  • One of the solutions in the present disclosure aims to authenticate the user behind a UE by the application relying on the AKMA procedure. This may involve an agreement of user details between the network and the user, an interaction of the AKMA AF with network functions such as NEF, AAnF and UDM, and an authentication of both the UE and the user behind it. More details will be described with reference to FIG. 3.
  • FIG. 3 illustrates a signaling chart 300 illustrating an example of process according to some example embodiments of the present disclosure.
  • the signaling chart 300 involves the first user device 210, the second user device 230, the first operator NF 220-1, the second operator NF 220-2 and the AKMA AF 240.
  • FIG. 2 illustrates the signaling chart 300.
  • the first user device 210 may be considered as a user device owned by a user.
  • the second user device 230 may be considered as a user device that is allowed to be shared with other users, e.g., a metaverse gaming machine installed in the mall.
  • the first operator NF 220-1 and the second operator NF 220-2 may be the same operator NF or different operator NFs.
  • the first operator NF 220-1 and the second operator NF 220-2 may interact with one or more network functions such as NEF, AUSF, AAnF and UDM, which are not shown in FIG. 3.
  • the first user device 210 owned by a user may determine an AKMA key identifier (e.g., A-KIDA) of the first user device 210 by a signaling exchange (305) with the first operator NF 220-1 (which may also be considered as AF associated with a trusted application).
  • the application may be hosted by a home network operator of user, which may provide application service to the first user device 210 owned by the user.
  • the first operator NF 220-1 may belong to the home network operator.
  • the first user device 210 may determine at least one security information associated with the user profile by a further signaling exchange (310) from the first operator NF 220-1.
  • the at least one security information associated with the user profile may comprise an AKMA key user identity (e.g., A-KID-USERA) and/or a user secret token.
  • the at least one security information associated with the user profile (e.g., A-KID-USERA and/or a user secret token) may be agreed independently between the first operator NF 220-1 and the first user device 210. How to determine the at least one security information associated with the user profile (e.g., A-KID-USERA and/or a user secret token) between the UE and network will be further described later, which is not described with the signaling chart 300.
  • the second user device 230 may also determine an AKMA key identifier of the second user device 230 (e.g., A-KIDB) by a signaling exchange (315) with the second operator NF 220-2 (which may also be considered as AF associated with a trusted application).
  • an AKMA key identifier of the second user device 230 e.g., A-KIDB
  • the second operator NF 220-2 which may also be considered as AF associated with a trusted application.
  • first operator NF 220-1 and the second operator NF 220-2 in FIG. 3 may belong to the same operator or different operators.
  • the second user device 230 may obtain, from the user request, the at least one security information associated with the user profile of the user.
  • the second user device 230 transmits (325) to AKMA AF 240, an application session establishment request including the at least one security information associated with the user profile (e.g., A-KID-USERA and/or a user secret token) and the AKMA key identifier of the second user device 230 (e.g., A-KIDB).
  • the AKMA AF 240 may request an authentication of the at least one security information associated with the user profile of the user.
  • the second user device 230 may be authenticated by the AKMA AF 240 by transmitting (340), to the second operator NF 220-2, a request to authenticate the AKMA key identifier of the second user device 230 (e.g., A-KIDB).
  • the second operator NF 220-2 may respond (345) to the AKMA AF 240 with an indication of whether the AKMA key identifier of the second user device 230 (e.g., A-KIDB) is valid and authenticated.
  • the AKMA AF 240 may transmit (350), to the second user device 230, a response for the application session establishment request indicating that access to the service of the application via the second user device 230, requested by the user who does not own the second user device 230, is allowed. The second user device 230 may then allow the user to access the service of the application via the second user device 230, for example, by displaying (355) a response for the user request with a display device.
  • the AKMA AF 240 may transmit (350), to the second user device 230, a response for the application session establishment request indicating that access to the service of the application via the second user device 230, requested by the user who does not own the second user device 230, is not allowed. The second user device 230 may then reject the user's access to the service of the application via the second user device 230, for example, by displaying (355) a response for the user request with a display device.
  • FIG. 4 illustrates a signaling chart 400 showing an example process according to some example embodiments of the present disclosure.
  • the signaling chart 400 involves the first user device 210, the second user device 230, the one or more first NFs 401, the first NEF or first operator app 402, the one or more second NFs 403 and the AKMA AF 240.
  • for the purpose of discussion, reference is made to FIG. 2 to describe the signaling chart 400.
  • the one or more first NFs may comprise AAnF, AUSF and/or UDM.
  • the one or more second NFs may comprise AAnF, AUSF and/or UDM.
  • the first user device 210 owned by a user may determine an AKMA key identifier (e.g., A-KIDA) by a signaling exchange (405) with the first NEF or first operator app 402.
  • the application may be hosted by a home network operator of the user, which may provide the application service to the first user device 210 owned by the user.
  • the first NEF or first operator app 402 may belong to the home network operator.
  • FIG. 5 illustrates a signaling chart 500 for communication according to some example embodiments of the present disclosure.
  • the signaling chart 500 involves the first user device 210, the AUSF 501, the AAnF 502, the UDM 503, the first NEF or first operator app 402 and the application server (AS) 504.
  • the AKMA key KAKMA may be derived from the key KAUSF.
  • A-KID is also used as a temporary identifier for AKMA.
  • the first user device 210 may obtain key KAUSF from UDM 503.
  • the first user device 210 may determine the key KAKMA and the AKMA Key ID (i.e., A-KID).
  • the AUSF 501 may also obtain (510) the key KAUSF from the UDM 503. Deriving from the key KAUSF, the AUSF 501 may determine the key KAKMA and the AKMA Key ID (i.e., A-KID). Then the AUSF 501 may perform (515) an AKMA registration with the AAnF 502 with the AKMA Key ID (i.e., A-KID), the subscription permanent identifier (SUPI) and the AKMA key KAKMA.
  • the first user device 210 may provide (520) the AKMA Key ID (i.e., A-KID) to the first NEF or first operator app 402. Then the first NEF or first operator app 402 may transmit (525) an AKMA application key get message to the AAnF 502 with the AKMA Key ID (i.e., A-KID) and key material.
  • the AAnF 502 may determine security information associated with a user profile (e.g., user secret token) based on the key material, e.g., the validity, key KAKMA and SUPI.
  • the AAnF 502 may transmit (530) an AKMA application key response message to the first NEF or first operator app 402 with SUPI/GPSI and the security information associated with a user profile (e.g., user secret token) generated by the AAnF 502.
  • the first NEF or first operator app 402 may provide (535) the key material to the first user device 210.
  • the key material may comprise a validity and/or a random value.
  • the first user device 210 may generate (540) security information associated with a user profile (e.g., user secret token).
  • the first user device 210 may transmit (545), to the AS 504 associated with the application, A-KID along with the security information associated with a user profile (e.g., user secret token).
  • the AS 504 transmits (550), to the AAnF 502, A-KID, AF-ID and the security information associated with a user profile received from the first user device 210.
  • the AAnF 502 may compare (555) the security information received from the first user device 210 and the security information generated by the AAnF 502 itself.
  • the AAnF 502 may transmit (560), to the AS 504, an AKMA application key response message indicating the security information received from the first user device 210 is authenticated and including SUPI/GPSI and KAF and an expiry of KAF.
  • the AS 504 transmits (565), to the first user device 210, the response for the application session establishment request indicating that the application session establishment is accepted.
  • FIG. 6 illustrates a signaling chart 600 for communication according to some example embodiments of the present disclosure.
  • the signaling chart 600 involves the first user device 210, the second user device 230, the one or more first NFs 401, the first NEF or first operator app 402, the one or more second NFs 403 and the AKMA AF 240.
  • for the purpose of discussion, reference is made to FIG. 2 to describe the signaling chart 600.
  • the one or more first NFs may comprise AAnF and/or AUSF.
  • the one or more second NFs may comprise AAnF and/or AUSF.
  • the first NEF or first operator app 402 may transmit (615) an AKMA application key get message to the one or more first NFs 401 with the AKMA Key ID (i.e., A-KID) and key material.
  • the one or more first NFs 401 may determine an AKMA key user identity (e.g., A-KID-USER) based on the key material, e.g., the validity or a random value, key KAKMA and SUPI.
  • the one or more first NFs 401 may transmit (620) an AKMA application key response message to the first NEF or first operator app 402 with SUPI/GPSI and the AKMA key user identity (e.g., A-KID-USER) generated by the one or more first NFs 401.
  • the first NEF or first operator app 402 may provide (625) the key material to the first user device 210.
  • the key material may comprise a validity and/or a random value and/or a routing identifier (RI-A).
  • the first user device 210 may generate (630) the AKMA key user identity (e.g., A-KID-USER).
  • a format of A-KID-USER may be represented as <Temporary-derived-ID>+<AAnF-routing-id>@realm<HPLMN ID>.
  • the first user device 210 may generate the AKMA temporary user identity (A-TID-USER) as the <Temporary-derived-ID> based on the SUPI, the key material (e.g., a validity and/or a random value), and KAUSF or KAKMA.
  • the temporary identifier can be any unique identifier assigned by the operator, i.e., A-KID-USER can be generated without KAUSF as well.
  • a user request for accessing the service of the application via the second user device 230 including the AKMA key user identity (e.g., A-KID-USER) generated by the first user device 210 may be provided (640) to the second user device 230.
  • the second user device 230 transmits (645), to the AKMA AF 240, an application session establishment request including the AKMA key user identity (e.g., A-KID-USER) received from the user request.
  • the AKMA AF 240 may request an authentication of the AKMA key user identity received from the second user device 230 and provided by the user.
  • the AKMA AF 240 may transmit (650), to the first NEF or first operator app 402, a request of authenticating the AKMA key user identity received from the second user device 230.
  • the first NEF or first operator app 402 may determine whether the AKMA key user identity is valid and authenticated.
  • the first NEF or first operator app 402 may compare the AKMA key user identity received from the AKMA AF 240 and the AKMA key user identity (e.g., A-KID-USER) generated by the one or more first NFs 401.
  • the first NEF or first operator app 402 may respond (655) to the AKMA AF 240 with an indication that the AKMA key user identity received from the second user device 230 is valid and authenticated. Then the AKMA AF 240 may transmit (660), to the second user device 230, a response for the application session establishment request indicating that access to the service of the application via the second user device 230, requested by the user who does not own the second user device 230, is allowed.
  • the second user device 230 may allow the user to access the service of the application via the second user device 230, for example, by displaying (665) a response for the user request with a display device.
  • the first NEF or first operator app 402 may respond (655) to the AKMA AF 240 with an indication that the AKMA key user identity received from the second user device 230 is invalid and not authenticated. Then the AKMA AF 240 may transmit (660), to the second user device 230, a response for the application session establishment request indicating that access to the service of the application via the second user device 230, requested by the user who does not own the second user device 230, is not allowed.
  • the second user device 230 may reject the user's access to the service of the application via the second user device 230, for example, by displaying (665) a response for the user request with a display device.
  • the user or the network (operators) may also refresh the user secret token and the AKMA key user identity (e.g., A-KID-USER) on a timely basis or on demand.
  • the user behind the UE may be authenticated by means of the AKMA structure, and the user may be involved in an AKMA authentication procedure.
  • the second user device 230 obtains at least one security information associated with a user profile from a user request for accessing a service of an application via the second user device 230.
  • the second user device 230 transmits, to an authentication and key management for application, AKMA, application function, AF, associated with the application via an application session establishment request, the at least one security information associated with the user profile and an identifier of the second user device 230.
  • the second user device 230 accepts or rejects the user request based on a response received from the AKMA-AF for the application session establishment request.
  • the method 700 further comprises receiving, from the AKMA-AF, the response for the application session establishment request indicating whether access to the service by a user identified by the AKMA key user identity via the apparatus is allowed; in accordance with a determination that the response indicates the access is allowed, accepting the user request; or in accordance with a determination that the response indicates the access is not allowed, rejecting the user request.
  • FIG. 8 shows a flowchart of an example method 800 implemented at a second device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 800 will be described from the perspective of the AKMA-AF 240.
  • the AKMA-AF 240 receives, from a user device via an application session establishment request, an identifier of the user device and at least one security information associated with a user profile obtained by the user device from a user request for accessing a service of an application via the user device.
  • the AKMA-AF 240 authenticates the user device by the identifier of the user device and authenticates the user by the at least one security information associated with the user profile.
  • the method 800 further comprises, in accordance with a determination that the at least one security information associated with the user profile and/or the identifier of the user device are invalid, transmitting, to the user device, the response for the application session establishment request indicating that access to the service of the application via the user device is not allowed.
  • the operator network function and the further operator network function belong to the same operator.
  • the operator network function and the further operator network function belong to different operators.
  • the at least one security information associated with the user profile comprises at least one of the following: an AKMA key user identity, and/or a user secret token.
  • FIG. 9 shows a flowchart of an example method 900 implemented at a first device in accordance with some example embodiments of the present disclosure.
  • the method 900 will be described from the perspective of the first user device 210 in FIG. 4 and FIG. 6.
  • the first user device 210 obtains, from an operator network function, a key material associated with operator network.
  • the first user device 210 generates an AKMA key user identity for accessing a service of the application based on the key material, an AKMA temporary user identity, and public land mobile network, PLMN, information of the first user device.
  • the key material comprises at least one of a validity, a random value, or a routing identifier.
  • the method 900 further comprises: obtaining the validity or random value from the key material; and generating the AKMA temporary user identity based on a subscription permanent identifier, SUPI, the validity or random value and a key associated with an authentication server function or a key associated with the AKMA.
  • the AKMA key user identity is allowed to be used for a user request for accessing a service of an application via a further user device.
  • FIG. 10 shows a flowchart of an example method 1000 implemented at a second device in accordance with some example embodiments of the present disclosure.
  • the method 1000 will be described from the perspective of the first NEF or first operator app 402 in FIG. 4 and FIG. 6.
  • the first NEF or first operator app 402 receives an AKMA key user identity from an AKMA Anchor Function, AAnF, or an Authentication Server Function, AUSF.
  • the first NEF or first operator app 402 transmits, to a user device, a key material associated with operator network.
  • the first NEF or first operator app 402 determines a validity of the further AKMA key user identity based on the AKMA key user identity obtained from the AAnF or the AUSF.
  • the method 1000 further comprises: transmitting, to the AAnF, or the AUSF, the AKMA key identity along with the key material via an AKMA application key request; and receiving the AKMA key user identity from the AAnF or the AUSF via an AKMA application key response.
  • the method 1000 further comprises: determining whether the further AKMA key user identity matches the AKMA key user identity provided by the AAnF or the AUSF; in accordance with a determination that the further AKMA key user identity matches the AKMA key user identity, determining that the further AKMA key user identity from the user request is valid and authenticated; and transmitting, to the AKMA-AF, an indication that the further AKMA key user identity is valid and authenticated.
  • the first user device 210 generates security information associated with a user profile based on the key material, an AKMA key and a SUPI associated with the apparatus.
  • FIG. 12 shows a flowchart of an example method 1200 implemented at a second device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 1200 will be described from the perspective of the AS 504 in FIG. 5.
  • the AS 504 receives, from a user device, an AKMA key identity of a user device and security information associated with the user profile via an application session establishment request.
  • the AAnF 502 obtains a key material from a UE via a NEF associated with an operator network.
  • at block 1320, the AAnF 502 generates security information associated with a user profile based on a key material, an AKMA key and a SUPI associated with a user device.
  • the apparatus further comprises means for performing other operations in some example embodiments of the method 700 or the second user device 230 as shown in FIG. 2.
  • the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the apparatus.
  • the apparatus comprises means for receiving, from a user device via an application session establishment request, an identifier of the user device and at least one security information associated with a user profile obtained by the user device from a user request for accessing a service of an application via the user device; means for authenticating the user device by the identifier of the user device and authenticating the user by the at least one security information associated with the user profile; and means for transmitting, to the user device, a response for the application session establishment request based on a result of the authentication of the user and the user device.
  • the apparatus further comprises: means for transmitting, to an operator network function, a request for authenticating the at least one security information associated with the user profile, wherein the operator network function is identified by the operator identifier associated with an AKMA key user identity; means for transmitting, to a further operator network function by which the user device is authenticated for the application, a request for authenticating the identifier of the user device; and means for, in accordance with a determination that the at least one security information associated with the user profile and the identifier of the user device are valid and authenticated, transmitting, to the user device, the response for the application session establishment request indicating that access to the service of the application via the user device is allowed.
  • the apparatus further comprises: means for in accordance with a determination that the at least one security information associated with the user profile and/or the identifier of the user device are invalid, transmitting, to the user device, the response for the application session establishment request indicating an access of the service of the application via the user device is not allowed.
  • the operator network function and the further operator network function belong to different operators.
  • the at least one security information associated with the user profile comprises at least one of the following: an AKMA key user identity, and/or a user secret token.
  • the apparatus further comprises means for performing other operations in some example embodiments of the method 800 or the AKMA-AF 240 as shown in FIG. 2.
  • the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the apparatus.
  • the apparatus comprises means for obtaining, from an operator network function, a key material associated with operator network; means for generating an AKMA key user identity for accessing a service of the application based on the key material, an AKMA temporary user identity, and public land mobile network, PLMN, information of the apparatus.
  • the key material comprises at least one of: a validity, a random value, or a routing identifier.
  • the apparatus further comprises: means for obtaining the validity or random value from the key material; and means for generating the AKMA temporary user identity based on a subscription permanent identifier, SUPI, the validity or random value and a key associated with an authentication server function or a key associated with the AKMA.
  • the AKMA key user identity is allowed to be used for a user request for accessing a service of an application via a further user device.
  • the apparatus further comprises means for performing other operations in some example embodiments of the method 900 or the first user device 210 in FIG. 4 and FIG. 6.
  • the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the first apparatus.
  • an apparatus capable of performing any of the method 1000 may comprise means for performing the respective operations of the method 1000.
  • the means may be implemented in any suitable form.
  • the means may be implemented in a circuitry or software module.
  • the second apparatus may be implemented as or included in the first NEF or first operator app 402 in FIG. 4 and FIG. 6.
  • the apparatus comprises means for receiving an AKMA key user identity from an AKMA Anchor Function, AAnF, or an Authentication Server Function, AUSF; means for transmitting, to a user device, a key material associated with operator network; means for in accordance with a determination that a request is received from an AKMA-AF associated with an application for authenticating a further AKMA key user identity provided by a user request for accessing a service of the application via a further user device, determining a validity of the further AKMA key user identity based on the AKMA key user identity obtained from the AAnF or the AUSF.
  • the apparatus further comprises: means for determining whether the further AKMA key user identity matches the AKMA key user identity provided by the AAnF or the AUSF; means for, in accordance with a determination that the further AKMA key user identity matches the AKMA key user identity, determining that the further AKMA key user identity from the user request is valid and authenticated; and means for transmitting, to the AKMA-AF, an indication that the further AKMA key user identity is valid and authenticated.
  • the apparatus comprises operator network function.
  • the second apparatus further comprises means for performing other operations in some example embodiments of the method 1000 or the first NEF or first operator app 402 in FIG. 4 and FIG. 6.
  • the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the second apparatus.
  • an apparatus capable of performing any of the method 1100 may comprise means for performing the respective operations of the method 1100.
  • the means may be implemented in any suitable form.
  • the means may be implemented in a circuitry or software module.
  • the apparatus may be implemented as or included in the first user device 210 in FIG. 5.
  • the key material at least indicates a validity or a random value.
  • the first apparatus further comprises: means for receiving, from the application server, a response for the application session establishment request for indicating whether an application session establishment is accepted.
  • the apparatus further comprises means for performing other operations in some example embodiments of the method 1100 or the first user device 210 in FIG. 5.
  • the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the first apparatus.
  • an apparatus capable of performing any of the method 1200 may comprise means for performing the respective operations of the method 1200.
  • the means may be implemented in any suitable form.
  • the means may be implemented in a circuitry or software module.
  • the second apparatus may be implemented as or included in the AS 504 in FIG. 5.
  • the apparatus further comprises means for performing other operations in some example embodiments of the method 1200 or the AS 504 in FIG. 5.
  • the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the second apparatus.
  • an apparatus capable of performing any of the method 1300 may comprise means for performing the respective operations of the method 1300.
  • the means may be implemented in any suitable form.
  • the means may be implemented in a circuitry or software module.
  • the apparatus may be implemented as or included in the AAnF 502 in FIG. 5.
  • the apparatus comprises means for obtaining a key material from a UE via NEF associated with an operator network; means for generating security information associated with a user profile based on a key material, an AKMA key and a SUPI associated with a user device; means for receiving, from AS, a request for obtaining an AKMA application key including the AKMA key identity and a further security information; and means for transmitting, to the AS, an AKMA application key response based on a comparison of the generated security information and the further security information.
  • the apparatus further comprises: means for comparing the further security information with the generated security information; and means for in accordance with a determination that the further security information matches the generated security information, transmitting, to the AS, the AKMA application key response indicating the further security information is authenticated.
  • the apparatus further comprises means for performing other operations in some example embodiments of the method 1300 or the AAnF 502 in FIG. 5.
  • the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the third apparatus.
  • FIG. 14 is a simplified block diagram of a device 1400 that is suitable for implementing example embodiments of the present disclosure.
  • the device 1400 may be provided to implement a communication device, for example, the second user device 130 and the AKMA-AF 240 as shown in FIG. 2.
  • the device 1400 includes one or more processors 1410, one or more memories 1420 coupled to the processor 1410, and one or more communication modules 1440 coupled to the processor 1410.
  • the communication module 1440 is for bidirectional communications.
  • the communication module 1440 has one or more communication interfaces to facilitate communication with one or more other modules or devices.
  • the communication interfaces may represent any interface that is necessary for communication with other network elements.
  • the communication module 1440 may include at least one antenna.
  • the processor 1410 may be of any type suitable to the local technical network and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples.
  • the device 1400 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
  • the memory 1420 may include one or more non-volatile memories and one or more volatile memories.
  • the non-volatile memories include, but are not limited to, a Read Only Memory (ROM) 1424, an electrically programmable read only memory (EPROM), a flash memory, a hard disk, a compact disc (CD), a digital video disk (DVD), an optical disk, a laser disk, and other magnetic storage and/or optical storage.
  • a computer program 1430 includes computer executable instructions that are executed by the associated processor 1410.
  • the instructions of the program 1430 may include instructions for performing operations/acts of some example embodiments of the present disclosure.
  • the program 1430 may be stored in the memory, e.g., the ROM 1424.
  • the processor 1410 may perform any suitable actions and processing by loading the program 1430 into the RAM 1422.
  • the example embodiments of the present disclosure may be implemented by means of the program 1430 so that the device 1400 may perform any process of the disclosure as discussed with reference to FIG. 2 to FIG. 13.
  • the example embodiments of the present disclosure may also be implemented by hardware or by a combination of software and hardware.
  • FIG. 15 shows an example of the computer readable medium 1500 which may be in form of CD, DVD or other optical storage disk.
  • the computer readable medium 1500 has the program 1430 stored thereon.
  • Some example embodiments of the present disclosure also provide at least one computer program product tangibly stored on a computer readable medium, such as a non-transitory computer readable medium.
  • the computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target physical or virtual processor, to carry out any of the methods as described above.
  • program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types.
  • the functionality of the program modules may be combined or split between program modules as desired in various embodiments.
  • Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
  • Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages.
  • the program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowcharts and/or block diagrams to be implemented.
  • the program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
  • the computer program code or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above.
  • Examples of the carrier include a signal, computer readable medium, and the like.
  • the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
  • a computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
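The A-KID-USER issue and check of signaling chart 600 (steps 615 to 660), as an added model that is not the patent's or 3GPP's code: the operator side and the first user device derive the same identity from the shared key material, and the AKMA AF obtains its verdict by the operator's comparison. The derivation function (HMAC-SHA-256), the realm string and every sample value are assumptions, since the page names the inputs of A-TID-USER but not the function.

```python
"""Model of the A-KID-USER issue/verify flow of signaling chart 600 (steps 615-660).

Added illustration, not code from the patent or from 3GPP. The page names the
inputs of A-TID-USER (SUPI, validity/random value, K_AUSF or K_AKMA) but not the
derivation; HMAC-SHA-256, the realm string and every sample value are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed placeholders (not values from the page).
SUPI = "imsi-001010123456789"
K_AKMA = bytes.fromhex("00" * 16 + "ff" * 16)   # 256-bit K_AKMA, constructed
HPLMN_REALM = "realm-hplmn-00101.example"        # stands in for "realm<HPLMN ID>"
AANF_ROUTING_ID = "0042"                          # RI-A, constructed


def derive_a_tid_user(k_akma: bytes, supi: str, validity: int, rand: bytes) -> str:
    """A-TID-USER from SUPI, key material (validity, random value) and K_AKMA.

    Assumption: HMAC-SHA-256 keyed with K_AKMA, truncated to 128 bits (hex).
    """
    msg = supi.encode() + validity.to_bytes(8, "big") + rand
    return hmac.new(k_akma, msg, hashlib.sha256).hexdigest()[:32]


def build_a_kid_user(a_tid_user: str, routing_id: str, realm: str) -> str:
    """Page format: <Temporary-derived-ID>+<AAnF-routing-id>@realm<HPLMN ID>."""
    return f"{a_tid_user}+{routing_id}@{realm}"


class OperatorSide:
    """First NFs 401 (AAnF/AUSF) with the first NEF 402: steps 615-625 and 650-655."""

    def __init__(self, k_akma: bytes, supi: str) -> None:
        self.k_akma = k_akma
        self.supi = supi
        self.expected = None   # (A-KID-USER generated by the NFs, validity)

    def issue_key_material(self, now: int, lifetime: int) -> dict:
        validity = now + lifetime
        rand = secrets.token_bytes(16)
        a_tid = derive_a_tid_user(self.k_akma, self.supi, validity, rand)
        # Step 620: the NFs hand their own A-KID-USER to the NEF, which keeps it
        # for the later comparison; the UE gets only the key material (step 625).
        self.expected = (build_a_kid_user(a_tid, AANF_ROUTING_ID, HPLMN_REALM), validity)
        return {"validity": validity, "random": rand, "routing_id": AANF_ROUTING_ID}

    def authenticate_user_identity(self, presented: str, now: int) -> bool:
        """Step 655: valid only if it matches the generated identity and is not expired."""
        if self.expected is None:
            return False
        stored, validity = self.expected
        return now <= validity and hmac.compare_digest(stored, presented)


class FirstUserDevice:
    """First user device 210: derives the same A-KID-USER from the key material (step 630)."""

    def __init__(self, k_akma: bytes, supi: str) -> None:
        self.k_akma, self.supi = k_akma, supi

    def generate_a_kid_user(self, key_material: dict) -> str:
        a_tid = derive_a_tid_user(self.k_akma, self.supi,
                                  key_material["validity"], key_material["random"])
        return build_a_kid_user(a_tid, key_material["routing_id"], HPLMN_REALM)


class AkmaAF:
    """AKMA AF 240: asks the operator to authenticate the presented identity (650-660)."""

    def __init__(self, operator: OperatorSide) -> None:
        self.operator = operator

    def handle_session_request(self, a_kid_user: str, now: int) -> str:
        ok = self.operator.authenticate_user_identity(a_kid_user, now)
        return "allowed" if ok else "not allowed"


def run_flow(now: int = 1_700_000_000, lifetime: int = 3600,
             presented_at: Optional[int] = None, corrupt: bool = False) -> str:
    """One end-to-end run; returns the AKMA AF's verdict for the second user device.

    corrupt=True alters one character of the temporary id before it is presented
    (steps 640/645); presented_at later than the validity models a stale identity.
    """
    operator = OperatorSide(K_AKMA, SUPI)
    ue = FirstUserDevice(K_AKMA, SUPI)
    af = AkmaAF(operator)
    key_material = operator.issue_key_material(now, lifetime)     # steps 615-625
    a_kid_user = ue.generate_a_kid_user(key_material)              # step 630
    if corrupt:
        tid, rest = a_kid_user.split("+", 1)
        tid = tid[:-1] + ("0" if tid[-1] != "0" else "1")
        a_kid_user = f"{tid}+{rest}"
    t = now if presented_at is None else presented_at
    return af.handle_session_request(a_kid_user, t)               # steps 645-660


if __name__ == "__main__":
    print(run_flow())                                   # allowed
    print(run_flow(corrupt=True))                       # not allowed
    print(run_flow(presented_at=1_700_000_000 + 7200))  # not allowed (validity passed)
```

The refresh mentioned for the user secret token and A-KID-USER corresponds here to calling issue_key_material again, which replaces the stored identity so an older one stops verifying.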


Abstract

Embodiments of the present disclosure relate to methods, devices, apparatuses and computer readable storage media for a procedure for user authentication behind a user device. The method comprises: obtaining key material from a network exposure function (NEF) associated with an operator network; generating security information associated with a user profile based on the key material, an Authentication and Key Management for Applications (AKMA) key and a subscription permanent identifier (SUPI) associated with the apparatus; and providing, to an application server, the AKMA key identity of the apparatus and the generated security information associated with the user profile via an application session establishment request.

Description

USER AUTHENTICATION BEHIND A USER DEVICE
FIELDS
[0001] Various example embodiments of the present disclosure generally relate to the field of telecommunication and in particular, to methods, devices, apparatuses and computer readable storage media for a procedure for user authentication behind a user device.
BACKGROUND
[0002] As security and privacy of user information in mobile communication networks have drawn increasing attention, the development of the 5G system has demanded new protocols to realize authentication and key management services. For this purpose, the Authentication and Key Management for Applications (AKMA) service aims at establishing authenticated communication between users and application functions.
SUMMARY
[0003] In a first aspect of the present disclosure, there is provided an apparatus. The apparatus comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: obtain at least one security information associated with a user profile from a user request for accessing a service of an application via the apparatus; transmit, to an AKMA application function (AKMA-AF) associated with the application, via an application session establishment request, the at least one security information associated with the user profile and an identifier of the apparatus; and accept or reject the user request based on a response received from the AKMA-AF for the application session establishment request.
[0004] In a second aspect of the present disclosure, there is provided an apparatus. The apparatus comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: receive, from a user device via an application session establishment request, an identifier of the user device and at least one security information associated with a user profile obtained by the user device from a user request for accessing a service of an application via the user device; authenticate the user device by the identifier of the user device and authenticate the user by the at least one security information associated with the user profile; and transmit, to the user device, a response for the application session establishment request based on a result of the authentication of the user and the user device.
[0005] In a third aspect of the present disclosure, there is provided a method. The method comprises: obtaining, at a user device, at least one security information associated with a user profile from a user request for accessing a service of an application via the user device; transmitting, to an AKMA-AF associated with the application, via an application session establishment request, the at least one security information associated with the user profile and an identifier of the user device; and accepting or rejecting the user request based on a response received from the AKMA-AF for the application session establishment request.
[0006] In a fourth aspect of the present disclosure, there is provided a method. The method comprises: receiving, at an AKMA-AF from a user device via an application session establishment request, an identifier of the user device and at least one security information associated with a user profile obtained by the user device from a user request for accessing a service of an application via the user device; authenticating the user device by the identifier of the user device and authenticating the user by the at least one security information associated with the user profile; and transmitting, to the user device, a response for the application session establishment request based on a result of the authentication of the user and the user device.
[0007] In a fifth aspect of the present disclosure, there is provided an apparatus. The apparatus comprises means for obtaining, at a user device, at least one security information associated with a user profile from a user request for accessing a service of an application via the apparatus; means for transmitting, to an AKMA-AF associated with the application, via an application session establishment request, the at least one security information associated with the user profile and an identifier of the apparatus; and means for accepting or rejecting the user request based on a response received from the AKMA-AF for the application session establishment request.
[0008] In a sixth aspect of the present disclosure, there is provided an apparatus. The apparatus comprises means for receiving, from a user device via an application session establishment request, an identifier of the user device and at least one security information associated with a user profile obtained by the user device from a user request for accessing a service of an application via the user device; means for authenticating the user device by the identifier of the user device and authenticating the user by the at least one security information associated with the user profile; and means for transmitting, to the user device, a response for the application session establishment request based on a result of the authentication of the user and the user device.
[0009] In a seventh aspect of the present disclosure, there is provided a computer readable medium. The computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the third aspect.
[0010] In an eighth aspect of the present disclosure, there is provided a computer readable medium. The computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the fourth aspect.
[0011] In a ninth aspect of the present disclosure, there is provided an apparatus. The apparatus comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: obtain, from an operator network function, key material associated with the operator network; and generate an AKMA key user identity for accessing a service of an application based on the key material, an AKMA temporary user identity, and public land mobile network (PLMN) information of the apparatus.
[0012] In a tenth aspect of the present disclosure, there is provided an apparatus. The apparatus comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: receive an AKMA key user identity from an AKMA Anchor Function (AAnF) or an Authentication Server Function (AUSF); transmit, to a user device, key material associated with the operator network; and, in accordance with a determination that a request is received from an AKMA-AF associated with an application for authenticating a further AKMA key user identity provided by a user request for accessing a service of the application via a further user device, determine the validity of the further AKMA key user identity based on the AKMA key user identity obtained from the AAnF or the AUSF.
[0013] In an eleventh aspect of the present disclosure, there is provided a method. The method comprises: obtaining, at a user device from an operator network function, key material associated with the operator network; and generating an AKMA key user identity for accessing a service of an application based on the key material, an AKMA temporary user identity, and PLMN information of the user device.
[0014] In a twelfth aspect of the present disclosure, there is provided a method. The method comprises: receiving, at an operator network function (NF), an AKMA key user identity from an AAnF or an AUSF; transmitting, to a user device, key material associated with the operator network; and, in accordance with a determination that a request is received from an AKMA-AF associated with an application for authenticating a further AKMA key user identity provided by a user request for accessing a service of the application via a further user device, determining the validity of the further AKMA key user identity based on the AKMA key user identity obtained from the AAnF or the AUSF.
[0015] In a thirteenth aspect of the present disclosure, there is provided an apparatus. The apparatus comprises means for obtaining, from an operator network function, key material associated with the operator network; and means for generating an AKMA key user identity for accessing a service of an application based on the key material, an AKMA temporary user identity, and PLMN information of the apparatus.
[0016] In a fourteenth aspect of the present disclosure, there is provided an apparatus. The apparatus comprises means for receiving an AKMA key user identity from an AAnF or an AUSF; means for transmitting, to a user device, key material associated with the operator network; and means for determining, in accordance with a determination that a request is received from an AKMA-AF associated with an application for authenticating a further AKMA key user identity provided by a user request for accessing a service of the application via a further user device, the validity of the further AKMA key user identity based on the AKMA key user identity obtained from the AAnF or the AUSF.
[0017] In a fifteenth aspect of the present disclosure, there is provided a computer readable medium. The computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the eleventh aspect.
[0018] In a sixteenth aspect of the present disclosure, there is provided a computer readable medium. The computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the twelfth aspect.
[0019] In a seventeenth aspect of the present disclosure, there is provided an apparatus. The apparatus comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: obtain key material from a network exposure function (NEF) associated with an operator network; generate security information associated with a user profile based on the key material, an AKMA key and a subscription permanent identifier (SUPI) associated with the apparatus; and provide, to an application server (AS), the AKMA key identity of the apparatus and the generated security information associated with the user profile via an application session establishment request.
[0020] In an eighteenth aspect of the present disclosure, there is provided an apparatus. The apparatus comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: receive, from a user device, an AKMA key identity of the user device and security information associated with a user profile via an application session establishment request; transmit, to an AKMA Anchor Function (AAnF) associated with an operator network, a request for obtaining an AKMA application key, the request including the AKMA key identity and the security information; and transmit, to the user device, a response for the application session establishment request based on an AKMA application key response received from the AAnF.
[0021] In a nineteenth aspect of the present disclosure, there is provided an apparatus. The apparatus comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: obtain key material from a user equipment (UE) via a NEF associated with an operator network; generate security information associated with a user profile based on the key material, an AKMA key and a SUPI associated with a user device; receive, from an AS, a request for obtaining an AKMA application key, the request including the AKMA key identity and further security information; and transmit, to the AS, an AKMA application key response based on a comparison of the generated security information and the further security information.
[0022] In a twentieth aspect of the present disclosure, there is provided a method. The method comprises: obtaining, at a user device, key material from a network exposure function (NEF) associated with an operator network; generating security information associated with a user profile based on the key material, an AKMA key and a SUPI associated with the user device; and providing, to an application server, the AKMA key identity of the user device and the generated security information associated with the user profile via an application session establishment request.
[0023] In a twenty-first aspect of the present disclosure, there is provided a method. The method comprises: receiving, at an application server (AS) from a user device, an AKMA key identity of the user device and security information associated with a user profile via an application session establishment request; transmitting, to an AAnF associated with an operator network, a request for obtaining an AKMA application key, the request including the AKMA key identity and the security information; and transmitting, to the user device, a response for the application session establishment request based on an AKMA application key response received from the AAnF.
[0024] In a twenty-second aspect of the present disclosure, there is provided a method. The method comprises: obtaining, at an AAnF, key material from a UE via a NEF associated with an operator network; generating security information associated with a user profile based on the key material, an AKMA key and a SUPI associated with a user device; receiving, from an AS, a request for obtaining an AKMA application key, the request including the AKMA key identity and further security information; and transmitting, to the AS, an AKMA application key response based on a comparison of the generated security information and the further security information.
[0025] In a twenty-third aspect of the present disclosure, there is provided an apparatus. The apparatus comprises means for obtaining key material from a NEF associated with an operator network; means for generating security information associated with a user profile based on the key material, an AKMA key and a SUPI associated with the apparatus; and means for providing, to an application server, the AKMA key identity of the apparatus and the generated security information associated with the user profile via an application session establishment request.
[0026] In a twenty-fourth aspect of the present disclosure, there is provided an apparatus. The apparatus comprises means for receiving, from a user device, an AKMA key identity of the user device and security information associated with a user profile via an application session establishment request; means for transmitting, to an AAnF associated with an operator network, a request for obtaining an AKMA application key, the request including the AKMA key identity and the security information; and means for transmitting, to the user device, a response for the application session establishment request based on an AKMA application key response received from the AAnF.
[0027] In a twenty-fifth aspect of the present disclosure, there is provided an apparatus. The apparatus comprises means for obtaining key material from a UE via a NEF associated with an operator network; means for generating security information associated with a user profile based on the key material, an AKMA key and a SUPI associated with a user device; means for receiving, from an AS, a request for obtaining an AKMA application key, the request including the AKMA key identity and further security information; and means for transmitting, to the AS, an AKMA application key response based on a comparison of the generated security information and the further security information.
[0028] In a twenty-sixth aspect of the present disclosure, there is provided a computer readable medium. The computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the twentieth aspect.
[0029] In a twenty-seventh aspect of the present disclosure, there is provided a computer readable medium. The computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the twenty first aspect.
[0030] In a twenty-eighth aspect of the present disclosure, there is provided a computer readable medium. The computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the twenty second aspect.
[0031] It is to be understood that the Summary section is not intended to identify key or essential features of embodiments of the present disclosure, nor is it intended to be used to limit the scope of the present disclosure. Other features of the present disclosure will become easily comprehensible through the following description.
BRIEF DESCRIPTION OF THE DRAWINGS
[0032] Some example embodiments will now be described with reference to the accompanying drawings, where:
[0033] FIG. 1 illustrates an example AKMA architecture according to some example embodiments of the present disclosure;
[0034] FIG. 2 illustrates an example communication environment in which example embodiments of the present disclosure can be implemented;
[0035] FIG. 3 illustrates a signaling chart for communication according to some example embodiments of the present disclosure;
[0036] FIG. 4 illustrates a signaling chart for communication according to some example embodiments of the present disclosure;
[0037] FIG. 5 illustrates a signaling chart for communication according to some example embodiments of the present disclosure;
[0038] FIG. 6 illustrates a signaling chart for communication according to some example embodiments of the present disclosure;
[0039] FIG. 7 illustrates a flowchart of a method implemented at an apparatus according to some example embodiments of the present disclosure;
[0040] FIG. 8 illustrates a flowchart of a method implemented at an apparatus according to some example embodiments of the present disclosure;
[0041] FIG. 9 illustrates a flowchart of a method implemented at an apparatus according to some example embodiments of the present disclosure;
[0042] FIG. 10 illustrates a flowchart of a method implemented at an apparatus according to some example embodiments of the present disclosure;
[0043] FIG. 11 illustrates a flowchart of a method implemented at an apparatus according to some example embodiments of the present disclosure;
[0044] FIG. 12 illustrates a flowchart of a method implemented at an apparatus according to some example embodiments of the present disclosure;
[0045] FIG. 13 illustrates a flowchart of a method implemented at an apparatus according to some example embodiments of the present disclosure;
[0046] FIG. 14 illustrates a simplified block diagram of a device that is suitable for implementing example embodiments of the present disclosure; and
[0047] FIG. 15 illustrates a block diagram of an example computer readable medium in accordance with some example embodiments of the present disclosure.
[0048] Throughout the drawings, the same or similar reference numerals represent the same or similar element.
DETAILED DESCRIPTION
[0049] Principles of the present disclosure will now be described with reference to some example embodiments. It is to be understood that these embodiments are described only for the purpose of illustration and to help those skilled in the art understand and implement the present disclosure, without suggesting any limitation as to the scope of the disclosure. Embodiments described herein can be implemented in various manners other than the ones described below.
[0050] In the following description and claims, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skills in the art to which this disclosure belongs.
[0051] References in the present disclosure to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
[0052] It shall be understood that although the terms “first,” “second,”..., etc. in front of noun(s) and the like may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another and they do not limit the order of the noun(s). For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments. As used herein, the term “and/or” includes any and all combinations of one or more of the listed terms.
[0053] As used herein, “at least one of the following: <a list of two or more elements>” and “at least one of <a list of two or more elements>” and similar wording, where the list of two or more elements are joined by “and” or “or”, mean at least any one of the elements, or at least any two or more of the elements, or at least all the elements.
[0054] As used herein, unless stated explicitly, performing a step “in response to A” does not indicate that the step is performed immediately after “A” occurs, and one or more intervening steps may be included.
[0055] The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises”, “comprising”, “has”, “having”, “includes” and/or “including”, when used herein, specify the presence of stated features, elements, and/or components etc., but do not preclude the presence or addition of one or more other features, elements, components and/or combinations thereof.
[0056] As used in this application, the term “circuitry” may refer to one or more or all of the following:
(a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) and
(b) combinations of hardware circuits and software, such as (as applicable):
(i) a combination of analog and/or digital hardware circuit(s) with software/firmware and
(ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions, and
(c) hardware circuit(s) and/or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
[0057] This definition of circuitry applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular network device, or other computing or network device.
[0058] As used herein, the term “communication network” refers to a network following any suitable communication standards, such as New Radio (NR), Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT) and so on. Furthermore, the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, the fifth generation (5G), the sixth generation (6G) communication protocols, and/or any other protocols either currently known or to be developed in the future. Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned system.
[0059] As used herein, the term “network device” refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom. The network device may refer to a base station (BS) or an access point (AP), for example, a node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), an NR NB (also referred to as a gNB), a Remote Radio Unit (RRU), a radio header (RH), a remote radio head (RRH), a relay, an Integrated Access and Backhaul (IAB) node, a low power node such as a femto, a pico, a non-terrestrial network (NTN) or non-ground network device such as a satellite network device, a low earth orbit (LEO) satellite and a geosynchronous earth orbit (GEO) satellite, an aircraft network device, and so forth, depending on the applied terminology and technology. In some example embodiments, radio access network (RAN) split architecture comprises a Centralized Unit (CU) and a Distributed Unit (DU) at an IAB donor node. An IAB node comprises a Mobile Terminal (IAB-MT) part that behaves like a UE toward the parent node, and a DU part of an IAB node behaves like a base station toward the next-hop IAB node.
[0060] The term “terminal device” refers to any end device that may be capable of wireless communication. By way of example rather than limitation, a terminal device may also be referred to as a communication device, user equipment (UE), a Subscriber Station (SS), a Portable Subscriber Station, a Mobile Station (MS), or an Access Terminal (AT). The terminal device may include, but is not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computers, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), an Internet of Things (IoT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and/or other wireless devices operating in an industrial and/or an automated processing chain context), a consumer electronics device, a device operating on commercial and/or industrial wireless networks, and the like. The terminal device may also correspond to a Mobile Termination (MT) part of an IAB node (e.g., a relay node). In the following description, the terms “terminal device”, “communication device”, “terminal”, “user equipment” and “UE” may be used interchangeably.
[0061] As used herein, the term “resource,” “transmission resource,” “resource block,” “physical resource block” (PRB), “uplink resource,” or “downlink resource” may refer to any resource for performing a communication, for example, a communication between a terminal device and a network device, such as a resource in time domain, a resource in frequency domain, a resource in space domain, a resource in code domain, or any other combination of the time, frequency, space and/or code domain resource enabling a communication, and the like. In the following, unless explicitly stated, a resource in both frequency domain and time domain will be used as an example of a transmission resource for describing some example embodiments of the present disclosure. It is noted that example embodiments of the present disclosure are equally applicable to other resources in other domains.
[0062] 5G AKMA is a cellular-network-based delegated authentication service: it enables applications to leverage the primary authentication of the UE performed by the operator network as a bootstrap, and derives the necessary application security keys for the UE from it.
[0063] FIG. 1 shows an example AKMA architecture 100 according to some example embodiments of the present disclosure. As shown, the 5G AKMA service may include a user device 110, a home network (HN) 120 and an Application Function (AF) 130.
[0064] The HN 120 represents the mobile network operator, which authenticates users and helps application providers reach an agreement with the users on session keys in the AKMA service. Several functions are located within the HN 120, such as a Unified Data Management (UDM) 121, an AKMA Anchor Function (AAnF) 122, an Authentication Server Function (AUSF) 123 and a Network Exposure Function (NEF) 124. The UDM 121 stores information about all subscribers of the HN 120. The AAnF 122 manages temporary information about subscribers and generates temporary session keys (KAF) for the application functions. The AUSF 123 connects the UDM 121 and the AAnF 122: it obtains the 5G authentication vector from the UDM 121 and generates the related AKMA key material. The NEF 124 establishes the connection between the AAnF 122 and the AF 130 when the target AF is located outside the HN 120.
[0065] The AF 130 may be considered an application provider or a service provider, representing the online services that the user may wish to use. The goal of AKMA is to help establish a secure channel (i.e., to exchange a secret key) between the AF 130 and the user device 110, with authentication of the UE delegated to its HN 120.
[0066] The application in the UE obtains the AKMA Application Key (KAF) pertaining to its AF Identifier (AF ID). The KAF in the UE is derived from, and thus leverages, the primary authentication that the UE performs with the network. The process is that the AS authenticates a UE with the A-KID (derived from the A-TID, which is itself derived from KAUSF, and the Home Network Identifier) and KAF (derived from KAKMA, which is derived from KAUSF, and the AF ID).
[0067] A study of identifying the potential security requirements to support mobile metaverse has been initiated. The main objectives of this study may comprise how to authenticate the user behind the UE when multiple users access the same device or when a single user owns multiple devices and how to expose the user authentication results to the 5G Core Network (5GC).
[0068] There is currently no way for an application relying on the AKMA procedure to authenticate the user behind a UE. For example, the metaverse study requests authentication of the user behind a UE. When an arbitrary user starts using a device that is allowed to be shared with other users, AKMA is a very prominent procedure for authenticating the UE (i.e., the public user device here) via 5GC. However, AKMA does not support authenticating the user behind the UE. As another example, an Internet of Things (IoT) device (e.g., an electric meter, a V2X device, a robot, etc.) may authenticate itself to an application server (AS)/AF using the AKMA procedure. Additionally, for some use cases where user intervention is needed, it is necessary for the application server (AS) to know that the IoT device is being operated by a valid user. Here the AS needs to authenticate the IoT device based on user inputs as well (i.e., some secret which the network knows that only the valid user could provide).
[0069] Furthermore, the existing AKMA authentication procedure involves no user in cases where user intervention is needed. If the handset is available to any other user, the UE will still be able to connect to the AS with AKMA. Banking sites and other security-critical authentication frameworks support user intervention during authentication to ensure that the user is the actual user even if the UE being used is authentic. However, this mechanism is missing in AKMA. For example, a user (e.g., a doctor) needs to intervene when a robotic arm (a UE) starts operating and performs surgery on a patient. Without the doctor's intervention (by providing secret credentials), the robotic arm will not be authenticated, even when the UE alone authenticates with the AS and when another authentic user (e.g., a nurse) tries to control the robotic arm.
[0070] Therefore, the present disclosure proposes a mechanism for authenticating the user behind a UE via 5GC. In this solution, a public user device obtains at least one security information associated with a user profile from a user request for accessing a service of an application via the public user device. The public user device transmits, to an AKMA-AF associated with the application via an application session establishment request, the at least one security information obtained from the user request and the identifier of the public user device. Based on the response to the application session establishment request received from the AKMA-AF, the public user device accepts or rejects the user request.
[0071] Example embodiments of the present disclosure will be described in detail below with reference to the accompanying drawings.
[0072] FIG. 1 illustrates an example communication environment 200 in which example embodiments of the present disclosure can be implemented. The communication environment 200 involves a first user device 210 and a first operator network function (NF) 220-1, which may communicate with each other. The first operator NF 220-1 may also be referred to as a first operator AF.
[0073] The communication environment 200 further involves a second user device 230 and a second operator NF 220-2, which may communicate with each other. The second operator NF 220-2 may also be referred to as a second operator AF.
[0074] In some scenarios, the second user device 230 may be considered a user device that is allowed to be shared with other users, e.g., a metaverse gaming machine installed in a mall.
[0075] The first operator NF 220-1 may provide/manage one or more network services to the first user device 210 by interacting with one or more network functions such as NEF, AUSF, AAnF and UDM. The second operator NF 220-2 may provide/manage one or more network services to the second user device 230 by interacting with one or more network functions such as NEF, AUSF, AAnF and UDM.
[0076] In some other embodiments, the first operator NF 220-1 may also comprise or integrate with one or more network functions such as NEF, AUSF, AAnF and UDM. In some embodiments, the second operator NF 220-2 may also comprise or integrate with one or more network functions such as NEF, AUSF, AAnF and UDM.
[0077] In some example embodiments, the first operator NF 220-1 and the second operator NF 220-2 may be the same and referred to as operator NF 220 collectively. That is, both the first user device 210 and the second user device 230 may access a same network associated with the operator NF 220.
[0078] The communication environment 200 further involves an AKMA AF 240, which may communicate with the first operator NF 220-1 and the second operator NF 220-2 to provide authentication and key management for applications.
[0079] It is to be understood that the number of network functions or user devices shown in FIG. 1 is given for the purpose of illustration without suggesting any limitations. The communication environment 200 may include any suitable number of the units or devices mentioned above.
[0080] Communications in the communication environment 200 may be implemented according to any proper communication protocol(s), comprising, but not limited to, cellular communication protocols of the first generation (1G), the second generation (2G), the third generation (3G), the fourth generation (4G), the fifth generation (5G), the sixth generation (6G), and the like, wireless local network communication protocols such as Institute of Electrical and Electronics Engineers (IEEE) 802.11 and the like, and/or any other protocols currently known or to be developed in the future. Moreover, the communication may utilize any proper wireless communication technology, comprising but not limited to: Code Division Multiple Access (CDMA), Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Frequency Division Duplex (FDD), Time Division Duplex (TDD), Multiple-Input Multiple-Output (MIMO), Orthogonal Frequency Division Multiplexing (OFDM), Discrete Fourier Transform spread OFDM (DFT-s-OFDM) and/or any other technologies currently known or to be developed in the future.
[0081] As described, AKMA provides a mechanism in which only the UE can be authenticated. One of the solutions in the present disclosure aims to authenticate the user behind a UE by an application relying on the AKMA procedure. This involves an agreement of user details between the network and the user, an interaction of the AKMA AF with network functions such as NEF, AAnF and UDM, and an authentication of both the UE and the user behind it. More details will be described with reference to FIG. 3.
[0082] Now reference is made to FIG. 3, which shows a signaling chart 300 illustrating an example process according to some example embodiments of the present disclosure. The signaling chart 300 involves the first user device 210, the second user device 230, the first operator NF 220-1, the second operator NF 220-2 and the AKMA AF 240. For the purpose of discussion, reference is made to FIG. 2 to describe the signaling chart 300.
[0083] In some scenarios associated with the signaling chart 300, the first user device 210 may be considered a user device owned by a user. The second user device 230 may be considered a user device that is allowed to be shared with other users, e.g., a metaverse gaming machine installed in a mall. The first operator NF 220-1 and the second operator NF 220-2 may be the same operator NF or different operator NFs.
[0084] In the process shown in FIG. 3, the first operator NF 220-1 and the second operator NF 220-2 may interact with one or more network functions such as NEF, AUSF, AAnF and UDM, which are not shown in FIG. 3.
[0085] As shown in FIG. 3, during the primary authentication, the first user device 210 owned by a user may determine an AKMA key identifier (e.g., A-KIDA) of the first user device 210 by a signaling exchange (305) with the first operator NF 220-1 (which may also be considered an AF associated with a trusted application). The application may be hosted by the home network operator of the user, which may provide the application service to the first user device 210 owned by the user. The first operator NF 220-1 may belong to the home network operator.
[0086] The first user device 210 may determine at least one security information associated with the user profile by a further signaling exchange (310) with the first operator NF 220-1. For example, the at least one security information associated with the user profile may comprise an AKMA key user identity (e.g., A-KID-USERA) and/or a user secret token.
[0087] By using the signaling exchanges (305) and (310), the at least one security information associated with the user profile (e.g., A-KID-USERA and/or a user secret token) may be agreed independently between the first operator NF 220-1 and the first user device 210. How the at least one security information associated with the user profile (e.g., A-KID-USERA and/or a user secret token) is determined between the UE and the network will be further described later and is not described with the signaling chart 300.
[0088] Similarly, the second user device 230 may also determine an AKMA key identifier of the second user device 230 (e.g., A-KIDB) by a signaling exchange (315) with the second operator NF 220-2 (which may also be considered as AF associated with a trusted application).
[0089] It is to be understood that the first operator NF 220-1 and the second operator NF 220-2 in FIG. 3 may belong to the same operator or different operators.
[0090] If the user owning the first user device 110 intends to access a service of the application via the second user device 230, for example, the second user device 230 receives (320) a user request for accessing the service of the application via the second user device 230, and the second user device 230 may obtain, from the user request, the at least one security information associated with the user profile of the user.
[0091] The second user device 230 then transmits (325) to the AKMA AF 240 an application session establishment request including the at least one security information associated with the user profile (e.g., A-KID-USERA and/or a user secret token) and the AKMA key identifier of the second user device 230 (e.g., A-KIDB).
[0092] For authenticating the user who requests to access the service of the application via the second user device 230, the AKMA AF 240 may request an authentication of the at least one security information associated with the user profile of the user.
[0093] The AKMA AF 240 may transmit (330), to the first operator NF 220-1, a request for authenticating the at least one security information associated with the user profile (e.g., A-KID-USERA and/or a user secret token), where the first operator NF 220-1 is identified by the operator identifier associated with the AKMA key user identity. The first operator NF 220-1 may respond (335) to the AKMA AF 240 with an indication of whether the at least one security information is valid and authenticated.
[0094] The second user device 230 may be authenticated by the AKMA AF 240 transmitting (340), to the second operator NF 220-2, a request for authenticating the AKMA key identifier of the second user device 230 (e.g., A-KIDB). The second operator NF 220-2 may respond (345) to the AKMA AF 240 with an indication of whether the AKMA key identifier of the second user device 230 (e.g., A-KIDB) is valid and authenticated.
[0095] If the AKMA AF 240 determines, based on the responses from the first operator NF 220-1 and the second operator NF 220-2, that the at least one security information associated with the user profile and the AKMA key identifier of the second user device 230 are both valid and authenticated, the AKMA AF 240 may transmit (350), to the second user device 230, a response to the application session establishment request indicating that access to the service of the application via the second user device 230, requested by the user who does not own the second user device 230, is allowed. Then the second user device 230 may allow the user to access the service of the application via the second user device 230, for example, by displaying (355) a response to the user request with a display device.
[0096] By contrast, if the AKMA AF 240 determines, based on the responses from the first operator NF 220-1 and the second operator NF 220-2, that the at least one security information associated with the user profile and/or the AKMA key identifier of the second user device 230 is/are not valid and authenticated, the AKMA AF 240 may transmit (350), to the second user device 230, a response to the application session establishment request indicating that access to the service of the application via the second user device 230, requested by the user who does not own the second user device 230, is not allowed. Then the second user device 230 may reject the user's access to the service of the application via the second user device 230, for example, by displaying (355) a response to the user request with a display device.
[0097] Now reference is made to FIG. 4, which shows a signaling chart 400 illustrating an example process according to some example embodiments of the present disclosure. The signaling chart 400 involves the first user device 210, the second user device 230, the one or more first NFs 401, the first NEF or first operator app 402, the one or more second NFs 403 and the AKMA AF 240. For the purpose of discussion, reference is made to FIG. 2 to describe the signaling chart 400.
[0098] The one or more first NFs may comprise AAnF, AUSF and/or UDM. The one or more second NFs may comprise AAnF, AUSF and/or UDM.
[0099] The prerequisite of the process shown in signaling chart 400 is that the user details need to be provisioned in the network and the same details should be available to the user for successful authentication.
[0100] As shown in FIG. 4, the first user device 210 owned by a user may determine an AKMA key identifier (e.g., A-KIDA) by a signaling exchange (405) with the first NEF or first operator app 402. The application may be hosted by the home network operator of the user, which may provide the application service to the first user device 210 owned by the user. The first NEF or first operator app 402 may belong to the home network operator.
[0101] The at least one security information, e.g., the AKMA key user identity and the user secret token to be shared with a further user device (e.g., the second user device 230), may be agreed between the network and the user via signaling exchange (415). The derivation or generation of the at least one security information may be performed independently by the network and by the user, which will be described with FIG. 4 and FIG. 5. The other actions 425-450 may be similar to the actions 320-355 and therefore their description is omitted.
[0102] FIG. 5 illustrates a signaling chart 500 for communication according to some example embodiments of the present disclosure. The signaling chart 500 involves the first user device 210, the AUSF 501, the AAnF 502, the UDM 503, the first NEF or first operator app 402 and the application server (AS) 504. For the purpose of discussion, reference is made to FIG. 2 to describe the signaling chart 500.
[0103] After the primary authentication (505) of the first user device 210, the AKMA key KAKMA may be derived from the key KAUSF. Correspondingly, an AKMA Key ID (i.e., A-KID) may also be generated at the first user device 210 and AUSF 501. The A-KID is also used as a temporary identifier for AKMA.
[0104] As shown in FIG. 5, the first user device 210 may obtain key KAUSF from UDM 503. The first user device 210 may determine the key KAKMA and the AKMA Key ID (i.e., A-KID).
[0105] The AUSF 501 may also obtain (510) the key KAUSF from UDM 503. Deriving from the key KAUSF, the AUSF 501 may determine the key KAKMA and the AKMA Key ID (i.e., A-KID). Then the AUSF 501 may perform (515) an AKMA registration with AAnF 502 with the AKMA Key ID (i.e., A-KID), the subscription permanent identifier (SUPI) and the AKMA key KAKMA.
[0106] The first user device 210 may provide (520) the AKMA Key ID (i.e., A-KID) to the first NEF or first operator app 402. Then the first NEF or first operator app 402 may transmit (525) an AKMA application key get message to the AAnF 502 with the AKMA Key ID (i.e., A-KID) and key material. The AAnF 502 may determine security information associated with a user profile (e.g., a user secret token) based on the key material, e.g., the validity, the key KAKMA and the SUPI.
[0107] The AAnF 502 may transmit (530) an AKMA application key response message to the first NEF or first operator app 402 with SUPI/GPSI and the security information associated with a user profile (e.g., the user secret token) generated by the AAnF 502.
[0108] Then the first NEF or first operator app 402 may provide (535) the key material to the first user device 210. The key material may comprise a validity and/or a random value. Based on the key material, e.g., the validity, key KAKMA and SUPI, the first user device 210 may generate (540) security information associated with a user profile (e.g., user secret token).
[0109] During the application session establishment, the first user device 210 may transmit (545), to the AS 504 associated with the application, A-KID along with the security information associated with a user profile (e.g., user secret token).
[0110] The AS 504 transmits (550), to the AAnF 502, A-KID, AF-ID and the security information associated with a user profile received from the first user device 210. The AAnF 502 may compare (555) the security information received from the first user device 210 and the security information generated by the AAnF 502 itself.
[0111] If the AAnF 502 determines that the security information received from the first user device 210 matches the security information generated by the AAnF 502, the AAnF 502 may transmit (560), to the AS 504, an AKMA application key response message indicating the security information received from the first user device 210 is authenticated and including SUPI/GPSI and KAF and an expiry of KAF.
[0112] After that, the AS 504 transmits (565), to the first user device 210, the response to the application session establishment request indicating that the application session establishment is accepted.
[0113] It is also possible that the network operator and the user agree on a shared secret token (e.g., a user secret token). This agreement could work as follows: the token is generated by the network, read out to the user via IVRS or SMS, and provisioned in the UDM. Alternatively, a trusted client application on the user's personal device could display the PIN/token to the user; optionally, a one-time PIN/token could be provisioned in the network by the user when the user subscribes to the service from the network operator. Mainly, a token agreement is needed between the user and the network. The network may ensure sufficient security and privacy while storing the data in the network.
[0114] FIG. 6 illustrates a signaling chart 600 for communication according to some example embodiments of the present disclosure. The signaling chart 600 involves the first user device 210, the second user device 230, the one or more first NFs 401, the first NEF or first operator app 402, the one or more second NFs 403 and the AKMA AF 240. For the purpose of discussion, reference is made to FIG. 2 to describe the signaling chart 600.
[0115] The one or more first NFs may comprise AAnF and/or AUSF. The one or more second NFs may comprise AAnF and/or AUSF.
[0116] As shown in FIG. 6, the first user device 210 owned by a user may determine an AKMA key identifier (e.g., A-KIDA) by a signaling exchange (605) with the first NEF or first operator app 402. The first user device 210 then provides the AKMA key identifier (e.g., A-KIDA) via an access ready message to the first NEF or first operator app 402.
[0117] Then the first NEF or first operator app 402 may transmit (615) an AKMA application key get message to the one or more first NFs 401 with the AKMA Key ID (i.e., A-KID) and key material. The one or more first NFs 401 may determine an AKMA key user identity (e.g., A-KID-USER) based on the key material, e.g., the validity or a random value, the key KAKMA and the SUPI.
[0118] The one or more first NFs 401 may transmit (620) an AKMA application key response message to the first NEF or first operator app 402 with SUPI/GPSI and the AKMA key user identity (e.g., A-KID-USER) generated by the one or more first NFs 401.
[0119] Then the first NEF or first operator app 402 may provide (625) the key material to the first user device 210. The key material may comprise a validity and/or a random value and/or a routing identifier (RI-A). Based on the key material, the first user device 210 may generate (630) the AKMA key user identity (e.g., A-KID-USER).
[0120] For example, a format of A-KID-USER may be represented as <Temporary-derived-ID>+<AAnF-routing-id>@realm <HPLMN ID>. For example, the first user device 210 may generate the AKMA temporary user identity (A-TID-USER) as the <Temporary-derived-ID> based on the SUPI, the key material (e.g., a validity and/or a random value), and KAUSF or KAKMA. Then the first user device 210 may generate the AKMA key user identity (e.g., A-KID-USER) based on the AKMA temporary user identity (A-TID-USER), the routing identifier (RI-A) and the public land mobile network (PLMN) information of the first user device 210.
[0121] As another example, the temporary identifier can be any unique identifier assigned by the operator, i.e., A-KID-USER can also be generated without KAUSF.
[0122] When the first user device 210 requests to access a service of an application via the second user device 230, a user request for accessing the service of the application via the second user device 230 including the AKMA key user identity (e.g., A-KID-USER) generated by the first user device 210 may be provided (640) to the second user device 230.
[0123] The second user device 230 then transmits (645) to the AKMA AF 240 an application session establishment request including the AKMA key user identity (e.g., A-KID-USER) received from the user request.
[0124] For authenticating the user who requests to access the service of the application via the second user device 230, the AKMA AF 240 may request an authentication of the AKMA key user identity received from the second user device 230 and provided by the user.
[0125] The AKMA AF 240 may transmit (650), to the first NEF or first operator app 402, a request of authenticating the AKMA key user identity received from the second user device 230. The first NEF or first operator app 402 may determine whether the AKMA key user identity is valid and authenticated.
[0126] For example, the first NEF or first operator app 402 may compare the AKMA key user identity received from the AKMA AF 240 and the AKMA key user identity (e.g., A-KID-USER) generated by the one or more first NFs 401.
[0127] If the AKMA key user identity received from the AKMA AF 240 matches the AKMA key user identity (e.g., A-KID-USER) generated by the one or more first NFs 401, the first NEF or first operator app 402 may respond (655) to the AKMA AF 240 with an indication that the AKMA key user identity received from the second user device 230 is valid and authenticated. Then the AKMA AF 240 may transmit (660), to the second user device 230, a response to the application session establishment request indicating that access to the service of the application via the second user device 230, requested by the user who does not own the second user device 230, is allowed.
[0128] Then the second user device 230 may allow the user to access the service of the application via the second user device 230, for example, by displaying (665) a response for the user request with a display device.
[0129] Otherwise, the first NEF or first operator app 402 may respond (655) to the AKMA AF 240 with an indication that the AKMA key user identity received from the second user device 230 is invalid and not authenticated. Then the AKMA AF 240 may transmit (660), to the second user device 230, a response to the application session establishment request indicating that access to the service of the application via the second user device 230, requested by the user who does not own the second user device 230, is not allowed.
[0130] Then the second user device 230 may reject the user's access to the service of the application via the second user device 230, for example, by displaying (665) a response to the user request with a display device.
[0131] Furthermore, the user or the network (operators) may also refresh the user secret token and the AKMA key user identity (e.g., A-KID-USER) on a timely basis or on demand.
[0132] In this way, the user behind the UE may be authenticated by means of the AKMA structure and the user may be involved in an AKMA authentication procedure.
[0133] FIG. 7 shows a flowchart of an example method 700 implemented at an apparatus in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 700 will be described from the perspective of the second user device 230 in FIG. 2.
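The derivations and checks described for FIG. 3, FIG. 5 and FIG. 6, as an added illustration that is not code from the disclosure: the user secret token and A-TID-USER are computed here with HMAC-SHA256 over the inputs the text lists (an assumption, since no KDF is specified), the realm of the A-KID-USER is assumed to be the HPLMN ID, and every key and identifier value is a constructed placeholder.

```python
import hashlib
import hmac

# Constructed placeholders (not real keys or subscriber data). A real K_AKMA is
# a 256-bit key derived from K_AUSF after primary authentication (step 505).
K_AKMA = bytes(31) + b"\x01"
SUPI = "imsi-001010123456789"
HPLMN_ID = "001010"
RI_A = "0001"
# Key material handed to the UE by the NEF / operator app (steps 535 and 625).
KEY_MATERIAL = {"validity": 1700000000, "random": "a1b2c3d4e5f60718"}


def _kdf(k_akma: bytes, label: bytes, supi: str, key_material: dict) -> str:
    """Assumed derivation: HMAC-SHA256 keyed with K_AKMA over
    label || SUPI || validity || random, truncated to 128 bits (hex).
    The disclosure lists these inputs but specifies no KDF."""
    msg = b"|".join([
        label,
        supi.encode(),
        str(key_material["validity"]).encode(),
        bytes.fromhex(key_material["random"]),
    ])
    return hmac.new(k_akma, msg, hashlib.sha256).hexdigest()[:32]


def derive_user_secret_token(k_akma, supi, key_material):
    """User secret token (FIG. 5): computed identically at the AAnF (525)
    and at the first user device (540)."""
    return _kdf(k_akma, b"user-secret-token", supi, key_material)


def derive_a_tid_user(k_akma, supi, key_material):
    """AKMA temporary user identity A-TID-USER (FIG. 6, step 630)."""
    return _kdf(k_akma, b"a-tid-user", supi, key_material)


def build_a_kid_user(a_tid_user, routing_id, hplmn_id):
    """A-KID-USER in the form <Temporary-derived-ID>+<AAnF-routing-id>@realm,
    with the realm assumed to be the HPLMN ID."""
    return f"{a_tid_user}+{routing_id}@{hplmn_id}"


def route_from_a_kid_user(a_kid_user):
    """AKMA AF side: split an A-KID-USER into (A-TID-USER, routing id, realm)
    so the AF knows which operator NF to ask to authenticate it (step 650)."""
    username, sep, realm = a_kid_user.partition("@")
    a_tid_user, sep2, routing_id = username.partition("+")
    if not (sep and sep2 and a_tid_user and routing_id and realm):
        raise ValueError("malformed A-KID-USER")
    return a_tid_user, routing_id, realm


def operator_nf_verify(expected, received):
    """Operator-side check (555 / 655): constant-time comparison of the value
    generated by the network with the value carried by the user."""
    return hmac.compare_digest(expected.encode(), received.encode())


def akma_af_decide(user_ok, device_ok):
    """AKMA AF decision (335/345 -> 350): the user credential and the shared
    device's own A-KID must both be valid and authenticated."""
    return bool(user_ok and device_ok)


def owner_device_token():
    """What the owner's first user device 210 computes from the key material."""
    return derive_user_secret_token(K_AKMA, SUPI, KEY_MATERIAL)


def shared_device_flow(token_presented, device_a_kid_valid=True):
    """End-to-end (FIG. 3): the user presents the token from their own device
    to the shared device (320); the AF has the owner's operator NF verify it
    (330/335) and combines that verdict with the shared device's A-KID verdict
    (340/345) before answering the session establishment request (350)."""
    network_side_token = derive_user_secret_token(K_AKMA, SUPI, KEY_MATERIAL)
    user_ok = operator_nf_verify(network_side_token, token_presented)
    return akma_af_decide(user_ok, device_a_kid_valid)
```

A token guessed by another user of the shared device, or a valid token presented on a device whose own A-KID fails, both yield a rejected session, which is the two-factor property the two operator queries provide.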
[0134] At block 710, the second user device 230 obtains at least one security information associated with a user profile from a user request for accessing a service of an application via the second user device 230.
[0135] At block 720, the second user device 230 transmits, to an authentication and key management for application, AKMA, application function, AF, associated with the application via an application session establishment request, the at least one security information associated with the user profile and an identifier of the second user device 230.
[0136] At block 730, the second user device 230 accepts or rejects the user request based on a response received from the AKMA-AF for the application session establishment request.
[0137] In some example embodiments, the at least one security information associated with the user profile comprises at least one of the following: an AKMA key user identity, and/or a user secret token.
[0138] In some example embodiments, the method 700 further comprises receiving, from the AKMA-AF, the response to the application session establishment request indicating whether access to the service by a user identified by the AKMA key user identity via the apparatus is allowed; in accordance with a determination that the response indicates the access is allowed, accepting the user request; or in accordance with a determination that the response indicates the access is not allowed, rejecting the user request.
[0139] FIG. 8 shows a flowchart of an example method 800 implemented at a second device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 800 will be described from the perspective of the AKMA-AF 240.
[0140] At block 810, the AKMA-AF 240 receives, from a user device via an application session establishment request, an identifier of the user device and at least one security information associated with a user profile obtained by the user device from a user request for accessing a service of an application via the user device.
[0141] At block 820, the AKMA-AF 240 authenticates the user device by the identifier of the user device and authenticates the user by the at least one security information associated with the user profile.
[0142] At block 830, the AKMA-AF 240 transmits, to the user device, a response for the application session establishment request based on a result of the authentication for the user and the user device.
[0143] In some example embodiments, the method 800 further comprises transmitting, to an operator network function, a request for authenticating the at least one security information associated with the user profile, where the operator network function is identified by the operator identifier associated with an AKMA key user identity; transmitting, to a further operator network function by which the user device is authenticated for the application, a request for authenticating the identifier of the user device; and in accordance with a determination that the at least one security information associated with the user profile and the identifier of the user device are valid and authenticated, transmitting, to the user device, the response to the application session establishment request indicating that access to the service of the application via the user device is allowed.
[0144] In some example embodiments, the method 800 further comprises, in accordance with a determination that the at least one security information associated with the user profile and/or the identifier of the user device is invalid, transmitting, to the user device, the response to the application session establishment request indicating that access to the service of the application via the user device is not allowed.
[0145] In some example embodiments, the operator network function and the further operator network function belong to the same operator.
[0146] In some example embodiments, the operator network function and the further operator network function belong to different operators.
[0147] In some example embodiments, the at least one security information associated with the user profile comprises at least one of the following: an AKMA key user identity, and/or a user secret token.
[0148] FIG. 9 shows a flowchart of an example method 900 implemented at a first device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 900 will be described from the perspective of the first user device 210 in FIG. 4 and FIG. 6.
[0149] At block 910, the first user device 210 obtains, from an operator network function, a key material associated with operator network.
[0150] At block 920, the first user device 210 generates an AKMA key user identity for accessing a service of the application based on the key material, an AKMA temporary user identity, and public land mobile network, PLMN, information of the first user device.
[0151] In some example embodiments, the key material comprises at least one of a validity, a random value, or a routing identifier.
[0152] In some example embodiments, the method 900 further comprises: obtaining the validity or random value from the key material; and generating the AKMA temporary user identity based on a subscription permanent identifier, SUPI, the validity or random value and a key associated with an authentication server function or a key associated with the AKMA.
[0153] In some example embodiments, the AKMA key user identity is allowed to be used for a user request for accessing a service of an application via a further user device.
[0154] FIG. 10 shows a flowchart of an example method 1000 implemented at a second device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 1000 will be described from the perspective of the first NEF or first operator app 402 in FIG. 4 and FIG. 6.
[0155] At block 1010, the first NEF or first operator app 402 receives an AKMA key user identity from an AKMA Anchor Function, AAnF, or an Authentication Server Function, AUSF.
[0156] At block 1020, the first NEF or first operator app 402 transmits, to a user device, a key material associated with operator network.
[0157] At block 1030, in accordance with a determination that a request is received from an AKMA-AF associated with an application for authenticating a further AKMA key user identity provided by a user request for accessing a service of the application via a further user device, at block 1040, the first NEF or first operator app 402 determines a validity of the further AKMA key user identity based on the AKMA key user identity obtained from the AAnF or the AUSF.
[0158] In some example embodiments, the method 1000 further comprises: transmitting, to the AAnF, or the AUSF, the AKMA key identity along with the key material via an AKMA application key request; and receiving the AKMA key user identity from the AAnF or the AUSF via an AKMA application key response.
[0159] In some example embodiments, the method 1000 further comprises: determining whether the further AKMA key user identity matches the AKMA key user identity provided by the AAnF or the AUSF; in accordance with a determination that the further AKMA key user identity matches the AKMA key user identity, determining that the further AKMA key user identity from the user request is valid and authenticated; and transmitting, to the AKMA-AF, an indication that the further AKMA key user identity is valid and authenticated.
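The FIG. 4 and FIG. 6 exchange of methods 900 and 1000, as an added illustration that is not part of the patent: the first user device derives an AKMA key user identity from key material, a temporary user identity and PLMN information, the AAnF derives the same identity for the NEF, and the NEF later validates that identity when a further device presents it. The HMAC-SHA256 derivation, the textual identity format and all sample values (SUPI, K_AUSF, A-KID, routing identifier) are assumptions for the example; the page does not fix them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample values; real SUPI, K_AUSF and A-KID come from the 5G core.
SUPI = "imsi-262011234567890"
K_AUSF = hashlib.sha256(b"constructed-K_AUSF").digest()
A_KID = "constructed-akid@akma.mnc001.mcc262.3gppnetwork.org"


@dataclass(frozen=True)
class KeyMaterial:
    """Key material from the operator network function ([0151])."""
    validity: int        # absolute expiry, seconds since epoch
    random_value: bytes  # fresh nonce per issuance
    routing_id: str      # routing identifier (constructed value below)


@dataclass(frozen=True)
class PLMN:
    mcc: str
    mnc: str


def akma_temporary_user_identity(k_ausf: bytes, supi: str, km: KeyMaterial) -> str:
    """Assumed derivation for [0152]: HMAC-SHA256 keyed with K_AUSF over the
    SUPI, the validity and the random value, truncated to 128 bits."""
    msg = b"|".join([supi.encode(), str(km.validity).encode(), km.random_value])
    return hmac.new(k_ausf, msg, hashlib.sha256).hexdigest()[:32]


def akma_key_user_identity(temp_id: str, plmn: PLMN, km: KeyMaterial) -> str:
    """Assumed textual format for the AKMA key user identity of block 920."""
    return f"{temp_id}@rid{km.routing_id}.mnc{plmn.mnc}.mcc{plmn.mcc}"


class AAnF:
    """Holds the AKMA context and returns the user identity to the NEF ([0158])."""

    def __init__(self, contexts):
        self._ctx = contexts       # A-KID -> (SUPI, K_AUSF, PLMN)

    def application_key_request(self, a_kid, km):
        supi, k_ausf, plmn = self._ctx[a_kid]
        temp_id = akma_temporary_user_identity(k_ausf, supi, km)
        return akma_key_user_identity(temp_id, plmn, km)


class NEF:
    """First NEF / operator app 402 (method 1000)."""

    def __init__(self, aanf):
        self._aanf = aanf
        self._known = {}           # AKMA key user identity -> validity

    def provision(self, a_kid, now, lifetime=3600):
        km = KeyMaterial(now + lifetime, secrets.token_bytes(16), "07")
        identity = self._aanf.application_key_request(a_kid, km)   # block 1010 / [0158]
        self._known[identity] = km.validity
        return km                                                  # block 1020: sent to the UE

    def authenticate_user_identity(self, further_identity, now):
        """Block 1040: the AKMA-AF asks whether an identity presented via a
        further device matches one the AAnF provided, and is still valid."""
        validity = self._known.get(further_identity)
        return validity is not None and now <= validity


class FirstUE:
    """First user device 210 (method 900): derives the identity independently."""

    def __init__(self, supi, k_ausf, plmn):
        self.supi, self.k_ausf, self.plmn = supi, k_ausf, plmn

    def generate_user_identity(self, km):
        temp_id = akma_temporary_user_identity(self.k_ausf, self.supi, km)   # [0152]
        return akma_key_user_identity(temp_id, self.plmn, km)                # block 920


class AkmaAF:
    """Application side: asks the NEF to validate the identity from a further device."""

    def __init__(self, nef):
        self._nef = nef

    def session_request_from_further_device(self, further_identity, now):
        return {"accepted": self._nef.authenticate_user_identity(further_identity, now)}


def run_flow(now=1_700_000_000, presented=None, elapsed=0):
    """Returns (identity generated by the first UE, AKMA-AF decision for the further device)."""
    plmn = PLMN("262", "01")
    aanf = AAnF({A_KID: (SUPI, K_AUSF, plmn)})
    nef = NEF(aanf)
    km = nef.provision(A_KID, now)
    identity = FirstUE(SUPI, K_AUSF, plmn).generate_user_identity(km)
    # The user presents the identity on a second device, which sends it to the AKMA-AF.
    further = identity if presented is None else presented
    return identity, AkmaAF(nef).session_request_from_further_device(further, now + elapsed)
```

The NEF never sees K_AUSF; it only compares the identity the AAnF derived with the one presented, and rejects it once the validity in the key material has passed.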
[0160] FIG. 11 shows a flowchart of an example method 1100 implemented at a first device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 1100 will be described from the perspective of the first user device 210 in FIG. 5.
[0161] At block 1110, the first user device 210 obtains a key material from a NEF associated with an operator network.
[0162] At block 1120, the first user device 210 generates security information associated with a user profile based on the key material, an AKMA key and a SUPI associated with the apparatus.
[0163] At block 1130, the first user device 210 provides, to an application server, the AKMA key identity of the apparatus and the generated security information associated with the user profile via an application session establishment request.
[0164] In some example embodiments, the key material at least indicates a validity or a random value.
[0165] In some example embodiments, the method 1100 further comprises: receiving, from the application server, a response for the application session establishment request for indicating whether an application session establishment is accepted.
[0166] FIG. 12 shows a flowchart of an example method 1200 implemented at a second device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 1200 will be described from the perspective of the AS 504 in FIG. 5.
[0167] At block 1210, the AS 504 receives, from a user device, an AKMA key identity of a user device and security information associated with the user profile via an application session establishment request.
[0168] At block 1220, the AS 504 transmits, to an AAnF, associated with an operator network, a request for obtaining an AKMA application key including the AKMA key identity and the security information.
[0169] At block 1230, the AS 504 transmits, to the user device, a response for the application session establishment request based on an AKMA application key response received from the AAnF.
[0170] In some example embodiments, the method 1200 further comprises: in accordance with a determination that the AKMA application key response indicates the security information is authenticated, transmitting, to the user device, the response for the application session establishment request indicating an application session establishment is accepted.
[0171] FIG. 13 shows a flowchart of an example method 1300 implemented at a third device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 1300 will be described from the perspective of the AAnF 502 in FIG. 5.
[0172] At block 1310, the AAnF 502 obtains a key material from a UE via a NEF associated with an operator network.
[0173] At block 1320, the AAnF 502 generates security information associated with a user profile based on the key material, an AKMA key and a SUPI associated with a user device.
[0174] At block 1330, the AAnF 502 receives, from the AS, a request for obtaining an AKMA application key including the AKMA key identity and a further security information.
[0175] At block 1340, the AAnF 502 transmits, to the AS, an AKMA application key response based on a comparison of the generated security information and the further security information.
[0176] In some example embodiments, the method 1300 further comprises: comparing the further security information with the generated security information; and in accordance with a determination that the further security information matches the generated security information, transmitting, to the AS, the AKMA application key response indicating the further security information is authenticated.
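The FIG. 5 exchange of methods 1100, 1200 and 1300, as an added illustration that is not part of the patent: the UE derives security information from the key material, its AKMA key and its SUPI, the AS forwards it with the AKMA key identity to the AAnF, and the AAnF regenerates the value and compares it. The HMAC-SHA256 derivation, the placeholder K_AF derivation and all sample values (SUPI, K_AKMA, A-KID) are assumptions for the example; the page does not fix them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample values; in a real network the SUPI, K_AKMA and A-KID
# come from the AKMA procedures in the operator's 5G core.
SUPI = "imsi-262011234567890"
K_AKMA = hashlib.sha256(b"constructed-K_AKMA").digest()
A_KID = "constructed-akid@akma.mnc001.mcc262.3gppnetwork.org"


@dataclass(frozen=True)
class KeyMaterial:
    """Key material the NEF hands to the UE ([0164]): a validity and a random value."""
    validity: int        # absolute expiry, seconds since epoch
    random_value: bytes  # fresh nonce per issuance


def derive_security_info(k_akma: bytes, supi: str, km: KeyMaterial) -> bytes:
    """Assumed KDF (the page does not fix one): HMAC-SHA256 keyed with K_AKMA over
    the SUPI, the validity and the random value. Used at blocks 1120 and 1320."""
    msg = b"|".join([supi.encode(), str(km.validity).encode(), km.random_value])
    return hmac.new(k_akma, msg, hashlib.sha256).digest()


class AAnF:
    """AAnF 502: holds the AKMA context per A-KID and verifies (method 1300)."""

    def __init__(self, contexts):
        self._ctx = contexts       # A-KID -> (SUPI, K_AKMA)
        self._km = {}              # A-KID -> KeyMaterial received via the NEF

    def store_key_material(self, a_kid, km):
        self._km[a_kid] = km       # block 1310

    def application_key_request(self, a_kid, further_security_info, now):
        if a_kid not in self._ctx or a_kid not in self._km:
            return {"authenticated": False, "reason": "unknown AKMA key identity"}
        supi, k_akma = self._ctx[a_kid]
        km = self._km[a_kid]
        if now > km.validity:
            return {"authenticated": False, "reason": "key material expired"}
        expected = derive_security_info(k_akma, supi, km)              # block 1320
        if not hmac.compare_digest(expected, further_security_info):   # block 1340
            return {"authenticated": False, "reason": "security information mismatch"}
        # Placeholder for the AKMA application key carried in the response; the
        # real K_AF derivation is not part of what the page describes.
        k_af = hmac.new(k_akma, b"K_AF|" + a_kid.encode(), hashlib.sha256).digest()
        return {"authenticated": True, "k_af": k_af}


class NEF:
    """Issues key material to the UE and forwards it to the AAnF."""

    def __init__(self, aanf):
        self._aanf = aanf

    def issue_key_material(self, a_kid, now, lifetime=300):
        km = KeyMaterial(validity=now + lifetime, random_value=secrets.token_bytes(16))
        self._aanf.store_key_material(a_kid, km)
        return km                  # block 1110: delivered to the UE


class ApplicationServer:
    """AS 504: relays to the AAnF and answers the UE (method 1200)."""

    def __init__(self, aanf):
        self._aanf = aanf

    def session_establishment(self, a_kid, security_info, now):
        resp = self._aanf.application_key_request(a_kid, security_info, now)   # block 1220
        return {"accepted": resp["authenticated"], "reason": resp.get("reason", "ok")}  # block 1230


class UE:
    """First user device 210 (method 1100)."""

    def __init__(self, supi, k_akma, a_kid):
        self.supi, self.k_akma, self.a_kid = supi, k_akma, a_kid
        self.km = None

    def receive_key_material(self, km):
        self.km = km               # block 1110

    def session_request(self):
        # block 1130: A-KID plus the security information bound to this user profile
        return self.a_kid, derive_security_info(self.k_akma, self.supi, self.km)


def run_flow(now=1_700_000_000, tamper=False, elapsed=0):
    """Runs the FIG. 5 exchange and returns the AS response the UE receives."""
    aanf = AAnF({A_KID: (SUPI, K_AKMA)})
    ue = UE(SUPI, K_AKMA, A_KID)
    ue.receive_key_material(NEF(aanf).issue_key_material(A_KID, now))
    a_kid, sec_info = ue.session_request()
    if tamper:                     # a modified or guessed value must not verify
        sec_info = bytes([sec_info[0] ^ 1]) + sec_info[1:]
    return ApplicationServer(aanf).session_establishment(a_kid, sec_info, now + elapsed)
```

The AS never learns K_AKMA or the SUPI; it only relays the security information, and the AAnF's constant-time comparison plus the validity check decide whether the session is accepted.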
[0177] In some example embodiments, an apparatus capable of performing any of the method 700 (for example, the second user device 230 in FIG. 2) may comprise means for performing the respective operations of the method 700. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module. The first apparatus may be implemented as or included in the second user device 230 in FIG. 2.
[0178] In some example embodiments, the apparatus comprises means for obtaining, at a user device, at least one security information associated with a user profile from a user request for accessing a service of an application via the apparatus; means for transmitting, to an AKMA-AF, associated with the application via an application session establishment request, the at least one security information associated with the user profile and an identifier of the apparatus; and means for accepting or rejecting the user request based on a response received from the AKMA-AF for the application session establishment request.
[0179] In some example embodiments, the at least one security information associated with the user profile comprises at least one of the following: an AKMA key user identity, and/or a user secret token.
[0180] In some example embodiments, the apparatus further comprises means for receiving, from the AKMA-AF, the response for the application session establishment request indicating whether an access of the service by a user identified by the AKMA key user identity via the apparatus is allowed; means for, in accordance with a determination that the response indicates the access is allowed, accepting the user request; or means for, in accordance with a determination that the response indicates the access is not allowed, rejecting the user request.
[0181] In some example embodiments, the apparatus further comprises means for performing other operations in some example embodiments of the method 700 or the second user device 230 as shown in FIG. 2. In some example embodiments, the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the apparatus.
[0182] In some example embodiments, a second apparatus capable of performing any of the method 800 (for example, the AKMA-AF 240 in FIG. 2) may comprise means for performing the respective operations of the method 800. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module. The second apparatus may be implemented as or included in the AKMA-AF 240 in FIG. 2.
[0183] In some example embodiments, the apparatus comprises means for receiving, from a user device via an application session establishment request, an identifier of the user device and at least one security information associated with a user profile obtained by the user device from a user request for accessing a service of an application via the user device; means for authenticating the user device by the identifier of the user device and authenticating the user by the at least one security information associated with the user profile; and means for transmitting, to the user device, a response for the application session establishment request based on a result of the authentication for the user and the user device.
[0184] In some example embodiments, the apparatus further comprises: means for transmitting, to an operator network function, a request of authenticating the at least one security information associated with the user profile whereas the operator network function is identified by the operator identifier associated with an AKMA key user identity; means for transmitting, to a further operator network function by which the user device is authenticated for the application, a request of authenticating the identifier of the user device; and means for in accordance with a determination that the at least one security information associated with the user profile and the identifier of the user device are valid and authenticated, transmitting, to the user device, the response for the application session establishment request indicating an access of the service of the application via the user device is allowed.
[0185] In some example embodiments, the apparatus further comprises: means for in accordance with a determination that the at least one security information associated with the user profile and/or the identifier of the user device are invalid, transmitting, to the user device, the response for the application session establishment request indicating an access of the service of the application via the user device is not allowed.
[0186] In some example embodiments, the operator network function and the further operator network function belong to the same operator.
[0187] In some example embodiments, the operator network function and the further operator network function belong to different operators.
[0188] In some example embodiments, the at least one security information associated with the user profile comprises at least one of the following: an AKMA key user identity, and/or a user secret token.
[0189] In some example embodiments, the apparatus further comprises means for performing other operations in some example embodiments of the method 800 or the AKMA-AF 240 as shown in FIG. 2. In some example embodiments, the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the apparatus.
[0190] In some example embodiments, an apparatus capable of performing any of the method 900 (for example, the first user device 210 in FIG. 4 and FIG. 6) may comprise means for performing the respective operations of the method 900. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module. The first apparatus may be implemented as or included in the first user device 210 in FIG. 4 and FIG. 6.
[0191] In some example embodiments, the apparatus comprises means for obtaining, from an operator network function, a key material associated with operator network; means for generating an AKMA key user identity for accessing a service of the application based on the key material, an AKMA temporary user identity, and public land mobile network, PLMN, information of the apparatus.
[0192] In some example embodiments, the key material comprises at least one of: a validity, a random value, or a routing identifier.
[0193] In some example embodiments, the apparatus further comprises: means for obtaining the validity or random value from the key material; and means for generating the AKMA temporary user identity based on a subscription permanent identifier, SUPI, the validity or random value and a key associated with an authentication server function or a key associated with the AKMA.
[0194] In some example embodiments, the AKMA key user identity is allowed to be used for a user request for accessing a service of an application via a further user device.
[0195] In some example embodiments, the apparatus further comprises means for performing other operations in some example embodiments of the method 900 or the first user device 210 in FIG. 4 and FIG. 6. In some example embodiments, the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the first apparatus.
[0196] In some example embodiments, an apparatus capable of performing any of the method 1000 (for example, the first NEF or first operator app 402 in FIG. 4 and FIG. 6) may comprise means for performing the respective operations of the method 1000. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module. The second apparatus may be implemented as or included in the first NEF or first operator app 402 in FIG. 4 and FIG. 6.
[0197] In some example embodiments, the apparatus comprises means for receiving an AKMA key user identity from an AKMA Anchor Function, AAnF, or an Authentication Server Function, AUSF; means for transmitting, to a user device, a key material associated with operator network; means for in accordance with a determination that a request is received from an AKMA-AF associated with an application for authenticating a further AKMA key user identity provided by a user request for accessing a service of the application via a further user device, determining a validity of the further AKMA key user identity based on the AKMA key user identity obtained from the AAnF or the AUSF.
[0198] In some example embodiments, the apparatus further comprises: means for transmitting, to the AAnF, or the AUSF, the AKMA key identity along with the key material via an AKMA application key request; and means for receiving the AKMA key user identity from the AAnF or the AUSF via an AKMA application key response.
[0199] In some example embodiments, the apparatus further comprises: means for determining whether the further AKMA key user identity matches the AKMA key user identity provided by the AAnF or the AUSF; means for, in accordance with a determination that the further AKMA key user identity matches the AKMA key user identity, determining that the further AKMA key user identity from the user request is valid and authenticated; and means for transmitting, to the AKMA-AF, an indication that the further AKMA key user identity is valid and authenticated.
[0200] In some example embodiments, the apparatus comprises an operator network function.
[0201] In some example embodiments, the second apparatus further comprises means for performing other operations in some example embodiments of the method 1000 or the first NEF or first operator app 402 in FIG. 4 and FIG. 6. In some example embodiments, the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the second apparatus.
[0202] In some example embodiments, an apparatus capable of performing any of the method 1100 (for example, the first user device 210 in FIG. 5) may comprise means for performing the respective operations of the method 1100. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module. The apparatus may be implemented as or included in the first user device 210 in FIG. 5.
[0203] In some example embodiments, the apparatus comprises means for obtaining a key material from a NEF associated with an operator network; means for generating security information associated with a user profile based on the key material, an AKMA key and a SUPI associated with the apparatus; and means for providing, to an application server, the AKMA key identity of the apparatus and the generated security information associated with the user profile via an application session establishment request.
[0204] In some example embodiments, the key material at least indicates a validity or a random value.
[0205] In some example embodiments, the first apparatus further comprises: means for receiving, from the application server, a response for the application session establishment request for indicating whether an application session establishment is accepted.
[0206] In some example embodiments, the apparatus further comprises means for performing other operations in some example embodiments of the method 1100 or the first user device 210 in FIG. 5. In some example embodiments, the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the first apparatus.
[0207] In some example embodiments, an apparatus capable of performing any of the method 1200 (for example, the AS 504 in FIG. 5) may comprise means for performing the respective operations of the method 1200. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module. The second apparatus may be implemented as or included in the AS 504 in FIG. 5.
[0208] In some example embodiments, the apparatus comprises means for receiving, from a user device, an AKMA key identity of a user device and security information associated with the user profile via an application session establishment request; means for transmitting, to an AAnF, associated with an operator network, a request for obtaining an AKMA application key including the AKMA key identity and the security information; and means for transmitting, to the user device, a response for the application session establishment request based on an AKMA application key response received from the AAnF.
[0209] In some example embodiments, the apparatus further comprises: means for in accordance with a determination that the AKMA application key response indicates the security information is authenticated, transmitting, to the user device, the response for the application session establishment request indicating an application session establishment is accepted.
[0210] In some example embodiments, the apparatus further comprises means for performing other operations in some example embodiments of the method 1200 or the AS 504 in FIG. 5. In some example embodiments, the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the second apparatus.
[0211] In some example embodiments, an apparatus capable of performing any of the method 1300 (for example, the AAnF 502 in FIG. 5) may comprise means for performing the respective operations of the method 1300. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module. The apparatus may be implemented as or included in the AAnF 502 in FIG. 5.
[0212] In some example embodiments, the apparatus comprises means for obtaining a key material from a UE via a NEF associated with an operator network; means for generating security information associated with a user profile based on the key material, an AKMA key and a SUPI associated with a user device; means for receiving, from the AS, a request for obtaining an AKMA application key including the AKMA key identity and a further security information; and means for transmitting, to the AS, an AKMA application key response based on a comparison of the generated security information and the further security information.
[0213] In some example embodiments, the apparatus further comprises: means for comparing the further security information with the generated security information; and means for in accordance with a determination that the further security information matches the generated security information, transmitting, to the AS, the AKMA application key response indicating the further security information is authenticated.
[0214] In some example embodiments, the apparatus further comprises means for performing other operations in some example embodiments of the method 1300 or the AAnF 502 in FIG. 5. In some example embodiments, the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the third apparatus.
[0215] FIG. 14 is a simplified block diagram of a device 1400 that is suitable for implementing example embodiments of the present disclosure. The device 1400 may be provided to implement a communication device, for example, the second user device 130 and the AKMA-AF 240 as shown in FIG. 2. As shown, the device 1400 includes one or more processors 1410, one or more memories 1420 coupled to the processor 1410, and one or more communication modules 1440 coupled to the processor 1410.
[0216] The communication module 1440 is for bidirectional communications. The communication module 1440 has one or more communication interfaces to facilitate communication with one or more other modules or devices. The communication interfaces may represent any interface that is necessary for communication with other network elements. In some example embodiments, the communication module 1440 may include at least one antenna.
[0217] The processor 1410 may be of any type suitable to the local technical network and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples. The device 1400 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
[0218] The memory 1420 may include one or more non-volatile memories and one or more volatile memories. Examples of the non-volatile memories include, but are not limited to, a Read Only Memory (ROM) 1424, an electrically programmable read only memory (EPROM), a flash memory, a hard disk, a compact disc (CD), a digital video disk (DVD), an optical disk, a laser disk, and other magnetic storage and/or optical storage. Examples of the volatile memories include, but are not limited to, a random access memory (RAM) 1422 and other volatile memories that will not last in the power-down duration.
[0219] A computer program 1430 includes computer executable instructions that are executed by the associated processor 1410. The instructions of the program 1430 may include instructions for performing operations/acts of some example embodiments of the present disclosure. The program 1430 may be stored in the memory, e.g., the ROM 1424. The processor 1410 may perform any suitable actions and processing by loading the program 1430 into the RAM 1422.
[0220] The example embodiments of the present disclosure may be implemented by means of the program 1430 so that the device 1400 may perform any process of the disclosure as discussed with reference to FIG. 2 to FIG. 13. The example embodiments of the present disclosure may also be implemented by hardware or by a combination of software and hardware.
[0221] In some example embodiments, the program 1430 may be tangibly contained in a computer readable medium which may be included in the device 1400 (such as in the memory 1420) or other storage devices that are accessible by the device 1400. The device 1400 may load the program 1430 from the computer readable medium to the RAM 1422 for execution. In some example embodiments, the computer readable medium may include any types of non-transitory storage medium, such as ROM, EPROM, a flash memory, a hard disk, CD, DVD, and the like. The term “non-transitory,” as used herein, is a limitation of the medium itself (i.e., tangible, not a signal) as opposed to a limitation on data storage persistency (e.g., RAM vs. ROM).
[0222] FIG. 15 shows an example of the computer readable medium 1500 which may be in form of CD, DVD or other optical storage disk. The computer readable medium 1500 has the program 1430 stored thereon.
[0223] Generally, various embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, and other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. Although various aspects of embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
[0224] Some example embodiments of the present disclosure also provide at least one computer program product tangibly stored on a computer readable medium, such as a non-transitory computer readable medium. The computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target physical or virtual processor, to carry out any of the methods as described above. Generally, program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types. The functionality of the program modules may be combined or split between program modules as desired in various embodiments. Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
[0225] Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. The program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowcharts and/or block diagrams to be implemented. The program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
[0226] In the context of the present disclosure, the computer program code or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above. Examples of the carrier include a signal, computer readable medium, and the like.
[0227] The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
[0228] Further, although operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, although several specific implementation details are contained in the above discussions, these should not be construed as limitations on the scope of the present disclosure, but rather as descriptions of features that may be specific to particular embodiments. Unless explicitly stated, certain features that are described in the context of separate embodiments may also be implemented in combination in a single embodiment. Conversely, unless explicitly stated, various features that are described in the context of a single embodiment may also be implemented in a plurality of embodiments separately or in any suitable sub-combination.
[0229] Although the present disclosure has been described in languages specific to structural features and/or methodological acts, it is to be understood that the present disclosure defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims

WHAT IS CLAIMED IS:
1. An apparatus comprising: at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: obtain a key material from a network exposure function, NEF associated with an operator network; generate security information associated with a user profile based on the key material, an AKMA key and a subscription permanent identifier, SUPI associated with the apparatus; and provide, to an application server, the AKMA key identity of the apparatus and the generated security information associated with the user profile via an application session establishment request.
2. The apparatus of claim 1, wherein the key material at least indicates a validity or a random value.
3. The apparatus of claim 1, wherein the apparatus is caused to: receive, from the application server, a response for the application session establishment request for indicating whether an application session establishment is accepted.
4. The apparatus of any of claims 1-3, wherein the apparatus comprises a user device.
5. An apparatus comprising: at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: receive, from a user device, an AKMA key identity of a user device and security information associated with the user profile via an application session establishment request; transmit, to an AKMA Anchor Function, AAnF, associated with an operator network, a request for obtaining an AKMA application key including the AKMA key identity and the security information; and transmit, to the user device, a response for the application session establishment request based on an AKMA application key response received from the AAnF.
6. The apparatus of claim 5, wherein the apparatus is caused to: in accordance with a determination that the AKMA application key response indicates the security information is authenticated, transmit, to the user device, the response for the application session establishment request indicating an application session establishment is accepted.
7. The apparatus of claim 5 or 6, wherein the apparatus comprises an application server.
8. An apparatus comprising: at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: obtain a key material from a UE via a network exposure function, NEF, associated with an operator network; generate security information associated with a user profile based on the key material, an AKMA key and a subscription permanent identifier, SUPI, associated with a user device; receive, from an application server, AS, a request for obtaining an AKMA application key including the AKMA key identity and a further security information; and transmit, to the AS, an AKMA application key response based on a comparison of the generated security information and the further security information.
9. The apparatus of claim 8, wherein the apparatus is caused to: compare the further security information with the generated security information; and in accordance with a determination that the further security information matches the generated security information, transmit, to the AS, the AKMA application key response indicating the further security information is authenticated.
10. The apparatus of claim 8 or 9, wherein the apparatus comprises an AKMA Anchor Function, AAnF.
11. A method comprising: obtaining, at a user device, a key material from a network exposure function, NEF, associated with an operator network; generating security information associated with a user profile based on the key material, an AKMA key and a subscription permanent identifier, SUPI, associated with the user device; and providing, to an application server, an AKMA key identity of the user device and the generated security information associated with the user profile via an application session establishment request.
12. A method comprising: receiving, at an application server from a user device, an AKMA key identity of the user device and security information associated with a user profile via an application session establishment request; transmitting, to an AKMA Anchor Function, AAnF, associated with an operator network, a request for obtaining an AKMA application key including the AKMA key identity and the security information; and transmitting, to the user device, a response for the application session establishment request based on an AKMA application key response received from the AAnF.
13. A method comprising: obtaining, at an AAnF, a key material from a UE via a network exposure function, NEF, associated with an operator network; generating security information associated with a user profile based on the key material, an AKMA key and a subscription permanent identifier, SUPI, associated with a user device; receiving, from an application server, AS, a request for obtaining an AKMA application key including an AKMA key identity and further security information; and transmitting, to the AS, an AKMA application key response based on a comparison of the generated security information and the further security information.
14. An apparatus comprising: means for obtaining a key material from a network exposure function, NEF, associated with an operator network; means for generating security information associated with a user profile based on the key material, an AKMA key and a subscription permanent identifier, SUPI, associated with the apparatus; and means for providing, to an application server, an AKMA key identity of the apparatus and the generated security information associated with the user profile via an application session establishment request.
15. An apparatus comprising: means for receiving, from a user device, an AKMA key identity of the user device and security information associated with a user profile via an application session establishment request; means for transmitting, to an AKMA Anchor Function, AAnF, associated with an operator network, a request for obtaining an AKMA application key including the AKMA key identity and the security information; and means for transmitting, to the user device, a response for the application session establishment request based on an AKMA application key response received from the AAnF.
16. An apparatus comprising: means for obtaining a key material from a UE via a network exposure function, NEF, associated with an operator network; means for generating security information associated with a user profile based on the key material, an AKMA key and a subscription permanent identifier, SUPI, associated with a user device; means for receiving, from an application server, AS, a request for obtaining an AKMA application key including an AKMA key identity and further security information; and means for transmitting, to the AS, an AKMA application key response based on a comparison of the generated security information and the further security information.
17. A computer readable medium comprising instructions stored thereon for causing an apparatus at least to perform the method of claim 11 or the method of claim 12 or the method of claim 13.
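The claims above describe one exchange: the user device obtains key material from the NEF and derives security information for a user profile from that key material, its AKMA key and its SUPI; the application server forwards the AKMA key identity and the security information to the AAnF; the AAnF derives the same value from its own copy of the inputs and only returns an application key when the two match. The following Python model, added here as an illustration and not code from the patent or from Nokia, walks through that flow end to end with both the accepting and the rejecting path. The HMAC-SHA256 construction, the length-prefixed message layout, the simplified K_AF derivation, the inclusion of a user profile identifier in the AS-to-AAnF request and all identifiers and key values are assumptions made for the example; the claims do not specify them.

```python
"""Toy model of the user-behind-a-device authentication flow in the claims.

Added example. The HMAC construction, message layout, K_AF derivation and the
user identifier carried in the key request are assumptions, not the patent's text.
"""
import hashlib
import hmac
import secrets

# Constructed sample identifiers and key; none of these values come from the patent.
SUPI = "imsi-001010123456789"                             # subscription permanent identifier
A_KID = "akid-0001@example.operator"                      # AKMA key identity (hypothetical format)
K_AKMA = hashlib.sha256(b"constructed K_AKMA").digest()   # 256-bit AKMA key, constructed
AF_ID = b"as.example.com"                                 # application server identity


def derive_security_info(key_material: bytes, k_akma: bytes, supi: str, user_id: bytes) -> bytes:
    """Security information for one user profile.

    The claims only say it is 'based on' the key material, the AKMA key and the SUPI;
    keying an HMAC-SHA256 with K_AKMA over the other inputs is this example's choice.
    Fields are length-prefixed so that no two input combinations share an encoding.
    """
    def field(b: bytes) -> bytes:
        return len(b).to_bytes(2, "big") + b
    msg = b"user-auth-v1" + field(key_material) + field(supi.encode()) + field(user_id)
    return hmac.new(k_akma, msg, hashlib.sha256).digest()


class NEF:
    """Network exposure function: hands out fresh key material and remembers it per SUPI."""
    def __init__(self) -> None:
        self.issued: dict[str, bytes] = {}

    def issue_key_material(self, supi: str) -> bytes:
        km = secrets.token_bytes(32)
        self.issued[supi] = km
        return km


class AAnF:
    """AKMA anchor function (claims 8, 9, 13, 16)."""
    def __init__(self, nef: NEF) -> None:
        self.nef = nef
        self.akma_ctx = {A_KID: (SUPI, K_AKMA)}          # A-KID -> (SUPI, K_AKMA) context
        self.expected: dict[tuple[str, bytes], bytes] = {}

    def register_user(self, a_kid: str, user_id: bytes) -> None:
        # Obtain the key material via the NEF and generate the expected security information.
        supi, k_akma = self.akma_ctx[a_kid]
        km = self.nef.issued[supi]
        self.expected[(a_kid, user_id)] = derive_security_info(km, k_akma, supi, user_id)

    def key_request(self, a_kid: str, user_id: bytes, further_info: bytes, af_id: bytes) -> dict:
        # Constant-time comparison; any mismatch yields a response without an application key.
        expected = self.expected.get((a_kid, user_id))
        if expected is None or not hmac.compare_digest(expected, further_info):
            return {"authenticated": False}
        _, k_akma = self.akma_ctx[a_kid]
        k_af = hmac.new(k_akma, b"K_AF" + af_id, hashlib.sha256).digest()  # simplified, assumption
        return {"authenticated": True, "k_af": k_af}


class UE:
    """User device (claims 11, 14): fetches key material, derives the security information."""
    def __init__(self, nef: NEF) -> None:
        self.key_material = nef.issue_key_material(SUPI)

    def session_request(self, user_id: bytes, tamper: bool = False) -> dict:
        info = derive_security_info(self.key_material, K_AKMA, SUPI, user_id)
        if tamper:  # model a device that cannot produce the correct value for this user
            info = bytes([info[0] ^ 0x01]) + info[1:]
        return {"a_kid": A_KID, "user_id": user_id, "security_info": info}


class AS:
    """Application server (claims 5, 6, 12, 15): forwards to the AAnF, answers the UE."""
    def __init__(self, aanf: AAnF) -> None:
        self.aanf = aanf

    def establish_session(self, req: dict) -> str:
        resp = self.aanf.key_request(req["a_kid"], req["user_id"], req["security_info"], AF_ID)
        return "accepted" if resp["authenticated"] else "rejected"


def run_flow(user_id: bytes = b"alice", tamper: bool = False) -> str:
    """One complete session establishment; returns the AS's answer to the UE."""
    nef = NEF()
    ue = UE(nef)                        # UE obtains key material from the NEF
    aanf = AAnF(nef)
    aanf.register_user(A_KID, user_id)  # AAnF derives the same value from its own inputs
    return AS(aanf).establish_session(ue.session_request(user_id, tamper))


if __name__ == "__main__":
    print(run_flow())              # accepted
    print(run_flow(tamper=True))   # rejected
```

The point the model makes is that the application server never sees the AKMA key or the key material; it only relays the security information, and the accept/reject decision rests on the AAnF's independent derivation and its constant-time comparison.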

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN202441008721 2024-02-08
IN202441008721 2024-02-08

Publications (1)

Publication Number Publication Date
WO2025168272A1 true WO2025168272A1 (en) 2025-08-14

Family

ID=94210315

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2024/087786 Pending WO2025168272A1 (en) 2024-02-08 2024-12-20 User authentication behind a user device

Country Status (1)

Country Link
WO (1) WO2025168272A1 (en)

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230068196A1 (en) * 2020-02-19 2023-03-02 Samsung Electronics Co., Ltd. Apparatus and method of generating application specific keys using key derived from network access authentication

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on Authentication and Key Management for Applications (AKMA) phase 2 (Release 18)", no. V18.0.0, 22 June 2023 (2023-06-22), pages 1 - 50, XP052409065, Retrieved from the Internet <URL:https://ftp.3gpp.org/Specs/archive/33_series/33.737/33737-i00.zip 33737-i00.docx> [retrieved on 20230622] *
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on User Identities and Authentication Architecture (Release 19)", no. V0.1.0, 1 February 2024 (2024-02-01), pages 1 - 11, XP052577073, Retrieved from the Internet <URL:https://ftp.3gpp.org/Specs/archive/23_series/23.700-32/23700-32-010.zip 23700_32_010_rm.docx> [retrieved on 20240201] *
"5G; Authentication and Key Management for Applications (AKMA) based on 3GPP credentials in the 5G System (5GS) (3GPP TS 33.535 version 17.9.0 Release 17)", vol. 3GPP SA, no. V17.9.0, 6 October 2023 (2023-10-06), pages 1 - 27, XP014470281, Retrieved from the Internet <URL:http://www.etsi.org/deliver/etsi_ts/133500_133599/133535/17.09.00_60/ts_133535v170900p.pdf> [retrieved on 20231006] *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24834013

Country of ref document: EP

Kind code of ref document: A1