WO2025168272A1 - User authentication behind a user device - Google Patents
- Publication number
- WO2025168272A1 (PCT/EP2024/087786)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- akma
- key
- user
- security information
- user device
- Prior art date
- Legal status
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
- H04L67/141—Setup of application sessions
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/30—Security of mobile devices; Security of mobile applications
- H04W12/37—Managing security policies for mobile devices or for controlling mobile applications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W76/00—Connection management
- H04W76/10—Connection setup
- H04W76/12—Setup of transport tunnels
Definitions
- Various example embodiments of the present disclosure generally relate to the field of telecommunication and in particular, to methods, devices, apparatuses and computer readable storage medium for a procedure for user authentication behind a user device.
- AKMA Authentication and Key Management for Application
- an apparatus comprising at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: obtain at least one security information associated with a user profile from a user request for accessing a service of an application via the apparatus; transmit, to an AKMA application function (AF), associated with the application via an application session establishment request, the at least one security information associated with the user profile and an identifier of the apparatus; and accept or reject the user request based on a response received from the AKMA-AF for the application session establishment request.
- AF application function
- an apparatus comprising at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: receive, from a user device via an application session establishment request, an identifier of the user device and at least one security information associated with a user profile obtained by the user device from a user request for accessing a service of an application via the user device; authenticate the user device by the identifier of the user device and authenticate the user by the at least one security information associated with the user profile; transmit, to the user device, a response for the application session establishment request based on a result of the authentication for the user and the user device.
- a method comprises: obtaining, at a user device, at least one security information associated with a user profile from a user request for accessing a service of an application via the user device; transmitting, to an AKMA-AF associated with the application via an application session establishment request, the at least one security information associated with the user profile and an identifier of the user device; and accepting or rejecting the user request based on a response received from the AKMA-AF for the application session establishment request.
- a method comprises: receiving, at an AKMA-AF from a user device via an application session establishment request, an identifier of the user device and at least one security information associated with a user profile obtained by the user device from a user request for accessing a service of an application via the user device; authenticating the user device by the identifier of the user device and authenticating the user by the at least one security information associated with the user profile; transmitting, to the user device, a response for the application session establishment request based on a result of the authentication for the user and the user device.
- an apparatus comprises means for obtaining, at a user device, at least one security information associated with a user profile from a user request for accessing a service of an application via the apparatus; means for transmitting, to an AKMA-AF, associated with the application via an application session establishment request, the at least one security information associated with the user profile and an identifier of the apparatus; and means for accepting or rejecting the user request based on a response received from the AKMA- AF for the application session establishment request.
- an apparatus comprises means for receiving, from a user device via an application session establishment request, an identifier of the user device and at least one security information associated with a user profile obtained by the user device from a user request for accessing a service of an application via the user device; means for authenticating the user device by the identifier of the user device and authenticating the user by the at least one security information associated with the user profile; means for transmitting, to the user device, a response for the application session establishment request based on a result of the authentication for the user and the user device.
- a computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the third aspect.
- a computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the fourth aspect.
- an apparatus comprising at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: obtain, from an operator network function, a key material associated with operator network; generate an AKMA key user identity for accessing a service of the application based on the key material, an AKMA temporary user identity, and public land mobile network (PLMN) information of the apparatus.
- PLMN public land mobile network
- an apparatus comprising at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: receive an AKMA key user identity from an AKMA Anchor Function (AAnF) or an Authentication Server Function (AUSF); transmit, to a user device, a key material associated with operator network; in accordance with a determination that a request is received from an AKMA-AF associated with an application for authenticating a further AKMA key user identity provided by a user request for accessing a service of the application via a further user device, determine a validity of the further AKMA key user identity based on the AKMA key user identity obtained from the AAnF or the AUSF.
- AAnF AKMA Anchor Function
- AUSF Authentication Server Function
- a method comprises: obtaining, at a user device from an operator network function, a key material associated with operator network; and generating an AKMA key user identity for accessing a service of the application based on the key material, an AKMA temporary user identity, and PLMN information of the user device.
- a method comprises: receiving, at an operator network function (NF) an AKMA key user identity from an AAnF or an AUSF; transmitting, to a user device, a key material associated with operator network; and in accordance with a determination that a request is received from an AKMA-AF associated with an application for authenticating a further AKMA key user identity provided by a user request for accessing a service of the application via a further user device, determine a validity of the further AKMA key user identity based on the AKMA key user identity obtained from the AAnF or the AUSF.
- NF operator network function
- an apparatus comprises means for obtaining, from an operator network function, a key material associated with operator network; and means for generating an AKMA key user identity for accessing a service of the application based on the key material, an AKMA temporary user identity, and PLMN information of the apparatus.
- a computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the thirteenth aspect.
- an apparatus comprising at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: obtain a key material from a network exposure function (NEF) associated with an operator network; generate security information associated with a user profile based on the key material, an AKMA key and a subscription permanent identifier (SUPI) associated with the apparatus; and provide, to an application server, the AKMA key identity of the apparatus and the generated security information associated with the user profile via an application session establishment request.
- NEF network exposure function
- SUPI subscription permanent identifier
- a method comprises: receiving, at an AS from a user device, an AKMA key identity of a user device and security information associated with the user profile via an application session establishment request; transmitting, to an AAnF, associated with an operator network, a request for obtaining an AKMA application key including the AKMA key identity and the security information; and transmitting, to the user device, a response for the application session establishment request based on an AKMA application key response received from the AAnF.
- a method comprises: obtaining, at an AAnF, a key material from a UE via NEF associated with an operator network; generating security information associated with a user profile based on a key material, an AKMA key and a SUPI associated with a user device; receiving, from an AS, a request for obtaining an AKMA application key including the AKMA key identity and a further security information; and transmitting, to the AS, an AKMA application key response based on a comparison of the generated security information and the further security information.
- an apparatus comprises means for obtaining a key material from a NEF associated with an operator network; means for generating security information associated with a user profile based on the key material, an AKMA key and a SUPI associated with the apparatus; and means for providing, to an application server, the AKMA key identity of the apparatus and the generated security information associated with the user profile via an application session establishment request.
- an apparatus comprises means for receiving, from a user device, an AKMA key identity of a user device and security information associated with the user profile via an application session establishment request; means for transmitting, to an AAnF, associated with an operator network, a request for obtaining an AKMA application key including the AKMA key identity and the security information; and means for transmitting, to the user device, a response for the application session establishment request based on an AKMA application key response received from the AAnF.
- the apparatus comprises means for obtaining a key material from a UE via NEF associated with an operator network; means for generating security information associated with a user profile based on a key material, an AKMA key and a SUPI associated with a user device; means for receiving, from AS, a request for obtaining an AKMA application key including the AKMA key identity and a further security information; and means for transmitting, to the AS, an AKMA application key response based on a comparison of the generated security information and the further security information.
- a computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the twentieth aspect.
- a computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the twenty first aspect.
- FIG. 1 illustrates an example AKMA architecture according to some example embodiments of the present disclosure
- FIG. 2 illustrates an example communication environment in which example embodiments of the present disclosure can be implemented
- FIG. 3 illustrates a signaling chart for communication according to some example embodiments of the present disclosure
- FIG. 4 illustrates a signaling chart for communication according to some example embodiments of the present disclosure
- FIG. 5 illustrates a signaling chart for communication according to some example embodiments of the present disclosure
- FIG. 6 illustrates a signaling chart for communication according to some example embodiments of the present disclosure
- FIG. 7 illustrates a flowchart of a method implemented at apparatus according to some example embodiments of the present disclosure
- FIG. 8 illustrates a flowchart of a method implemented at apparatus according to some example embodiments of the present disclosure
- FIG. 10 illustrates a flowchart of a method implemented at apparatus according to some example embodiments of the present disclosure
- FIG. 11 illustrates a flowchart of a method implemented at apparatus according to some example embodiments of the present disclosure
- FIG. 12 illustrates a flowchart of a method implemented at apparatus according to some example embodiments of the present disclosure
- FIG. 14 illustrates a simplified block diagram of a device that is suitable for implementing example embodiments of the present disclosure.
- FIG. 15 illustrates a block diagram of an example computer readable medium in accordance with some example embodiments of the present disclosure.
- references in the present disclosure to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
- circuitry may refer to one or more or all of the following:
- the term “communication network” refers to a network following any suitable communication standards, such as New Radio (NR), Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT) and so on.
- NR New Radio
- LTE Long Term Evolution
- LTE-A LTE-Advanced
- WCDMA Wideband Code Division Multiple Access
- HSPA High-Speed Packet Access
- NB-IoT Narrow Band Internet of Things
- the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, the fifth generation (5G), the sixth generation (6G) communication protocols, and/or any other protocols either currently known or to be developed in the future.
- Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned system.
- the term “network device” refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom.
- the network device may refer to a base station (BS) or an access point (AP), for example, a node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), an NR NB (also referred to as a gNB), a Remote Radio Unit (RRU), a radio header (RH), a remote radio head (RRH), a relay, an Integrated Access and Backhaul (IAB) node, a low power node such as a femto, a pico, a non-terrestrial network (NTN) or non-ground network device such as a satellite network device, a low earth orbit (LEO) satellite and a geosynchronous earth orbit (GEO) satellite, an aircraft network device, and so forth, depending on the applied terminology and technology.
- BS base station
- AP access point
- radio access network (RAN) split architecture comprises a Centralized Unit (CU) and a Distributed Unit (DU) at an IAB donor node.
- An IAB node comprises a Mobile Terminal (IAB-MT) part that behaves like a UE toward the parent node, and a DU part of an IAB node behaves like a base station toward the next-hop IAB node.
- IAB-MT Mobile Terminal
- terminal device refers to any end device that may be capable of wireless communication.
- a terminal device may also be referred to as a communication device, user equipment (UE), a Subscriber Station (SS), a Portable Subscriber Station, a Mobile Station (MS), or an Access Terminal (AT).
- UE user equipment
- SS Subscriber Station
- MS Mobile Station
- AT Access Terminal
- the terminal device may include, but is not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computer, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), an Internet of Things (IoT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and/or other wireless devices operating in an industrial and/or an automated processing chain context), a consumer electronics device, a device operating on commercial and/or industrial wireless networks, and the like.
- VoIP voice over IP
- the terminal device may also correspond to a Mobile Termination (MT) part of an IAB node (e.g., a relay node).
- MT Mobile Termination
- IAB node e.g., a relay node
- the terms “terminal device”, “communication device”, “terminal”, “user equipment” and “UE” may be used interchangeably.
- the term “resource,” “transmission resource,” “resource block,” “physical resource block” (PRB), “uplink resource,” or “downlink resource” may refer to any resource for performing a communication, for example, a communication between a terminal device and a network device, such as a resource in time domain, a resource in frequency domain, a resource in space domain, a resource in code domain, or any other combination of the time, frequency, space and/or code domain resource enabling a communication, and the like.
- a resource in both frequency domain and time domain will be used as an example of a transmission resource for describing some example embodiments of the present disclosure. It is noted that example embodiments of the present disclosure are equally applicable to other resources in other domains.
- the AUSF 123 establishes a connection between UDM 121 and AAnF 122 and obtains the 5G authentication vector from UDM 121 and generates relative AKMA materials.
- the NEF 124 establishes connection between AAnF 122 and AF 130 when the target AF is located outside the HN 120.
- the AF 130 may be considered as an application provider or a service provider, which represents the online services that the user may wish to use.
- the goal of AKMA is to help to establish a secure channel (exchange a secret key) between AF 130 and user device 110, with authentication of UE delegated to its corresponding HN 120.
- the application in the UE would get access to AKMA Application Key (KAF) pertaining to its AF Identifier (AF ID).
- KAF Application Key
- the Key (KAF) in the UE may be derived and leveraged from Primary Authentication which UE performs with Network.
- the process involved here is AS authenticating a UE with A-KID (derived from A-TID (KAUSF) and Home Network Identifier) and KAF (derived from KAKMA(KAUSF) and AF ID).
- the main objectives of this study may comprise how to authenticate the user behind the UE when multiple users access the same device or when a single user owns multiple devices and how to expose the user authentication results to the 5G Core Network (5GC).
- 5GC 5G Core Network
- AKMA is a very prominent procedure to authenticate a UE (i.e., the public user device here) via 5GC.
- AKMA does not support authenticating the user behind the UE.
- an Internet of Things (IoT) device, e.g., an electric meter, a V2X device, robots, etc.
- AS application server
- FIG. 1 illustrates an example communication environment 200 in which example embodiments of the present disclosure can be implemented.
- the communication environment 200 involves a first user device 210 and a first operator network function (NF) 220-1, which may communicate with each other.
- the first operator NF 220-1 may also be referred to as a first operator AF.
- the communication environment 200 further involves a second user device 230 and a second operator NF 220-2, which may communicate with each other.
- the second operator NF 220-2 may also be referred to as a second operator AF.
- the second user device 230 may be considered as a user device that is allowed to be shared with other users, e.g., a metaverse gaming machine installed in a mall.
- the first operator NF 220-1 may provide/manage one or more network services to the first user device 210 by interacting with one or more network functions such as NEF, AUSF, AAnF and UDM.
- the second operator NF 220-2 may provide/manage one or more network services to the second user device 230 by interacting with one or more network functions such as NEF, AUSF, AAnF and UDM.
- the first operator NF 220-1 may also comprise or integrate with one or more network functions such as NEF, AUSF, AAnF and UDM.
- the second operator NF 220-2 may also comprise or integrate with one or more network functions such as NEF, AUSF, AAnF and UDM.
- the first operator NF 220-1 and the second operator NF 220-2 may be the same and referred to as operator NF 220 collectively. That is, both the first user device 210 and the second user device 230 may access a same network associated with the operator NF 220.
- the communication environment 200 further involves an AKMA AF 240, which may communicate with the first operator NF 220-1 and the second operator NF 220-2 to provide authentication and key management for applications.
- the communication environment 200 may include any suitable number of units or devices mentioned above.
- Communications in the communication environment 200 may be implemented according to any proper communication protocol(s), comprising, but not limited to, cellular communication protocols of the first generation (1G), the second generation (2G), the third generation (3G), the fourth generation (4G), the fifth generation (5G), the sixth generation (6G), and the like, wireless local network communication protocols such as Institute for Electrical and Electronics Engineers (IEEE) 802.11 and the like, and/or any other protocols currently known or to be developed in the future.
- IEEE Institute for Electrical and Electronics Engineers
- the communication may utilize any proper wireless communication technology, comprising but not limited to: Code Division Multiple Access (CDMA), Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Frequency Division Duplex (FDD), Time Division Duplex (TDD), Multiple-Input Multiple-Output (MIMO), Orthogonal Frequency Division Multiplexing (OFDM), Discrete Fourier Transform spread OFDM (DFT-s-OFDM) and/or any other technologies currently known or to be developed in the future.
- CDMA Code Division Multiple Access
- FDMA Frequency Division Multiple Access
- TDMA Time Division Multiple Access
- FDD Frequency Division Duplex
- TDD Time Division Duplex
- MIMO Multiple-Input Multiple-Output
- OFDM Orthogonal Frequency Division Multiplexing
- DFT-s-OFDM Discrete Fourier Transform spread OFDM
- AKMA provides a mechanism where only the UE can be authenticated.
- One of the solutions in the present disclosure aims to authenticate the user behind a UE by the application relying on the AKMA procedure, which may involve an agreement of user details between the network and the user, an interaction of the AKMA AF with network functions like NEF, AAnF and UDM, etc., and an authentication of the UE and the user behind it. More details will be described with reference to FIG. 3.
- FIG. 3 illustrates a signaling chart 300 illustrating an example of process according to some example embodiments of the present disclosure.
- the signaling chart 300 involves the first user device 210, the second user device 230, the first operator NF 220-1, the second operator NF 220-2 and the AKMA AF 240.
- FIG. 2 illustrates the signaling chart 300.
- the first user device 210 may be considered as a user device owned by a user.
- the second user device 230 may be considered as a user device that is allowed to be shared with other users, e.g., a metaverse gaming machine installed in the mall.
- the first operator NF 220-1 and the second operator NF 220-2 may be the same operator NF or different operator NFs.
- the first operator NF 220-1 and the second operator NF 220-2 may interact with one or more network functions such as NEF, AUSF, AAnF and UDM, which are not shown in FIG. 3.
- the first user device 210 owned by a user may determine an AKMA key identifier (e.g., A-KIDA) of the first user device 210 by a signaling exchange (305) with the first operator NF 220-1 (which may also be considered as AF associated with a trusted application).
- the application may be hosted by a home network operator of user, which may provide application service to the first user device 210 owned by the user.
- the first operator NF 220-1 may belong to the home network operator.
- the first user device 210 may determine at least one security information associated with the user profile by a further signaling exchange (310) from the first operator NF 220-1.
- the at least one security information associated with the user profile may comprise an AKMA key user identity (e.g., A-KID-USERA) and/or a user secret token.
- the at least one security information associated with the user profile (e.g., A-KID-USERA and/or a user secret token) may be agreed independently between the first operator NF 220-1 and the first user device 210. How to determine the at least one security information associated with the user profile (e.g., A-KID-USERA and/or a user secret token) between the UE and network will be further described later, which is not described with the signaling chart 300.
- the second user device 230 may also determine an AKMA key identifier of the second user device 230 (e.g., A-KIDB) by a signaling exchange (315) with the second operator NF 220-2 (which may also be considered as AF associated with a trusted application).
- an AKMA key identifier of the second user device 230 e.g., A-KIDB
- the second operator NF 220-2 which may also be considered as AF associated with a trusted application.
- first operator NF 220-1 and the second operator NF 220-2 in FIG. 3 may belong to the same operator or different operators.
- the second user device 230 may obtain, from the user request, the at least one security information associated with the user profile of the user.
- the second user device 230 transmits (325) to AKMA AF 240, an application session establishment request including the at least one security information associated with the user profile (e.g., A-KID-USERA and/or a user secret token) and the AKMA key identifier of the second user device 230 (e.g., A-KIDB).
- the AKMA AF 240 may request an authentication of the at least one security information associated with the user profile of the user.
- the second user device 230 may be authenticated by the AKMA AF 240 by transmitting (340), to the second operator NF 220-2, a request for authenticating the AKMA key identifier of the second user device 230 (e.g., A-KIDB).
- the second operator NF 220-2 may respond (345) to the AKMA AF 240 with an indication of whether the AKMA key identifier of the second user device 230 (e.g., A-KIDB) is valid and authenticated.
- the AKMA AF 240 may transmit (350), to the second user device 230, a response for the application session establishment request indicating an access of the service of the application via the second user device 230, requested by the user who does not own the second user device 230, is allowed. Then the second user device 230 may allow the user to access the service of the application via the second user device 230, for example, by displaying (355) a response for the user request with a display device.
- the AKMA AF 240 may transmit (350), to the second user device 230, a response for the application session establishment request indicating that access to the service of the application via the second user device 230, requested by the user who does not own the second user device 230, is not allowed. Then the second user device 230 may reject the user's access to the service of the application via the second user device 230, for example, by displaying (355) a response for the user request with a display device.
- FIG. 4 illustrates a signaling chart 400 illustrating an example of process according to some example embodiments of the present disclosure.
- the signaling chart 400 involves the first user device 210, the second user device 230, the one or more first NFs 401, the first NEF or first operator app 402, the one or more second NFs 403 and the AKMA AF 240.
- FIG. 2 illustrates the signaling chart 400.
- the one or more first NFs may comprise AAnF, AUSF and/or UDM.
- the one or more second NFs may comprise AAnF, AUSF and/or UDM.
- the first user device 210 owned by a user may determine an AKMA key identifier (e.g., A-KIDA) by a signaling exchange (405) with the first NEF or first operator app 402.
- the application may be hosted by the home network operator of the user, which may provide the application service to the first user device 210 owned by the user.
- the first NEF or first operator app 402 may belong to the home network operator.
- FIG. 5 illustrates a signaling chart 500 for communication according to some example embodiments of the present disclosure.
- the signaling chart 500 involves the first user device 210, the AUSF 501, the AAnF 502, the UDM 503, the first NEF or first operator app 402 and the application server (AS) 504.
- AS application server
- the AKMA key KAKMA may be derived from the key KAUSF.
- an AKMA Key ID i.e., A-KID
- A-KID is also used as a temporary identifier for AKMA.
- the first user device 210 may obtain key KAUSF from UDM 503.
- the first user device 210 may determine the key KAKMA and the AKMA Key ID (i.e., A-KID).
- the AUSF 501 may also obtain (510) the key KAUSF from the UDM 503 and derive from it the key KAKMA and the AKMA Key ID (i.e., A-KID). The AUSF 501 may then register (515) with the AAnF 502, providing the AKMA Key ID (i.e., A-KID), the subscription permanent identifier (SUPI) and the AKMA key KAKMA.
- A-KID the AKMA Key ID
- SUPI subscription permanent identifier
- the first user device 210 may provide (520) the AKMA Key ID (i.e., A-KID) to the first NEF or first operator app 402. The first NEF or first operator app 402 may then transmit (525) an AKMA application key get message to the AAnF 502 with the AKMA Key ID (i.e., A-KID) and the key material.
- the AAnF 502 may determine security information associated with a user profile (e.g., a user secret token) based on the key material (e.g., the validity), the key KAKMA and the SUPI.
- the AAnF 502 may transmit (530) an AKMA application key response message to the first NEF or first operator app 402 with the SUPI/GPSI and the security information associated with the user profile (e.g., the user secret token) generated by the AAnF 502.
- the first NEF or first operator app 402 may provide (535) the key material to the first user device 210.
- the key material may comprise a validity and/or a random value.
- the first user device 210 may generate (540) security information associated with a user profile (e.g., user secret token).
- the first user device 210 may transmit (545), to the AS 504 associated with the application, A-KID along with the security information associated with a user profile (e.g., user secret token).
- the AS 504 transmits (550), to the AAnF 502, A-KID, AF-ID and the security information associated with a user profile received from the first user device 210.
- the AAnF 502 may compare (555) the security information received from the first user device 210 and the security information generated by the AAnF 502 itself.
- the AAnF 502 may transmit (560), to the AS 504, an AKMA application key response message indicating the security information received from the first user device 210 is authenticated and including SUPI/GPSI and KAF and an expiry of KAF.
- the AS 504 transmits (565), to the first user device 210, the response to the application session establishment request indicating that the application session establishment is accepted.
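The single-device flow of FIG. 5 (steps 515 to 565), as an added Python example that is not part of the patent. Both the UE and the AAnF derive the user secret token from the same key material, KAKMA and SUPI; the AS forwards what the UE presented, and the AAnF compares it in constant time, checks the validity, and only then releases KAF with an expiry. Assumed, not from the patent: the HMAC-SHA256 token derivation, the simplified KAF derivation, the KAF lifetime, and every sample identifier and key (all constructed for the example).

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the walkthrough; none of them come from the patent.
SUPI = "imsi-262011234567890"                                            # subscriber of first user device 210
A_KID = "a1b2c3d4e5f60718@5g-akma-mnc01.mcc262.3gppnetwork.org"          # hypothetical A-KID of that device
K_AKMA = hashlib.sha256(b"constructed KAKMA for the example").digest()   # stands in for KDF(KAUSF)
AF_ID = b"as.example.operator.net"                                       # hypothetical AF_ID of the AS 504


def derive_user_secret_token(k_akma: bytes, supi: str, validity: int, rand: bytes) -> bytes:
    """Run by the UE (step 540) and by the AAnF (after step 525) over identical inputs.
    HMAC-SHA256 over SUPI || validity || random is an assumption: the patent fixes the
    inputs (key material, KAKMA, SUPI) but not the derivation function."""
    msg = supi.encode() + validity.to_bytes(8, "big") + rand
    return hmac.new(k_akma, b"user-secret-token" + msg, hashlib.sha256).digest()


class AAnF:
    """Minimal stand-in for the AKMA anchor function 502."""

    K_AF_LIFETIME = 3600  # seconds; an assumed KAF lifetime

    def __init__(self) -> None:
        self.registered = {}  # A-KID -> (SUPI, KAKMA), filled by the AUSF at step 515
        self.issued = {}      # A-KID -> (token, validity), filled at step 530

    def akma_register(self, a_kid: str, supi: str, k_akma: bytes) -> None:
        self.registered[a_kid] = (supi, k_akma)

    def app_key_get(self, a_kid: str, validity: int, rand: bytes) -> dict:
        """Steps 525/530: the NEF presents A-KID and key material; the AAnF returns SUPI and its token."""
        supi, k_akma = self.registered[a_kid]
        token = derive_user_secret_token(k_akma, supi, validity, rand)
        self.issued[a_kid] = (token, validity)
        return {"supi": supi, "token": token}

    def app_key_request(self, a_kid: str, af_id: bytes, presented: bytes, now: int) -> dict:
        """Steps 550/555/560: the AS forwards A-KID, AF_ID and the token it received from the UE."""
        if a_kid not in self.issued:
            return {"status": "rejected", "reason": "no token issued for A-KID"}
        expected, validity = self.issued[a_kid]
        if now > validity:
            return {"status": "rejected", "reason": "key material validity expired"}
        if not hmac.compare_digest(expected, presented):  # step 555, constant-time comparison
            return {"status": "rejected", "reason": "user secret token mismatch"}
        supi, k_akma = self.registered[a_kid]
        # KAF from KAKMA and AF_ID is simplified to an HMAC here; TS 33.535 specifies its own KDF.
        k_af = hmac.new(k_akma, b"KAF" + af_id, hashlib.sha256).digest()
        return {"status": "authenticated", "supi": supi, "k_af": k_af,
                "k_af_expiry": now + self.K_AF_LIFETIME}


def run_fig5_flow(now: int, tamper_token: bool = False, validity_offset: int = 600) -> dict:
    """Plays steps 515 to 565 and returns the AS's answer to the UE (step 565)."""
    aanf = AAnF()
    aanf.akma_register(A_KID, SUPI, K_AKMA)                     # step 515, AUSF -> AAnF

    # The first NEF / operator app 402 builds the key material: a validity and a random value.
    validity, rand = now + validity_offset, secrets.token_bytes(16)
    aanf.app_key_get(A_KID, validity, rand)                     # steps 525/530
    # Step 535: key material to the UE; step 540: the UE derives the token from its own KAKMA.
    ue_token = derive_user_secret_token(K_AKMA, SUPI, validity, rand)
    if tamper_token:
        ue_token = bytes([ue_token[0] ^ 0x01]) + ue_token[1:]   # a wrong or guessed token

    # Step 545: UE -> AS (A-KID, token); step 550: AS -> AAnF (A-KID, AF_ID, token).
    result = aanf.app_key_request(A_KID, AF_ID, ue_token, now)
    if result["status"] != "authenticated":
        return {"session": "rejected", "reason": result["reason"]}
    return {"session": "accepted", "k_af_expiry": result["k_af_expiry"]}  # step 565


if __name__ == "__main__":
    print(run_fig5_flow(now=1_700_000_000))
    print(run_fig5_flow(now=1_700_000_000, tamper_token=True))
```

The AS never sees KAKMA or the expected token; it only relays what the UE presented and receives KAF once the AAnF has matched the token, which is the property the flow relies on.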
- FIG. 6 illustrates a signaling chart 600 for communication according to some example embodiments of the present disclosure.
- the signaling chart 600 involves the first user device 210, the second user device 230, the one or more first NFs 401, the first NEF or first operator app 402, the one or more second NFs 403 and the AKMA AF 240.
- For the purpose of discussion, reference is made to FIG. 2 to describe the signaling chart 600.
- the one or more first NFs may comprise AAnF and/or AUSF.
- the one or more second NFs may comprise AAnF and/or AUSF.
- the first NEF or first operator app 402 may transmit (615) an AKMA application key get message to the one or more first NFs 401 with the AKMA Key ID (i.e., A-KID) and the key material.
- the one or more first NFs 401 may determine an AKMA key user identity (e.g., A-KID-USER) based on the key material (e.g., the validity or a random value), the key KAKMA and the SUPI.
- the one or more first NFs 401 may transmit (620) an AKMA application key response message to the first NEF or first operator app 402 with the SUPI/GPSI and the AKMA key user identity (e.g., A-KID-USER) generated by the one or more first NFs 401.
- AKMA key user identity e.g., A-KID-USER
- the first NEF or first operator app 402 may provide (625) the key material to the first user device 210.
- the key material may comprise a validity and/or a random value and/or a routing identifier (RI-A).
- RI-A routing identifier
- the first user device 210 may generate (630) the AKMA key user identity (e.g., A-KID-USER).
- a format of A-KID-USER may be represented as <Temporary-derived-ID>+<AAnF-routing-id>@realm<HPLMN ID>.
- the first user device 210 may generate the AKMA temporary user identity (A-TID-USER) as the <Temporary-derived-ID> based on the SUPI, the key material (e.g., a validity and/or a random value) and KAUSF or KAKMA.
- the temporary identifier can be any unique identifier assigned by the operator; that is, A-KID-USER can also be generated without KAUSF.
- a user request for accessing the service of the application via the second user device 230 including the AKMA key user identity (e.g., A-KID-USER) generated by the first user device 210 may be provided (640) to the second user device 230.
- the second user device 230 transmits (645) to AKMA AF 240, an application session establishment request including the AKMA key user identity (e.g., A- KID-USER) received from the user request.
- the AKMA AF 240 may request an authentication of the AKMA key user identity received from the second user device 230 and provided by the user.
- the AKMA AF 240 may transmit (650), to the first NEF or first operator app 402, a request of authenticating the AKMA key user identity received from the second user device 230.
- the first NEF or first operator app 402 may determine whether the AKMA key user identity is valid and authenticated.
- the first NEF or first operator app 402 may compare the AKMA key user identity received from the AKMA AF 240 and the AKMA key user identity (e.g., A-KID-USER) generated by the one or more first NFs 401.
- the first NEF or first operator app 402 may respond (655) to the AKMA AF 240 with an indication that the AKMA key user identity received from the second user device 230 is valid and authenticated. The AKMA AF 240 may then transmit (660), to the second user device 230, a response to the application session establishment request indicating that access to the service of the application via the second user device 230, requested by a user who does not own that device, is allowed.
- the second user device 230 may then grant the user access to the service of the application, for example, by displaying (665) a response to the user request on a display device.
- the first NEF or first operator app 402 may respond (655) to the AKMA AF 240 with an indication that the AKMA key user identity received from the second user device 230 is invalid and not authenticated. The AKMA AF 240 may then transmit (660), to the second user device 230, a response to the application session establishment request indicating that access to the service of the application via the second user device 230, requested by a user who does not own that device, is not allowed.
- the second user device 230 may then reject the user request to access the service of the application, for example, by displaying (665) a response to the user request on a display device.
- the user or the network (operator) may also refresh the user secret token and the AKMA key user identity (e.g., A-KID-USER) periodically or on demand.
- the user behind the UE may thus be authenticated by means of the AKMA structure, and the user may be involved in an AKMA authentication procedure.
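The second-device flow of FIG. 3 (steps 325 to 355) and FIG. 6 (steps 615 to 665), together with the AKMA-AF behaviour of method 800, as an added Python example that is not part of the patent. It builds A-KID-USER in the format <Temporary-derived-ID>+<AAnF-routing-id>@realm<HPLMN ID>, parses the realm so the AKMA AF can route the user check to the home operator named in the identity, and has the AF allow the session only when both the second device's own A-KID and the user's A-KID-USER are authenticated, so that the device's operator and the user's home operator may differ. Assumed, not from the patent: the HMAC-SHA256 derivation of A-TID-USER, the field widths in the regular expression, all SUPI, key, realm and A-KID values, and the replacement of the second operator NF 220-2 by a set of valid device A-KIDs.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample values for the walkthrough; none of them come from the patent.
SUPI_A = "imsi-262011234567890"                                      # user A, owner of first user device 210
K_AUSF_A = hashlib.sha256(b"constructed KAUSF of user A").digest()
HPLMN_A = "mnc01.mcc262"                                             # user A's home PLMN, used as the realm
RI_A = "1234"                                                        # routing identifier handed out as key material
A_KID_B = "deadbeef00000001@5g-akma-mnc02.mcc262.3gppnetwork.org"   # second user device 230, another operator

# <Temporary-derived-ID>+<AAnF-routing-id>@realm<HPLMN ID>; the field widths are assumptions.
A_KID_USER_RE = re.compile(r"^(?P<tid>[0-9a-f]{32})\+(?P<rid>\d{1,4})@realm(?P<hplmn>mnc\d{2,3}\.mcc\d{3})$")


def derive_a_tid_user(k: bytes, supi: str, validity: int, rand: bytes) -> str:
    """A-TID-USER from SUPI, key material (validity, random) and KAUSF or KAKMA (step 630).
    HMAC-SHA256 truncated to 128 bits is an assumption; the patent fixes the inputs, not the function."""
    msg = supi.encode() + validity.to_bytes(8, "big") + rand
    return hmac.new(k, b"A-TID-USER" + msg, hashlib.sha256).hexdigest()[:32]


def build_a_kid_user(a_tid_user: str, ri: str, hplmn: str) -> str:
    return f"{a_tid_user}+{ri}@realm{hplmn}"


def parse_a_kid_user(a_kid_user: str) -> dict:
    """Splits an A-KID-USER so the AF can route the check to the operator named in the realm."""
    m = A_KID_USER_RE.match(a_kid_user)
    if m is None:
        raise ValueError("malformed A-KID-USER")
    return m.groupdict()


class HomeOperatorNEF:
    """First NEF / operator app 402 together with the first NFs 401 behind it."""

    def __init__(self, hplmn: str) -> None:
        self.hplmn = hplmn
        self.issued = {}  # A-KID-USER generated by the first NFs (step 620) -> validity

    def issue_key_material(self, supi: str, k_ausf: bytes, now: int, lifetime: int = 600) -> dict:
        """Steps 615 to 625: build key material, let the NFs compute A-KID-USER, hand the material to the UE."""
        validity, rand = now + lifetime, secrets.token_bytes(16)
        expected = build_a_kid_user(derive_a_tid_user(k_ausf, supi, validity, rand), RI_A, self.hplmn)
        self.issued[expected] = validity
        return {"validity": validity, "rand": rand, "ri": RI_A}

    def authenticate_user_identity(self, a_kid_user: str, now: int) -> bool:
        """Steps 650/655: compare the presented identity with the one the NFs generated, and honour validity."""
        validity = self.issued.get(a_kid_user)
        return validity is not None and now <= validity


class AkmaAF:
    """AKMA AF 240: authenticates the device by its A-KID and the user by A-KID-USER, independently."""

    def __init__(self, home_operators: dict, valid_device_a_kids: set) -> None:
        self.home_operators = home_operators            # HPLMN ID -> HomeOperatorNEF
        self.valid_device_a_kids = valid_device_a_kids  # stands in for the second operator NF 220-2 (steps 340/345)

    def session_establishment(self, a_kid_user: str, device_a_kid: str, now: int) -> dict:
        try:
            hplmn = parse_a_kid_user(a_kid_user)["hplmn"]
        except ValueError as exc:
            return {"access": "not allowed", "reason": str(exc)}
        nef = self.home_operators.get(hplmn)
        if nef is None:
            return {"access": "not allowed", "reason": f"no operator NF for realm {hplmn}"}
        user_ok = nef.authenticate_user_identity(a_kid_user, now)   # steps 650/655
        device_ok = device_a_kid in self.valid_device_a_kids         # steps 340/345
        if user_ok and device_ok:
            return {"access": "allowed"}
        failed = [name for ok, name in ((user_ok, "user identity"), (device_ok, "device A-KID")) if not ok]
        return {"access": "not allowed", "reason": " and ".join(failed) + " not authenticated"}


def run_fig6_flow(now: int, tamper_user_id: bool = False, device_a_kid: str = A_KID_B) -> dict:
    """Steps 615 to 660 end to end; returns the AF's response to the second user device 230."""
    nef_a = HomeOperatorNEF(HPLMN_A)
    af = AkmaAF({HPLMN_A: nef_a}, {A_KID_B})
    km = nef_a.issue_key_material(SUPI_A, K_AUSF_A, now)                          # steps 615 to 625
    a_tid_user = derive_a_tid_user(K_AUSF_A, SUPI_A, km["validity"], km["rand"])  # step 630 on device 210
    if tamper_user_id:
        a_tid_user = format(int(a_tid_user, 16) ^ 1, "032x")                      # a guessed or altered identity
    a_kid_user = build_a_kid_user(a_tid_user, km["ri"], HPLMN_A)
    # Step 640: the user presents A-KID-USER on device 230; step 645: device 230 sends it with its own A-KID.
    return af.session_establishment(a_kid_user, device_a_kid, now)


if __name__ == "__main__":
    print(run_fig6_flow(now=1_700_000_000))
    print(run_fig6_flow(now=1_700_000_000, tamper_user_id=True))
```

Because the realm carries the HPLMN ID, the AF needs no prior relationship with the user to know which operator can vouch for A-KID-USER; the device check goes to the device's own operator, and either failing alone is enough to refuse the session.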
- the second user device 230 obtains at least one security information associated with a user profile from a user request for accessing a service of an application via the second user device 230.
- the second user device 230 transmits, to an authentication and key management for application, AKMA, application function, AF, associated with the application via an application session establishment request, the at least one security information associated with the user profile and an identifier of the second user device 230.
- the second user device 230 accepts or rejects the user request based on a response received from the AKMA-AF for the application session establishment request.
- the method 700 further comprises receiving, from the AKMA-AF, the response to the application session establishment request indicating whether access to the service by a user identified by the AKMA key user identity via the apparatus is allowed; in accordance with a determination that the response indicates the access is allowed, accepting the user request; or in accordance with a determination that the response indicates the access is not allowed, rejecting the user request.
- FIG. 8 shows a flowchart of an example method 800 implemented at a second device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 800 will be described from the perspective of the AKMA-AF 240.
- the AKMA-AF 240 receives, from a user device via an application session establishment request, an identifier of the user device and at least one security information associated with a user profile obtained by the user device from a user request for accessing a service of an application via the user device.
- the AKMA-AF 240 authenticates the user device by the identifier of the user device and authenticates the user by the at least one security information associated with the user profile.
- the method 800 further comprise in accordance with a determination that the at least one security information associated with the user profile and/or the identifier of the user device are invalid, transmitting, to the user device, the response for the application session establishment request indicating an access of the service of the application via the user device is not allowed.
- the operator network function and the further operator network function belong to the same operator.
- the operator network function and the further operator network function belong to different operators.
- the at least one security information associated with the user profile comprises at least one of the following: an AKMA key user identity, and/or a user secret token.
- FIG. 9 shows a flowchart of an example method 900 implemented at a first device in accordance with some example embodiments of the present disclosure.
- the method 900 will be described from the perspective of the first user device 210 in FIG. 4 and FIG. 6.
- the first user device 210 obtains, from an operator network function, a key material associated with operator network.
- the first user device 210 generates an AKMA key user identity for accessing a service of the application based on the key material, an AKMA temporary user identity, and public land mobile network, PLMN, information of the first user device.
- PLMN public land mobile network
- the key material comprises at least one of a validity, a random value, or a routing identifier.
- the method 900 further comprises: obtaining the validity or random value from the key material; and generating the AKMA temporary user identity based on a subscription permanent identifier, SUPI, the validity or random value and a key associated with an authentication server function or a key associated with the AKMA.
- the AKMA key user identity is allowed to be used for a user request for accessing a service of an application via a further user device.
- FIG. 10 shows a flowchart of an example method 1000 implemented at a second device in accordance with some example embodiments of the present disclosure.
- the method 1000 will be described from the perspective of the first NEF or first operator app 402 in FIG. 4 and FIG. 6.
- the first NEF or first operator app 402 receives an AKMA key user identity from an AKMA Anchor Function, AAnF, or an Authentication Server Function, AUSF.
- the first NEF or first operator app 402 transmits, to a user device, a key material associated with operator network.
- the first NEF or first operator app 402 determines a validity of the further AKMA key user identity based on the AKMA key user identity obtained from the AAnF or the AUSF.
- the method 1000 further comprises: transmitting, to the AAnF, or the AUSF, the AKMA key identity along with the key material via an AKMA application key request; and receiving the AKMA key user identity from the AAnF or the AUSF via an AKMA application key response.
- the method 1000 further comprises: determining whether the further AKMA key user identity matches the AKMA key user identity provided by the AAnF or the AUSF; in accordance with a determination that the further AKMA key user identity matches the AKMA key user identity, determining that the further AKMA key user identity from the user request is valid and authenticated; and transmitting, to the AKMA-AF, an indication that the further AKMA key user identity is valid and authenticated.
- the first user device 210 generates security information associated with a user profile based on the key material, an AKMA key and a SUPI associated with the apparatus.
- FIG. 12 shows a flowchart of an example method 1200 implemented at a second device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 1200 will be described from the perspective of the AS 504 in FIG. 5.
- the AS 504 receives, from a user device, an AKMA key identity of a user device and security information associated with the user profile via an application session establishment request.
- the AAnF 502 obtains a key material from a UE via a NEF associated with an operator network.
- at block 1320, the AAnF 502 generates security information associated with a user profile based on the key material, an AKMA key and a SUPI associated with a user device.
- the apparatus further comprises means for performing other operations in some example embodiments of the method 700 or the second user device 230 as shown in FIG. 2.
- the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the apparatus.
- the apparatus comprises means for receiving, from a user device via an application session establishment request, an identifier of the user device and at least one security information associated with a user profile obtained by the user device from a user request for accessing a service of an application via the user device; means for authenticating the user device by the identifier of the user device and authenticating the user by the at least one security information associated with the user profile; and means for transmitting, to the user device, a response to the application session establishment request based on a result of the authentication of the user and the user device.
- the apparatus further comprises: means for transmitting, to an operator network function, a request to authenticate the at least one security information associated with the user profile, where the operator network function is identified by the operator identifier associated with an AKMA key user identity; means for transmitting, to a further operator network function by which the user device is authenticated for the application, a request to authenticate the identifier of the user device; and means for, in accordance with a determination that the at least one security information associated with the user profile and the identifier of the user device are valid and authenticated, transmitting, to the user device, the response to the application session establishment request indicating that access to the service of the application via the user device is allowed.
- the apparatus further comprises: means for in accordance with a determination that the at least one security information associated with the user profile and/or the identifier of the user device are invalid, transmitting, to the user device, the response for the application session establishment request indicating an access of the service of the application via the user device is not allowed.
- the operator network function and the further operator network function belong to different operators.
- the at least one security information associated with the user profile comprises at least one of the following: an AKMA key user identity, and/or a user secret token.
- the apparatus further comprises means for performing other operations in some example embodiments of the method 800 or the AKMA-AF 240 as shown in FIG. 2.
- the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the apparatus.
- the apparatus comprises means for obtaining, from an operator network function, a key material associated with operator network; means for generating an AKMA key user identity for accessing a service of the application based on the key material, an AKMA temporary user identity, and public land mobile network, PLMN, information of the apparatus.
- the key material comprises at least one of: a validity, a random value, or a routing identifier.
- the apparatus further comprises: means for obtaining the validity or random value from the key material; and means for generating the AKMA temporary user identity based on a subscription permanent identifier, SUPI, the validity or random value and a key associated with an authentication server function or a key associated with the AKMA.
- the AKMA key user identity is allowed to be used for a user request for accessing a service of an application via a further user device.
- the apparatus further comprises means for performing other operations in some example embodiments of the method 900 or the first user device 210 in FIG. 4 and FIG. 6.
- the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the first apparatus.
- an apparatus capable of performing any of the method 1000 may comprise means for performing the respective operations of the method 1000.
- the means may be implemented in any suitable form.
- the means may be implemented in a circuitry or software module.
- the second apparatus may be implemented as or included in the first NEF or first operator app 402 in FIG. 4 and FIG. 6.
- the apparatus comprises means for receiving an AKMA key user identity from an AKMA Anchor Function, AAnF, or an Authentication Server Function, AUSF; means for transmitting, to a user device, a key material associated with operator network; means for in accordance with a determination that a request is received from an AKMA-AF associated with an application for authenticating a further AKMA key user identity provided by a user request for accessing a service of the application via a further user device, determining a validity of the further AKMA key user identity based on the AKMA key user identity obtained from the AAnF or the AUSF.
- the apparatus further comprises: means for determining whether the further AKMA key user identity matches the AKMA key user identity provided by the AAnF or the AUSF; means for, in accordance with a determination that the further AKMA key user identity matches the AKMA key user identity, determining that the further AKMA key user identity from the user request is valid and authenticated; and means for transmitting, to the AKMA-AF, an indication that the further AKMA key user identity is valid and authenticated.
- the apparatus comprises an operator network function.
- the second apparatus further comprises means for performing other operations in some example embodiments of the method 1000 or the first NEF or first operator app 402 in FIG. 4 and FIG. 6.
- the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the second apparatus.
- an apparatus capable of performing any of the method 1100 may comprise means for performing the respective operations of the method 1100.
- the means may be implemented in any suitable form.
- the means may be implemented in a circuitry or software module.
- the apparatus may be implemented as or included in the first user device 210 in FIG. 5.
- the key material at least indicating a validity or a random value.
- the first apparatus further comprises: means for receiving, from the application server, a response for the application session establishment request for indicating whether an application session establishment is accepted.
- the apparatus further comprises means for performing other operations in some example embodiments of the method 1100 or the first user device 210 in FIG. 5.
- the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the first apparatus.
- an apparatus capable of performing any of the method 1200 may comprise means for performing the respective operations of the method 1200.
- the means may be implemented in any suitable form.
- the means may be implemented in a circuitry or software module.
- the second apparatus may be implemented as or included in the AS 504 in FIG. 5.
- the apparatus further comprises means for performing other operations in some example embodiments of the method 1200 or the AS 504 in FIG. 5.
- the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the second apparatus.
- an apparatus capable of performing any of the method 1300 may comprise means for performing the respective operations of the method 1300.
- the means may be implemented in any suitable form.
- the means may be implemented in a circuitry or software module.
- the apparatus may be implemented as or included in the AAnF 502 in FIG. 5.
- the apparatus comprises means for obtaining a key material from a UE via a NEF associated with an operator network; means for generating security information associated with a user profile based on the key material, an AKMA key and a SUPI associated with a user device; means for receiving, from the AS, a request for obtaining an AKMA application key including the AKMA key identity and a further security information; and means for transmitting, to the AS, an AKMA application key response based on a comparison of the generated security information and the further security information.
- the apparatus further comprises: means for comparing the further security information with the generated security information; and means for in accordance with a determination that the further security information matches the generated security information, transmitting, to the AS, the AKMA application key response indicating the further security information is authenticated.
- the apparatus further comprises means for performing other operations in some example embodiments of the method 1300 or the AAnF 502 in FIG. 5.
- the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the third apparatus.
- FIG. 14 is a simplified block diagram of a device 1400 that is suitable for implementing example embodiments of the present disclosure.
- the device 1400 may be provided to implement a communication device, for example, the second user device 230 or the AKMA-AF 240 as shown in FIG. 2.
- the device 1400 includes one or more processors 1410, one or more memories 1420 coupled to the processor 1410, and one or more communication modules 1440 coupled to the processor 1410.
- the communication module 1440 is for bidirectional communications.
- the communication module 1440 has one or more communication interfaces to facilitate communication with one or more other modules or devices.
- the communication interfaces may represent any interface that is necessary for communication with other network elements.
- the communication module 1440 may include at least one antenna.
- the processor 1410 may be of any type suitable to the local technical network and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples.
- the device 1400 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
- the memory 1420 may include one or more non-volatile memories and one or more volatile memories.
- the non-volatile memories include, but are not limited to, a Read Only Memory (ROM) 1424, an electrically programmable read only memory (EPROM), a flash memory, a hard disk, a compact disc (CD), a digital video disk (DVD), an optical disk, a laser disk, and other magnetic storage and/or optical storage.
- ROM Read Only Memory
- EPROM electrically programmable read only memory
- CD compact disc
- DVD digital video disk
- RAM random access memory
- a computer program 1430 includes computer executable instructions that are executed by the associated processor 1410.
- the instructions of the program 1430 may include instructions for performing operations/acts of some example embodiments of the present disclosure.
- the program 1430 may be stored in the memory, e.g., the ROM 1424.
- the processor 1410 may perform any suitable actions and processing by loading the program 1430 into the RAM 1422.
- the example embodiments of the present disclosure may be implemented by means of the program 1430 so that the device 1400 may perform any process of the disclosure as discussed with reference to FIG. 2 to FIG. 13.
- the example embodiments of the present disclosure may also be implemented by hardware or by a combination of software and hardware.
- FIG. 15 shows an example of the computer readable medium 1500 which may be in form of CD, DVD or other optical storage disk.
- the computer readable medium 1500 has the program 1430 stored thereon.
- Some example embodiments of the present disclosure also provide at least one computer program product tangibly stored on a computer readable medium, such as a non- transitory computer readable medium.
- the computer program product includes computer-executable instructions, such as those included in program modules, executed in a device on a target physical or virtual processor, to carry out any of the methods described above.
- program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types.
- the functionality of the program modules may be combined or split between program modules as desired in various embodiments.
- Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
- Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages.
- the program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program code, when executed by the processor or controller, cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented.
- the program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
- the computer program code or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above.
- Examples of the carrier include a signal, computer readable medium, and the like.
- the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
- a computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Embodiments of the present disclosure relate to methods, devices, apparatuses and a computer-readable storage medium for a procedure for authenticating a user behind a user device. The method comprises: obtaining key material from a network exposure function (NEF) associated with an operator network; generating security information associated with a user profile based on the key material, an authentication and key management for applications (AKMA) key and a subscription permanent identifier (SUPI) associated with the apparatus; and providing, to an application server, the AKMA key identity of the apparatus and the generated security information associated with the user profile via an application session establishment request.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| IN202441008721 | 2024-02-08 | | |
| IN202441008721 | 2024-02-08 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025168272A1 (fr) | 2025-08-14 |
Family
ID=94210315
Family Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/EP2024/087786 (WO2025168272A1, fr, pending) | 2024-02-08 | 2024-12-20 | User authentication behind a user device |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2025168272A1 (fr) |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20230068196A1 (en) * | 2020-02-19 | 2023-03-02 | Samsung Electronics Co., Ltd. | Apparatus and method of generating application specific keys using key derived from network access authentication |
2024
- 2024-12-20: WO PCT/EP2024/087786, published as WO2025168272A1 (fr), active, pending
Non-Patent Citations (3)
| Title |
|---|
| "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on Authentication and Key Management for Applications (AKMA) phase 2 (Release 18)", no. V18.0.0, 22 June 2023 (2023-06-22), pages 1 - 50, XP052409065, Retrieved from the Internet <URL:https://ftp.3gpp.org/Specs/archive/33_series/33.737/33737-i00.zip 33737-i00.docx> [retrieved on 20230622] * |
| "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on User Identities and Authentication Architecture (Release 19)", no. V0.1.0, 1 February 2024 (2024-02-01), pages 1 - 11, XP052577073, Retrieved from the Internet <URL:https://ftp.3gpp.org/Specs/archive/23_series/23.700-32/23700-32-010.zip 23700_32_010_rm.docx> [retrieved on 20240201] * |
| "5G; Authentication and Key Management for Applications (AKMA) based on 3GPP credentials in the 5G System (5GS) (3GPP TS 33.535 version 17.9.0 Release 17)", vol. 3GPP SA, no. V17.9.0, 6 October 2023 (2023-10-06), pages 1 - 27, XP014470281, Retrieved from the Internet <URL:http://www.etsi.org/deliver/etsi_ts/133500_133599/133535/17.09.00_60/ts_133535v170900p.pdf> [retrieved on 20231006] * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US12401690B2 (en) | | Mechanism for dynamic authorization |
| US12231900B2 (en) | | Communication method and apparatus |
| WO2021219385A1 (fr) | | Secure identification of a network function |
| EP4478761A1 (fr) | | Authentication management method for non-3GPP access of a UE device to a 5G network |
| US12477337B2 (en) | | Access token revocation in security management |
| EP3763143B1 (fr) | | Methods, devices and computer readable medium for authentication in communication |
| US12439246B2 (en) | | Security communication in prose U2N relay |
| US12495095B2 (en) | | Network function validation |
| WO2024092844A1 (fr) | | Use of a routing indicator |
| WO2021160386A1 (fr) | | Authorization service for providing access control |
| EP4270870A1 (fr) | | Method, device and computer readable medium for communications |
| WO2025168272A1 (fr) | | User authentication behind a user device |
| WO2025168285A1 (fr) | | User authentication behind a user device |
| WO2025168278A1 (fr) | | User authentication behind a user device |
| WO2025175539A1 (fr) | | AKMA authentication with device information |
| US20250274358A1 (en) | | Network repository function policy control for different public land mobile networks |
| US20240340772A1 (en) | | Steering of roaming enhancement during registration reject |
| EP4325772B1 (fr) | | Use of an access token in a service-based architecture |
| WO2025231876A1 (fr) | | Public land mobile network protection |
| WO2024033785A1 (fr) | | Authentication for a device with non-cellular access |
| WO2024086990A1 (fr) | | Charging assistance solution |
| WO2025231777A1 (fr) | | Dynamic computation offloading for user equipment |
| WO2024234176A1 (fr) | | Enhancement of network management services |
| WO2024239213A1 (fr) | | Protection relay discovery for a serving-network-driven scenario |
| WO2024098177A1 (fr) | | Authentication procedure for a network slice |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 24834013; Country of ref document: EP; Kind code of ref document: A1 |