
CN-116601986-B - Method, system and computer readable medium for message authentication in a fifth generation (5G) communication network


Abstract

Methods, systems, and computer readable media for message authentication in a fifth generation (5G) communication network are disclosed. A method occurring at a first network node of a first network includes obtaining authentication information identifying a user equipment in communication via a second network from at least one Authentication and Key Agreement (AKA) procedure related message associated with the user equipment, storing the authentication information in a data store for verifying a subsequent message, receiving a request message associated with the user equipment, determining that the request message is invalid using the authentication information, and performing an invalidation message action in response to determining that the request message is invalid.

Inventors

  • J. Rajputt
  • S. B. Mahalank
  • K. DAS

Assignees

  • 甲骨文国际公司 (Oracle International Corporation)

Dates

  • Publication Date: 2026-05-08
  • Application Date: 2021-10-28
  • Priority Date: 2020-12-15

Claims (15)

  1. A method for message authentication in a fifth generation (5G) communication network, the method comprising, at a Security Edge Protection Proxy (SEPP) of a first network: obtaining authentication information identifying a user equipment from at least one Authentication and Key Agreement (AKA) procedure related message associated with the user equipment communicating via a second network, by inspecting the at least one AKA procedure related message as it passes through the SEPP on its way to a destination other than the SEPP; storing the authentication information in a data store for verifying subsequent messages; receiving a request message associated with the user equipment; determining that the request message is invalid using the authentication information, wherein determining that the request message is invalid using the authentication information includes retrieving the authentication information from the data store using a user equipment identifier in the request message and determining that the authentication information fails to confirm that the user equipment is roaming in the network from which the request message originated; and, in response to determining that the request message is invalid, performing an invalidation message action.
  2. The method of claim 1, wherein the request message comprises a 5G core request message.
  3. The method of claim 1, wherein the at least one AKA procedure related message comprises one or more data types, the one or more data types comprising the authentication information.
  4. The method of claim 1, wherein the authentication information comprises an authentication status, a network identifier, a network node identifier, a subscription permanent identifier (SUPI), a serving network name, or a Public Land Mobile Network (PLMN) identifier.
  5. The method of claim 1, wherein the at least one AKA procedure related message is sent via a second network node of the second network, wherein the second network node comprises a consumer Network Function (NF), a Policy Control Function (PCF), an Access and Mobility Management Function (AMF), a Session Management Function (SMF), a Network Repository Function (NRF), a Network Slice Selection Function (NSSF), or a 5G core network function.
  6. The method of claim 1, wherein the invalidation message action comprises discarding the request message or notifying a network operator or management system.
  7. The method of claim 1, wherein the first network is a home Public Land Mobile Network (PLMN) and the second network is a visited PLMN.
  8. A system for message authentication in a fifth generation (5G) communication network, the system comprising: a Security Edge Protection Proxy (SEPP) for a first network, the SEPP comprising at least one processor and a memory device for storing data, wherein the SEPP is configured to: obtain authentication information identifying a user equipment from at least one Authentication and Key Agreement (AKA) procedure related message associated with the user equipment communicating via a second network, by inspecting the at least one AKA procedure related message as it passes through the SEPP on its way to a destination other than the SEPP; store the authentication information in a data store for verifying subsequent messages; receive a request message associated with the user equipment; determine that the request message is invalid using the authentication information, wherein determining that the request message is invalid using the authentication information includes retrieving the authentication information from the data store using a user equipment identifier in the request message and determining that the authentication information fails to confirm that the user equipment is roaming in the network from which the request message originated; and, in response to determining that the request message is invalid, perform an invalidation message action.
  9. The system of claim 8, wherein the request message comprises a 5G core request message.
  10. The system of claim 8, wherein the at least one AKA procedure related message comprises one or more data types, the one or more data types comprising the authentication information.
  11. The system of claim 8, wherein the authentication information comprises an authentication status, a network identifier, a network node identifier, a subscription permanent identifier (SUPI), a serving network name, or a Public Land Mobile Network (PLMN) identifier.
  12. The system of claim 8, wherein the at least one AKA procedure related message is sent via a second network node of the second network, wherein the second network node comprises a consumer Network Function (NF), a Policy Control Function (PCF), an Access and Mobility Management Function (AMF), a Session Management Function (SMF), a Network Repository Function (NRF), a Network Slice Selection Function (NSSF), or a 5G core network function.
  13. The system of claim 8, wherein the invalidation message action comprises discarding the request message or notifying a network operator or management system.
  14. The system of claim 8, wherein the first network is a home Public Land Mobile Network (PLMN) and the second network is a visited PLMN.
  15. A non-transitory computer-readable medium having stored thereon executable instructions that, when executed by at least one processor of a computer, cause the computer to perform steps comprising, at a Security Edge Protection Proxy (SEPP) of a first network: obtaining authentication information identifying a user equipment from at least one Authentication and Key Agreement (AKA) procedure related message associated with the user equipment communicating via a second network, by inspecting the at least one AKA procedure related message as it passes through the SEPP on its way to a destination other than the SEPP; storing the authentication information in a data store for verifying subsequent messages; receiving a request message associated with the user equipment; determining that the request message is invalid using the authentication information, wherein determining that the request message is invalid using the authentication information includes retrieving the authentication information from the data store using a user equipment identifier in the request message and determining that the authentication information fails to confirm that the user equipment is roaming in the network from which the request message originated; and, in response to determining that the request message is invalid, performing an invalidation message action.
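The check that independent claims 1, 8 and 15 describe can be modelled in a few dozen lines: a home-network SEPP records, per SUPI, which visited PLMN authenticated the UE while the AKA-related messages transit it, and later refuses a request for that SUPI that arrives from a different PLMN, from a PLMN where the last authentication failed, or for a SUPI it has never seen authenticate. The example below is added here for illustration and is not Oracle's implementation; the message dictionaries, field names (`procedure`, `supi`, `servingNetworkName`, `authResult`, `originPlmnId`) and the `SUCCESS`/`FAILURE` status values are constructed simplifications, not the 3GPP JSON schemas. The only standards-derived piece is the serving network name layout `5G:mnc<MNC>.mcc<MCC>.3gppnetwork.org` (3GPP TS 33.501), from which the visited PLMN ID is recovered.

```python
"""Model of the claimed SEPP-side roaming check (added example, not the
patent holder's code). Message layouts are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Serving network name per 3GPP TS 33.501: "5G:mnc<MNC>.mcc<MCC>.3gppnetwork.org"
# (MNC is zero-padded to three digits in this form).
_SNN_RE = re.compile(r"^5G:mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")


def plmn_id_from_snn(snn: str) -> Optional[str]:
    """Return the PLMN ID (MCC followed by MNC) encoded in a serving network name,
    or None when the name does not match the expected layout."""
    m = _SNN_RE.match(snn)
    if not m:
        return None
    mnc, mcc = m.group(1), m.group(2)
    return mcc + mnc


@dataclass
class AuthRecord:
    """Authentication information the SEPP keeps per UE (cf. claim 4)."""
    supi: str
    serving_network_name: str
    visited_plmn_id: str
    auth_status: str  # constructed values: "SUCCESS" or "FAILURE"


class SeppAuthStore:
    """Data store populated from AKA-related messages passing through the SEPP."""

    def __init__(self) -> None:
        self._records: Dict[str, AuthRecord] = {}
        self.alerts: List[str] = []  # what the 'notify operator' action emitted

    def observe_aka_message(self, msg: dict) -> Optional[AuthRecord]:
        """Inspect a transiting message; record it only if it is AKA-related and
        carries the data types we need. Returns the stored record, else None."""
        if msg.get("procedure") != "AKA":  # constructed marker for AKA messages
            return None
        supi = msg.get("supi")
        snn = msg.get("servingNetworkName", "")
        plmn = plmn_id_from_snn(snn)
        if not supi or plmn is None:
            return None
        rec = AuthRecord(supi, snn, plmn, msg.get("authResult", "FAILURE"))
        self._records[supi] = rec  # latest AKA outcome wins
        return rec

    def validate_request(self, request: dict) -> Tuple[bool, str]:
        """Look the UE up by its identifier and confirm it is roaming in the
        PLMN the request originated from."""
        supi = request.get("supi")
        origin = request.get("originPlmnId")
        rec = self._records.get(supi)
        if rec is None:
            return False, "no AKA record for this UE"
        if rec.auth_status != "SUCCESS":
            return False, "last AKA attempt for this UE did not succeed"
        if rec.visited_plmn_id != origin:
            return False, (f"UE authenticated via PLMN {rec.visited_plmn_id}, "
                           f"request originated from PLMN {origin}")
        return True, "ok"

    def handle_request(self, request: dict) -> bool:
        """Invalidation message action: drop the request and record an alert.
        Returns True when the request may be forwarded."""
        valid, reason = self.validate_request(request)
        if not valid:
            self.alerts.append(
                f"dropped {request.get('service')} for {request.get('supi')}: {reason}")
        return valid


def demo() -> List[str]:
    """Constructed scenario: one UE authenticates via PLMN 234015, then a request
    for the same SUPI arrives claiming to come from PLMN 310410."""
    store = SeppAuthStore()
    store.observe_aka_message({
        "procedure": "AKA", "supi": "imsi-234150000000001",
        "servingNetworkName": "5G:mnc015.mcc234.3gppnetwork.org",
        "authResult": "SUCCESS"})
    store.handle_request({"service": "nudm-sdm", "supi": "imsi-234150000000001",
                          "originPlmnId": "234015"})  # forwarded
    store.handle_request({"service": "nudm-sdm", "supi": "imsi-234150000000001",
                          "originPlmnId": "310410"})  # dropped
    return store.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Keying the store by SUPI mirrors claim 1's "user equipment identifier in the request message"; a production SEPP would also need record expiry and would have to cope with SUCI-only messages, which this model does not attempt.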

Description

Priority statement

The present application claims priority from U.S. patent application Ser. No. 17/123,038, filed on December 15, 2020, the disclosure of which is incorporated herein by reference in its entirety.

Technical Field

The subject matter described herein relates to enhancing security in fifth generation (5G) communication networks. More particularly, it relates to methods, systems, and computer readable media for message authentication in 5G communication networks.

Background

In fifth generation (5G) communication networks, the network nodes that provide services are called producer Network Functions (NFs), and the network nodes that consume services are called consumer NFs. A network function may be either a producer NF or a consumer NF, depending on whether it is consuming or providing a service. A given producer NF may have many service endpoints, where a service endpoint is a point of contact for one or more NF instances hosted by the producer NF. A service endpoint is identified by a combination of an Internet Protocol (IP) address and port number, or by a fully qualified domain name that resolves to an IP address and port number on the network node hosting the producer NF. NF instances are instances of the producer NF that provide the service; a given producer NF may include more than one NF instance, and multiple NF instances may share the same service endpoint. The producer NF registers with the Network Repository Function (NRF). The NRF maintains a service profile for each available NF instance, identifying the services that instance supports. A consumer NF may subscribe to receive information about the producer NF instances that have registered with the NRF.

In addition to consumer NFs, another type of network node that may subscribe to receive information about NF service instances is the Service Communication Proxy (SCP). The SCP subscribes to the NRF and obtains reachability and service profile information about producer NF service instances. A consumer NF connects to the SCP, and the SCP either load balances traffic among the producer NF service instances that provide the desired service or routes traffic directly to the destination producer NF instance. Besides SCPs, other examples of intermediate proxy nodes, or groups of network nodes, that route traffic between producer and consumer NFs include the Security Edge Protection Proxy (SEPP), service gateways, and nodes in 5G service meshes. The SEPP is the network node that protects control plane traffic exchanged between different 5G Public Land Mobile Networks (PLMNs); to that end it performs message filtering, policing, and topology hiding on all Application Programming Interface (API) messages. Nevertheless, there is a need for improved security measures at one or more NFs.

Disclosure of Invention

Methods, systems, and computer readable media for message authentication in a fifth generation (5G) communication network are disclosed.

An example method for message authentication in a 5G communication network includes obtaining, at a first network node of a first network, authentication information identifying a user equipment from at least one Authentication and Key Agreement (AKA) procedure related message associated with the user equipment communicating via a second network, storing the authentication information in a data store for use in verifying a subsequent message, receiving a request message associated with the user equipment, determining that the request message is invalid using the authentication information, and performing an invalidation message action in response to determining that the request message is invalid. An example system for message authentication in a 5G communication network includes a first network node of a first network, the first network node including at least one processor and memory. The first network node is configured to obtain authentication information identifying a user equipment from at least one AKA procedure related message associated with the user equipment communicating via a second network, store the authentication information in a data store for verifying a subsequent message, receive a request message associated with the user equipment, determine, using the authentication information, that the request message is invalid, and perform an invalidation message action in response to determining that the request message is invalid. An example non-transitory computer-readable medium includes computer-executable instructions embodied in the non-transitory computer-readable medium that, when executed by at least one processor of at least one computer, cause the at least one computer to perform steps comprising, at a first network node of a first network, obtaining authentica