
EP-4740535-A1 - SYSTEM AND METHOD FOR MULTI-WAY AUTHORIZATION OR AUTHENTICATION OF NETWORK FUNCTION SERVICES IN COMMUNICATION NETWORKS


Abstract

Systems and methods for mutual authentication and authorization for NF services are provided, in which network function (NF) service consumers and NF service producers are authenticated to one another. NF service consumers may grant permission for NF service producers to provide them with NF services, while NF service producers may grant permission for NF service consumers to access their NF services. Anonymity between NF service producers and NF service consumers may be facilitated, for example, by the use of temporary identifiers.

Inventors

  • YING, Bidi
  • ZHANG, Hang

Assignees

  • Huawei Technologies Co., Ltd.

Dates

Publication Date: 2026-05-13
Application Date: 2023-07-25

Claims (20)

  1. A method for network function (NF) service authorization in a network, the method comprising, by a NF service producer and a gateway (GW) of the network: by the GW: receiving, from a NF service consumer, a service request for at least one NF service; generating a temporary ID of the NF service consumer, a temporary ID of the NF service producer, and a first proof for use by the NF service producer to authenticate the NF service consumer; and sending an access request to the NF service producer, the access request including at least one of: the first proof, the temporary ID of the NF service consumer, and the temporary ID of the NF service producer; by the NF service producer: receiving the access request, validating the first proof; and sending a response to the access request to the GW, the response confirming results of said validating.
  2. The method of claim 1, wherein the access request further includes at least one of: one or more first proof parameters, NF service requirements, and a certificate of the GW.
  3. The method of claim 2, wherein said validating the first proof is based, at least in part, on the first proof parameters, or a permanent ID of the NF service producer, or a procedure, negotiated between the GW and the NF service producer, or a combination thereof.
  4. The method of claim 3, further comprising, by the NF service producer, prior to said sending the response to the access request: authorizing the at least one NF service to be provided to the NF service consumer; and generating a second proof for the NF service consumer to authenticate the NF service producer and to access the NF service producer.
  5. The method of claim 4, wherein the second proof includes a second proof authentication code, an indication of an algorithm to generate the second proof authentication code, processed service authorization attributes, and an expiry time of the second proof.
  6. The method of claim 2 or claim 3, further comprising: by the GW: determining the NF service producer providing the at least one NF service before generating the first proof and the first proof parameters.
  7. The method of claim 6, wherein said determining the NF service producer providing the at least one NF service comprises discovering the NF service producer providing the at least one NF service through a discovery operation, and wherein the first proof and the first proof parameters are generated by the GW following a successful outcome of the discovery operation.
  8. The method of any one of claims 2 to 7, wherein the first proof includes a first proof authentication code or an indication of an algorithm to generate the first proof authentication code or both.
  9. The method of any one of claims 3, 6, and 7, wherein the first proof parameters, or the permanent ID of the NF service producer, or a NF service access window time, or a combination thereof is input to the algorithm to generate the first proof authentication code.
  10. The method of any one of claims 2 to 9, wherein the first proof comprises a function or executable code which, when executed, produces a value usable to authenticate the NF service consumer.
  11. The method of claim 5, wherein the second proof authentication code is generated based on inputs to the algorithm, wherein the inputs are a temporary ID of the NF service consumer, a temporary ID of the NF service producer, the first proof, and the processed service authorization attributes.
  12. The method of claim 5 or claim 11, wherein the processed service authorization attributes are provided by a hash function based on service authorization attributes, the service authorization attributes indicative of a permission for the NF service consumer to access the at least one NF service.
  13. The method of any one of claims 5, 11, and 12, wherein the response to the access request includes the second proof, the processed service authorization attributes, and a certificate of the NF service producer, and wherein the processed service authorization attributes are based at least in part on NF service requirements.
  14. The method of any one of claims 2 to 13, wherein the first proof is for producing a value to authenticate the NF service producer.
  15. The method of claim 7, wherein said determining the NF service producer providing the at least one NF service is initiated in response to the service request for the at least one NF service.
  16. The method of claim 15, wherein, after receipt of the service request from the NF service consumer and prior to said determining the NF service producer providing the at least one NF service, the GW validates the NF service consumer.
  17. The method of claim 15 or claim 16, wherein the service request includes the NF service requirements, or a permanent ID of the NF service consumer, or a certificate of the NF service consumer, or a combination thereof.
  18. The method of claim 5, wherein following receipt of the response to the access request, the GW authorizes the at least one NF service to be provided to the NF service consumer, and the GW generates a third proof usable to authenticate the NF service producer by the NF service consumer.
  19. The method of claim 18, wherein the third proof includes a third proof authentication code, an indication of an algorithm to generate the third proof authentication code, the processed service authorization attributes, and an expiry time of the third proof; and wherein the first proof parameters, or the first proof, or the processed service authorization attributes, or a combination thereof is input to and used by the algorithm to generate the third proof authentication code.
  20. The method of claim 18 or claim 19, wherein, subsequently to generating the third proof, the GW sends to the NF service consumer a response to the service request.
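The three-proof exchange the claims describe (GW mints temporary IDs and a first proof, the producer validates it and answers with a second proof, the GW issues the consumer a third proof), modelled as an added Python illustration that is not part of the patent or of any Huawei implementation. It assumes HMAC-SHA256 as the proof algorithm, pre-shared keys k_gp (GW to producer) and k_gc (GW to consumer) standing in for the "procedure negotiated between the GW and the NF service producer" of claim 3, and JSON encoding of parameters; every function and field name is mine.

```python
import hashlib, hmac, json, secrets

ALG = "HMAC-SHA256"  # assumed algorithm; the claims only require an indication of the algorithm
j = lambda d: json.dumps(d, sort_keys=True)  # canonical encoding for dict-valued inputs

def code(key, *inputs):
    """Proof authentication code over the ordered inputs that the claims name."""
    return hmac.new(key, "|".join(inputs).encode(), hashlib.sha256).hexdigest()

def processed(attrs):
    """Claim 12: processed service authorization attributes are a hash of the attributes."""
    return hashlib.sha256(j(attrs).encode()).hexdigest()

def gw_access_request(k_gp, producer_pid, now, window):
    """Claims 1 and 9: the GW mints temporary IDs and a first proof bound to the producer's
    permanent ID and the NF service access window; permanent IDs never leave the GW."""
    tid_c, tid_p = secrets.token_hex(8), secrets.token_hex(8)
    params = {"start": now, "end": now + window}
    first = {"alg": ALG, "code": code(k_gp, tid_c, tid_p, producer_pid, j(params))}
    return {"tid_c": tid_c, "tid_p": tid_p, "params": params, "first": first}

def producer_response(k_gp, producer_pid, req, attrs, now, ttl):
    """Claims 1, 4, 5, 11: validate the first proof, authorize, and return a second proof."""
    want = code(k_gp, req["tid_c"], req["tid_p"], producer_pid, j(req["params"]))
    if req["first"]["alg"] != ALG or not hmac.compare_digest(want, req["first"]["code"]):
        return {"ok": False, "reason": "first proof invalid"}
    if not req["params"]["start"] <= now < req["params"]["end"]:
        return {"ok": False, "reason": "outside access window"}
    p, exp = processed(attrs), now + ttl
    second = {"alg": ALG, "attrs": p, "expiry": exp,
              "code": code(k_gp, req["tid_c"], req["tid_p"], req["first"]["code"], p, str(exp))}
    return {"ok": True, "second": second}

def gw_third_proof(k_gp, k_gc, req, resp, now):
    """Claims 18 and 19: the GW checks the producer's second proof, then issues the consumer a
    third proof over the first proof parameters, the first proof and the processed attributes."""
    if not resp["ok"]:
        return None
    s = resp["second"]
    want = code(k_gp, req["tid_c"], req["tid_p"], req["first"]["code"], s["attrs"], str(s["expiry"]))
    if now >= s["expiry"] or not hmac.compare_digest(want, s["code"]):
        return None
    third_code = code(k_gc, j(req["params"]), req["first"]["code"], s["attrs"], str(s["expiry"]))
    return {"alg": ALG, "tid_p": req["tid_p"], "params": req["params"], "first_code": req["first"]["code"],
            "attrs": s["attrs"], "expiry": s["expiry"], "code": third_code}

def consumer_verify(k_gc, third, now):
    """The consumer authenticates the producer through the GW-issued third proof and its expiry."""
    if third is None or now >= third["expiry"]:
        return False
    want = code(k_gc, j(third["params"]), third["first_code"], third["attrs"], str(third["expiry"]))
    return hmac.compare_digest(want, third["code"])
```

The consumer only ever receives the producer's temporary ID, and every proof carries an expiry, which is the privacy and replay-limiting property the claims are after.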

Description

SYSTEM AND METHOD FOR MULTI-WAY AUTHORIZATION OR AUTHENTICATION OF NETWORK FUNCTION SERVICES IN COMMUNICATION NETWORKS

TECHNICAL FIELD

The present disclosure generally pertains to authorization or authentication in communication networks and, in particular, to a system and a method for (e.g. multi-way) authorization or authentication of network function services.

BACKGROUND

As a next-generation mobile communications system, the sixth generation (6G) is expected to go far beyond providing communication pipelines or connectivity, extending to intelligence. 6G may support the computing and processing capabilities of different network function (NF) services in a distributed and collaborative manner. These NF services may include one or multiple data communication, data processing, or data computing functionalities, or various vertical applications (e.g., vehicle-to-everything (V2X), internet of things (IoT)). These NF services may be network-native services, provided by a network provider, or plug-in services provided by third parties. These providers may be denoted as NF service producers. In some current implementations, for example in the previous fifth-generation (5G) network, a special NF service providing connectivity is provided. To support these NF services, 6G may schedule or coordinate network-based computing and processing capabilities. These capabilities may be provided by entities or infrastructures (e.g., modules to provide computing resources and management of computing procedures).

The third generation partnership project (3GPP) establishes an access control security system. The access control security system provides an authorization process that may grant a NF service consumer access to NF service producers. However, authorization for a NF service consumer may not be efficient because of the extension of 6G to multiple NF services (e.g. network-native or plug-in services provided by third parties).

Besides, the access control security system supports both server-side and client-side certificates. Transport layer security (TLS) client and server certificates are required by 3GPP to be compliant with the Service Based Architecture (SBA) certificate profile for authentication; for example, all NF service consumers and network repository functions (NRF) are required to support mutually authenticated TLS and Hypertext Transfer Protocol Secure (HTTPS). The identities in the end entity certificates according to 3GPP are used for authentication and policy checks. The NF service consumers and the NRF in 3GPP support both server-side and client-side certificates. The NRF ensures that the NF Service Consumer is authorized to discover the NF Service Producer service(s). If the NF Service Consumer is authorized to receive the service requested, the NF Service Producer shall grant the NF Service Consumer access to the service API.

However, the current authorization for a NF service lacks mutual validation between the NF service consumer and the NF service producer in 6G. That is, while a NF service consumer is validated, the NF service producer is not, and this may become a security issue in future network scenarios. In 6G, a NF service consumer and a NF service producer may be deployed by different providers, and they may not necessarily trust each other. Mutual authentication may thus be required among them before permission to access a NF service producer is granted. In some cases, NF service producers may require validation before providing NF services to the NF service consumer.

The current authorization for a NF service also lacks ID privacy protection and authorization information protection. NF service consumers and a NRF require the use of both server-side and client-side certificates. These certificates may leak the real ID of the NF service consumer, compromising ID privacy. This may be undesirable, for example, if a NF service producer does not want to disclose its identity to a NF service consumer, or if a NF service consumer wants to avoid disclosing its identity to a NF service producer. The NF service consumer's location and the NF service producer's location may also be part of sensitive information which may not be sufficiently protected under present schemes. Current implementations of static authorization, based on a local authorization policy at the NRF and the NF Service in the service based interface (SBI) architecture, lack mutual validation between the NF service consumer and the NF service producer, and lack privacy protection. Therefore, improvements in authorization of network function services in communication networks are desirable.

This background information is provided to reveal information believed by the applicant to be of possible relevance to the present invention. No admission is necessarily intended, nor should it be construed, that any of the preceding information constitutes prior art against the present invention.

SUMMARY

Embodiments of