
US-20260129043-A1 - METHOD AND APPARATUS FOR ESTABLISHING CONNECTION


Abstract

A method for establishing a connection, performed by a home edge configuration server (H-ECS), includes: determining authorization information of a visited edge configuration server (V-ECS), and a target V-ECS; performing mutual identity authentication with the target V-ECS; in response to success of the mutual identity authentication, determining whether the target V-ECS is allowed to establish a connection with the H-ECS based on identity information authenticated and the authorization information of the V-ECS; and in response to the target V-ECS being allowed to establish the connection with the H-ECS, establishing a connection with the target V-ECS.

Inventors

  • Haoran LIANG
  • Wei Lu

Assignees

  • BEIJING XIAOMI MOBILE SOFTWARE CO., LTD.

Dates

Publication Date
20260507
Application Date
20220930

Claims (20)

  1. A method for establishing a connection, performed by a home edge configuration server (H-ECS), comprising: determining authorization information of a visited edge configuration server (V-ECS), and a target V-ECS; performing mutual identity authentication with the target V-ECS; in response to success of the mutual identity authentication, determining whether the target V-ECS is allowed to establish a connection with the H-ECS based on identity information authenticated and the authorization information of the V-ECS; and in response to the target V-ECS being allowed to establish the connection with the H-ECS, establishing a connection with the target V-ECS.
  2. The method of claim 1, wherein a process of determining the authorization information of the V-ECS comprises: receiving a first request sent by an edge enabler client (EEC) in a terminal, wherein the first request comprises the authorization information of the V-ECS.
  3. The method of claim 1, wherein a process of determining the authorization information of the V-ECS comprises: receiving a second request sent by a source edge enabler server (S-EES), wherein the second request comprises an identifier of a terminal; sending an obtaining request of the authorization information of the V-ECS to the terminal corresponding to the identifier of the terminal; and receiving the authorization information of the V-ECS returned by the terminal.
  4. The method of claim 1, wherein a process of determining the authorization information of the V-ECS comprises: obtaining the authorization information of the V-ECS from a preset storage area.
  5. The method of claim 1, wherein a process of determining the target V-ECS comprises: determining the target V-ECS based on location information of a terminal, wherein the terminal is a terminal that sends the authorization information of the V-ECS to the H-ECS, or the terminal is a terminal that sends a V-ECS query request to the H-ECS.
  6. The method of claim 1, wherein performing the mutual identity authentication with the target V-ECS comprises: sending a first certificate to the target V-ECS, wherein the first certificate is used for the target V-ECS to perform identity authentication on the H-ECS.
  7. The method of claim 6, before sending the first certificate to the target V-ECS, further comprising: determining that identity information of the target V-ECS or a corresponding second certificate is comprised in a first list in the authorization information.
  8. The method of claim 1, wherein performing the mutual identity authentication with the target V-ECS comprises: receiving a second certificate sent by the target V-ECS; and performing identity authentication on the target V-ECS based on the second certificate.
  9. The method of claim 8, wherein performing the identity authentication on the target V-ECS based on the second certificate comprises: performing authentication on the second certificate using a root certificate authority (CA) corresponding to the target V-ECS; and in response to success of the authentication, determining that information in the second certificate is the identity information authenticated of the V-ECS.
  10. The method of claim 1, wherein determining whether the target V-ECS is allowed to establish the connection with the H-ECS based on the identity information authenticated and the authorization information of the V-ECS comprises: in response to the identity information authenticated of the target V-ECS being comprised in the first list of the authorization information of the V-ECS, determining that the target V-ECS is allowed to establish the connection with the H-ECS; or in response to the second certificate used for successfully authenticating the target V-ECS being comprised in the first list of the authorization information of the V-ECS, determining that the target V-ECS is allowed to establish the connection with the H-ECS.
  11. The method of claim 1, wherein establishing the connection with the target V-ECS comprises: establishing a transport layer security (TLS) connection with the target V-ECS based on the first certificate corresponding to the H-ECS and the second certificate corresponding to the target V-ECS.
  12. A method for establishing a connection, performed by a visited edge configuration server (V-ECS), comprising: performing mutual identity authentication with a home edge configuration server (H-ECS); in response to success of the mutual identity authentication, determining whether the H-ECS is allowed to establish a connection with the V-ECS based on identity information authenticated and authorization information of the H-ECS; and in response to the H-ECS being allowed to establish the connection with the V-ECS, establishing a connection with the H-ECS.
  13. The method of claim 12, further comprising: extracting the authorization information of the H-ECS from configuration information; or determining the authorization information of the H-ECS according to a protocol.
  14. The method of claim 12, wherein performing the mutual identity authentication with the H-ECS comprises: receiving a first certificate sent by the H-ECS; and performing identity authentication on the H-ECS based on the first certificate.
  15. The method of claim 14, wherein performing identity authentication on the H-ECS based on the first certificate comprises: performing authentication on the first certificate using a root certificate authority (CA) corresponding to the H-ECS; and in response to success of the authentication, determining that information in the first certificate is the identity information authenticated of the H-ECS.
  16. The method of claim 12, wherein performing the mutual identity authentication with the H-ECS comprises: in response to the H-ECS being allowed to establish the connection with the V-ECS, sending a second certificate to the H-ECS.
  17. The method of claim 12, wherein determining whether the H-ECS is allowed to establish the connection with the V-ECS based on the identity information authenticated and preset authorization information of the H-ECS comprises: in response to the identity information authenticated of the H-ECS being comprised in a first list of the authorization information of the H-ECS, determining that the H-ECS is allowed to establish the connection with the V-ECS; or in response to the first certificate used for successfully authenticating the H-ECS being comprised in a first list of the authorization information of the H-ECS, determining that the H-ECS is allowed to establish the connection with the V-ECS.
  18. The method of claim 12, wherein establishing the connection with the H-ECS comprises: establishing a transport layer security (TLS) connection with the H-ECS based on the first certificate corresponding to the H-ECS and the second certificate corresponding to the V-ECS.
  19. A home edge configuration server (H-ECS), comprising: a processor; and a memory for storing instructions executable by the processor, wherein the processor is configured to: determine authorization information of a visited edge configuration server (V-ECS), and a target V-ECS; perform mutual identity authentication with the target V-ECS; in response to success of the mutual identity authentication, determine whether the target V-ECS is allowed to establish a connection with the H-ECS based on identity information authenticated and the authorization information of the V-ECS; and in response to the target V-ECS being allowed to establish the connection with the H-ECS, establish a connection with the target V-ECS.
  20. A visited edge configuration server (V-ECS), comprising: a processor; and a memory for storing instructions executable by the processor, wherein the processor is configured to execute the method of claim 12.
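The claims describe one procedure from both ends: authenticate the peer ECS with the root CA that corresponds to it (claims 9 and 15), admit it only if the authenticated identity, or the certificate itself, is in the first list of the authorization information (claims 10 and 17), and only then complete the TLS connection (claims 11 and 18). The Go program below is an added example written for this page, not code from the application or its assignee. It builds a throwaway Ed25519 PKI, implements the two steps as separate functions, wires them into Go's TLS handshake hook so that a peer outside the first list is refused inside the handshake, and runs the mutual-TLS handshake over loopback TCP three times: both ECSs listed, the V-ECS missing from the H-ECS's list, and the H-ECS missing from the V-ECS's list. The host names, the use of the subject CN as the authenticated identity, the H-ECS listing peers by identity while the V-ECS lists them by certificate, the choice of the V-ECS as TLS server, and the loopback transport are all assumptions of the example. TLS fixes who presents a certificate first, so here the H-ECS vets the V-ECS certificate before presenting its own (claim 7), whereas the V-ECS, as server, has already sent its certificate when it checks the H-ECS (the ordering of claim 16 is not reproduced).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical ECS identities; the patent names no hosts.
const hName, vName = "h-ecs.hplmn.example", "v-ecs.vplmn.example"

// authz is one side's authorization information: a "first list" that may hold
// peer identities (ids) and/or the peers' certificates themselves (certs, DER).
type authz struct{ ids, certs map[string]bool }

// newCert issues an Ed25519 certificate for name (throwaway test PKI): a
// self-signed root CA when parent is nil, otherwise a leaf signed by parent.
func newCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// authenticate is the identity-authentication step (claims 9 and 15): verify the
// peer certificate against the root CA corresponding to that peer; only on
// success is the identity it carries (here the subject CN) trusted.
func authenticate(leaf *x509.Certificate, roots *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

// authorize is the admission step (claims 10 and 17): the peer may connect only
// if its authenticated identity, or the certificate that authenticated it, is in
// the first list. A valid certificate on its own never admits a peer.
func authorize(a authz, id string, leaf *x509.Certificate) bool {
	return a.ids[id] || a.certs[string(leaf.Raw)]
}

// peerCheck runs both steps inside the TLS handshake; an error aborts it.
func peerCheck(a authz, roots *x509.CertPool) func([][]byte, [][]*x509.Certificate) error {
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		leaf, err := x509.ParseCertificate(raw[0])
		if err != nil {
			return err
		}
		id, err := authenticate(leaf, roots)
		if err != nil {
			return fmt.Errorf("authentication failed: %w", err)
		}
		if !authorize(a, id, leaf) {
			return fmt.Errorf("peer %q authenticated but not in the first list", id)
		}
		return nil
	}
}

// trial builds a test PKI and both sides' configurations, then runs one mutual-TLS
// handshake over loopback TCP with the V-ECS as TLS server. vAllowed puts the V-ECS
// in the H-ECS's first list; hAllowed puts the H-ECS in the V-ECS's first list.
// A nil result means both sides established the connection.
func trial(vAllowed, hAllowed bool) error {
	hRoot, hRootKey := newCert("hplmn-root-ca", nil, nil)
	vRoot, vRootKey := newCert("vplmn-root-ca", nil, nil)
	hCert, hKey := newCert(hName, hRoot, hRootKey)
	vCert, vKey := newCert(vName, vRoot, vRootKey)
	hRoots, vRoots := x509.NewCertPool(), x509.NewCertPool()
	hRoots.AddCert(hRoot)
	vRoots.AddCert(vRoot)
	hAuthz := authz{ids: map[string]bool{vName: vAllowed}}              // lists the V-ECS by identity
	vAuthz := authz{certs: map[string]bool{string(hCert.Raw): hAllowed}} // lists the H-ECS by certificate
	// InsecureSkipVerify and RequireAnyClientCert only hand chain checking to peerCheck.
	hCfg := &tls.Config{MinVersion: tls.VersionTLS13, InsecureSkipVerify: true, VerifyPeerCertificate: peerCheck(hAuthz, vRoots),
		Certificates: []tls.Certificate{{Certificate: [][]byte{hCert.Raw}, PrivateKey: hKey}}}
	vCfg := &tls.Config{MinVersion: tls.VersionTLS13, ClientAuth: tls.RequireAnyClientCert, VerifyPeerCertificate: peerCheck(vAuthz, hRoots),
		Certificates: []tls.Certificate{{Certificate: [][]byte{vCert.Raw}, PrivateKey: vKey}}}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // V-ECS side
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = tls.Server(c, vCfg).Handshake()
		}
		srvErr <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), hCfg) // H-ECS side; Dial runs the handshake
	if err != nil {
		return err
	}
	cli.Close()
	return <-srvErr
}

func main() {
	fmt.Println(trial(true, true), trial(false, true), trial(true, false))
}
```

InsecureSkipVerify on the H-ECS side and RequireAnyClientCert on the V-ECS side switch off only the library's built-in chain validation, so that the per-peer root CA check in authenticate is the one that decides; without the VerifyPeerCertificate hook both settings would be a real weakness. Running the program prints nil for the first trial and a handshake error for each of the other two: a peer that authenticates but is absent from the first list is rejected before any application data can flow, which is the property the claims require.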

Description

CROSS-REFERENCE TO RELATED APPLICATION

This application is a U.S. national phase of International Application No. PCT/CN2022/123346, filed Sep. 30, 2022, the entire content of which is incorporated herein by reference.

TECHNICAL FIELD

The disclosure relates to the field of communication technologies, and particularly to a method and an apparatus for establishing a connection.

BACKGROUND

In a roaming architecture, edge configuration servers (ECSs) are provided in both the home public land mobile network (HPLMN) and the visited public land mobile network (VPLMN). Specifically, an edge enabler client (EEC) in a terminal may obtain a service from a visited ECS (V-ECS) and a visited edge enabler server (V-EES). A new connection between the ECSs (i.e., between the V-ECS and the home ECS (H-ECS)) is defined. This new connection may be used for EES discovery or for V-ECS information retrieval in a roaming PLMN.

The new connection crosses the boundary between the two PLMN domains, and each side is exposed to the other. A malicious H-ECS may use it to obtain EES information or V-ECS information, leaking topology details and server information of the VPLMN domain. A malicious V-ECS may use it to obtain terminal information from the H-ECS, exposing the privacy of the terminal. Authenticating the peer ECS is therefore not enough on its own: each ECS must also decide whether the authenticated peer is one it is authorized to connect with.

SUMMARY

In a first aspect, embodiments of the disclosure provide a method for establishing a connection, performed by a home edge configuration server (H-ECS), including: determining authorization information of a visited ECS (V-ECS), and a target V-ECS; performing mutual identity authentication with the target V-ECS; in response to success of the mutual identity authentication, determining whether the target V-ECS is allowed to establish a connection with the H-ECS based on the identity information authenticated and the authorization information of the V-ECS; and in response to the target V-ECS being allowed to establish the connection with the H-ECS, establishing a connection with the target V-ECS.

In a second aspect, embodiments of the disclosure provide a method for establishing a connection, performed by a V-ECS, including: performing mutual identity authentication with an H-ECS; in response to success of the mutual identity authentication, determining whether the H-ECS is allowed to establish a connection with the V-ECS based on the identity information authenticated and authorization information of the H-ECS; and in response to the H-ECS being allowed to establish the connection with the V-ECS, establishing a connection with the H-ECS.

In a third aspect, embodiments of the disclosure provide a home edge configuration server (H-ECS), including a processor and a memory for storing instructions executable by the processor. The processor is configured to execute the method of the first aspect.

In a fourth aspect, embodiments of the disclosure provide a visited edge configuration server (V-ECS), including a processor and a memory for storing instructions executable by the processor. The processor is configured to execute the method of the second aspect.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to clearly illustrate the technical solutions of embodiments of the disclosure or of the background, a brief description of the accompanying drawings used in the embodiments or the background is given below.

FIG. 1 is a schematic diagram illustrating an architecture of a communication system according to an embodiment of the disclosure.
FIG. 2 is a flow chart illustrating a method for establishing a connection according to an embodiment of the disclosure.
FIG. 3 is a flow chart illustrating a method for establishing a connection according to another embodiment of the disclosure.
FIG. 4 is a flow chart illustrating a method for establishing a connection according to another embodiment of the disclosure.
FIG. 5 is a flow chart illustrating a method for establishing a connection according to another embodiment of the disclosure.
FIG. 6 is a flow chart illustrating a method for establishing a connection according to another embodiment of the disclosure.
FIG. 7 is a flow chart illustrating a method for establishing a connection according to another embodiment of the disclosure.
FIG. 8 is an interaction diagram illustrating a method for establishing a connection according to another embodiment of the disclosure.
FIG. 9 is a block diagram illustrating a communication device according to an embodiment of the disclosure.
FIG. 10 is a block diagram illustrating a communication device according to another embodiment of the disclosure.
FIG. 11 is a block diagram illustrating a chip according to another embodiment of the disclosure.

DETAILED DESCRIPTION

To facilitate understanding, terms involved in the disclosure are first introduced below.

1. Home Public Land Mobile Network (HPLMN)

The HPLMN is the PLMN to which a terminal belongs. In other words, the international mobile subscriber identity (IMSI) in the universal subscriber identity module (USIM) card in the terminal includes a mobile country code (MCC) and a mobile network code (MNC), which are iden