CN101754211A - Authentication and negotiation method, system, security gateway and wireless family access point - Google Patents


Info

Publication number
CN101754211A
Authority
CN
China
Prior art keywords
authentication
ike
sign
request
device authentication
Prior art date
Legal status
Pending
Application number
CN200810239705.3A
Other languages
Chinese (zh)
Inventor
何承东
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN200810239705.3A
Priority to PCT/CN2009/074561 (WO2010069202A1)
Publication of CN101754211A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/24 Negotiation of communication capabilities

Abstract

Embodiments of the invention relate to an authentication negotiation method, a system, a security gateway and a wireless family access point. The authentication negotiation method comprises the following steps: receiving an IKE_SA_INIT request sent by an H(e)NB; sending an IKE_SA_INIT response to the H(e)NB; receiving a first IKE_AUTH request sent by the H(e)NB; and performing authentication of the H(e)NB according to whether the IKE_SA_INIT response and the IKE_AUTH request carry a first indication that device authentication and hosting party authentication of the H(e)NB are supported. Embodiments of the invention also provide a security gateway, a wireless family access point and an authentication negotiation system. Embodiments of the invention achieve a simple and accurate authentication negotiation mechanism between the H(e)NB and the SeGW, and also reduce the many versions of H(e)NB and SeGW equipment found in the prior art.

Description

Authentication and negotiation method and system, security gateway, wireless family access point
Technical field
The present invention relates to the field of mobile communication technology, and in particular to an authentication negotiation method and system, a security gateway and a wireless family access point.
Background technology
3GPP and non-3GPP standards organizations are currently studying a new access mode, the home access mode: user equipment (User Equipment, UE) connects, through a wireless family access point (Home Node B, HNB) operating on licensed spectrum, to the operator's mobile network over a generic public IP access network. Because the path between the HNB equipment and the HNB's security gateway (Security Gateway, SeGW) in the operator's mobile network crosses the public IP access network, network attacks common in the public IP network may be introduced; a core network element, here the HNB's SeGW, therefore needs to authenticate the HNB equipment. This authentication comprises device authentication and hosting party authentication (the hosting party module is usually denoted HPM, Host Party Module, and hosting party authentication is named after it). Device authentication means authentication of the HNB equipment itself; hosting party authentication means authentication of the hosting party who holds the subscription with the operator for this HNB equipment.
The latest 3GPP H(e)NB (covering both HNB and HeNB, Home Evolved Node B) security specification 33.820 V1.2.0 (document number S3-081585) defines the following authentication principles:
1. the H(e)NB must support at least one of the device authentication mechanisms: H(e)NB certificate authentication or Extensible Authentication Protocol - Authentication and Key Agreement (EAP-AKA) authentication;
2. the H(e)NB optionally supports the EAP-AKA hosting party authentication mechanism;
3. the requirements on the SeGW of the H(e)NB are the same as requirements 1 and 2 on the H(e)NB above; in addition, the SeGW may decide which security mechanism to adopt according to the operator's security policy;
4. which of the above authentication mechanisms is actually adopted also depends on the network deployment.
Negotiation of the authentication mechanism between the H(e)NB and the SeGW is performed mainly according to the Internet Key Exchange version 2 (IKE V2) protocol defined in RFC 4306. The main idea of IKE V2 is as follows: first, an Internet Key Exchange - Security Association - INITial request (IKE_SA_INIT request) / IKE_SA_INIT response message pair is exchanged, to negotiate cryptographic algorithms, exchange nonces and perform a Diffie-Hellman exchange; then an Internet Key Exchange - Authentication request (IKE_AUTH request) / IKE_AUTH response message pair is exchanged, to authenticate the preceding IKE_SA_INIT messages, exchange identities and certificates, and establish the first child Security Association. Further IKE_AUTH request/response message pairs may follow, to carry out subsequent authentication processing.
The existing negotiation schemes for the authentication mechanism are specified below:
Negotiation scheme one: if the SeGW carries, in the IKE_SA_INIT response message, both a NOTIFY header field of message type "multiple authentication supported" (MULTIPLE_AUTH_SUPPORTED) and a certificate request (CERTREQ) header field, and the H(e)NB then carries, in the IKE_AUTH request message, an authentication (AUTH) header field, a NOTIFY header field of message type MULTIPLE_AUTH_SUPPORTED and a NOTIFY header field of message type "another authentication follows" (ANOTHER_AUTH_FOLLOWS), the negotiation result is certificate-based device authentication followed by EAP-AKA hosting party authentication.
Negotiation scheme two: if the SeGW carries a NOTIFY header field of message type MULTIPLE_AUTH_SUPPORTED in the IKE_SA_INIT response message but no CERTREQ header field, and the H(e)NB then carries no AUTH header field in the IKE_AUTH request message but carries both a NOTIFY header field of message type MULTIPLE_AUTH_SUPPORTED and a NOTIFY header field of message type ANOTHER_AUTH_FOLLOWS, the negotiation result is EAP-AKA device authentication followed by EAP-AKA hosting party authentication.
Negotiation scheme three: if the SeGW carries no NOTIFY header field of message type MULTIPLE_AUTH_SUPPORTED in the IKE_SA_INIT response message but does carry a CERTREQ header field, and the H(e)NB then carries an AUTH header field in the IKE_AUTH request message but neither a NOTIFY header field of message type MULTIPLE_AUTH_SUPPORTED nor a NOTIFY header field of message type ANOTHER_AUTH_FOLLOWS, the negotiation result is certificate-based device authentication without EAP-AKA hosting party authentication.
Negotiation scheme four: if the SeGW carries neither a NOTIFY header field of message type MULTIPLE_AUTH_SUPPORTED nor a CERTREQ header field in the IKE_SA_INIT response message, and the H(e)NB then carries neither an AUTH header field, nor a NOTIFY header field of message type MULTIPLE_AUTH_SUPPORTED, nor a NOTIFY header field of message type ANOTHER_AUTH_FOLLOWS in the IKE_AUTH request message, the negotiation result is EAP-AKA device authentication without EAP-AKA hosting party authentication.
Cases other than the above four negotiation schemes are abnormal and require the SeGW to make a further decision according to the operator's security policy.
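The four prior-art schemes and the catch-all abnormal case form a decision table over five header-field flags; the following added example (not code from the patent) evaluates that table as a SeGW would and counts how many of the 32 flag combinations fall outside the four defined schemes. The numeric Notify Message Type values are the IANA-registered values from RFC 4739; the sample exchanges are constructed.

```python
import itertools
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional

# IKEv2 Notify Message Types (status types) registered by RFC 4739.
MULTIPLE_AUTH_SUPPORTED = 16404
ANOTHER_AUTH_FOLLOWS = 16405


class DeviceAuth(Enum):
    CERTIFICATE = "certificate-based device authentication"
    EAP_AKA = "EAP-AKA device authentication"


@dataclass(frozen=True)
class Negotiation:
    device_auth: DeviceAuth
    hosting_party_auth: bool  # EAP-AKA hosting party (HPM) authentication follows


@dataclass(frozen=True)
class IkeSaInitResponse:
    """Header fields the SeGW placed in its IKE_SA_INIT response."""
    notify_types: FrozenSet[int] = frozenset()
    has_certreq: bool = False


@dataclass(frozen=True)
class IkeAuthRequest:
    """Header fields the H(e)NB placed in its first IKE_AUTH request."""
    notify_types: FrozenSet[int] = frozenset()
    has_auth: bool = False


def prior_art_negotiation(resp: IkeSaInitResponse,
                          req: IkeAuthRequest) -> Optional[Negotiation]:
    """Return the negotiated outcome under schemes one to four, or None for an
    abnormal case that the SeGW must resolve from operator security policy."""
    segw_multi = MULTIPLE_AUTH_SUPPORTED in resp.notify_types
    henb_multi = MULTIPLE_AUTH_SUPPORTED in req.notify_types
    henb_another = ANOTHER_AUTH_FOLLOWS in req.notify_types

    # Scheme one: SeGW sends MULTIPLE_AUTH_SUPPORTED + CERTREQ;
    # H(e)NB answers with AUTH + MULTIPLE_AUTH_SUPPORTED + ANOTHER_AUTH_FOLLOWS.
    if segw_multi and resp.has_certreq and req.has_auth and henb_multi and henb_another:
        return Negotiation(DeviceAuth.CERTIFICATE, True)
    # Scheme two: MULTIPLE_AUTH_SUPPORTED without CERTREQ; H(e)NB omits AUTH
    # (EAP-AKA will authenticate the device) but carries both NOTIFY types.
    if segw_multi and not resp.has_certreq and not req.has_auth and henb_multi and henb_another:
        return Negotiation(DeviceAuth.EAP_AKA, True)
    # Scheme three: CERTREQ only; H(e)NB answers with AUTH only.
    if not segw_multi and resp.has_certreq and req.has_auth and not henb_multi and not henb_another:
        return Negotiation(DeviceAuth.CERTIFICATE, False)
    # Scheme four: neither side carries any of the flags.
    if not segw_multi and not resp.has_certreq and not req.has_auth and not henb_multi and not henb_another:
        return Negotiation(DeviceAuth.EAP_AKA, False)
    return None


def count_abnormal_combinations() -> int:
    """Enumerate every combination of the five flags the prior-art schemes look
    at and count those that land in the catch-all abnormal case."""
    abnormal = 0
    for segw_multi, certreq, auth, henb_multi, another in itertools.product((False, True), repeat=5):
        resp = IkeSaInitResponse(frozenset({MULTIPLE_AUTH_SUPPORTED} if segw_multi else set()), certreq)
        req_notifies = {n for n, on in ((MULTIPLE_AUTH_SUPPORTED, henb_multi),
                                        (ANOTHER_AUTH_FOLLOWS, another)) if on}
        req = IkeAuthRequest(frozenset(req_notifies), auth)
        if prior_art_negotiation(resp, req) is None:
            abnormal += 1
    return abnormal


if __name__ == "__main__":
    # Constructed mixed-vendor case from the page's critique: a SeGW that only
    # supports certificate-based device authentication (CERTREQ, no notify)
    # meets an H(e)NB that only supports EAP-AKA (no AUTH, no notify).
    outcome = prior_art_negotiation(IkeSaInitResponse(has_certreq=True), IkeAuthRequest())
    print("mixed-vendor outcome:", outcome)                  # None (abnormal)
    print("abnormal combinations:", count_abnormal_combinations())  # 28 of 32
```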
In the course of realizing the present invention, the inventor found that the authentication mechanisms adopted by the prior-art H(e)NB and SeGW, and the negotiation schemes between them, have at least the following shortcomings:
In terms of network deployment, to meet the different authentication requirements of different operators, an equipment vendor needs to provide at least the following versions of H(e)NB and SeGW: equipment supporting only certificate-based device authentication; equipment supporting only EAP-AKA device authentication; equipment supporting both certificate-based device authentication and EAP-AKA hosting party authentication; equipment supporting both EAP-AKA device authentication and EAP-AKA hosting party authentication; and possibly also equipment supporting certificate-based device authentication, EAP-AKA device authentication and EAP-AKA hosting party authentication at the same time. For the operator, because of this variety of device versions, the H(e)NBs and SeGWs purchased from different vendors may support different authentication modes, so authentication negotiation may run into various abnormal cases and may even fail to complete the authentication of the H(e)NB. The operator's authentication requirements therefore cannot really be met.
Summary of the invention
Embodiments of the invention provide an authentication negotiation method and system, a security gateway and a wireless family access point, to reduce the many versions of H(e)NB and SeGW equipment of the prior art and to provide a simpler and more accurate authentication mechanism.
According to one aspect of the embodiments of the invention, an authentication negotiation method is provided, comprising:
receiving an Internet Key Exchange - Security Association - initialization (IKE_SA_INIT) request sent by a wireless family access point H(e)NB;
sending an IKE_SA_INIT response to the H(e)NB;
receiving a first Internet Key Exchange - authentication (IKE_AUTH) request sent by the H(e)NB;
performing authentication of the H(e)NB according to whether the IKE_SA_INIT response and the IKE_AUTH request carry a first indication that device authentication and hosting party authentication of the H(e)NB are supported.
According to another aspect of the embodiments of the invention, a security gateway is provided, comprising:
a receiving module, for receiving an Internet Key Exchange - Security Association - initialization (IKE_SA_INIT) request sent by a wireless family access point H(e)NB and for receiving an Internet Key Exchange - authentication (IKE_AUTH) request sent by the H(e)NB;
a sending module, for sending an IKE_SA_INIT response and an IKE_AUTH response to the H(e)NB;
a processing module, for performing authentication of the H(e)NB according to whether the IKE_SA_INIT response and the IKE_AUTH request carry a first indication that device authentication and hosting party authentication of the H(e)NB are supported.
According to another aspect of the embodiments of the invention, a wireless family access point is provided, comprising:
a sending module, for sending an Internet Key Exchange - Security Association - initialization (IKE_SA_INIT) request and an Internet Key Exchange - authentication (IKE_AUTH) request to a security gateway;
a receiving module, for receiving the IKE_SA_INIT response and the IKE_AUTH response sent by the security gateway;
a processing module, for deciding, according to whether the IKE_SA_INIT response carries a first indication that device authentication and hosting party authentication of the H(e)NB are supported, whether the IKE_AUTH request also carries the first indication.
According to another aspect of the embodiments of the invention, an authentication negotiation system is provided, comprising:
a wireless family access point H(e)NB, for sending an Internet Key Exchange - Security Association - initialization (IKE_SA_INIT) request and an Internet Key Exchange - authentication (IKE_AUTH) request, receiving the returned IKE_SA_INIT response and IKE_AUTH response, and deciding, according to whether the IKE_SA_INIT response carries a first indication that device authentication and hosting party authentication of the H(e)NB are supported, whether the IKE_AUTH request also carries the first indication;
a security gateway, for receiving the IKE_SA_INIT request and the IKE_AUTH request sent by the H(e)NB, sending the IKE_SA_INIT response and the IKE_AUTH response to the H(e)NB, and performing authentication of the H(e)NB according to whether the IKE_SA_INIT response and the IKE_AUTH request carry the first indication.
From the above technical solutions it can be seen that the authentication negotiation method and system, security gateway and wireless family access point provided by embodiments of the invention, by judging the indication carried in the IKE_SA_INIT response and the IKE_AUTH request, realize a simple and accurate authentication negotiation mechanism between the H(e)NB and the SeGW, and can also reduce the many versions of H(e)NB and SeGW equipment of the prior art.
Description of drawings
Fig. 1 is a schematic diagram of the home access system architecture of an embodiment of the invention;
Fig. 2 is a schematic flow chart of the first embodiment of the authentication negotiation method of the invention;
Fig. 3 is the first signaling flow chart of the second embodiment of the authentication negotiation method of the invention;
Fig. 4 is the second signaling flow chart of the second embodiment of the authentication negotiation method of the invention;
Fig. 5 is the first signaling flow chart of the third embodiment of the authentication negotiation method of the invention;
Fig. 6 is the second signaling flow chart of the third embodiment of the authentication negotiation method of the invention;
Fig. 7 is the third signaling flow chart of the third embodiment of the authentication negotiation method of the invention;
Fig. 8 is the fourth signaling flow chart of the third embodiment of the authentication negotiation method of the invention;
Fig. 9 is the first signaling flow chart of the fourth embodiment of the authentication negotiation method of the invention;
Fig. 10 is the second signaling flow chart of the fourth embodiment of the authentication negotiation method of the invention;
Fig. 11 is the third signaling flow chart of the fourth embodiment of the authentication negotiation method of the invention;
Fig. 12 is the fourth signaling flow chart of the fourth embodiment of the authentication negotiation method of the invention;
Fig. 13 is a schematic structural diagram of the security gateway embodiment of the invention;
Fig. 14 is a schematic structural diagram of the wireless family access point embodiment of the invention;
Fig. 15 is a schematic structural diagram of the authentication negotiation system embodiment of the invention.
Embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Fig. 1 is a schematic diagram of the home access system architecture of an embodiment of the invention. As shown in Fig. 1, it comprises wireless family access points (H(e)NB), which operate on licensed spectrum and connect user equipment (UE) to the operator's mobile network through a generic public IP network. The wireless family access points comprise: the HNB, a wireless family access point operating on Universal Mobile Telecommunications System (UMTS) Terrestrial Radio Access Network (UTRAN) spectrum; the HeNB, a wireless family access point operating on Evolved UTRAN (E-UTRAN) spectrum; and the Home non-3GPP wireless access point (Home non-3GPP WAP), a wireless family access point operating on the spectrum of a non-3GPP network (for example CDMA, Wimax, WLAN or HRPD networks). The gateway network elements of the wireless family access points, comprising the HNB gateway (HNB GW), the HeNB GW and the Home non-3GPP WAP GW, perform management and access control of the wireless family access points, aggregate the wireless family access points, and route and forward the signaling and data between the wireless family access points and the network elements of the mobile network; in addition, these gateway network elements (HNB GW, HeNB GW and Home non-3GPP WAP GW) also have the function of the security gateway (Security Gateway, SeGW) of the wireless family access points and perform security-related functions such as authentication and encryption. The Mobility Management Entity (MME) is responsible for control-plane mobility management in the E-UTRAN network, including management of user context and mobility state and allocation of temporary user identities. The Serving GPRS Support Node (SGSN) implements routing and forwarding, mobility management, session management, user profile storage and similar functions in the General Packet Radio Service (GPRS)/UMTS network. The non-3GPP gateway entity (non-3GPP GW) implements mobility management, session management and similar functions in the non-3GPP network: for a WLAN network the non-3GPP GW is the Evolved Packet Data Gateway (EPDG); for a Wimax network it is the Access Service Network Gateway (ASN GW); for a CDMA network it is the Access Gateway (AGW); for an HRPD network it is the HRPD Serving Gateway (HSGW). The Home Subscriber Server (HSS) stores user subscription information. The Authentication, Authorization and Accounting Server (AAA Server) performs access authentication, authorization and accounting for the UE. The Home Management Server (HMS) is responsible for the management functions of the wireless family access points; the HMS may be an independent network element or may be integrated in the HSS, and it may also be connected directly to the wireless family access points, which the embodiments of the invention do not restrict. Moreover, this home access system architecture is not meant to be the final home access system architecture, which the embodiments of the invention likewise do not restrict.
Because the path from a wireless family access point to its corresponding SeGW network element is the public IP network, network attacks common in IP networks may be introduced; a core network element, here the SeGW network element corresponding to each wireless family access point, therefore needs to authenticate the wireless family access point, comprising device authentication and hosting party authentication. In the current latest 3GPP H(e)NB security specification 33.820 V1.2.0, device authentication comprises certificate-based device authentication or EAP-AKA over IKE V2 device authentication, that is, EAP-AKA device authentication running over the IKE V2 protocol; each operator adopts one of these two device authentication mechanisms. Hosting party authentication comprises only the EAP-AKA authentication mode, which some operators may adopt and others may not; for a mobile network that adopts hosting party authentication, it is generally performed after device authentication.
In the technology implementing the existing negotiation schemes, if whether the IKE_AUTH request message carries the AUTH header field were used as the basis for judging whether certificate-based device authentication or EAP-AKA device authentication is supported, then, because an IKE_AUTH request message that carries a NOTIFY header field of ANOTHER_AUTH_FOLLOWS necessarily also carries an AUTH header field (that is, AUTH and ANOTHER_AUTH_FOLLOWS are always bound together), the AUTH header field cannot serve as the basis for determining the device authentication mode.
If whether the IKE_SA_INIT response message carries the CERTREQ header field were used as the basis for judging whether certificate-based device authentication or EAP-AKA device authentication is supported, then, because the CERTREQ header field can also request content other than a certificate, the CERTREQ header field is likewise unsuitable as the basis for determining the device authentication mode.
If MULTIPLE_AUTH_SUPPORTED and ANOTHER_AUTH_FOLLOWS bundled in the same IKE_AUTH request message were used as the basis for judging whether device authentication and hosting party authentication are both supported, then, because according to RFC 4739 "the next IKE_AUTH will contain the second identity, and start the next authentication, which is the hosting party authentication", in the scenario where both EAP-AKA device authentication and EAP-AKA hosting party authentication are supported the next IKE_AUTH is still used to continue the EAP-AKA device authentication rather than the EAP-AKA hosting party authentication, which does not conform to RFC 4739. So bundling the two in the same IKE_AUTH request message is applicable only to the scenario of certificate-based device authentication together with EAP-AKA hosting party authentication, and not to the scenario of EAP-AKA device authentication together with EAP-AKA hosting party authentication. In addition, for the H(e)NB the MULTIPLE_AUTH_SUPPORTED header field is carried only in the first IKE_AUTH request message, whereas ANOTHER_AUTH_FOLLOWS may be carried in any IKE_AUTH request/response message that contains an AUTH header field; there is thus no need to bundle the two in the same IKE_AUTH request message, which would only limit the flexibility of the negotiation.
In view of the problems of the existing negotiation schemes above, the authentication negotiation method adopted by embodiments of the invention is explained below on the basis of the home access system architecture shown in Fig. 1.
In the following embodiments of the invention, to solve the problem of the many existing equipment versions, the wireless family access point made by the equipment vendor (denoted H(e)NB below), or the security gateway network element (denoted SeGW below), or both, support all authentication modes, so that after network deployment the operator has more freedom to decide which authentication mode, or which combination of modes, is used between the H(e)NB and the SeGW. To solve the problems of the existing authentication schemes, the following embodiments improve the existing authentication negotiation scheme mainly in three points: 1. extend the message types of the NOTIFY header field of the IKE V2 protocol to indicate the device authentication type, with the SeGW and the H(e)NB carrying a NOTIFY header field of the extended message type in the IKE_SA_INIT response message and the IKE_AUTH request message respectively to indicate the device authentication mode supported; 2. directly use the EAP header field that can be carried in the IKE V2 protocol, for example the NOTIFY type of the EAP protocol, to indicate the device authentication type, with the SeGW and the H(e)NB carrying an EAP header field in the IKE_SA_INIT response message and the IKE_AUTH request message respectively to indicate the device authentication mode supported; 3. no longer bundle MULTIPLE_AUTH_SUPPORTED and ANOTHER_AUTH_FOLLOWS in the same IKE_AUTH request message.
First, how authentication negotiation proceeds when the H(e)NB supports all authentication modes while the SeGW may support only some of them is described in detail. In this case no abnormal situations occur during authentication negotiation.
Fig. 2 is a schematic flow chart of the first embodiment of the authentication negotiation method of the invention. As shown in Fig. 2, it comprises the following steps:
Step 301: receive the IKE_SA_INIT request sent by the wireless family access point (H(e)NB);
Step 302: send an IKE_SA_INIT response to the H(e)NB;
Step 303: receive the IKE_AUTH request sent by the H(e)NB;
Step 304: perform authentication of the H(e)NB according to whether the IKE_SA_INIT response and the IKE_AUTH request carry a first indication that device authentication and hosting party authentication of the H(e)NB are supported.
Specifically, steps 301 to 303 are as follows: the H(e)NB sends the IKE_SA_INIT request; after receiving the IKE_SA_INIT request sent by the H(e)NB, the SeGW returns the IKE_SA_INIT response to the H(e)NB; the H(e)NB sends the IKE_AUTH request; once the SeGW has received this IKE_AUTH request, the main authentication negotiation process is complete. The step in which the SeGW returns the IKE_AUTH response to the H(e)NB, and the subsequent IKE_AUTH request/response messages of the device authentication and hosting party authentication procedures, are omitted in this embodiment of the invention. In step 304, according to the negotiation result of steps 302 and 303, that is, whether the IKE_SA_INIT response and the IKE_AUTH request carry the first indication that device authentication and hosting party authentication of the H(e)NB are supported, the SeGW performs authentication of the H(e)NB, comprising either device authentication alone or device authentication and hosting party authentication.
For certificate-based device authentication and EAP-AKA device authentication, when the SeGW equipment supports only one of the two device authentication modes, certain parameters carried in the IKE_SA_INIT response of step 302 can indicate the device authentication mode it supports. Therefore, provided that only one hosting party authentication mode is supported between the H(e)NB and the SeGW, the authentication the SeGW performs on the H(e)NB can be determined simply by judging whether the IKE_SA_INIT response and the IKE_AUTH request carry the first indication that device authentication and hosting party authentication of the H(e)NB are supported. This is described in detail below by way of specific embodiments.
The authentication negotiation method provided by the embodiment of the invention, by carrying in the IKE_SA_INIT response and the IKE_AUTH request an indication that expresses the authentication mode, can realize a simple and accurate authentication negotiation process between the H(e)NB and the SeGW; and since the H(e)NB supports all authentication modes, the SeGW may be equipment supporting all authentication modes or only some of them, which reduces the authentication negotiation failures caused by mismatched equipment.
Fig. 3 is the first signaling flow chart of the second embodiment of the authentication negotiation method of the invention. Based on the embodiment shown in Fig. 2, it is assumed in this embodiment that there is only one device authentication mode between the H(e)NB and the SeGW, that is, either certificate-based device authentication or EAP-AKA device authentication, and that the H(e)NB supports all authentication modes, that is, the H(e)NB supports the device authentication modes and hosting party authentication. As shown in Fig. 3, it comprises the following steps:
Step 401: the H(e)NB sends an IKE_SA_INIT request message to the SeGW;
Step 402: the SeGW sends an IKE_SA_INIT response message to the H(e)NB;
The SeGW judges that both device authentication and hosting party authentication of the H(e)NB are required, and therefore carries in the IKE_SA_INIT response message a first indication that the SeGW supports or requests device authentication and hosting party authentication of the H(e)NB; for example, the first indication may be a NOTIFY header field of message type MULTIPLE_AUTH_SUPPORTED. No second indication requesting a particular device authentication mode is carried in step 402, which shows that the SeGW and the H(e)NB are equipment supporting only one and the same device authentication mode. Assuming that the SeGW and the H(e)NB in this embodiment both support only certificate-based device authentication, step 402 thus indicates that the SeGW supports certificate-based device authentication and EAP-AKA hosting party authentication of the H(e)NB;
Step 403: the H(e)NB sends an IKE_AUTH request message to the SeGW, carrying a first indication that the H(e)NB supports or requests device authentication and hosting party authentication; for example, the first indication may be a NOTIFY header field of message type MULTIPLE_AUTH_SUPPORTED, indicating that the H(e)NB supports or requests only certificate-based device authentication and EAP-AKA hosting party authentication;
At this point, the H(e)NB and the SeGW may, from the above message exchange and in combination with local security policy, negotiate that certificate-based device authentication and EAP-AKA hosting party authentication are to be performed;
Step 404: the SeGW performs the certificate-based device authentication procedure on the H(e)NB; for clarity, the IKE_AUTH response message that the SeGW returns to the H(e)NB is omitted here;
Step 405: the H(e)NB sends an IKE_AUTH request message to the SeGW carrying a NOTIFY header field of message type "another authentication follows" (ANOTHER_AUTH_FOLLOWS) and an AUTH header field, indicating that device authentication is complete and that EAP-AKA hosting party authentication of the H(e)NB will be performed next;
It should be noted that step 405 and step 403 above may also be merged into the same IKE_AUTH request message, that is, the NOTIFY header field of ANOTHER_AUTH_FOLLOWS and the NOTIFY header field of MULTIPLE_AUTH_SUPPORTED are bundled in the same IKE_AUTH request message;
Step 406: the SeGW performs the EAP-AKA hosting party authentication procedure on the H(e)NB; for clarity, the IKE_AUTH response message that the SeGW returns to the H(e)NB is omitted here.
When the SeGW supports only EAP-AKA device authentication, the specific authentication negotiation process is assumed to be the same as when the H(e)NB and the SeGW support certificate-based device authentication, except that step 404 performs the EAP-AKA device authentication procedure of the SeGW on the H(e)NB; and it should be noted that in this case step 405 and step 403 above cannot be merged into the same IKE_AUTH request message, that is, the NOTIFY header field of ANOTHER_AUTH_FOLLOWS and the NOTIFY header field of MULTIPLE_AUTH_SUPPORTED must be carried separately in different IKE_AUTH messages.
Fig. 4 is the second signaling flow chart of the second embodiment of the authentication negotiation method of the present invention. Based on the embodiment shown in Fig. 2, it is assumed in this embodiment that there is only one device authentication mode between H(e)NB and SeGW, i.e. either certificate-based device authentication or EAP-AKA device authentication, and that H(e)NB supports all authentication modes, i.e. H(e)NB supports both device authentication and host authentication. Neither the IKE_SA_INIT response nor the IKE_AUTH request carries the first identifier indicating support for device authentication and host authentication; for example, the first identifier may be a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED. As shown in Fig. 4, the method comprises the following steps:
Step 501: H(e)NB sends an IKE_SA_INIT request message to SeGW;
Step 502: SeGW sends an IKE_SA_INIT response message to H(e)NB;
SeGW determines that only device authentication of H(e)NB is required, and therefore does not carry in the IKE_SA_INIT response message the first identifier indicating that SeGW supports or requests device authentication and host authentication of H(e)NB (for example, a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED), which indicates that SeGW supports or requests only device authentication of H(e)NB. No second identifier requesting a particular kind of device authentication is carried in step 502, which indicates that SeGW and H(e)NB are devices supporting only one device authentication mode. For example, assuming that SeGW and H(e)NB in this embodiment both support only EAP-AKA device authentication, step 502 indicates that SeGW performs EAP-AKA device authentication on H(e)NB;
Step 503: H(e)NB sends an IKE_AUTH request message to SeGW, which correspondingly also does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, indicating that H(e)NB supports or requests only EAP-AKA device authentication;
At this point, based on the above message exchange and possibly also on local security policy, H(e)NB and SeGW have negotiated that EAP-AKA device authentication is to be performed;
Step 504: SeGW performs the EAP-AKA device authentication procedure on H(e)NB; for clarity, the IKE_AUTH response message that SeGW returns to H(e)NB is omitted here.
The difference between the embodiment shown in Fig. 4 and that shown in Fig. 3 is that in Fig. 4 no NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED is carried, which indicates that only device authentication is performed on H(e)NB, so the host authentication procedure of steps 405 and 406 is absent. Furthermore, the specific authentication negotiation procedure when SeGW supports only certificate-based device authentication is the same as the procedure of Fig. 4 in which SeGW supports only EAP-AKA device authentication, except that what step 504 executes is the certificate-based device authentication procedure of SeGW on H(e)NB; it is not repeated here.
Summarizing the embodiments shown in Figs. 3 and 4: when the IKE_SA_INIT response and the IKE_AUTH request do not carry the first identifier, device authentication of H(e)NB is performed according to the local security policy of SeGW; when the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier, device authentication and host authentication of H(e)NB are performed according to the local security policy of SeGW.
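The following is an added illustration of the first-identifier negotiation summarized above (Figs. 3 and 4); it is not code from the patent. It reduces each IKE message to a list of payload names, writes a NOTIFY payload as "N(...)", and assumes an H(e)NB that supports all modes, so that it echoes MULTIPLE_AUTH_SUPPORTED whenever SeGW carried it. It also encodes the rule from steps 405 and the EAP-AKA variant of the second embodiment: ANOTHER_AUTH_FOLLOWS may share an IKE_AUTH request with MULTIPLE_AUTH_SUPPORTED for certificate-based device authentication, but not for EAP-AKA device authentication, because there the initiator's AUTH payload only appears in a later IKE_AUTH message. The payload layout of the EAP and host-authentication messages is simplified.

```python
# Added illustration (not code from the patent) of the first-identifier
# negotiation in Figs. 3 and 4. IKE messages are reduced to lists of
# payload names; "N(...)" stands for a NOTIFY payload of that message type.

MULTIPLE_AUTH_SUPPORTED = "N(MULTIPLE_AUTH_SUPPORTED)"   # first identifier
ANOTHER_AUTH_FOLLOWS = "N(ANOTHER_AUTH_FOLLOWS)"

CERT = "certificate"
EAP_AKA = "EAP-AKA"


def segw_sa_init_response(policy_needs_host_auth):
    """Payloads SeGW adds to its IKE_SA_INIT response (steps 402 and 502).

    The first identifier is carried only when SeGW's local policy requires
    host authentication in addition to device authentication.
    """
    return [MULTIPLE_AUTH_SUPPORTED] if policy_needs_host_auth else []


def henb_ike_auth_requests(sa_init_response, device_auth):
    """IKE_AUTH requests an H(e)NB that supports all modes would send.

    It echoes the first identifier whenever SeGW carried it (steps 403/503).
    device_auth is the single device authentication mode both sides support.
    """
    both = MULTIPLE_AUTH_SUPPORTED in sa_init_response
    first = [MULTIPLE_AUTH_SUPPORTED] if both else []
    follows = [ANOTHER_AUTH_FOLLOWS] if both else []
    if device_auth == CERT:
        # Certificate device authentication: the initiator's AUTH payload is
        # in the first IKE_AUTH request, so ANOTHER_AUTH_FOLLOWS can travel
        # together with MULTIPLE_AUTH_SUPPORTED (steps 403 and 405 merged).
        msgs = [first + ["IDi", "CERT", "AUTH"] + follows]
    elif device_auth == EAP_AKA:
        # EAP-AKA device authentication: the first IKE_AUTH request has no
        # AUTH payload, the EAP exchange occupies further IKE_AUTH messages,
        # and only the final one carries AUTH, so ANOTHER_AUTH_FOLLOWS must be
        # in a different IKE_AUTH message than MULTIPLE_AUTH_SUPPORTED.
        msgs = [first + ["IDi"], ["EAP"], ["AUTH"] + follows]
    else:
        raise ValueError("unknown device authentication mode: %r" % device_auth)
    if both:
        # Second authentication (steps 405/406): EAP-AKA host authentication,
        # again an EAP exchange closed by an AUTH payload (simplified).
        msgs += [["IDi"], ["EAP"], ["AUTH"]]
    return msgs


def agreed_procedure(sa_init_response, first_ike_auth_request, device_auth):
    """Conclusion both peers draw from the first identifier (summary of Figs. 3-4)."""
    both = (MULTIPLE_AUTH_SUPPORTED in sa_init_response
            and MULTIPLE_AUTH_SUPPORTED in first_ike_auth_request)
    steps = [device_auth + " device authentication"]
    if both:
        steps.append("EAP-AKA host authentication")
    return steps


def bundling_allowed(msgs, device_auth):
    """Rule from step 405 and its EAP-AKA variant: MULTIPLE_AUTH_SUPPORTED and
    ANOTHER_AUTH_FOLLOWS may share an IKE_AUTH request only for certificate
    device authentication; for EAP-AKA they must be in different messages."""
    for payloads in msgs:
        if MULTIPLE_AUTH_SUPPORTED in payloads and ANOTHER_AUTH_FOLLOWS in payloads:
            if device_auth != CERT:
                return False
    return True


if __name__ == "__main__":
    resp = segw_sa_init_response(True)
    for mode in (CERT, EAP_AKA):
        reqs = henb_ike_auth_requests(resp, mode)
        print(mode, agreed_procedure(resp, reqs[0], mode))
        for i, m in enumerate(reqs, 1):
            print("  IKE_AUTH request %d: %s" % (i, ", ".join(m)))
        print("  bundling rule satisfied:", bundling_allowed(reqs, mode))
```

Running the block prints, for each device authentication mode, the sequence of IKE_AUTH requests the H(e)NB sends and whether the bundling rule holds; the certificate case needs one message fewer before host authentication starts, which is exactly why the two NOTIFY payloads may be merged there and not in the EAP-AKA case.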
On the basis that H(e)NB supports all authentication modes as above, if SeGW also supports all authentication modes, authentication negotiation may further be carried out by carrying a second identifier in the IKE_SA_INIT response, which requests that certificate-based device authentication or EAP-AKA device authentication be performed on H(e)NB. This is described below by means of specific embodiments.
Fig. 5 is the first signaling flow chart of the third embodiment of the authentication negotiation method of the present invention. This embodiment takes as an example SeGW performing only certificate-based device authentication on H(e)NB. Here the IKE_SA_INIT response and the IKE_AUTH request do not carry the first identifier, and the second identifier carried in the IKE_SA_INIT response indicates support for performing certificate-based device authentication on H(e)NB; for example, the second identifier may be a NOTIFY payload of message type certificate authentication (CERT_AUTH) or a certificate request (CERTREQ) payload. As shown in Fig. 5, the method comprises the following steps:
Step 601: H(e)NB sends an IKE_SA_INIT request message to SeGW;
Step 602: SeGW sends an IKE_SA_INIT response message to H(e)NB;
SeGW determines that only certificate-based device authentication of H(e)NB is required, and therefore does not carry in the IKE_SA_INIT response message a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, but carries a second identifier indicating that SeGW supports or requests certificate-based device authentication; for example, the second identifier may be a NOTIFY payload of message type CERT_AUTH or a CERTREQ payload, indicating that SeGW requests or supports only certificate-based device authentication of H(e)NB;
Step 603: H(e)NB sends an IKE_AUTH request message to SeGW, which correspondingly also does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, indicating that H(e)NB supports certificate-based device authentication;
At this point, based on the above message exchange and possibly also on local security policy, H(e)NB and SeGW have negotiated that certificate-based device authentication is to be performed;
Step 604: SeGW performs the certificate-based device authentication procedure on H(e)NB; for clarity, the IKE_AUTH response message that SeGW returns to H(e)NB is omitted here.
Fig. 6 is the second signaling flow chart of the third embodiment of the authentication negotiation method of the present invention. This embodiment takes as an example SeGW performing only EAP-AKA device authentication on H(e)NB. Here the IKE_SA_INIT response and the IKE_AUTH request do not carry the first identifier, and the second identifier carried in the IKE_SA_INIT response indicates support for performing EAP-AKA device authentication on H(e)NB; for example, the second identifier may be a NOTIFY payload of message type EAP-AKA authentication (EAP-AKA_AUTH) or an EAP payload. As shown in Fig. 6, the method comprises the following steps:
Step 701: H(e)NB sends an IKE_SA_INIT request message to SeGW;
Step 702: SeGW sends an IKE_SA_INIT response message to H(e)NB;
SeGW determines that only EAP-AKA device authentication of H(e)NB is required, and therefore does not carry in the IKE_SA_INIT response message a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, but carries a second identifier indicating that SeGW supports EAP-AKA device authentication; for example, the second identifier may be a NOTIFY payload of message type EAP-AKA_AUTH or an EAP payload, indicating that SeGW requests or supports only device authentication of H(e)NB;
Step 703: H(e)NB sends an IKE_AUTH request message to SeGW, which correspondingly also does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, indicating that H(e)NB supports EAP-AKA device authentication;
At this point, based on the above message exchange and possibly also on local security policy, H(e)NB and SeGW have negotiated that EAP-AKA device authentication is to be performed;
Step 704: SeGW performs the EAP-AKA device authentication procedure on H(e)NB; for clarity, the IKE_AUTH response message that SeGW returns to H(e)NB is omitted here.
The embodiments shown in Figs. 5 and 6 above take as an example carrying in the IKE_SA_INIT response message a second identifier indicating that SeGW supports or requests a particular device authentication: when the IKE_SA_INIT response message carries a second identifier indicating that SeGW supports or requests certificate-based device authentication, SeGW performs certificate-based device authentication on H(e)NB; when the IKE_SA_INIT response message carries a second identifier indicating that SeGW supports or requests EAP-AKA device authentication, SeGW performs EAP-AKA device authentication on H(e)NB.
Alternatively, it may be arranged that when the IKE_SA_INIT response message carries a second identifier indicating that SeGW supports or requests certificate-based device authentication, SeGW performs certificate-based device authentication on H(e)NB, and when the IKE_SA_INIT response message carries no second identifier, SeGW performs EAP-AKA device authentication on H(e)NB. Or it may be arranged that when the IKE_SA_INIT response message carries a second identifier indicating that SeGW supports or requests EAP-AKA device authentication, SeGW performs EAP-AKA device authentication on H(e)NB, and when the IKE_SA_INIT response message carries no second identifier, SeGW performs certificate-based device authentication on H(e)NB.
Fig. 7 is the third signaling flow chart of the third embodiment of the authentication negotiation method of the present invention. This embodiment takes as an example SeGW performing certificate-based device authentication and EAP-AKA host authentication on H(e)NB. Here the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier, and the second identifier carried in the IKE_SA_INIT response indicates that SeGW supports certificate-based device authentication; for example, the second identifier may be a NOTIFY payload of message type CERT_AUTH or a CERTREQ payload. As shown in Fig. 7, the method comprises the following steps:
Step 801: H(e)NB sends an IKE_SA_INIT request message to SeGW;
Step 802: SeGW sends an IKE_SA_INIT response message to H(e)NB;
SeGW determines that certificate-based device authentication and EAP-AKA host authentication of H(e)NB are required, and therefore carries in the IKE_SA_INIT response message a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED and also a second identifier indicating that SeGW supports or requests certificate-based device authentication; for example, the second identifier may be a NOTIFY payload of message type CERT_AUTH or a CERTREQ payload, indicating that SeGW requests or supports only certificate-based device authentication and EAP-AKA host authentication of H(e)NB;
Step 803: H(e)NB sends an IKE_AUTH request message to SeGW carrying a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, indicating that H(e)NB supports certificate-based device authentication and EAP-AKA host authentication;
At this point, based on the above message exchange and possibly also on local security policy, H(e)NB and SeGW have negotiated that certificate-based device authentication and EAP-AKA host authentication are to be performed;
Step 804: SeGW performs the certificate-based device authentication procedure on H(e)NB; for clarity, the IKE_AUTH response message that SeGW returns to H(e)NB is omitted here;
Step 805: H(e)NB sends an IKE_AUTH request message to SeGW carrying a NOTIFY payload of message type ANOTHER_AUTH_FOLLOWS and an AUTH payload, indicating that device authentication is complete and that EAP-AKA host authentication of H(e)NB will follow next;
It should be noted that step 805 and step 803 above may be merged into the same IKE_AUTH request message, that is, the NOTIFY payload of ANOTHER_AUTH_FOLLOWS and the NOTIFY payload of MULTIPLE_AUTH_SUPPORTED may be bundled in one IKE_AUTH request message;
Step 806: SeGW performs the EAP-AKA host authentication procedure on H(e)NB; for clarity, the IKE_AUTH response message that SeGW returns to H(e)NB is omitted here.
Fig. 8 is the fourth signaling flow chart of the third embodiment of the authentication negotiation method of the present invention. This embodiment takes as an example SeGW performing EAP-AKA device authentication and EAP-AKA host authentication on H(e)NB. Here the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier, and the second identifier carried in the IKE_SA_INIT response indicates support for performing EAP-AKA device authentication on H(e)NB; for example, the second identifier may be a NOTIFY payload of message type EAP-AKA_AUTH or an EAP payload. As shown in Fig. 8, the method comprises the following steps:
Step 901: H(e)NB sends an IKE_SA_INIT request message to SeGW;
Step 902: SeGW sends an IKE_SA_INIT response message to H(e)NB;
SeGW determines that EAP-AKA device authentication and EAP-AKA host authentication of H(e)NB are required, and therefore carries in the IKE_SA_INIT response message a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED and also a second identifier indicating that SeGW supports EAP-AKA device authentication; for example, the second identifier may be a NOTIFY payload of message type EAP-AKA_AUTH or an EAP payload, indicating that SeGW requests or supports only device authentication and host authentication of H(e)NB;
Step 903: H(e)NB sends an IKE_AUTH request message to SeGW carrying a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, indicating that H(e)NB supports EAP-AKA device authentication and EAP-AKA host authentication;
At this point, based on the above message exchange and possibly also on local security policy, H(e)NB and SeGW have negotiated that EAP-AKA device authentication and EAP-AKA host authentication are to be performed;
Step 904: SeGW performs the EAP-AKA device authentication procedure on H(e)NB; for clarity, the IKE_AUTH response message that SeGW returns to H(e)NB is omitted here;
Step 905: H(e)NB sends an IKE_AUTH request message to SeGW carrying a NOTIFY payload of message type ANOTHER_AUTH_FOLLOWS and an AUTH payload, indicating that device authentication is complete and that EAP-AKA host authentication of H(e)NB will follow next;
It should be noted that step 905 and step 903 above cannot be merged into the same IKE_AUTH request message; that is, the NOTIFY payload of ANOTHER_AUTH_FOLLOWS and the NOTIFY payload of MULTIPLE_AUTH_SUPPORTED must be carried in different IKE_AUTH messages;
Step 906: SeGW performs the EAP-AKA host authentication procedure on H(e)NB; for clarity, the IKE_AUTH response message that SeGW returns to H(e)NB is omitted here.
As with the embodiments shown in Figs. 5 and 6 above, in the embodiments shown in Figs. 7 and 8 it may alternatively be arranged that when the IKE_SA_INIT response message carries a second identifier indicating that SeGW supports or requests certificate-based device authentication, SeGW performs certificate-based device authentication on H(e)NB, and when the IKE_SA_INIT response message carries no second identifier, SeGW performs EAP-AKA device authentication on H(e)NB. Or it may be arranged that when the IKE_SA_INIT response message carries a second identifier indicating that SeGW supports or requests EAP-AKA device authentication, SeGW performs EAP-AKA device authentication on H(e)NB, and when the IKE_SA_INIT response message carries no second identifier, SeGW performs certificate-based device authentication on H(e)NB.
Through the above embodiments, under the condition that H(e)NB supports all authentication modes, authentication negotiation between H(e)NB and SeGW can be completed using the identifiers of the above embodiments regardless of whether SeGW supports all authentication modes or only part of them, so that authentication of H(e)NB is achieved without abnormal conditions arising.
The following describes in detail how authentication negotiation is carried out when SeGW supports all authentication modes while H(e)NB may support all or only part of them. In this case, in addition to carrying in the IKE_SA_INIT response a second identifier requesting certificate-based device authentication or EAP-AKA device authentication of H(e)NB, the IKE_AUTH request also carries a third identifier requesting certificate-based device authentication or EAP-AKA device authentication of H(e)NB. Moreover, abnormal conditions may still arise in the authentication negotiation in this situation.
Fig. 9 is the first signaling flow chart of the fourth embodiment of the authentication negotiation method of the present invention. This embodiment takes as an example SeGW performing certificate-based device authentication on H(e)NB. Here the IKE_SA_INIT response and the IKE_AUTH request do not carry the first identifier, and both the second identifier carried in the IKE_SA_INIT response and the third identifier carried in the IKE_AUTH request indicate a request for, or support of, certificate-based device authentication of H(e)NB. As shown in Fig. 9, the method comprises the following steps:
Step 1001: H(e)NB sends an IKE_SA_INIT request message to SeGW;
Step 1002: SeGW sends an IKE_SA_INIT response message to H(e)NB;
SeGW determines that only certificate-based device authentication of H(e)NB is required, and therefore does not carry in the IKE_SA_INIT response message a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, but carries a second identifier indicating that SeGW supports or requests certificate-based device authentication; for example, the second identifier may be a NOTIFY payload of message type CERT_AUTH or a CERTREQ payload, indicating that SeGW requests or supports only certificate-based device authentication of H(e)NB;
Step 1003: H(e)NB sends an IKE_AUTH request message to SeGW, which correspondingly also does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, but carries a third identifier indicating that H(e)NB supports certificate-based device authentication; for example, the third identifier may be a NOTIFY payload of message type CERT_AUTH, an AUTH payload, or a Network Access Identifier (NAI) indicating certificate-based device authentication, indicating that H(e)NB likewise supports certificate-based device authentication;
At this point, based on the above message exchange and possibly also on local security policy, H(e)NB and SeGW have negotiated that certificate-based device authentication is to be performed;
Step 1004: SeGW performs the certificate-based device authentication procedure on H(e)NB; for clarity, the IKE_AUTH response message that SeGW returns to H(e)NB is omitted here.
Furthermore, when the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier, if both the second identifier carried in the IKE_SA_INIT response and the third identifier carried in the IKE_AUTH request indicate a request for certificate-based device authentication of H(e)NB, then certificate-based device authentication and EAP-AKA host authentication of H(e)NB may be performed according to the local security policy of SeGW. The signaling flow in which H(e)NB and SeGW exchange messages to negotiate the authentication mode and perform certificate-based device authentication is the same as in the embodiment shown in Fig. 9, and the signaling flow of EAP-AKA host authentication is the same as in the above embodiments that include host authentication; they are not repeated here.
Fig. 10 is the second signaling flow chart of the fourth embodiment of the authentication negotiation method of the present invention. This embodiment takes as an example SeGW performing EAP-AKA device authentication on H(e)NB. Here the IKE_SA_INIT response and the IKE_AUTH request do not carry the first identifier, and both the second identifier carried in the IKE_SA_INIT response and the third identifier carried in the IKE_AUTH request indicate a request for, or support of, EAP-AKA device authentication of H(e)NB. As shown in Fig. 10, the method comprises the following steps:
Step 1101: H(e)NB sends an IKE_SA_INIT request message to SeGW;
Step 1102: SeGW sends an IKE_SA_INIT response message to H(e)NB;
According to local security policy, SeGW determines that only EAP-AKA device authentication of H(e)NB is required, and therefore does not carry in the IKE_SA_INIT response message a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, but carries a second identifier indicating that SeGW supports or requests EAP-AKA device authentication; for example, the second identifier may be a NOTIFY payload of message type EAP-AKA_AUTH or an EAP payload, indicating that SeGW requests or supports only EAP-AKA device authentication of H(e)NB;
Step 1103: H(e)NB sends an IKE_AUTH request message to SeGW, which correspondingly also does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, but carries a third identifier indicating that H(e)NB supports EAP-AKA device authentication; for example, the third identifier may be a NOTIFY payload of message type EAP-AKA_AUTH or a Network Access Identifier (NAI) indicating EAP-AKA device authentication, indicating that H(e)NB likewise supports EAP-AKA device authentication;
At this point, based on the above message exchange and possibly also on local security policy, H(e)NB and SeGW have negotiated that EAP-AKA device authentication is to be performed;
Step 1104: SeGW performs the EAP-AKA device authentication procedure on H(e)NB; for clarity, the IKE_AUTH response message that SeGW returns to H(e)NB is omitted here.
Furthermore, when the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier, if both the second identifier carried in the IKE_SA_INIT response and the third identifier carried in the IKE_AUTH request indicate a request for EAP-AKA device authentication of H(e)NB, then EAP-AKA device authentication and EAP-AKA host authentication of H(e)NB may be performed according to the local security policy of SeGW. The signaling flow in which H(e)NB and SeGW exchange messages to negotiate the authentication mode and perform EAP-AKA device authentication is the same as in the embodiment shown in Fig. 10, and the signaling flow of EAP-AKA host authentication is the same as in the above embodiments that include host authentication; they are not repeated here.
Fig. 11 is the third signaling flow chart of the fourth embodiment of the authentication negotiation method of the present invention. When the IKE_SA_INIT response and the IKE_AUTH request do not carry the first identifier, if the second identifier and the third identifier request different device authentications of the wireless family access point, then according to the local security policy of SeGW either device authentication of H(e)NB is refused, or device authentication of H(e)NB is performed using the device authentication requested by the third identifier. As shown in Fig. 11, the method comprises the following steps:
Step 1201: H(e)NB sends an IKE_SA_INIT request message to SeGW;
Step 1202: SeGW sends an IKE_SA_INIT response message to H(e)NB;
According to local security policy, SeGW determines that only device authentication of H(e)NB is required, and therefore does not carry in the IKE_SA_INIT response message a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, indicating that SeGW requests or supports only device authentication of H(e)NB. Since the device authentication supported by SeGW includes both certificate-based device authentication and EAP-AKA device authentication, step 1202 carries a second identifier indicating that SeGW requests or supports certificate-based device authentication; for example, the second identifier may be a NOTIFY payload of message type CERT_AUTH or a CERTREQ payload, indicating that SeGW supports certificate-based device authentication at this time;
Step 1203: H(e)NB sends an IKE_AUTH request message to SeGW, which correspondingly also does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, but carries a third identifier indicating that H(e)NB supports only EAP-AKA device authentication; for example, the third identifier may be a NOTIFY payload of message type EAP-AKA_AUTH or a Network Access Identifier (NAI) indicating EAP-AKA device authentication, indicating that H(e)NB supports EAP-AKA device authentication;
Because H(e)NB may support only EAP-AKA device authentication, the IKE_AUTH request message sent in step 1203 shows that H(e)NB supports only EAP-AKA device authentication, whereas in step 1202 SeGW chose to request or support certificate-based device authentication; an abnormal condition therefore arises;
Step 1204: SeGW processes further according to local security policy. Specifically, under this abnormal condition SeGW may, according to local security policy, refuse to perform device authentication on H(e)NB and end the procedure; or, because SeGW supports all authentication modes, SeGW may also, according to local security policy, allow EAP-AKA device authentication of H(e)NB to be performed.
Fig. 12 is the fourth signaling flow chart of the fourth embodiment of the authentication negotiation method of the present invention. The difference from Fig. 11 is that the information carried by the second identifier and the third identifier is reversed. As shown in Fig. 12, the method comprises the following steps:
Step 1301: H(e)NB sends an IKE_SA_INIT request message to SeGW;
Step 1302: SeGW sends an IKE_SA_INIT response message to H(e)NB;
According to local security policy, SeGW determines that only device authentication of H(e)NB is required, and therefore does not carry in the IKE_SA_INIT response message a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, indicating that SeGW requests or supports only device authentication of H(e)NB. Since the device authentication supported by SeGW includes both certificate-based device authentication and EAP-AKA device authentication, step 1302 carries a second identifier indicating that SeGW requests or supports EAP-AKA device authentication; for example, the second identifier may be a NOTIFY payload of message type EAP-AKA_AUTH or an EAP payload, indicating that SeGW supports EAP-AKA device authentication at this time;
Step 1303: H(e)NB sends an IKE_AUTH request message to SeGW, which correspondingly also does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, but carries a third identifier indicating that H(e)NB supports only certificate-based device authentication; for example, the third identifier may be a NOTIFY payload of message type CERT_AUTH, an AUTH payload, or a Network Access Identifier (NAI) indicating certificate-based device authentication, indicating that H(e)NB supports certificate-based device authentication;
Because H(e)NB may support only certificate-based device authentication, the IKE_AUTH request message sent in step 1303 shows that H(e)NB supports only certificate-based device authentication, whereas in step 1302 SeGW chose to request or support EAP-AKA device authentication; an abnormal condition therefore arises;
Step 1304: SeGW processes further according to local security policy. Specifically, under this abnormal condition SeGW may, according to policy, refuse to perform device authentication on H(e)NB and end the procedure; or, because SeGW supports all authentication modes, SeGW may also, according to policy, allow certificate-based device authentication of H(e)NB to be performed.
Furthermore, when the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier, if the contents of the second identifier and the third identifier are inconsistent, as in the situations shown in Fig. 11 or Fig. 12, then SeGW, according to its local security policy, either refuses to perform device authentication and host authentication on H(e)NB, or performs on H(e)NB the device authentication of the type requested by the third identifier (certificate-based or EAP-AKA) followed by EAP-AKA host authentication. The signaling flow in which H(e)NB and SeGW exchange messages to negotiate the authentication mode and perform certificate-based device authentication is the same as in the embodiments shown in Fig. 11 or Fig. 12, and the signaling flow of EAP-AKA host authentication is the same as in the above embodiments that include host authentication; they are not repeated here.
The multiple signaling flows provided by the above four embodiments of the authentication negotiation method of the present invention carry out the authentication negotiation procedure by carrying different identifiers in the IKE_SA_INIT response and the IKE_AUTH request. However, because SeGW supports all authentication modes while H(e)NB may support only part or all of them, the authentication negotiation procedure may encounter a device authentication mode set by SeGW that H(e)NB does not support; in that case SeGW can in principle adjust and continue the subsequent authentication procedure, so that authentication negotiation can still be achieved in all cases.
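The following is an added illustration of the negotiation with the second and third identifiers described for the third embodiment (Figs. 5 to 8, including the variant in which a missing second identifier implies a default mode) and the fourth embodiment (Figs. 9 to 12, including the abnormal conditions of Figs. 11 and 12); it is not code from the patent. Messages are again lists of payload names, the NOTIFY examples CERT_AUTH and EAP-AKA_AUTH from the text stand in for the second and third identifiers, and the SegwPolicy structure is an assumed shape for the "local security policy" the text refers to: which authentications SeGW wants, what an absent second identifier means, and whether a mismatch is rejected or resolved by following the third identifier.

```python
# Added illustration (not code from the patent) of negotiation with the second
# and third identifiers (Figs. 5-12), including SeGW's handling of the
# abnormal condition in Figs. 11 and 12. Payload names follow the text's examples.
from dataclasses import dataclass
from typing import Optional

MULTIPLE_AUTH_SUPPORTED = "N(MULTIPLE_AUTH_SUPPORTED)"   # first identifier
CERT_AUTH = "N(CERT_AUTH)"                               # second/third identifier: certificate
EAP_AKA_AUTH = "N(EAP-AKA_AUTH)"                         # second/third identifier: EAP-AKA

CERT = "certificate"
EAP_AKA = "EAP-AKA"
IDENTIFIER_FOR = {CERT: CERT_AUTH, EAP_AKA: EAP_AKA_AUTH}
REJECT = "reject"


@dataclass(frozen=True)
class SegwPolicy:
    """Local security policy of a SeGW that supports all modes (assumed shape)."""
    host_auth: bool              # also require EAP-AKA host authentication
    device_auth: str             # device authentication SeGW requests (CERT or EAP_AKA)
    absent_means: Optional[str]  # meaning of a missing second identifier (Fig. 6 variant), or None
    on_mismatch: str             # REJECT, or "follow" to adopt the third identifier


def requested_device_auth(payloads, absent_means=None):
    """Read the second (IKE_SA_INIT response) or third (IKE_AUTH request) identifier."""
    if CERT_AUTH in payloads:
        return CERT
    if EAP_AKA_AUTH in payloads:
        return EAP_AKA
    return absent_means


def segw_sa_init_payloads(policy):
    """IKE_SA_INIT response payloads (steps 602/702/802/902/1002/1102/1202/1302):
    the first identifier if host authentication is wanted, and the second
    identifier naming the device authentication, omitted when the policy's
    default for an absent identifier already means that mode."""
    out = [MULTIPLE_AUTH_SUPPORTED] if policy.host_auth else []
    if policy.device_auth != policy.absent_means:
        out.append(IDENTIFIER_FOR[policy.device_auth])
    return out


def henb_ike_auth_payloads(sa_init_response, henb_supported, absent_means=None):
    """Fourth-embodiment H(e)NB (steps 1003/1103/1203/1303): echo the first
    identifier if present, then announce a supported device authentication as
    the third identifier, preferring the one SeGW asked for."""
    out = [MULTIPLE_AUTH_SUPPORTED] if MULTIPLE_AUTH_SUPPORTED in sa_init_response else []
    wanted = requested_device_auth(sa_init_response, absent_means)
    chosen = wanted if wanted in henb_supported else henb_supported[0]
    out.append(IDENTIFIER_FOR[chosen])
    return out


def segw_decide(policy, sa_init_response, ike_auth_request):
    """Steps 1004/1104/1204/1304: the authentications SeGW runs, or REJECT."""
    requested = requested_device_auth(sa_init_response, policy.absent_means)
    offered = requested_device_auth(ike_auth_request)
    if offered is None:
        offered = requested          # third-embodiment H(e)NB carries no third identifier
    if offered != requested:
        # Abnormal condition (Figs. 11/12): the H(e)NB supports only the other mode.
        if policy.on_mismatch == REJECT:
            return REJECT
        device = offered             # SeGW supports all modes, so it may follow the H(e)NB
    else:
        device = requested
    both = (MULTIPLE_AUTH_SUPPORTED in sa_init_response
            and MULTIPLE_AUTH_SUPPORTED in ike_auth_request)
    steps = [device + " device authentication"]
    if both:
        steps.append("EAP-AKA host authentication")
    return steps


def negotiate(policy, henb_supported):
    """Full exchange: (IKE_SA_INIT response payloads, IKE_AUTH request payloads, outcome)."""
    resp = segw_sa_init_payloads(policy)
    req = henb_ike_auth_payloads(resp, henb_supported, policy.absent_means)
    return resp, req, segw_decide(policy, resp, req)


if __name__ == "__main__":
    # Fig. 11: SeGW asks for certificate authentication, H(e)NB only does EAP-AKA.
    for rule in (REJECT, "follow"):
        policy = SegwPolicy(host_auth=False, device_auth=CERT, absent_means=None, on_mismatch=rule)
        print(rule, negotiate(policy, (EAP_AKA,)))
```

The `on_mismatch` rule is the point to watch when reading a SeGW's policy: a "follow" setting means a peer that claims only one capability can steer which device authentication is run, so the policy should only permit modes the operator considers equivalent in strength.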
Figure 13 is a schematic structural diagram of an embodiment of the security gateway of the present invention. As shown in Figure 13, the security gateway comprises a receiving module 11, a sending module 12 and a processing module 13. The receiving module 11 receives the Internet Key Exchange Security Association initialization (IKE_SA_INIT) request sent by the wireless home access point (H(e)NB) and the Internet Key Exchange authentication (IKE_AUTH) request sent by the H(e)NB; the sending module 12 sends the IKE_SA_INIT response and the IKE_AUTH response to the H(e)NB; the processing module 13 authenticates the H(e)NB according to whether the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier, which indicates support for performing device authentication and hosting party authentication on the H(e)NB.
The specific method by which this security gateway authenticates the H(e)NB is described in detail in the authentication negotiation method embodiments above and is not repeated here.
The security gateway provided by the present invention completes the authentication negotiation process through message exchange with the H(e)NB and authenticates the H(e)NB, providing a simple and accurate authentication mechanism.
Figure 14 is a schematic structural diagram of an embodiment of the wireless home access point of the present invention. As shown in Figure 14, the wireless home access point comprises a sending module 21, a receiving module 22 and a processing module 23. The sending module 21 sends the IKE_SA_INIT request and the IKE_AUTH request to the security gateway (SeGW); the receiving module 22 receives the IKE_SA_INIT response and the IKE_AUTH response sent by the SeGW; the processing module 23 decides, according to whether the IKE_SA_INIT response carries the first identifier indicating support for performing device authentication and hosting party authentication on the H(e)NB, whether the IKE_AUTH request also carries the first identifier.
This wireless home access point exchanges information with the SeGW so that authentication of the H(e)NB can be achieved; the specific method is described in detail in the authentication negotiation method embodiments above and is not repeated here.
Figure 15 is a schematic structural diagram of an embodiment of the authentication negotiation system of the present invention. As shown in Figure 15, the authentication negotiation system comprises a security gateway (SeGW) 1 and a wireless home access point (H(e)NB) 2. The H(e)NB 2 sends the IKE_SA_INIT request and the IKE_AUTH request, receives the returned IKE_SA_INIT response and IKE_AUTH response, and decides, according to whether the IKE_SA_INIT response carries the first identifier indicating support for performing device authentication and hosting party authentication on the H(e)NB 2, whether the IKE_AUTH request also carries the first identifier. The SeGW 1 receives the IKE_SA_INIT request and the IKE_AUTH request sent by the H(e)NB 2, sends the IKE_SA_INIT response and the IKE_AUTH response to the H(e)NB 2, and authenticates the H(e)NB 2 according to whether the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier.
The SeGW 1 comprises a receiving module 11, a sending module 12 and a processing module 13. The H(e)NB 2 comprises a sending module 21, a receiving module 22 and a processing module 23.
The specific method by which the SeGW authenticates the H(e)NB in this authentication negotiation system is described in detail in the authentication negotiation method embodiments above and is not repeated here.
The authentication negotiation system provided by the present invention completes the authentication negotiation process through message exchange between the SeGW and the H(e)NB and authenticates the H(e)NB, providing a simple and accurate authentication mechanism.
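The negotiation described above (the four identifiers carried in the IKE_SA_INIT response and the IKE_AUTH request, the H(e)NB's decision whether to echo the first identifier, and the SeGW's handling of a mismatch between the second and third identifiers under its local security policy) is modelled below as a small state machine. This is an added example written for this page, not code from the patent or from any Huawei implementation. The class names, the `MismatchPolicy` values that stand in for the "local security policy" the description leaves open, and the rule that an H(e)NB which does not support the SeGW's requested device authentication type answers with one it does support are all assumptions; they go slightly beyond the text in that they model the "SeGW adjusts and continues" case explicitly.

```python
"""Model of the IKEv2 authentication negotiation between an H(e)NB and a SeGW.

Added example, not code from the patent. The page's "first sign" through
"fourth sign" are the fields multiple_auth_supported, requested_dev_auth /
dev_auth, and another_auth_follows below. Class and policy names are assumed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class DevAuth(Enum):
    """Device authentication types named on the page."""
    CERT = "certificate"
    EAP_AKA = "eap-aka"


class MismatchPolicy(Enum):
    """Assumed encoding of the SeGW's local security policy for a 2nd/3rd identifier mismatch."""
    REFUSE = "refuse"              # refuse device and hosting party authentication
    FOLLOW_THIRD = "follow-third"  # perform the type the third identifier requests


@dataclass(frozen=True)
class IkeSaInitResponse:
    multiple_auth_supported: bool  # first identifier (MULTIPLE_AUTH_SUPPORTED notify)
    requested_dev_auth: DevAuth    # second identifier (CERTREQ / EAP payload or notify)


@dataclass(frozen=True)
class IkeAuthRequest:
    multiple_auth_supported: bool  # first identifier, echoed by the H(e)NB
    dev_auth: DevAuth              # third identifier (AUTH payload, notify or NAI)
    another_auth_follows: bool     # fourth identifier (ANOTHER_AUTH_FOLLOWS notify)


@dataclass(frozen=True)
class Outcome:
    refused: bool
    device_auth: Optional[DevAuth]
    hosting_party_auth: bool


class HeNB:
    """Processing module 23 of the wireless home access point."""

    def __init__(self, supported: FrozenSet[DevAuth], has_hosting_party_module: bool):
        self.supported = supported
        self.has_hosting_party_module = has_hosting_party_module

    def build_ike_auth(self, resp: IkeSaInitResponse) -> IkeAuthRequest:
        # Echo the first identifier only if the SeGW offered it and this H(e)NB
        # actually has a hosting party module to authenticate with.
        multi = resp.multiple_auth_supported and self.has_hosting_party_module
        # Follow the SeGW's requested type when supported; otherwise answer with a
        # supported type (assumption: this is how the mismatch of the description arises).
        if resp.requested_dev_auth in self.supported:
            dev = resp.requested_dev_auth
        else:
            dev = sorted(self.supported, key=lambda d: d.value)[0]
        return IkeAuthRequest(multi, dev, another_auth_follows=multi)


class SeGW:
    """Processing module 13 of the security gateway plus its local policy."""

    def __init__(self, preferred: DevAuth, offer_multiple_auth: bool, policy: MismatchPolicy):
        self.preferred = preferred
        self.offer_multiple_auth = offer_multiple_auth
        self.policy = policy

    def build_ike_sa_init_response(self) -> IkeSaInitResponse:
        return IkeSaInitResponse(self.offer_multiple_auth, self.preferred)

    def decide(self, resp: IkeSaInitResponse, req: IkeAuthRequest) -> Outcome:
        both_first = resp.multiple_auth_supported and req.multiple_auth_supported
        if resp.requested_dev_auth != req.dev_auth and self.policy is MismatchPolicy.REFUSE:
            return Outcome(refused=True, device_auth=None, hosting_party_auth=False)
        # Either the identifiers agree, or policy says to follow the third identifier.
        dev = req.dev_auth
        # Hosting party authentication is negotiated only when both messages carry
        # the first identifier, and runs once the H(e)NB signals ANOTHER_AUTH_FOLLOWS.
        hosting = both_first and req.another_auth_follows
        return Outcome(refused=False, device_auth=dev, hosting_party_auth=hosting)


def negotiate(segw: SeGW, henb: HeNB) -> Outcome:
    """Run the IKE_SA_INIT response / IKE_AUTH request exchange and return the SeGW's decision."""
    resp = segw.build_ike_sa_init_response()
    req = henb.build_ike_auth(resp)
    return segw.decide(resp, req)
```

Running `negotiate` with a SeGW that requests EAP-AKA against an H(e)NB that only supports certificates shows the two branches the description allows: with `MismatchPolicy.REFUSE` the outcome is a refusal, with `MismatchPolicy.FOLLOW_THIRD` the SeGW proceeds with certificate-based device authentication and, if both sides carried the first identifier, hosting party authentication.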
Those of ordinary skill in the art will appreciate that all or part of the flow of the methods in the above embodiments may be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flows of the method embodiments above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (20)

1. An authentication negotiation method, characterized by comprising:
receiving an Internet Key Exchange Security Association initialization (IKE_SA_INIT) request sent by a wireless home access point (H(e)NB);
sending an IKE_SA_INIT response to the H(e)NB;
receiving a first Internet Key Exchange authentication (IKE_AUTH) request sent by the H(e)NB;
authenticating the H(e)NB according to whether the IKE_SA_INIT response and the IKE_AUTH request carry a first identifier indicating support for performing device authentication and hosting party authentication on the H(e)NB.
2. The authentication negotiation method according to claim 1, characterized in that the first identifier is a notify payload whose message type is "multiple authentication supported".
3. The authentication negotiation method according to claim 2, characterized in that authenticating the H(e)NB according to whether the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier specifically comprises:
when neither the IKE_SA_INIT response nor the IKE_AUTH request carries the first identifier, supporting performing device authentication on the H(e)NB.
4. The authentication negotiation method according to claim 3, characterized in that the IKE_SA_INIT response carries a second identifier used to request that the H(e)NB perform certificate-based device authentication or Extensible Authentication Protocol Authentication and Key Agreement (EAP-AKA) device authentication.
5. The authentication negotiation method according to claim 4, characterized in that supporting performing device authentication on the H(e)NB specifically comprises:
if the IKE_SA_INIT response carries a second identifier requesting that the H(e)NB perform certificate-based device authentication, supporting the H(e)NB performing certificate-based device authentication; or
if the IKE_SA_INIT response carries a second identifier requesting that the H(e)NB perform EAP-AKA device authentication, supporting the H(e)NB performing EAP-AKA device authentication.
6. The authentication negotiation method according to claim 4, characterized in that the IKE_AUTH request carries a third identifier used to request that the H(e)NB perform certificate-based device authentication or EAP-AKA device authentication.
7. The authentication negotiation method according to claim 6, characterized in that supporting performing device authentication on the H(e)NB specifically comprises:
if the second identifier and the third identifier are both identifiers requesting that the H(e)NB perform certificate-based device authentication, supporting the H(e)NB performing certificate-based device authentication; or
if the second identifier and the third identifier are both identifiers requesting that the H(e)NB perform EAP-AKA device authentication, supporting the H(e)NB performing EAP-AKA device authentication; or
if the second identifier and the third identifier request different device authentication types for the H(e)NB, refusing to perform device authentication on the H(e)NB, or supporting performing device authentication on the H(e)NB of the type requested by the third identifier.
8. The authentication negotiation method according to claim 2, characterized in that authenticating the H(e)NB according to whether the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier specifically comprises:
when both the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier, supporting performing device authentication and hosting party authentication on the H(e)NB.
9. The authentication negotiation method according to claim 8, characterized in that the IKE_SA_INIT response also carries a second identifier used to request that the H(e)NB perform certificate-based device authentication or EAP-AKA device authentication.
10. The authentication negotiation method according to claim 9, characterized in that supporting performing device authentication and hosting party authentication on the H(e)NB specifically comprises:
if the IKE_SA_INIT response carries a second identifier requesting that the H(e)NB perform certificate-based device authentication, supporting the H(e)NB performing certificate-based device authentication and hosting party authentication; or
if the IKE_SA_INIT response carries a second identifier requesting that the H(e)NB perform EAP-AKA device authentication, supporting the H(e)NB performing EAP-AKA device authentication and hosting party authentication.
11. The authentication negotiation method according to claim 9, characterized in that the IKE_AUTH request also carries a third identifier used to request that the H(e)NB perform certificate-based device authentication or EAP-AKA device authentication.
12. The authentication negotiation method according to claim 11, characterized in that supporting performing device authentication and hosting party authentication on the H(e)NB specifically comprises:
if the second identifier and the third identifier are both identifiers requesting that the H(e)NB perform certificate-based device authentication, supporting the H(e)NB performing certificate-based device authentication and hosting party authentication; or
if the second identifier and the third identifier are both identifiers requesting that the H(e)NB perform EAP-AKA device authentication, supporting the H(e)NB performing EAP-AKA device authentication and hosting party authentication; or
if the second identifier and the third identifier request different device authentication types for the H(e)NB, refusing to perform device authentication and hosting party authentication on the H(e)NB, or supporting performing device authentication of the type requested by the third identifier and hosting party authentication on the H(e)NB.
13. The authentication negotiation method according to claim 8, 10 or 12, characterized in that supporting performing device authentication and hosting party authentication on the H(e)NB specifically comprises:
if the IKE_AUTH request also carries a fourth identifier indicating that the H(e)NB will perform hosting party authentication, performing device authentication and hosting party authentication on the H(e)NB; or
after performing device authentication on the H(e)NB, receiving a second IKE_AUTH request sent by the H(e)NB that carries a fourth identifier indicating that the H(e)NB will perform hosting party authentication, and then performing hosting party authentication on the H(e)NB.
14. The authentication negotiation method according to claim 13, characterized in that the fourth identifier comprises: a notify payload whose message type is "another authentication follows", and an authentication payload.
15. The authentication negotiation method according to any one of claims 4, 5, 6, 7, 9, 10, 11 or 12, characterized in that
the second identifier requesting that the H(e)NB perform certificate-based device authentication comprises: a notify payload whose message type is certificate authentication, or a certificate request payload; or
the second identifier requesting that the H(e)NB perform EAP-AKA device authentication comprises: a notify payload whose message type is EAP-AKA authentication, or an EAP payload.
16. The authentication negotiation method according to claim 6, 7, 11 or 12, characterized in that
the third identifier requesting that the H(e)NB perform certificate-based device authentication comprises: a notify payload whose message type is certificate authentication, an authentication payload, or a network access identifier indicating certificate-based device authentication; or
the third identifier requesting that the H(e)NB perform EAP-AKA device authentication comprises: a notify payload whose message type is EAP-AKA authentication, or a network access identifier indicating EAP-AKA device authentication.
17. The authentication negotiation method according to claim 3, 5, 7, 8, 10 or 12, characterized in that performing authentication of the H(e)NB specifically comprises: authenticating the H(e)NB according to a local security policy of the security gateway.
18. A security gateway, characterized by comprising:
a receiving module, configured to receive an Internet Key Exchange Security Association initialization (IKE_SA_INIT) request sent by a wireless home access point (H(e)NB) and to receive an Internet Key Exchange authentication (IKE_AUTH) request sent by the H(e)NB;
a sending module, configured to send an IKE_SA_INIT response and an IKE_AUTH response to the H(e)NB;
a processing module, configured to authenticate the H(e)NB according to whether the IKE_SA_INIT response and the IKE_AUTH request carry a first identifier indicating support for performing device authentication and hosting party authentication on the H(e)NB.
19. A wireless home access point, characterized by comprising:
a sending module, configured to send an Internet Key Exchange Security Association initialization (IKE_SA_INIT) request and an Internet Key Exchange authentication (IKE_AUTH) request to a security gateway;
a receiving module, configured to receive an IKE_SA_INIT response and an IKE_AUTH response sent by the security gateway;
a processing module, configured to decide, according to whether the IKE_SA_INIT response carries a first identifier indicating support for performing device authentication and hosting party authentication on the H(e)NB, whether the IKE_AUTH request also carries the first identifier.
20. An authentication negotiation system, characterized by comprising:
a wireless home access point (H(e)NB), configured to send an Internet Key Exchange Security Association initialization (IKE_SA_INIT) request and an Internet Key Exchange authentication (IKE_AUTH) request, to receive the returned IKE_SA_INIT response and IKE_AUTH response, and to decide, according to whether the IKE_SA_INIT response carries a first identifier indicating support for performing device authentication and hosting party authentication on the H(e)NB, whether the IKE_AUTH request also carries the first identifier;
a security gateway, configured to receive the IKE_SA_INIT request and the IKE_AUTH request sent by the H(e)NB, to send the IKE_SA_INIT response and the IKE_AUTH response to the H(e)NB, and to authenticate the H(e)NB according to whether the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier.
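Claims 2, 14, 15 and 16 pin the four identifiers to concrete IKEv2 payloads: Notify payloads for the first and fourth identifier, a Certificate Request or EAP payload for the second, and an Authentication payload or a network access identifier for the third. The following added example (written for this page, not code from the patent) encodes and decodes a chain of IKEv2 payloads with their generic headers and pulls those identifiers out of it. Payload type numbers are the ones assigned in RFC 7296 and the two notify message types are the ones RFC 4739 assigns to MULTIPLE_AUTH_SUPPORTED and ANOTHER_AUTH_FOLLOWS; the helper names, the `Identifiers` record and the sample NAI are assumptions, and the sample message is constructed rather than captured. It goes beyond the claims only in that it also rejects truncated or over-long payloads, which any SeGW parser should do before acting on an identifier.

```python
"""Encode/decode the IKEv2 payloads that carry the four identifiers of the claims.

Added example, not code from the patent. Payload type numbers follow RFC 7296,
notify message types follow RFC 4739; helper names and sample data are assumed.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

NO_NEXT_PAYLOAD = 0
PAYLOAD_IDI = 35       # Identification (initiator): carries the NAI of claim 16
PAYLOAD_CERTREQ = 38   # Certificate Request: one form of the second identifier (claim 15)
PAYLOAD_AUTH = 39      # Authentication: one form of the third/fourth identifier (claims 14, 16)
PAYLOAD_NOTIFY = 41    # Notify: carries the first and fourth identifiers (claims 2, 14)
PAYLOAD_EAP = 48       # EAP: one form of the second identifier (claim 15)
ID_RFC822_ADDR = 3     # ID type used for an NAI in the Identification payload

NOTIFY_MULTIPLE_AUTH_SUPPORTED = 16404   # RFC 4739
NOTIFY_ANOTHER_AUTH_FOLLOWS = 16405      # RFC 4739


@dataclass(frozen=True)
class Payload:
    ptype: int
    critical: bool
    body: bytes


def encode_payloads(items: List[Tuple[int, bytes]]) -> Tuple[int, bytes]:
    """Chain (type, body) pairs behind IKEv2 generic headers; returns (first_type, bytes)."""
    out = bytearray()
    for i, (ptype, body) in enumerate(items):
        next_type = items[i + 1][0] if i + 1 < len(items) else NO_NEXT_PAYLOAD
        out += struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
    return (items[0][0] if items else NO_NEXT_PAYLOAD), bytes(out)


def notify_body(msg_type: int, proto: int = 0, spi: bytes = b"") -> bytes:
    """Notify payload body: Protocol ID, SPI Size, Notify Message Type, SPI."""
    return struct.pack("!BBH", proto, len(spi), msg_type) + spi


def decode_payloads(first_type: int, data: bytes) -> List[Payload]:
    """Walk the Next Payload chain, refusing truncated or over-long payloads."""
    payloads, ptype, offset = [], first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if offset + 4 > len(data):
            raise ValueError("truncated generic payload header")
        next_type, flags, length = struct.unpack_from("!BBH", data, offset)
        if length < 4 or offset + length > len(data):
            raise ValueError("payload length out of range")
        payloads.append(Payload(ptype, bool(flags & 0x80), data[offset + 4:offset + length]))
        offset += length
        ptype = next_type
    if offset != len(data):
        raise ValueError("trailing bytes after last payload")
    return payloads


def notify_message_type(p: Payload) -> int:
    if p.ptype != PAYLOAD_NOTIFY or len(p.body) < 4:
        raise ValueError("not a well-formed Notify payload")
    _proto, spi_size, msg_type = struct.unpack_from("!BBH", p.body, 0)
    if len(p.body) < 4 + spi_size:
        raise ValueError("Notify SPI truncated")
    return msg_type


@dataclass
class Identifiers:
    multiple_auth_supported: bool = False   # first identifier
    another_auth_follows: bool = False      # fourth identifier (with the AUTH payload)
    certreq: bool = False                   # second identifier, certificate form
    eap: bool = False                       # second identifier, EAP-AKA form
    auth: bool = False                      # third identifier, certificate form
    nai: str = ""                           # third identifier, NAI form


def extract_identifiers(first_type: int, data: bytes) -> Identifiers:
    ids = Identifiers()
    for p in decode_payloads(first_type, data):
        if p.ptype == PAYLOAD_NOTIFY:
            t = notify_message_type(p)
            if t == NOTIFY_MULTIPLE_AUTH_SUPPORTED:
                ids.multiple_auth_supported = True
            elif t == NOTIFY_ANOTHER_AUTH_FOLLOWS:
                ids.another_auth_follows = True
        elif p.ptype == PAYLOAD_CERTREQ:
            ids.certreq = True
        elif p.ptype == PAYLOAD_EAP:
            ids.eap = True
        elif p.ptype == PAYLOAD_AUTH:
            ids.auth = True
        elif p.ptype == PAYLOAD_IDI and len(p.body) >= 4 and p.body[0] == ID_RFC822_ADDR:
            ids.nai = p.body[4:].decode("ascii", "replace")  # ID type, 3 reserved bytes, data
    return ids


def sample_ike_auth_request() -> Tuple[int, bytes]:
    """Constructed IKE_AUTH request body of claim 13's first branch (certificate form)."""
    nai = b"henb-0001@example.com"  # constructed placeholder NAI
    return encode_payloads([
        (PAYLOAD_IDI, bytes([ID_RFC822_ADDR, 0, 0, 0]) + nai),
        (PAYLOAD_AUTH, bytes([1, 0, 0, 0]) + b"\x00" * 16),   # method 1 = RSA signature, dummy data
        (PAYLOAD_NOTIFY, notify_body(NOTIFY_MULTIPLE_AUTH_SUPPORTED)),
        (PAYLOAD_NOTIFY, notify_body(NOTIFY_ANOTHER_AUTH_FOLLOWS)),
    ])
```

Feeding the constructed request through `extract_identifiers` yields the first identifier, the fourth identifier, the AUTH payload and the NAI, which is exactly the combination claim 13 says triggers device authentication followed by hosting party authentication; an IKE_SA_INIT response that carries only a Certificate Request payload yields the certificate form of the second identifier and nothing else.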
CN200810239705.3A 2008-12-15 2008-12-15 Authentication and negotiation method, system, security gateway and wireless family access point Pending CN101754211A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200810239705.3A CN101754211A (en) 2008-12-15 2008-12-15 Authentication and negotiation method, system, security gateway and wireless family access point
PCT/CN2009/074561 WO2010069202A1 (en) 2008-12-15 2009-10-22 Authentication negotiation method and the system thereof, security gateway, home node b

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200810239705.3A CN101754211A (en) 2008-12-15 2008-12-15 Authentication and negotiation method, system, security gateway and wireless family access point

Publications (1)

Publication Number Publication Date
CN101754211A true CN101754211A (en) 2010-06-23

Family

ID=42268298

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810239705.3A Pending CN101754211A (en) 2008-12-15 2008-12-15 Authentication and negotiation method, system, security gateway and wireless family access point

Country Status (2)

Country Link
CN (1) CN101754211A (en)
WO (1) WO2010069202A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101909297A (en) * 2010-08-20 2010-12-08 中兴通讯股份有限公司 Mutual authenticating method between access network equipment and access network equipment
CN102833359A (en) * 2011-06-14 2012-12-19 中兴通讯股份有限公司 Tunnel information acquiring method, SeGW (security gateway), evolution H(e)NB (home node B)/H(e)NB
CN104955021A (en) * 2010-10-21 2015-09-30 中兴通讯股份有限公司 User subscription information processing method and system
US9510255B2 (en) 2011-11-08 2016-11-29 Huawei Technologies Co., Ltd. Network handover method and apparatus
CN101909297B (en) * 2010-08-20 2016-12-14 中兴通讯股份有限公司 Inter-authentication method between a kind of access network device and access network device
CN106302018A (en) * 2016-08-18 2017-01-04 北京锦鸿希电信息技术股份有限公司 Train-ground communication method and EMRM
CN107820242A (en) * 2016-09-14 2018-03-20 中国移动通信有限公司研究院 A kind of machinery of consultation of authentication mechanism and device
WO2019137232A1 (en) * 2018-01-15 2019-07-18 华为技术有限公司 Method and apparatus for sending message
WO2021134724A1 (en) * 2019-12-31 2021-07-08 华为技术有限公司 Authentication method and apparatus, and system

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011023223A1 (en) * 2009-08-25 2011-03-03 Nokia Siemens Networks Oy Method of performing an authentication in a communications network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8315246B2 (en) * 2006-05-18 2012-11-20 Cisco Technology, Inc. System and method employing strategic communications between a network controller and a security gateway
US8176327B2 (en) * 2006-12-27 2012-05-08 Airvana, Corp. Authentication protocol
EP2168068B1 (en) * 2007-06-11 2015-08-26 Telefonaktiebolaget L M Ericsson (publ) Method and arrangement for certificate handling

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101909297A (en) * 2010-08-20 2010-12-08 中兴通讯股份有限公司 Mutual authenticating method between access network equipment and access network equipment
WO2012022234A1 (en) * 2010-08-20 2012-02-23 中兴通讯股份有限公司 Network accessing device and method for mutual authentication therebetween
CN101909297B (en) * 2010-08-20 2016-12-14 中兴通讯股份有限公司 Inter-authentication method between a kind of access network device and access network device
CN104955021A (en) * 2010-10-21 2015-09-30 中兴通讯股份有限公司 User subscription information processing method and system
CN104955021B (en) * 2010-10-21 2018-10-16 中兴通讯股份有限公司 A kind of user signing contract information processing method and system
CN102833359A (en) * 2011-06-14 2012-12-19 中兴通讯股份有限公司 Tunnel information acquiring method, SeGW (security gateway), evolution H(e)NB (home node B)/H(e)NB
US9510255B2 (en) 2011-11-08 2016-11-29 Huawei Technologies Co., Ltd. Network handover method and apparatus
CN106302018A (en) * 2016-08-18 2017-01-04 北京锦鸿希电信息技术股份有限公司 Train-ground communication method and EMRM
CN106302018B (en) * 2016-08-18 2019-04-23 北京锦鸿希电信息技术股份有限公司 Train-ground communication method and enhanced mobile wireless module EMRM
CN107820242A (en) * 2016-09-14 2018-03-20 中国移动通信有限公司研究院 A kind of machinery of consultation of authentication mechanism and device
WO2019137232A1 (en) * 2018-01-15 2019-07-18 华为技术有限公司 Method and apparatus for sending message
WO2021134724A1 (en) * 2019-12-31 2021-07-08 华为技术有限公司 Authentication method and apparatus, and system

Also Published As

Publication number Publication date
WO2010069202A1 (en) 2010-06-24

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20100623