CN102196428B - Method, device and system for accessing personal network by card-free equipment - Google Patents

Method, device and system for accessing personal network by card-free equipment

Info

Publication number
CN102196428B
Authority
CN
China
Legal status
Active
Application number
CN201110069048.4A
Other languages
Chinese (zh)
Other versions
CN102196428A (en)
Inventor
许怡娴
杨艳梅
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Events
Application filed by Huawei Technologies Co Ltd
Priority to CN201110069048.4A
Published as CN102196428A
Application granted; published as CN102196428B

Abstract

The invention discloses a method, a device and a system for accessing a personal network by card-free equipment, so that card-free equipment can be registered in the personal network. The method comprises the following steps: judging whether the card-free equipment is allowed to access the personal network; allocating a personal network element identifier to the card-free equipment that is allowed to access the personal network; and transmitting the personal network element identifier to that equipment. The invention also discloses a personal network management entity and an access system. The invention solves the problem of registering card-free equipment in the personal network, provides a secure registration method, and protects a user's personal network against intrusion by malicious terminals.

Description

Method, apparatus and system for personal network access by card-free equipment
Technical field
The present invention relates to the communications field, and in particular to a technique for personal network access by card-free equipment.
Background art
With the development of communication technology, many subscribers now own more than one device with which they use mobile communication services, and a subscriber can connect all the devices he or she owns into a personal network (Personal Network, "PN" for short).
A PN is formed from personal area networks (Personal Area Network, "PAN" for short). A PAN contains at least one user equipment (User Equipment, "UE" for short) with an activated Universal Subscriber Identity Module (USIM), and may also contain other card-free devices, such as mobile equipment (Mobile Equipment, "ME"), terminal equipment (Terminal Equipment, "TE"), a mobile termination (Mobile Termination, "MT"), or conventional devices such as a PC. When a PAN contains only a single activated UE, that UE can also be regarded as a component of the PN.
In a PN, the various terminal devices (TE, ME and so on) are all called personal network elements (Personal Network Element, "PNE" for short), and the PN also comprises a personal network management entity (Personal Network Management, "PNM" for short). The PNM entity manages the PNEs belonging to the same subscriber's PN in order to provide the various services the subscriber needs. The PNM entity may be a personal network management application server in the network (Personal Network Management Application Server, "PNM AS" for short); its functions mainly include establishing, configuring and managing the personal network, registering and personalizing service terminals, and setting up secure connections between personal network elements.
More information related to the above technical scheme can be found in documents such as 3GPP TS 22.259.
In the course of making the present invention, the inventors found at least the following problem in the prior art: the prior art only solves the problem of PN access for terminals that carry a USIM. Card-free devices are defined in the prior art because of the need to carry out services through the PNM entity, but there is still no effective solution for how a card-free device accesses the PN.
Summary of the invention
In view of this, the main purpose of the embodiments of the present invention is to provide a method, apparatus and system for personal network access by card-free equipment, so that a card-free device can be registered in the personal network.
To achieve the above object, in one aspect, an embodiment of the present invention provides a method for personal network access by card-free equipment, comprising the following steps:
judging whether the card-free device is allowed to access the personal network;
allocating a personal network element identifier to the card-free device that is allowed to access, and sending the personal network element identifier to that card-free device.
In another aspect, an embodiment of the present invention also provides a personal network management entity, comprising:
a judging unit, configured to judge whether the card-free device is allowed to access the personal network;
an allocation unit, configured to allocate a personal network element identifier to the card-free device that is allowed to access;
a transmitting unit, configured to send the personal network element identifier allocated by the allocation unit to the card-free device that is allowed to access.
In a further aspect, an embodiment of the present invention also provides an access system, comprising:
an access network entity, configured to connect the card-free device and the personal network management entity;
the card-free device, configured to send an identification identifier to the personal network management entity through the access network entity;
the personal network management entity, configured to judge whether the card-free device is allowed to access the personal network, and to perform the corresponding access operation for the card-free device that is allowed to access.
Compared with the prior art, a technical scheme among the above technical schemes has the following advantages or beneficial effects:
In the embodiments of the present invention, the identification identifier of the card-free device is obtained and, according to that identifier, it is judged whether the card-free device is allowed to access the personal network; alternatively, the card-free device is authenticated and the judgement is made on the basis of that authentication. A personal network element identifier is then allocated to the card-free device that is allowed to access and sent to it. This solves the problem of registering a card-free device in the personal network, provides a secure registration method, and allows the user's devices to be connected into the personal network securely.
Brief description of the drawings
Fig. 1 is a flow chart of the method for personal network access by card-free equipment according to an embodiment of the present invention;
Fig. 2 is a flow chart of the method for personal network access by card-free equipment according to the first embodiment of the present invention;
Fig. 3 is a flow chart of the method for personal network access by card-free equipment according to the second embodiment of the present invention;
Fig. 4 is a flow chart of the method for personal network access by card-free equipment according to the third embodiment of the present invention;
Fig. 5 is a flow chart of the method for personal network access by card-free equipment according to the fourth embodiment of the present invention;
Fig. 6 is a flow chart of the method for personal network access by card-free equipment according to the fifth embodiment of the present invention;
Fig. 7 is a flow chart of the method for personal network access by card-free equipment according to the sixth embodiment of the present invention;
Fig. 8 is a flow chart of the method for personal network access by card-free equipment according to the seventh embodiment of the present invention;
Fig. 9 is a flow chart of the method for personal network access by card-free equipment according to the eighth embodiment of the present invention;
Fig. 10 is a flow chart of the method for personal network access by card-free equipment according to the ninth embodiment of the present invention;
Fig. 11 is a flow chart of the method for personal network access by card-free equipment according to the tenth embodiment of the present invention;
Fig. 12 is a flow chart of the method for personal network access by card-free equipment according to the eleventh embodiment of the present invention;
Fig. 13 is a flow chart of the method for personal network access by card-free equipment according to the twelfth embodiment of the present invention;
Fig. 14 is a structural diagram of the personal network management entity according to an embodiment of the present invention;
Fig. 15 is a structural diagram of the access system according to an embodiment of the present invention.
Detailed description of the embodiments
To make the purpose, technical scheme and advantages of the embodiments of the present invention clearer, the embodiments are described in further detail below with reference to the accompanying drawings.
To access a personal network, a card-free device must go through a registration process. Registration is the process by which an entity joins the PN; the entity may be a single device or a group of devices. The registration process must ensure that the device to be registered obtains the subscriber's permission and that it is authenticated by a secure method before being added to the subscriber's PN. Once a device has registered successfully, the PNM entity can allocate a personal network element identifier to it, and this identifier determines the identity of the device within the PN.
An embodiment of the present invention provides a method for personal network access by card-free equipment. As shown in Fig. 1, which is a flow chart of the method, it comprises the following steps:
In step 101, it is judged whether the card-free device is allowed to access the personal network.
The network side obtains the identification identifier of the card-free device and judges, according to that identifier, whether the card-free device is allowed to access the personal network; alternatively, the network side judges whether the card-free device is allowed to access the personal network by authenticating the device.
The identification identifier is generally the device identification code of the card-free device. It should be noted that the device identification code is used to correspond to the personal network element identifier later issued by the personal network management entity, which is convenient for the PNM AS to store and manage; it is therefore not limited to the device identification code, and any identifier that uniquely distinguishes the card-free device within a personal network can serve as the card-free device's identification identifier.
In step 102, a personal network element identifier is allocated to the card-free device that is allowed to access.
The personal network element identifier is the identification number that identifies the card-free device within the personal network. In the embodiments of the present invention it may be the PNE identifier, but this name is adopted only for convenience of description. The name does not limit the scope to which the embodiments apply: some systems may not have a name "PNE identifier", but it cannot be concluded from this that the technical scheme of the embodiments is inapplicable to those systems. The PNE identifier may be a number that is unique within the whole PN; alternatively, to save number space, the PNE identifier may be the same number in different PANs and becomes an identification number unique within the whole PN once the different PAN identifiers are prepended.
In step 103, the personal network element identifier is sent to the card-free device that is allowed to access.
The personal network element identifier is sent to the card-free device in one of the following ways:
the personal network management entity sends the personal network element identifier directly to the card-free device that is allowed to access;
the personal network management entity notifies the network application function entity of the personal network element identifier, and the network application function entity sends it to the card-free device that is allowed to access;
the personal network management entity sends the personal network element identifier to the user equipment, and the user equipment sends it to the card-free device that is allowed to access;
the personal network management entity notifies the network application function entity of the personal network element identifier, the network application function entity sends it to the user equipment, and the user equipment sends it to the card-free device that is allowed to access.
The embodiments of the present invention are now described in detail. The user side in the embodiments comprises a personal area network (Personal Area Network, "PAN" for short) formed by devices, including at least one UE with an activated Universal Subscriber Identity Module (USIM), and possibly other card-free devices such as mobile equipment (Mobile Equipment, "ME"), terminal equipment (Terminal Equipment, "TE"), a mobile termination (Mobile Termination, "MT"), a PC, a printer, a scanner and other conventional devices. In this embodiment, a fairly typical wireless local area network (Wireless Local Area Network, "WLAN" for short) device is taken as the example of a card-free device.
It should be noted that there may be more than one PAN in a PN. For ease of presentation, and without affecting the normal implementation of the embodiments, the embodiments consider the case of a PN containing one PAN, where the PAN contains one UE and several card-free devices. In particular, the embodiments still apply to the case of multiple PANs and UEs in a PN, so it cannot be concluded that the technical scheme of the embodiments is inapplicable to such systems.
The network side of the first embodiment comprises a personal network management entity (Personal Network Management, "PNM" for short), a network application function entity (Network Application Function, "NAF" for short), a bootstrapping server function entity (Bootstrapping Server Function, "BSF" for short) and a home subscriber server (Home Subscriber Server, "HSS" for short). The PNM entity may be a personal network management application server in the network (Personal Network Management Application Server, "PNM AS" for short) or another entity that performs the personal network management function.
In particular, the names PNM AS, HSS, BSF, NAF and so on in the embodiments are adopted only for convenience of description. These names do not limit the scope to which the embodiments apply: some systems may not have entities named PNM AS, HSS, BSF or NAF, but it cannot be concluded from this that the technical scheme of the embodiments is inapplicable to those systems.
In this embodiment the PNM AS and NAF functions are separate: the network contains two functional entities, PNM AS and NAF, where the PNM AS performs the authentication function and the NAF performs the authorization function. The WLAN device registers itself, and the network side authenticates the registration request message using the Generic Bootstrapping Architecture (Generic Bootstrapping Architecture, "GBA" for short) technique, as shown in Fig. 2.
In step 201, the UE, BSF and HSS carry out the GBA procedure, and the UE and BSF generate a shared key Ks. The GBA technique verifies the identity of the user of a service and provides the key for secure communication when the user accesses application services. Since GBA is a standardized technique in the field of communication security, its details are not repeated in this embodiment.
In step 202, the BSF derives a key Ks_NAF from the shared key Ks of step 201. The derived key may also be Ks_int_NAF in the GBA_U case, or a key such as Ks_ext_NAF in the GBA_ME case.
In step 203, the BSF sends the derived key Ks_NAF to the NAF.
In step 204, the NAF receives the derived key Ks_NAF sent by the BSF and stores it.
In step 205, the UE derives the key Ks_NAF from the shared key Ks of step 201.
In step 206, the UE sends the derived key Ks_NAF over a local interface to the WLAN device in the PAN. After this step, the NAF and the WLAN device hold a shared key Ks_NAF. It should be pointed out that the shared key used here to establish the secure channel may be Ks_NAF itself or a key further derived from Ks_NAF, and that this local interface is defined by existing specifications and is a known technique in the industry, so it is not described here.
When the UE sends the derived key Ks_NAF to the WLAN device over the local interface in this step, it may optionally also send related parameters, which may be parameters for establishing the secure channel, parameters related to the specific service application, or other related parameters.
In step 207, the NAF and the WLAN device establish a secure channel based on the shared key Ks_NAF. The secure channel may be a pre-shared key Transport Layer Security channel (pre-shared key transport layer security, "PSK TLS" for short), an IP security channel (IP security, "IPsec" for short), or another type of secure channel. Since establishing a secure channel is a well-known technique in the industry, its details are not elaborated here. After step 207, communication between the NAF and the WLAN device can be carried over this secure channel.
In step 208, the WLAN device sends a registration request to the NAF. The registration request may include, but is not limited to, the identification identifier of the WLAN device, which in this embodiment is the device identification code of the WLAN device. It should be noted that the WLAN device identification code is used to correspond to the PNE identifier (PNE identifier, "PNE identifier" for short) later issued by the PNM AS, which is convenient for the PNM to store and manage; it is therefore not limited to the WLAN device identification code, and any identifier that uniquely distinguishes the card-free device within a PN can serve as the WLAN device's identification identifier.
In step 209, after receiving the registration request from the WLAN device, the NAF sends an indication to the PNM AS instructing it to allocate a PNE identifier to the WLAN device, and sends the WLAN device identification code. The PNE identifier is unique within the PN and thus determines the identity and position of this PNE in the PN.
In particular, the name "PNE identifier" in the embodiments is adopted only for convenience of description. It does not limit the scope to which the embodiments apply: some systems may not have a name "PNE identifier", but it cannot be concluded from this that the technical scheme of the embodiments is inapplicable to those systems. The PNE identifier may be a number that is unique within the whole PN; alternatively, to save number space, the PNE identifier may be the same number in different PANs and becomes an identification number unique within the whole PN once the different PAN identifiers are prepended.
In step 210, after the PNM AS receives the registration request from the WLAN device sent by the NAF, it judges according to the WLAN device identification code whether access is allowed. The PNM AS judges whether this WLAN device is allowed to access according to information it stores itself, which may be a subscriber blacklist, a device blacklist, or the like.
A PNE identifier is allocated to the WLAN device that is allowed to access, the correspondence is stored, and the PNE identifier is sent to the NAF.
In this step, the PNM AS may also judge, according to other user information (such as the public identity), whether this user has the right to register this device.
Also in this step, the PNM AS may store locally the device number or the public user identity that this WLAN device may use.
Alternatively, the device numbers or public user identities of the devices the user may use are stored in the user's subscription information; this information is carried in the GBA user security settings (GBA User Security Settings, "GUSS" for short) and delivered to the NAF, and the NAF delivers it to the PNM AS.
In step 211, the NAF sends a registration response to the WLAN device over the secure channel; the registration response may carry the PNE identifier allocated to the WLAN device.
In particular, in this embodiment, after the PNM AS allocates a PNE identifier to the WLAN device, the NAF can send this PNE identifier to the WLAN device over the secure channel, either carried in an existing message or in a newly defined message.
In step 212, the WLAN device sends a registration-success response to the UE over the local interface, notifying the UE that it has registered in the personal network.
In this embodiment, with the PNM AS and NAF functions separate and both entities present in the network, the WLAN device's registration message is authenticated by GBA, and the delivery of the PNE identifier is protected by the secure channel, which prevents malicious intrusion into the PN and improves security.
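The first embodiment's exchange (steps 201 to 212), together with the PAN-prefixed PNE numbering described under step 102, as an added simulation that is not code from the patent or from Huawei. Assumptions: the GBA key derivation is an HMAC stand-in rather than the 3GPP KDF, the PSK-TLS channel is modelled as HMAC-authenticated messages keyed with Ks_NAF, and the blacklist, device identifiers, NAF name and PAN names are constructed.

```python
"""Simulation of the card-free device registration flow (first embodiment,
steps 201-212) and of the PAN-prefixed PNE identifier scheme of step 102.
Added example, not the patent's code: the GBA KDF and the PSK-TLS secure
channel are replaced by HMAC-based stand-ins (assumptions)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def derive_ks_naf(ks: bytes, naf_id: bytes) -> bytes:
    """Stand-in for the GBA key derivation (assumption, not the 3GPP KDF):
    the BSF (step 202) and the UE (step 205) both run it over Ks and obtain
    the same Ks_NAF, so the NAF and the WLAN device end up with a shared key."""
    return hmac.new(ks, b"Ks_NAF|" + naf_id, hashlib.sha256).digest()


def seal(channel_key: bytes, payload: bytes) -> bytes:
    """Send over the 'secure channel' (step 207). Stand-in for PSK-TLS with
    integrity protection only: tag = HMAC(Ks_NAF, payload), prepended."""
    return hmac.new(channel_key, payload, hashlib.sha256).digest() + payload


def unseal(channel_key: bytes, msg: bytes) -> Optional[bytes]:
    """Receive over the 'secure channel'. A wrong PSK or a tampered message
    gives None, which models the channel never being established."""
    tag, payload = msg[:TAG_LEN], msg[TAG_LEN:]
    expect = hmac.new(channel_key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expect) else None


@dataclass
class PNMAS:
    """PNM AS: decides on access (step 210) and allocates PNE identifiers."""
    device_blacklist: Set[str]                                  # constructed policy
    pne_table: Dict[str, str] = field(default_factory=dict)     # device id -> PNE id
    next_number: Dict[str, int] = field(default_factory=dict)   # PAN id -> counter

    def allocate_pne(self, device_id: str, pan_id: str) -> Optional[str]:
        if device_id in self.device_blacklist:
            return None                               # access refused
        if device_id in self.pne_table:
            return self.pne_table[device_id]          # already registered
        n = self.next_number.get(pan_id, 0) + 1       # PAN-local numbering
        self.next_number[pan_id] = n
        pne = f"{pan_id}:{n}"       # PAN id prefix makes it unique across the PN
        self.pne_table[device_id] = pne               # keep the correspondence
        return pne


@dataclass
class NAF:
    """NAF: holds Ks_NAF received from the BSF (step 204) and fronts the PNM AS."""
    pnm: PNMAS
    ks_naf: bytes

    def handle_registration(self, msg: bytes, pan_id: str) -> Optional[bytes]:
        device_id_bytes = unseal(self.ks_naf, msg)    # step 208 over the channel
        if device_id_bytes is None:
            return None                               # no channel, no answer
        pne = self.pnm.allocate_pne(device_id_bytes.decode(), pan_id)  # 209-210
        reply = b"PNE=" + pne.encode() if pne else b"REJECT"
        return seal(self.ks_naf, reply)               # step 211


def register_wlan_device(device_id: str, pan_id: str, pnm: PNMAS,
                         ks: Optional[bytes] = None,
                         wlan_key: Optional[bytes] = None) -> Optional[str]:
    """Runs steps 201-212 for one WLAN device; returns its PNE identifier or
    None. `wlan_key` overrides what the UE handed over in step 206 so that a
    device which never received Ks_NAF can be modelled."""
    ks = ks or secrets.token_bytes(32)                # step 201: GBA yields Ks
    naf_id = b"pnm-naf.example"                       # constructed NAF identity
    naf = NAF(pnm, derive_ks_naf(ks, naf_id))         # steps 202-204
    ks_naf_ue = derive_ks_naf(ks, naf_id)             # step 205 at the UE
    wlan_key = wlan_key or ks_naf_ue                  # step 206: local interface
    request = seal(wlan_key, device_id.encode())      # step 208
    response = naf.handle_registration(request, pan_id)
    if response is None:
        return None
    plain = unseal(wlan_key, response)
    if plain is None or not plain.startswith(b"PNE="):
        return None
    return plain[4:].decode()                         # step 212: report to UE
```

A device that was never handed Ks_NAF by the UE, or that is on the PNM AS blacklist, ends the flow without a PNE identifier and without consuming a number.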
The application scenario of the second embodiment is basically the same as that of the first; the difference is that only the PNM AS exists in the network, and besides the PN management function it also has the NAF function and takes part in the GBA procedure. The WLAN device registers itself, and the network side authenticates the registration request message using GBA, as shown in Fig. 3.
In step 301, the UE, BSF and HSS carry out the GBA procedure, and the UE and BSF generate a shared key Ks. The GBA technique verifies the identity of the user of a service and provides the key for secure communication when the user accesses application services. Since GBA is a standardized technique in the field of communication security, its details are not repeated in this embodiment.
In step 302, the BSF derives a key Ks_NAF from the shared key Ks of step 301. The derived key may also be Ks_int_NAF in the GBA_U case, Ks_ext_NAF in the GBA_ME case, or another derived key.
In step 303, the BSF sends the derived key Ks_NAF to the PNM AS.
In step 304, the PNM AS receives the derived key Ks_NAF sent by the BSF and stores it.
In step 305, the UE derives the key Ks_NAF from the shared key Ks of step 301.
In step 306, the UE sends the derived key Ks_NAF over a local interface to the WLAN device in the PAN. After this step, the NAF function (here in the PNM AS) and the WLAN device hold a shared key Ks_NAF. It should be pointed out that the shared key used here to establish the secure channel may be Ks_NAF itself or a key further derived from Ks_NAF, and that this local interface is defined by existing specifications and is a known technique in the industry, so it is not described here.
When the UE sends the derived key Ks_NAF to the WLAN device over the local interface in this step, it may optionally also send related parameters, which may be parameters for establishing the secure channel, parameters related to the specific service application, or other related parameters.
In step 307, the PNM AS and the WLAN device establish a secure channel based on the shared key Ks_NAF. The secure channel may be a pre-shared key Transport Layer Security channel (pre-shared key transport layer security, "PSK TLS" for short), an IP security channel (IP security, "IPsec" for short), or another type of secure channel. Since establishing a secure channel is a well-known technique in the industry, its details are not elaborated here. After step 307, communication between the PNM AS and the WLAN device can be carried over this secure channel.
In step 308, the WLAN device sends a registration request to the PNM AS. The registration request may include, but is not limited to, the device identification code of the WLAN device. It should be noted that the WLAN device identification code is used to correspond to the PNE identifier (PNE identifier, "PNE identifier" for short) later issued by the PNM AS, which is convenient for the PNM to store and manage; it is therefore not limited to the WLAN device identification code, and any identifier that uniquely distinguishes the card-free device within a PN can serve.
In step 309, after the PNM AS receives the registration request from the WLAN device through its NAF function, it judges according to the WLAN device identification code whether access is allowed. The PNM AS judges whether this WLAN device is allowed to access according to information it stores itself, which may be a subscriber blacklist, a device blacklist, or the like.
A PNE identifier is allocated to the WLAN device that is allowed to access, the correspondence is stored, and the PNE identifier is sent to the NAF function.
In particular, the name "PNE identifier" in the embodiments is adopted only for convenience of description. It does not limit the scope to which the embodiments apply: some systems may not have a name "PNE identifier", but it cannot be concluded from this that the technical scheme of the embodiments is inapplicable to those systems. The PNE identifier may be a number that is unique within the whole PN; alternatively, to save number space, the PNE identifier may be the same number in different PANs and becomes an identification number unique within the whole PN once the different PAN identifiers are prepended.
The PNE identifier is unique within the PN and thus determines the identity and position of this PNE in the PN.
In this step, the PNM AS may also judge, according to other user information (such as the public identity), whether this user has the right to register this device.
In this step, the PNM AS may also store locally the device number or the public user identity that this WLAN device may use.
Alternatively, the device numbers or public user identities of the devices the user may use are stored in the user's subscription information; this information is carried in the GBA user security settings (GBA User Security Settings, "GUSS" for short) and delivered to the NAF, and the NAF delivers it to the PNM AS.
In step 310, the WLAN device sends a registration-success response to the UE over the local interface, notifying the UE that it has registered in the personal network.
In this embodiment, with the PNM AS and NAF functions merged, the WLAN device's registration message is authenticated by GBA, and the delivery of the PNE identifier is protected by the secure channel, which prevents malicious intrusion into the PN and improves security.
The application scenario of the third embodiment is basically the same as that of the first: the PNM AS and NAF functions are separate, the network contains both the PNM AS and the NAF, and the network side authenticates the registration request message using the Generic Bootstrapping Architecture (Generic Bootstrapping Architecture, "GBA" for short). The difference is that the UE registers on behalf of the WLAN device, as shown in Fig. 4.
Steps 401 to 406 are identical to steps 201 to 206 of the first embodiment and are not repeated here.
In step 407, the UE sends a WLAN device registration request and the WLAN device identification code to the NAF over the Ua interface (or another network-side interface); this message is protected by encryption with the GBA derived key Ks_NAF.
The registration request may include, but is not limited to, the device identification code of the WLAN device. It should be noted that the WLAN device identification code is used to correspond to the PNE identifier (PNE identifier, "PNE identifier" for short) later issued by the PNM AS, which is convenient for the PNM to store and manage; it is therefore not limited to the WLAN device identification code, and any identifier that uniquely distinguishes the card-free device within a PN can serve.
In step 408, the NAF and the WLAN device establish a secure channel based on the shared key Ks_NAF. The secure channel may be a pre-shared key Transport Layer Security channel (pre-shared key transport layer security, "PSK TLS" for short), an IP security channel (IP security, "IPsec" for short), or another type of secure channel. Since establishing a secure channel is a well-known technique in the industry, its details are not elaborated here. After step 408, communication between the NAF and the WLAN device can be carried over this secure channel.
Steps 409 to 412 are identical to steps 209 to 212 of the first embodiment and are not repeated here.
In this embodiment, the delivery of the PNE identifier is protected by the secure channel, which prevents malicious intrusion into the PN and improves security; at the same time, a registration mode in which the UE registers on behalf of the WLAN device is provided, so the user can choose the registration mode according to preference.
The application scenario of the fourth embodiment of the invention is basically identical to that of the third embodiment, the difference being that only PNM AS exists in the network, and PNM AS, in addition to the PN management function, also has the NAF function and takes part in the GBA procedure. The network side authenticates the registration request message using the Generic Bootstrapping Architecture ("GBA" for short). The UE registers on behalf of the WLAN device, as shown in Figure 5.
Steps 501 to 506 are identical to steps 301 to 306 of the second embodiment and are not repeated here.
In step 507, the UE sends a WLAN device registration request and the WLAN device identification code to PNM AS via the Ut interface (or another network-side interface); this message is encrypted with the GBA-derived key Ks_NAF;
The registration request may include, but is not limited to, the device identification code of the WLAN device. It should be noted that this WLAN device identification code is what the PNE identifier later issued by PNM AS (PNE identifier, "PNE ID" for short) is mapped to, so that the PNM can store and manage the mapping; it is therefore not limited to the WLAN device identification code, and any identifier that uniquely distinguishes this card-free device within a PN will do;
In step 508, PNM AS and the WLAN device establish a secure channel based on the shared key Ks_NAF. This secure channel may be a pre-shared key Transport Layer Security channel (pre-shared key transport layer security, "PSK TLS" for short), an IP secure channel (IP security, "IPsec" for short), or a secure channel of another type. It should be specially noted that the technique for establishing a secure channel is well known in the industry, so its details are not elaborated here. After step 508, communication between the NAF and the WLAN device can be carried out over this secure channel;
Steps 509 to 510 are identical to steps 309 to 310 of the second embodiment and are not repeated here.
In this embodiment, the delivery of the PNE identifier is protected by the secure channel, which prevents malicious intrusion into the PN and improves security; at the same time a registration mode in which the UE registers on behalf of the WLAN device is provided, and the user can select the registration mode according to local policy, network-side policy, or a policy negotiated in advance between the network side and the user.
The application scenario of the fifth embodiment of the invention is basically identical to that of the third embodiment, the difference being that the UE registers several WLAN devices at once; this embodiment takes two WLAN devices as the example, as shown in Figure 6.
Steps 601 to 605 are identical to steps 201 to 205 of the first embodiment and are not repeated here;
In step 606, the UE sends the derived key Ks_NAF to the WLAN1 device in the PAN via the local interface; through this step, the NAF and the WLAN1 device share the key Ks_NAF. It should be specially noted that the shared key used here to establish the secure channel may be Ks_NAF itself or a key further derived from Ks_NAF, and that this local interface is defined by existing specifications and is well known in the industry, so it is not described here;
In this step, when the UE sends the derived key Ks_NAF to the WLAN device in the PAN via the local interface, it may optionally also send related parameters; these may be parameters for establishing the secure channel, parameters related to a specific service application, or other related parameters.
In step 607, the UE sends the derived key Ks_NAF to the WLAN2 device in the PAN via the local interface; through this step, the NAF and the WLAN2 device share the key Ks_NAF. It should be specially noted that the shared key used here to establish the secure channel may be Ks_NAF itself or a key further derived from Ks_NAF, and that this local interface is defined by existing specifications and is well known in the industry, so it is not described here;
In this step, when the UE sends the derived key Ks_NAF to the WLAN2 device in the PAN via the local interface, it may optionally also send related parameters; these may be parameters for establishing the secure channel, parameters related to a specific service application, or other related parameters.
In step 608, the UE sends a WLAN device registration request and the identification codes of WLAN devices 1 and 2 to the NAF via the Ua interface (or another network-side interface); this message is encrypted with the GBA-derived key Ks_NAF.
The registration request may include, but is not limited to, the device identification codes of the WLAN devices. It should be noted that the WLAN device identification code is what the PNE identifier later issued by PNM AS (PNE identifier, "PNE ID" for short) is mapped to, so that the PNM can store and manage the mapping; it is therefore not limited to the WLAN device identification code, and any identifier that uniquely distinguishes the card-free device within a PN will do;
Steps 609 to 613 and steps 614 to 618 are the registration procedures of the WLAN1 device and the WLAN2 device respectively; they are identical to steps 408 to 412 of the third embodiment and are not repeated here.
In this embodiment, several WLAN devices can be registered with the PNM at the same time, which improves registration efficiency. At the same time, the delivery of the PNE identifiers is protected by the secure channel, which prevents malicious intrusion into the PN and improves security.
The application scenario of the sixth embodiment of the invention is basically identical to that of the fifth embodiment, the difference being that only PNM AS exists in the network, and PNM AS, in addition to the PN management function, also has the NAF function and takes part in the GBA procedure. The UE registers several WLAN devices at once; this embodiment takes two WLAN devices as the example, and PNM AS issues a PNE identifier to each WLAN device separately, as shown in Figure 7.
Steps 701 to 705 are identical to steps 301 to 305 of the second embodiment and are not repeated here;
Steps 706 to 707 are identical to steps 606 to 607 of the fifth embodiment and are not repeated here;
In step 708, the UE sends a WLAN device registration request and the identification codes of WLAN devices 1 and 2 to PNM AS via the Ut interface (or another network-side interface); this message is encrypted with the GBA-derived key Ks_NAF.
The registration request may include, but is not limited to, the device identification codes of the WLAN devices. It should be noted that the WLAN device identification code is what the PNE identifier later issued by PNM AS (PNE identifier, "PNE ID" for short) is mapped to, so that the PNM can store and manage the mapping; it is therefore not limited to the WLAN device identification code, and any identifier that uniquely distinguishes the card-free device within a PN will do;
Steps 709 to 711 and steps 712 to 714 are identical to steps 508 to 510 of the fourth embodiment.
In this embodiment, several WLAN devices can be registered with the PNM at the same time, which improves registration efficiency. At the same time, the delivery of the PNE identifiers is protected by the secure channel, which prevents malicious intrusion into the PN and improves security.
The application scenario of the seventh embodiment of the invention is basically identical to that of the sixth embodiment: only PNM AS exists in the network, and PNM AS, in addition to the PN management function, also has the NAF function and takes part in the GBA procedure. The UE registers several WLAN devices at once, with two WLAN devices taken as the example. The difference is that PNM AS delivers all the PNE identifiers to the UE, and the UE delivers them to each WLAN device, as shown in Figure 8.
Steps 801 to 805 are identical to steps 701 to 705 of the sixth embodiment and are not repeated here;
In step 806, the UE sends a WLAN device registration request and the identification codes of WLAN devices 1 and 2 to PNM AS via the Ua interface; this message is encrypted with the GBA-derived key Ks_NAF.
The registration request may include, but is not limited to, the device identification codes of the WLAN devices. It should be noted that the WLAN device identification code is what the PNE identifier later issued by PNM AS (PNE identifier, "PNE ID" for short) is mapped to, so that the PNM can store and manage the mapping; it is therefore not limited to the WLAN device identification code, and any identifier that uniquely distinguishes the card-free device within a PN will do;
In step 807, if PNM AS judges that the registration succeeds (PNM AS may also need to judge, according to certain user information, whether this user has the right to register these devices), it allocates a PNE identifier for every WLAN device according to the WLAN device identification codes and stores the correspondence;
It should be noted that PNM AS may store locally the device numbers or public user identities that the user is allowed to use.
In step 808, PNM AS sends the allocated PNE identifiers, encrypted with Ks_NAF, to the UE together with their correspondence to the WLAN device identification codes.
In steps 809 and 810, the UE issues the respective PNE identifier to each WLAN device via the local interface, according to the correspondence between PNE identifiers and WLAN device identification codes sent by PNM AS.
In this embodiment, several WLAN devices can be registered with the PNM at the same time, which improves registration efficiency. At the same time, the delivery of the PNE identifiers is protected by the secure channel, which prevents malicious intrusion into the PN and improves security.
The application scenario of the eighth embodiment of the invention is basically identical to that of the seventh embodiment, the difference being that PNM AS is separated from the NAF function: the two functional entities PNM AS and NAF exist in the network at the same time, PNM AS performs the authentication function and NAF performs the authorization function. The UE registers several WLAN devices at once, with two WLAN devices taken as the example; the NAF delivers all the PNE identifiers to the UE, and the UE delivers them to each WLAN device, as shown in Figure 9.
Steps 901 to 905 are identical to steps 601 to 605 of the fifth embodiment and are not repeated here;
Step 906 is identical to step 806 of the seventh embodiment and is likewise not repeated here;
The key point is that in step 907, after receiving the registration request, the NAF sends an indication to PNM AS instructing it to allocate PNE identifiers for WLAN devices 1 and 2, and sends the identification codes of WLAN devices 1 and 2.
In step 908, if PNM AS judges that the registration succeeds (PNM AS may also need to judge, according to certain user information, whether this user has the right to register these devices), it allocates a PNE identifier for every WLAN device according to the WLAN device identification codes and stores the correspondence;
It should be noted that PNM AS may store locally the device numbers or public user identities that the user is allowed to use.
Alternatively, the device numbers or public user identities of the devices the user may use are stored in the user's subscription information. This information is placed in the GUSS and delivered to the NAF, and the NAF forwards it to PNM AS.
In step 909, PNM AS sends the allocated PNE identifiers to the NAF together with their correspondence to the WLAN device identification codes.
In step 910, after receiving the message from PNM AS, the NAF encrypts the PNE identifiers with Ks_NAF and sends them, together with their correspondence to the WLAN device identification codes, to the UE via the Ua interface.
In steps 911 and 912, the UE issues the respective PNE identifier to each WLAN device via the local interface, according to the correspondence between PNE identifiers and WLAN device identification codes sent by PNM AS, which indicates that registration has succeeded.
In the embodiments above, the network side authenticates the user's registration message in GBA mode: upon receiving the card-free device registration message sent by the user side, it verifies the legitimacy of the message with the GBA-associated key or with a key further derived from the GBA-associated key.
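The registration decision described in the embodiments above (authenticate the UE's request with the GBA-derived Ks_NAF, check which devices the user's subscription permits, allocate one PNE identifier per device identification code and return the mapping) as an added Python model; this is not code from the patent. The Ks_NAF derivation shape, the HMAC tag standing in for the Ks_NAF-protected message, the nonce replay check (which the patent does not describe), the PNMServer class and all sample identifiers are assumptions made for this illustration.

```python
"""Added illustration of the PNM AS registration decision; not patent code."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def gba_kdf(key: bytes, *params: bytes) -> bytes:
    """HMAC-SHA-256 KDF in the style of 3GPP TS 33.220 Annex B (assumption:
    FC byte 0x01, each parameter followed by its 2-byte big-endian length).
    The patent itself does not spell out how Ks_NAF is derived."""
    s = b"\x01"
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks_naf(ks: bytes, rand: bytes, impi: bytes, naf_id: bytes) -> bytes:
    """UE and BSF both compute Ks_NAF from Ks; the NAF only ever sees Ks_NAF."""
    return gba_kdf(ks, b"gba-me", rand, impi, naf_id)


def ue_build_request(ks_naf: bytes, device_codes: list) -> tuple:
    """UE side: registration request carrying the device identification codes.
    The patent protects this message with Ks_NAF; here a keyed HMAC tag over the
    request body (which carries a fresh nonce) stands in for that protection."""
    body = json.dumps({"nonce": secrets.token_hex(8),
                       "device_codes": device_codes}, sort_keys=True).encode()
    return body, hmac.new(ks_naf, body, hashlib.sha256).digest()


@dataclass
class PNMServer:
    """PNM AS with the NAF function merged (embodiments 2, 4, 6 and 7 above)."""
    naf_id: bytes
    # GUSS-like subscription data: user -> device codes the user may register
    subscriptions: dict
    ks_naf_by_user: dict = field(default_factory=dict)
    pn_elements: dict = field(default_factory=dict)   # user -> {code: PNE id}
    seen_nonces: set = field(default_factory=set)

    def bootstrap(self, user: str, ks: bytes, rand: bytes, impi: bytes) -> None:
        """Outcome of the GBA run: the server now holds Ks_NAF for this user."""
        self.ks_naf_by_user[user] = derive_ks_naf(ks, rand, impi, self.naf_id)

    def register(self, user: str, request: bytes, tag: bytes) -> dict:
        """Steps 806 to 808: authenticate, authorize per subscription, allocate."""
        key = self.ks_naf_by_user.get(user)
        if key is None:
            return {"status": "rejected", "reason": "no GBA context"}
        expected = hmac.new(key, request, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            # A terminal without Ks_NAF cannot produce a valid request.
            return {"status": "rejected", "reason": "bad authenticator"}
        body = json.loads(request)
        if body["nonce"] in self.seen_nonces:
            return {"status": "rejected", "reason": "replay"}
        self.seen_nonces.add(body["nonce"])
        allowed = self.subscriptions.get(user, set())
        elements = self.pn_elements.setdefault(user, {})
        granted, refused = {}, []
        for code in body["device_codes"]:
            if code not in allowed:
                refused.append(code)      # not in the user's subscription
                continue
            # One PNE identifier per device code, unique within this user's PN;
            # re-registering a known device returns the stored identifier.
            if code not in elements:
                elements[code] = f"{user}:pne-{len(elements) + 1}"
            granted[code] = elements[code]
        status = "ok" if not refused else ("partial" if granted else "rejected")
        return {"status": status, "pne_ids": granted, "refused": refused}


# Constructed sample values for a stand-alone run (not real network data).
SAMPLE_KS = b"\x11" * 32
SAMPLE_RAND = b"\x22" * 16
SAMPLE_IMPI = b"user1@example.invalid"
SAMPLE_NAF_ID = b"pnm.example.invalid"


def demo() -> tuple:
    """Runs one honest registration, one replay and one forged request."""
    srv = PNMServer(naf_id=SAMPLE_NAF_ID,
                    subscriptions={"user1": {"WLAN1", "WLAN2"}})
    srv.bootstrap("user1", SAMPLE_KS, SAMPLE_RAND, SAMPLE_IMPI)
    ks_naf = derive_ks_naf(SAMPLE_KS, SAMPLE_RAND, SAMPLE_IMPI, SAMPLE_NAF_ID)
    req, tag = ue_build_request(ks_naf, ["WLAN1", "WLAN2", "UNKNOWN"])
    first = srv.register("user1", req, tag)
    replay = srv.register("user1", req, tag)
    bad_req, bad_tag = ue_build_request(b"guessed-key", ["WLAN1"])
    forged = srv.register("user1", bad_req, bad_tag)
    return first, replay, forged


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```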
In the ninth embodiment of the invention, the network side may also use the Authentication and Key Agreement mode (Authentication and Key Agreement, "AKA mode" for short) for registration; in this case the authentication quintuplet is fetched directly from the HSS, and the AKA technique is used to generate a shared key with which the legitimacy of the registration message is authenticated, as shown in Figure 10.
In step 1001, the UE sends a request to generate a shared key to PNM AS;
In step 1002, PNM AS fetches a set of authentication quintuplets from the HSS;
In step 1003, the UE and PNM AS perform the AKA procedure, authenticate each other and generate a shared key K. The AKA algorithm can verify the identity of the user using a service and provides the keys for secure communication when the user accesses application services; since AKA is a standardized technique in the field of communication security, its details are not repeated in this embodiment;
In step 1004, the UE sends the shared key K and the parameters for establishing the secure channel to the WLAN device, so that PNM AS and the WLAN device now have a shared key;
Here the shared key used to establish the secure channel may be K itself or a key further derived from K;
In step 1005, PNM AS and the WLAN device establish a secure channel based on the shared key K, such as PSK TLS or IPsec; after step 1005, all communication between PNM AS and the WLAN device is carried out over this secure channel.
In step 1006, the WLAN device sends a registration request to PNM AS; this registration request may include, but is not limited to, the device identification code of the WLAN device. It should be noted that this WLAN device identification code is what the PNE identifier later issued by PNM AS (PNE identifier, "PNE ID" for short) is mapped to, so that the PNM can store and manage the mapping; it is therefore not limited to the WLAN device identification code, and any identifier that uniquely distinguishes this card-free device within a PN will do;
In step 1007, after PNM AS receives the registration request from the WLAN device forwarded by the NAF, it judges that the registration succeeds, allocates a PNE identifier to the WLAN device according to the WLAN device identification code, stores the correspondence, and sends the PNE identifier to the NAF;
In this step, PNM AS may also judge whether this user has the right to register this device according to other user information (such as the public identity);
This step is optional; PNM AS may also store locally the device number or public user identity that this WLAN device is allowed to use.
Alternatively, the device numbers or public user identities of the devices the user may use are stored in the user's subscription information. This information is placed in the GUSS and delivered to the NAF, and the NAF forwards it to PNM AS.
In step 1008, the WLAN device sends a registration success response to the UE via the local interface, notifying the UE that it has registered into the personal network.
It should be noted that when the embodiment of the invention authenticates the registration message with AKA, it applies not only to the case in which the card-free device registers itself but also to the case in which the UE registers on behalf of the card-free device, and not only to the registration of a single card-free device but also to the registration of several card-free devices. The basic principle is described in the preceding embodiments, and those skilled in the art can, guided by the GBA-based description, derive an AKA-based solution or a solution based on another authentication algorithm. These solutions are not enumerated one by one here.
In the tenth embodiment of the invention, the network side may also authenticate the registration message in GBA mode; when PNM AS has the NAF function and the WLAN device registers itself, the WLAN device can run the GBA procedure directly with the BSF to obtain the shared key, as shown in Figure 11.
In step 1101, the WLAN device, the BSF and the HSS perform the GBA procedure, and the WLAN device and the BSF generate a shared key Ks.
In step 1102, the BSF derives the key Ks_NAF.
In steps 1103 and 1104, the BSF sends the derived key Ks_NAF and the parameters for establishing the secure channel to PNM AS, and PNM AS stores the derived key.
In step 1105, the WLAN device generates the derived key Ks_NAF; PNM AS and the WLAN device now have a shared key.
In step 1106, PNM AS and the WLAN device establish a secure channel based on the shared key; this secure channel may be PSK TLS, IPsec, etc. Thereafter, all communication between PNM AS and the WLAN device is carried out over this secure channel.
In step 1107, the WLAN device sends a registration request to PNM AS, containing the device identification code of the WLAN device.
In steps 1108 and 1109, if PNM AS judges that the registration succeeds (PNM AS may also need to judge, according to certain user information or the public identity, whether this user has the right to register this device), it allocates a PNE identifier to the WLAN device according to the WLAN device identification code, stores the correspondence, and sends the PNE identifier to the WLAN device.
It should be noted that PNM AS may store locally the device numbers or public user identities that the user is allowed to use.
Alternatively, the device numbers or public user identities of the devices the user may use are stored in the user's subscription information. This information is placed in the GUSS and delivered to the NAF, and the NAF forwards it to PNM AS.
In step 1110, the WLAN device sends a registration success response to the UE, notifying the UE that it has registered into the personal network.
This embodiment solves the problem of registering a card-free device in the personal network, provides a secure registration method, and keeps the user's personal network from being intruded by malicious terminals.
In the eleventh embodiment of the invention, the network side may also authenticate the registration message using a public key certificate, and thereby verify the legitimacy of the registration message, as shown in Figure 12.
In step 1201, the WLAN device performs an authentication procedure with PNM AS using a public key certificate (or a shared key, i.e. a key shared in advance between the WLAN device and the network). After PNM AS has verified the identity of the WLAN device, it judges whether to allow the device to join the PNM according to the user-to-device correspondence in the user's subscription information or stored locally.
PNM AS may also decide whether to allow a device to join in the following way: the PNM notifies the UE of the registration of a certain device, and only after the UE approves is the device allowed to join.
In step 1202, the WLAN device sends the public key certificate (or the shared key, i.e. the key shared in advance between the WLAN device and the network) to the UE via the local interface; after the UE and PNM AS have authenticated each other, they establish a secure channel based on the public key certificate (or the shared key, i.e. the key shared in advance between the WLAN device and the network).
In step 1203, the UE sends a registration request to PNM AS, containing the identification code of the WLAN device.
In step 1204, PNM AS allocates a PNE identifier to the WLAN device according to the identification code of the WLAN device and stores the correspondence.
In step 1205, PNM AS sends a registration response to the UE, containing the PNE identifier allocated to the WLAN device.
In step 1206, the UE sends the PNE identifier to the WLAN device.
This embodiment solves the problem of registering a card-free device in the personal network, provides a secure registration method, and keeps the user's personal network from being intruded by malicious terminals.
In the twelfth embodiment of the invention, the difference is that the UE registers several WLAN devices at once and these WLAN devices do not belong to the same PAN. This embodiment takes two WLAN devices (WLAN1, WLAN2) as the example; they belong to different PANs, with correspondingly different UEs (UE1, UE2), BSFs (BSF1, BSF2) and HSSs (HSS1, HSS2). Only PNM AS exists in the network, and PNM AS, in addition to the PN management function, also has the NAF function and takes part in the GBA procedure. The UE registers on behalf of the WLAN devices, and the network side authenticates the registration request message using GBA, as shown in Figure 13.
Steps 1301 to 1305 and steps 1306 to 1310 are respectively the procedures that produce the shared keys; they have been described in detail in the previous embodiments and are not repeated here. There is no temporal ordering between steps 1301 to 1305 and steps 1306 to 1310;
Steps 1311 and 1312 are respectively the UE sending the derived key Ks_NAF and the parameters for establishing the secure channel to the WLAN device via the local interface; through these two steps, PNM AS and the WLAN devices share the key Ks_NAF. It should be specially noted that the shared key used here to establish the secure channel may be Ks_NAF itself or a key further derived from Ks_NAF, and that this local interface is defined by existing specifications and is well known in the industry, so it is not described here;
These two steps have no strict ordering restriction; of course, a UE can only send the shared key to its WLAN device after that shared key has been produced.
Steps 1313 to 1316 and steps 1317 to 1320 are respectively the procedures by which the WLAN devices register with PNM AS; they have been described in detail in the previous embodiments and are not repeated here. There is no temporal ordering between steps 1313 to 1316 and steps 1317 to 1320.
The embodiment of the invention does not limit whether PNM AS is merged with or separated from the NAF; the implementations above are described with PNM AS and NAF unified as the example, but this does not affect the flow when PNM AS and NAF are separated. When they are separated, there is additional signalling between PNM AS and the NAF beyond the flow of the invention.
It should be noted that in the case of card-free device registration where several card-free devices do not belong to the same PAN, the embodiment of the invention applies not only to the case in which the card-free device registers itself but also to the case in which the UE registers on behalf of the card-free device; not only to the case in which PNM AS is separated from the NAF but also to the case in which PNM AS and the NAF are unified; and not only to the GBA authentication procedure but also to prior-art solutions based on other authentication algorithms. The basic principle is described in the preceding embodiments, and those of ordinary skill in the art should understand that various changes in form and detail may be made without departing from the spirit and scope of the invention. These solutions are not enumerated one by one here.
In the embodiments of the invention a WLAN device was chosen as the card-free device, but the embodiments should not be taken as applicable only to WLAN devices: the method by which other card-free devices access the personal network can be derived from the above embodiments, possibly with some simple conceptual substitutions. For example, in the above embodiments the identification of the WLAN device is the WLAN device identification code; for another card-free device it may not be a device identification code, so any identifier that uniquely distinguishes the card-free device within a PN can serve as its identification.
An embodiment of the personal network management entity (PNM AS) of the invention is introduced below; referring to Figure 14, the personal network management entity 1400 in the embodiment of the invention comprises:
Judging unit 1410: used to judge whether the card-free device is allowed to access the personal network;
Allocation unit 1420: used to allocate a personal network element identifier to the card-free device allowed to access;
Sending unit 1430: used to send the personal network element identifier allocated by the allocation unit to the card-free device allowed to access.
The judging unit 1410 comprises:
Acquiring unit: used to obtain the identification of the card-free device;
Determining unit: used to judge, according to the identification obtained by the acquiring unit, whether the card-free device is allowed to access the personal network.
The acquiring unit comprises:
Secure channel establishing unit: used to establish a secure channel;
Information acquiring unit: used to obtain the identification of the card-free device over the secure channel established by the secure channel establishing unit.
Alternatively, the judging unit 1410 may comprise:
Authentication unit: used to authenticate the card-free device;
Determining unit: used to judge, according to the authentication result of the authentication unit, whether the card-free device is allowed to access the personal network.
Those of ordinary skill in the art will appreciate that all or part of the steps of the method embodiments above may be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, and when executed it comprises the steps of: obtaining the identification of the card-free device in the personal network, judging according to the obtained identification whether the card-free device is allowed to access the personal network, and performing the corresponding access operation for the card-free device allowed to access. The access operation comprises: allocating a corresponding personal network element identifier to the card-free device allowed to access, and sending the personal network element identifier to the user side.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, etc.
An embodiment of the access system of the invention is introduced below; referring to Figure 15, the access system in the embodiment of the invention comprises:
Access network entity 1502: used to connect the card-free device 1501 and the personal network management entity 1503;
Card-free device 1501: used to send its identification to the personal network management entity 1503 via the access network entity;
Personal network management entity 1503: used to judge whether the card-free device is allowed to access the personal network, and to perform the corresponding access operation for the card-free device allowed to access.
The personal network management entity 1503 comprises:
Judging unit 1510: used to judge whether the card-free device is allowed to access the personal network;
Allocation unit 1520: used to allocate a personal network element identifier to the card-free device allowed to access;
Sending unit 1530: used to send the personal network element identifier allocated by the allocation unit to the card-free device allowed to access.
The embodiments of the invention obtain the identification of the card-free device and judge according to that identification whether the card-free device is allowed to access the personal network, or judge this through an authentication procedure with the card-free device; they allocate a personal network element identifier to the card-free device allowed to access and send the personal network element identifier to that device. This solves the problem of registering a card-free device in the personal network, provides a secure registration method, and allows the user to be connected into the personal network securely.
Although the invention has been illustrated and described with reference to certain preferred embodiments, those of ordinary skill in the art should understand that various changes in form and detail may be made without departing from the spirit and scope of the invention.

Claims (6)

1. A method for a card-free device to access a personal network, characterized in that:
judging whether the card-free device is allowed to access the personal network;
allocating a personal network element identifier to the card-free device allowed to access, and sending the personal network element identifier to the card-free device allowed to access;
the network side obtains the identification of the card-free device and judges, according to the identification, whether the card-free device is allowed to access the personal network;
the method further comprises:
the user equipment and the network side obtaining a shared key;
the network side obtaining the identification of the card-free device comprises:
the network side obtaining a registration request, encrypted based on the shared key, sent by the user equipment, the registration request carrying the identification of the card-free device.
2. The method for a card-free device to access a personal network according to claim 1, characterized in that:
the personal network management entity of the network side obtains the registration request, encrypted based on the shared key, sent by the user equipment, the registration request carrying the identification of the card-free device;
or,
the network application function entity of the network side receives the registration request, encrypted based on the shared key, sent by the user equipment, the registration request carrying the identification of the card-free device; the network application function entity sends the identification of the card-free device to the personal network management entity of the network side, and the personal network management entity obtains the identification of the card-free device.
3. The method for a non-card equipment to access a personal network according to claim 1 or 2, characterized in that the subscriber equipment and the network side obtain the shared key in one of the following ways:
the subscriber equipment obtains the shared key by performing a Generic Bootstrapping Architecture (GBA) procedure with the network side;
the subscriber equipment obtains the shared key by performing an Authentication and Key Agreement (AKA) procedure with the network side.
4. The method for a non-card equipment to access a personal network according to claim 2, characterized in that the personal network element identifier is sent to the non-card equipment that is allowed to access in one of the following ways:
the personal network management entity sends the personal network element identifier directly to the non-card equipment that is allowed to access;
the personal network management entity notifies the network application function entity of the personal network element identifier, and the network application function entity sends the personal network element identifier to the non-card equipment that is allowed to access;
the personal network management entity sends the personal network element identifier to the subscriber equipment, and the subscriber equipment sends the personal network element identifier to the non-card equipment that is allowed to access;
the personal network management entity notifies the network application function entity of the personal network element identifier, the network application function entity sends the personal network element identifier to the subscriber equipment, and the subscriber equipment sends the personal network element identifier to the non-card equipment that is allowed to access.
5. A method for a non-card equipment to access a personal network, characterized in that:
it is determined whether the non-card equipment is allowed to access the personal network;
a personal network element identifier is allocated to the non-card equipment that is allowed to access, and the personal network element identifier is sent to the non-card equipment that is allowed to access;
the network side determines whether the non-card equipment is allowed to access the personal network by authenticating the non-card equipment, wherein the network side authenticates the non-card equipment by a public key certificate or a shared key;
the method further comprises:
the non-card equipment that is allowed to access sends the public key certificate or the shared key to the subscriber equipment, and the subscriber equipment and the personal network management entity of the network side establish a secure channel based on the public key certificate or the shared key; wherein allocating the personal network element identifier to the non-card equipment that is allowed to access comprises:
obtaining the identification of the non-card equipment that is allowed to access, and allocating the personal network element identifier to the non-card equipment that is allowed to access according to that identification, wherein obtaining the identification of the non-card equipment that is allowed to access comprises:
the personal network management entity obtains, through the secure channel, the registration request sent by the subscriber equipment, the registration request carrying the identification of the non-card equipment that is allowed to access.
6. The method for a non-card equipment to access a personal network according to claim 1, characterized in that:
if the non-card equipment is not on the subscriber blacklist, and/or if the non-card equipment is not on the equipment blacklist, the non-card equipment is allowed to access the personal network.
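The registration flow of claims 1 and 6, as an added illustration that is not part of the patent and not Huawei's code: the subscriber equipment sends a registration request encrypted and integrity-protected under the shared key, the network-side personal network management entity opens it, checks the subscriber blacklist and the equipment blacklist, and only then allocates and returns a personal network element identifier. The shared key is assumed to be the output of a GBA or AKA run (claim 3) and is simply generated here; the HMAC-based stream cipher, the `PNE-nnnn` identifier format and the blacklist data structures are all assumptions of this example, standing in for the AEAD and identifier scheme a real deployment would use.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field
from typing import Optional


def simulate_bootstrapping() -> bytes:
    """Stand-in for the shared key both sides obtain from GBA or AKA (claim 3).
    Constructed for this example: a real UE and network derive it from the
    bootstrapping procedure rather than generating it locally."""
    return os.urandom(32)


def _derive(shared_key: bytes, label: bytes) -> bytes:
    # Split the one shared key into separate encryption and MAC keys.
    return hmac.new(shared_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only stream cipher (assumption);
    # a production system would use AES-GCM or another AEAD instead.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_registration_request(shared_key: bytes, device_id: str) -> dict:
    """Subscriber-equipment side (claim 1): encrypt-then-MAC the registration
    request that carries the non-card equipment's identification."""
    enc_key, mac_key = _derive(shared_key, b"enc"), _derive(shared_key, b"mac")
    nonce = os.urandom(16)
    plaintext = json.dumps({"device_id": device_id}).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


@dataclass
class PNManagementEntity:
    """Network-side personal network management entity: opens the request,
    applies the blacklists (claim 6) and allocates the PN element identifier."""
    user_blacklists: dict = field(default_factory=dict)  # subscriber -> set of device ids
    device_blacklist: set = field(default_factory=set)   # operator-wide blocked devices
    allocated: dict = field(default_factory=dict)        # device id -> PN element identifier

    def _open(self, shared_key: bytes, msg: dict) -> Optional[str]:
        enc_key, mac_key = _derive(shared_key, b"enc"), _derive(shared_key, b"mac")
        expected = hmac.new(mac_key, msg["nonce"] + msg["ciphertext"], hashlib.sha256).digest()
        # Verify the tag in constant time before decrypting; a forged or
        # tampered request is rejected without ever being parsed.
        if not hmac.compare_digest(expected, msg["tag"]):
            return None
        plaintext = _xor(msg["ciphertext"], _keystream(enc_key, msg["nonce"], len(msg["ciphertext"])))
        return json.loads(plaintext)["device_id"]

    def is_allowed(self, subscriber: str, device_id: str) -> bool:
        """Claim 6: allowed only if absent from both the subscriber's own
        blacklist and the operator-wide equipment blacklist."""
        return (device_id not in self.user_blacklists.get(subscriber, set())
                and device_id not in self.device_blacklist)

    def handle_registration(self, subscriber: str, shared_key: bytes, msg: dict) -> Optional[str]:
        """Returns the allocated PN element identifier, or None when the request
        fails integrity checking or the device is not allowed to access."""
        device_id = self._open(shared_key, msg)
        if device_id is None or not self.is_allowed(subscriber, device_id):
            return None
        if device_id not in self.allocated:  # re-registration keeps its identifier
            self.allocated[device_id] = f"PNE-{len(self.allocated) + 1:04d}"
        return self.allocated[device_id]


if __name__ == "__main__":
    key = simulate_bootstrapping()
    pnm = PNManagementEntity(user_blacklists={"alice": {"dev-bad"}}, device_blacklist={"dev-stolen"})
    print(pnm.handle_registration("alice", key, seal_registration_request(key, "dev-tv-01")))
    print(pnm.handle_registration("alice", key, seal_registration_request(key, "dev-bad")))
```

The identifier is only ever returned to the subscriber whose shared key authenticated the request, which is what keeps a malicious terminal from registering a device into someone else's personal network: without the key it can neither produce a valid tag nor read the identifier sent back.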
CN201110069048.4A 2007-08-07 2007-08-07 Method, device and system for accessing personal network by card-free equipment Active CN102196428B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110069048.4A CN102196428B (en) 2007-08-07 2007-08-07 Method, device and system for accessing personal network by card-free equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110069048.4A CN102196428B (en) 2007-08-07 2007-08-07 Method, device and system for accessing personal network by card-free equipment

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN2007100757098A Division CN101364909B (en) 2007-08-07 2007-08-07 Method, apparatus and system for personal network access by non-card equipment

Publications (2)

Publication Number Publication Date
CN102196428A CN102196428A (en) 2011-09-21
CN102196428B true CN102196428B (en) 2013-08-28

Family

ID=44603668

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110069048.4A Active CN102196428B (en) 2007-08-07 2007-08-07 Method, device and system for accessing personal network by card-free equipment

Country Status (1)

Country Link
CN (1) CN102196428B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2798867A4 (en) 2011-12-30 2015-10-14 Ericsson Telefon Ab L M Virtual sim card cloud platform
CN103974251A (en) * 2013-02-06 2014-08-06 异术科技股份有限公司 Method for automatically authenticating identities for wireless network access
CN111464963B (en) * 2020-04-01 2021-11-09 中国联合网络通信集团有限公司 Registration method of card-free terminal and identity registration server

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1805391A (en) * 2005-01-13 2006-07-19 华为技术有限公司 Method and apparatus for supporting multiple logical networks in wireless LAN
CN1835622A (en) * 2005-03-17 2006-09-20 华为技术有限公司 Method of controlling access of user's terminal

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1805391A (en) * 2005-01-13 2006-07-19 华为技术有限公司 Method and apparatus for supporting multiple logical networks in wireless LAN
CN1835622A (en) * 2005-03-17 2006-09-20 华为技术有限公司 Method of controlling access of user's terminal

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
3GPP.Technical Specification Group Service and System Aspects *
Service requirements for Personal Network Management (PNM).《3GPP TS 22.259 v8.3.0》.2006, *

Also Published As

Publication number Publication date
CN102196428A (en) 2011-09-21

Similar Documents

Publication Publication Date Title
US8352739B2 (en) Two-factor authenticated key exchange method and authentication method using the same, and recording medium storing program including the same
US5455863A (en) Method and apparatus for efficient real-time authentication and encryption in a communication system
CN103596173B (en) Wireless network authentication method, client and service end wireless network authentication device
CN1929371B (en) Method for negotiating key share between user and peripheral apparatus
KR100832893B1 (en) A method for the access of the mobile terminal to the WLAN and for the data communication via the wireless link securely
KR101374810B1 (en) Virtual subscriber identity module
US8417218B2 (en) SIM based authentication
Jiang et al. An efficient scheme for user authentication in wireless sensor networks
CN101969638B (en) Method for protecting international mobile subscriber identity (IMSI) in mobile communication
KR101038096B1 (en) Secure key authentication method for binary cdma network
Dantu et al. EAP methods for wireless networks
US20070239994A1 (en) Bio-metric encryption key generator
CN108683510A (en) A kind of user identity update method of encrypted transmission
CN102111766A (en) Network accessing method, device and system
US7913096B2 (en) Method and system for the cipher key controlled exploitation of data resources, related network and computer program products
CN101192927B (en) Authorization based on identity confidentiality and multiple authentication method
CN101364909B (en) Method, apparatus and system for personal network access by non-card equipment
CN101483870A (en) Cross-platform mobile communication security system implementing method
CN101282215A (en) Method and apparatus for distinguishing certificate
CN102196428B (en) Method, device and system for accessing personal network by card-free equipment
Khan et al. Privacy preserving AKMA in 5G
Sharma et al. A review on wireless network security
CN101877852A (en) User access control method and system
Hoeper et al. Where EAP security claims fail
CN101267663A (en) A method, system and device for user identity validation

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant