CN109151816B - Network authentication method and system - Google Patents
Network authentication method and system Download PDFInfo
- Publication number
- CN109151816B CN109151816B CN201710510229.3A CN201710510229A CN109151816B CN 109151816 B CN109151816 B CN 109151816B CN 201710510229 A CN201710510229 A CN 201710510229A CN 109151816 B CN109151816 B CN 109151816B
- Authority
- CN
- China
- Prior art keywords
- network
- mme
- random number
- autn
- result
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The method comprises the steps of adding L network identifications of a TE-U network in a first attachment request to generate a second attachment request and sending the second attachment request to an MME of a L0 TE network when the MME of a L TE-U network receives the first attachment request, sending an authentication data request carrying the network identifications of the L TE-U network and the network identifications of the L TE network to an HSS by the MME of the L TE network based on the second attachment request, generating an authentication vector by the HSS based on the authentication data request and sending the authentication vector to an MME of a L TE network by the HSS, interacting the MME of a L TE network with the UE and the MME of a L TE-U network based on the authentication vector to realize network authentication, namely, finishing authentication between the UE and an operator network and a L TE-U network at one time when the UE is accessed to the operator network and the L TE-U network by the method provided by the application.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to a network authentication method and system.
Background
For example, a hospital has network devices such as L TE-U base station (Evolved Node B, eNB), L TE-U Mobility Management Entity (MME), L TE-U Gateway (Gateway, GW) deployed in the hospital, which constitute L TE-U network, and User devices (User Equipment, UE) in the hospital can communicate by accessing the L TE-U network, so as to ensure that the UE can access the L TE-U network and use the operator network such as the network service provided by the long Term Evolution (L ong Term Evolution, L TE) network, and the UE can access the operator network such as the operator TE-U network when the UE is connected to the L TE-U network, so that the UE is not connected to the L TE-U network.
In the related art, when a UE initially accesses an L TE network, the UE performs bidirectional authentication with an MME of a L TE network, if the UE determines that L TE network is real, and the MME also determines that the UE is real, then the bidirectional authentication is successful, after the bidirectional authentication is successful, the MME generates a Non-Access Stratum (NAS) key and performs algorithm negotiation with the UE according to the NAS key, after the algorithm negotiation between the MME and the UE is successful, a base station (Evolved Node B, eNodeB) of the L TE network generates an Access Stratum (Access Stratum, AS) key and performs algorithm negotiation with the UE according to the AS key, and if the algorithm negotiation between the eNodeB and the UE is successful, authentication between the UE and the L TE network is completed, and the UE can successfully Access the L TE network.
As can be seen from the above description, the related art provides only a method for directly authenticating the UE with the network device in the operator network when the UE accesses the operator network, and does not provide a method for performing network authentication when the UE accesses the operator network and the L TE-U network when the L TE-U network exists.
Disclosure of Invention
In order to solve the problem that a method for accessing L TE network and L TE-U network for network authentication is not provided in the related art, the application provides a network authentication method, and the technical scheme is as follows:
in a first aspect, a network authentication method is provided, where the method includes:
when a Mobile Management Entity (MME) of an unlicensed L TE-U network based on long term evolution receives a first attachment request from User Equipment (UE), adding a network identifier of the L TE-U network in the first attachment request to generate a second attachment request, and sending the second attachment request to an MME of a L TE network;
when the MME of the L TE network receives the second attach request, sending an authentication data request to a home subscriber server HSS based on the second attach request, where the authentication data request carries a network identifier of the L TE-U network and a network identifier of the L TE network;
when the HSS receives the authentication data request, generating an authentication vector based on a network identification of the L TE-U network and a network identification of the L TE network, and sending the authentication vector to an MME of the L TE network, the authentication vector including parameters for authenticating the UE, the L TE-U network, and the L TE network;
when the MME of the L TE network receives the authentication vector, interacting with the UE and the MME of the L TE-U network based on the authentication vector to realize network authentication.
Optionally, the authentication vector includes a first basic key, expected reply information, a first random number, and an authentication flag AUTN, where the first basic key is a key corresponding to the L TE-U network;
the interacting with the UE and the MME of the L TE-U network based on the authentication vector to realize network authentication comprises:
the MME of the L TE network storing the expected reply information and sending the first random number, the AUTN, the network identification of the L TE-U network, and a first ciphering result to the UE by the MME of the L TE-U network, the first ciphering result being generated by the MME of the L TE-U network based on the first base key;
when the UE receives the first random number, the AUTN, the L TE-U network identification, and the first ciphering result, authenticating the L TE network based on the first random number and the AUTN, and authenticating the L TE-U network based on the first random number, the AUTN, the L TE-U network identification, and the first ciphering result;
generating reply information and generating a second encryption result based on the first random number, the AUTN, and a network identification of the L TE-U network when the UE determines that both the L TE network and the L TE-U network are verified;
the UE sends the second encryption result to the MME of the L TE-U network and sends the reply information to the MME of the L TE network;
authenticating the UE based on the second ciphering result when the second ciphering result is received by the MME of the L TE-U network, and authenticating the UE based on the expected reply information and the reply information when the reply information is received by the MME of the L TE network.
Optionally, the L MME of TE network sending the first random number, the AUTN and the first ciphering result to the UE through the L MME of TE-U network, including:
the MME of the L TE network stores the expected reply information and sends the first basic key, the first random number and the AUTN to the MME of the L TE-U network;
when the MME of the L TE-U network receives the first basic key, the first random number and the AUTN, the MME stores the first basic key, generates a first encryption result based on the first basic key, and sends the first random number, the AUTN, the network identifier of the L TE-U network and the first encryption result to the UE.
Optionally, the generating a first encryption result based on the first base key includes:
the MME of the L TE-U network generates a second random number, and encrypts the second random number through the first basic key to obtain the first encryption result;
accordingly, the sending the first random number, the AUTN, the network identification of the L TE-U network, and the first encryption result to the UE includes:
the MME of the L TE-U network sends the first random number, the AUTN, the network identification of the L TE-U network, the first encryption result and the second random number to the UE.
Optionally, the AUTN includes a message authentication code MAC;
the UE authenticating the L TE network based on the first nonce and the AUTN, including:
the UE generates an expected message authentication code (XMAC) based on the first random number and other parameters except the MAC in the AUTN;
if the XMAC and the MAC are the same, the UE determines that the L TE network is authenticated.
Optionally, the UE authenticating the L TE-U network based on the first nonce, the AUTN, the L TE-U network's network identification, and the first ciphering result, comprising:
the UE generates a second basic key according to the network identifier of the L TE-U network, the first random number and the AUTN;
the UE encrypts the second random number through the second basic key to obtain a third encryption result;
if the first encryption result is equal to the third encryption result, the UE determines that the L TE-U network is authenticated.
Optionally, the generating a second encryption result based on the first random number, the AUTN, and the network identification of the L TE-U network includes:
the UE generates a third random number, and integrally encrypts the second random number and the third random number through the second basic key to obtain a second encryption result;
accordingly, the UE sending the second ciphering result to the MME of the L TE-U network, including:
the UE sends the second encryption result and the third random number to an MME of the L TE-U network;
accordingly, the L MME of the TE-U network authenticating the UE based on the second ciphering result includes:
the MME of the L TE-U network integrally encrypts the second random number and the third random number through the stored first basic key to obtain a fourth encryption result;
the MME of the L TE-U network determines that the UE is authenticated if the second ciphering result and the fourth ciphering result are equal.
Optionally, the L sending, by the MME of the L TE-U network, the first random number, the AUTN, the network identification of the L TE-U network, and the first ciphering result to the UE, including:
the MME of the L TE network stores the expected reply information and sends the first basic key, the expected reply information, the first random number and the AUTN to the MME of the L TE-U network;
when the MME of the L TE-U network receives the first basic key, the expected reply information, the first random number and the AUTN, the first basic key and the expected reply information are stored, a first encryption result is generated based on the first basic key, and the first random number, the AUTN, the network identifier of the L TE-U network and the first encryption result are sent to the UE.
Optionally, the AUTN comprises a MAC;
the generating a first encryption result based on the first base key comprises:
and the MME of the L TE-U network encrypts the MAC through the first basic key to obtain the first encryption result.
Optionally, the UE authenticating the L TE-U network based on the first nonce, the AUTN, the L TE-U network's network identification, and the first ciphering result, comprising:
the UE generates a second basic key according to the network identifier of the L TE-U network, the first random number and the AUTN;
the UE encrypts the MAC through the second basic key to obtain a fifth encryption result;
if the first encryption result is equal to the fifth encryption result, the UE determines that the L TE-U network is authenticated.
Optionally, the generating a second encryption result based on the first random number, the AUTN, and the network identification of the L TE-U network includes:
the UE encrypts the reply information through the second basic key to obtain a second encryption result;
accordingly, the L MME of the TE-U network authenticating the UE based on the second ciphering result includes:
the MME of the L TE-U network encrypts the reply information through the stored first basic key to obtain a sixth encryption result;
if the expected reply information stored by the MME of the L TE-U network is the same as the reply information and the sixth encryption result is equal to the second encryption result, the MME of the L TE-U network determines that the UE is authenticated.
Optionally, the second attach request carries a security algorithm of the UE, the authentication vector includes a third basic key, expected reply information, a first random number, and an authentication flag AUTN, and the third basic key is a key corresponding to the L TE network;
the interacting with the UE and the MME of the L TE-U based on the authentication vector to realize network authentication comprises:
the MME of the L TE network interacting with the UE based on the third base key, the expected reply information, the first random number, and the AUTN to enable authentication of the UE to the L TE network and authentication of the UE to the MME of the L TE network;
generating a second random number when the MME of the L TE network determines that the authentication of the UE passes, and generating a first basic key based on the network identification of the L TE-U network and the third basic key;
the MME of the L TE network generates a non-access stratum (NAS) key based on the security algorithm of the UE, and encrypts the second random number through the NAS key to obtain a seventh encryption result;
the MME of the L TE network sending the first base key, the third base key, the NAS key, the network identification of the L TE-U network, the second random number, and the seventh ciphering result to the MME of the L TE-U network;
the MME of the L TE-U network encrypts the second random number through the first basic key to obtain an eighth encryption result, and sends the third basic key, the NAS key, the network identifier of the L TE-U network, the seventh encryption result and the eighth encryption result to the UE;
the UE generates a second basic key based on the third basic key and the network identifier of the L TE-U network, decrypts the eighth encryption result through the second basic key to obtain a first decryption result, and decrypts a seventh encryption result through the NAS key to obtain a second decryption result;
if the first decryption result and the second decryption result are the same, the UE determines that the L TE-U network is authenticated.
The network authentication system comprises UE, L MME of TE-U network, MME of L TE network and HSS, wherein the UE, MME of L TE-U network, MME of L TE network and HSS are used for realizing the network authentication method provided by the first aspect.
In a third aspect, a network device is provided, where the structure of the network device includes a processor and a memory, where the memory is used to store a program that supports the network device to execute the network authentication method provided in the first aspect, and store data used to implement the network authentication method provided in the first aspect. The processor is configured to execute programs stored in the memory. The operating means of the memory device may further comprise a communication bus for establishing a connection between the processor and the memory.
In a fourth aspect, a computer-readable storage medium is provided, having stored therein instructions, which, when run on a computer, cause the computer to perform the network authentication method of the first aspect described above.
In a fifth aspect, there is provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the network authentication method of the first aspect described above.
The technical effects obtained by the above second, third, fourth and fifth aspects are similar to the technical effects obtained by the corresponding technical means in the first aspect, and are not described herein again.
The technical solution provided by the present application brings about the advantages that, for a UE not accessing an operator network, when the UE accesses L TE-U network, a first attach request can be sent to the MME of L TE-U network, when the MME of L TE-U network receives the first attach request, the network identifier of the L TE-U network can be added to the first attach request to generate a second attach request, and the second attach request is sent to the MME of L TE network, the MME of < translation = L ">t L <tt/t >t TE network generates an authentication data request based on the second attach request to request an authentication vector to the HSS, when the HSS receives the authentication data request, an authentication vector is generated based on the authentication data request and sent to the MME of L TE network, and then L the MME of TE network can perform authentication with the network according to the received authentication vector and the MME of the operator network, so that the UE can use the authentication method for the network between the network and the network when the UE is implemented by the network, the invention is implemented as No. 3, the UE, the invention can be implemented by the network, the TE-U network, the invention can be implemented by the invention, when the invention is implemented by the network, the invention is implemented by the No. L.
Drawings
Fig. 1 is a system architecture diagram of a network authentication method according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a network device according to an embodiment of the present invention;
fig. 3 is a flowchart of a network authentication method according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating a method for performing network authentication interactively between an MME of L TE network and an MME of L TE-U network and a UE according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating a method for performing network authentication interactively between an MME of L TE network and an MME of L TE-U network and a UE according to an embodiment of the present invention;
fig. 6 is a flowchart of another method for performing network authentication interactively between an MME of an L TE network, an MME of a L TE-U network, and a UE according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Currently, organizations such as enterprises, hospitals, government units, etc. can deploy network devices belonging to themselves in certain areas for facilitating communication of internal employees or for pushing specific information and services to users of services, and use unlicensed spectrum to communicate through the deployed network devices, wherein the unlicensed spectrum may be the same spectrum as WIreless Fidelity (WIFI) spectrum, the networks consisting of network devices deployed by third parties and using the unlicensed spectrum for communication are L TE-U networks, the third party deploying the L TE-U network can provide specific services to users accessing the L TE-U network by controlling the deployed network devices, for example, a hospital within the range of the hospital may deploy L TE-U eNB, L TE-U network, and the ttt transfer t network may provide information to the ttt network, such as ttt-U network, TE-n # 52, TE-U, TE-n # 3, and so as to facilitate the medical service, such as ttt-t-U, TE-n # 3, TE-U, TE-n # 3, and the hospital may provide information to the medical service terminal via the ttt-g network.
It should be noted that, a third party may not only provide a specific service to a user through the deployed L TE-U network, but also may connect network equipment in the L TE-U network with network equipment in the operator network, so that a user accessing the L TE-U network may use network services provided by the operator network at the same time.
After introducing the application scenario of the embodiment of the present invention, a system architecture related to the embodiment of the present invention is described next.
FIG. 1 is a system architecture diagram of a network authentication method according to an embodiment of the present invention, as shown in FIG. 1, the system includes an eNB 102 of a UE101, L TE-U network, an MME 103 of a L TE-U network, an MME 104 of a L TE network, and an HSS 105, wherein the UE101 is connected to the eNB 102 of the L TE-U network, the MME 103 of the L TE-U network is connected to the MME 104 of the L TE network, and the MME 104 of the L TE network is connected to the HSS 105.
When performing network authentication, the UE101 initiates an attach request to the eNB 102 of L TE-U network, the eNB 102 of L TE-U network forwards the attach request sent by the UE101 to the MME 103 of L0 TE-U network, the MME 103 of L1 TE-U network and the MME 104 of L2 TE network interact with the UE according to the attach request sent by the UE to realize authentication between the MME 103 of the UE101, L TE-U network and the MME 104 of L TE network, in the process, the MME 104 of L TE network can request authentication vector from HSS according to the attach request sent by the UE101, the network identification of L TE-U network and the network identification of L TE network, the HSS 105 generates authentication vector according to the received information and returns the authentication vector to the MME 104 of L TE network, so that the MME 103 of L TE-U network and the MME 104 of L TE network perform authentication with the UE101 according to the authentication vector.
Fig. 2 is a schematic structural diagram of a network device according to an embodiment of the present invention. The network device may be the UE, eNB, MME or HSS in fig. 1. Referring to fig. 2, the network device includes at least one processor 201, a communication bus 202, a memory 203, and at least one communication interface 204.
The processor 201 may be a general-purpose Central Processing Unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more ics for controlling the execution of programs in accordance with the present invention.
The communication bus 202 may include a path that conveys information between the aforementioned components.
The Memory 203 may be a Read-Only Memory (ROM) or other type of static storage device that can store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that can store information and instructions, an Electrically Erasable Programmable Read-Only Memory (EEPROM), a compact disc Read-Only Memory (CD-ROM) or other optical disc storage, optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory 203 may be self-contained and coupled to the processor 201 via the communication bus 202. The memory 203 may also be integrated with the processor 201.
The communication interface 204 may be any device, such as a transceiver, for communicating with other devices or communication Networks, such as AN ethernet, a Radio Access Network (RAN), a Wireless L o cal Area Networks (W L AN), etc.
In particular implementations, processor 201 may include one or more CPUs, such as CPU0 and CPU1 shown in fig. 2, as one embodiment.
In particular implementations, a network device may include multiple processors, such as processor 201 and processor 205 shown in fig. 2, for example, as an embodiment. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
In particular implementations, as an example, the network device may also include an output device 206 and an input device 207, the output device 206 and the processor 201 may communicate to display information in a variety of ways the output device 206 may be, for example, a liquid crystal display (L CD), a light emitting diode (L ED) display device, a Cathode Ray Tube (CRT) display device, or a projector (projector), the input device 207 and the processor 201 communicate to receive user input in a variety of ways the input device 207 may be, for example, a mouse, a keyboard, a touch screen device, a sensor device, or the like.
The network device may be a general purpose computer device or a special purpose computer device. In a specific implementation, the network device may be a desktop computer, a laptop computer, a network server, a Personal Digital Assistant (PDA), a mobile phone, a tablet computer, a wireless terminal device, a communication device, or an embedded device. The embodiment of the invention does not limit the type of the network equipment.
The memory 203 is used for storing program codes for executing the scheme of the application, and the processor 201 controls the execution. The processor 201 is operable to execute program code 208 stored in the memory 203. One or more software modules may be included in program code 208. The network device shown in fig. 1 may implement network authentication through the processor 201 and one or more software modules in the program code 208 in the memory 203.
After the application scenario and the system architecture related to the embodiment of the present invention are explained through the above description, a detailed description will be given to a specific implementation process of the embodiment of the present invention.
Fig. 3 is a flowchart of a network authentication method according to an embodiment of the present invention, and as shown in fig. 3, the method includes the following steps:
step 301, the UE sends L a first attach request to the MME of the TE-U network.
Wherein, for a UE not accessing an operator network, when the UE accesses L TE-U network, the UE may send a first Attach Request (Attach Request) to the eNB of the L TE-U network, and when the eNB of the L TE-U network receives the first Attach Request, the eNB of the L TE-U network forwards the first Attach Request to the MME of the L TE-U network.
The first attach request is an NAS message, and cannot be parsed by an eNB of the L TE-U network, and the International Mobile Subscriber Identity (IMSI) of the UE and a security algorithm of the UE may be carried in the first attach request.
Step 302, when L MME of TE-U network receives the first attach request from UE, adding L network identification of TE-U network in the first attach request to generate a second attach request.
After the second attach request is generated, the MME of L TE-U network may determine, according to the IMSI of the UE carried in the first attach request, the MME of L TE network corresponding to the UE.
L the MME of the TE-U network sends a second attach request to the MME of the L TE network.
After determining the L TE network MME corresponding to the UE, the L TE-U network MME may send the generated second attach request to the determined L TE network MME.
Step 304, when the MME of the L TE network receives the second attach request, sending an authentication data request to the HSS based on the second attach request.
When the MME of the L TE network receives the second attach request, as can be seen from the foregoing description, the second attach request carries the IMSI of the UE, the security capability, and the network identifier of the L TE-U network, and at this time, the MME of the L TE network may add the network identifier of the L TE network to the second attach request, so as to generate an authentication data request, and send the authentication data request to the HSS.
When the HSS receives the authentication data request, an authentication vector is generated based on the network identity of the L TE-U network and the network identity of the L TE network, step 305.
After receiving the Authentication data request, the HSS may determine, according to the IMSI carried in the Authentication data request, a long-term Key corresponding to the IMSI of the UE from the stored multiple long-term keys, where the long-term Key may also be referred to as a mobile phone Authentication code (Ki), and then, the HSS may generate, according to the determined long-term Key and a network identifier of the L TE network, a third basic Key corresponding to the L TE network, and generate, using the long-term Key and a network identifier of the L TE-U network, a first basic Key corresponding to the L TE-U network.
It should be noted that the authentication vector may include the first basic key, the third basic key, the first random number, the expected reply information, and the AUTN, or may not include the first basic key and only include the third basic key, the first random number, the expected reply information, and the AUTN. Alternatively, the authentication vector may not include the third basic key, but include the first basic key, the first random number, the expected reply information, and the AUTN. When the authentication vector does not include the first or third basic key, the HSS may not generate the first or third basic key in the above procedure.
The HSS sends L the MME of the TE network an authentication vector, step 306.
And 307, when the MME of the L TE network receives the authentication vector, interacting with the UE and the MME of the L TE-U network based on the authentication vector to realize network authentication.
When the MME of the L TE network receives the authentication vector, the MME of the L TE-U network and the UE can interact according to the authentication vector, so that the verification of the L TE network to the UE, the verification of the L TE-U network to the UE and the verification of the L TE network and L TE-U network by the UE are completed.
It should be noted that, in the embodiment of the present invention, the UE may simultaneously verify the L TE-U network and the L TE network, or may first verify the L TE network with each other successfully, and then verify the L TE-U network with each other, in addition, when the UE simultaneously verifies the L TE-U network and the L TE network, the UE may also verify the L TE-U network by using different parameters in the authentication vector, and a specific implementation process of performing network authentication based on interaction between the authentication vector and the UE and the MME of the L TE-U network will be described in detail through the following embodiments.
In the embodiment of the present invention, for a UE that does not access an operator network, when the UE accesses L TE-U network, a first attach request may be sent to the MME of L TE-U network, when the MME of L0 TE-U network receives the first attach request, the network identifier of the L TE-U network may be added to the first attach request, thereby generating a second attach request, and sending the second attach request to the MME of L TE network, <tttranslation = L ">gttttl &/ttt >tgtt TE network's MME generates an authentication data request based on the second attach request, to request an authentication vector from the HSS, when the HSS receives the authentication data request, an authentication vector is generated based on the authentication data request, and the authentication vector is sent to the MME of L TE network, and then the MME of L TE network may perform an interaction with the UE and the TE network according to the authentication vector brought about the network, so that the UE may conveniently use the network access network of the present invention, when the UE accesses 673 TE-U network, the authentication method is implemented by the MME of the network, thereby enabling the UE to conveniently using the UE-U network, the embodiment of the present invention, the network, and the network, the.
Based on the foregoing description, the UE may simultaneously verify the L TE-U network and the L TE network, or may first verify the L TE network successfully with each other, and then verify the L TE-U network with each other, in addition, when the UE simultaneously verifies the L TE-U network and the L TE network, the UE may also verify the L TE-U network by using different parameters in the authentication vector.
Fig. 4 is a flowchart of a first method for performing network authentication based on an authentication vector according to an embodiment of the present invention, as shown in fig. 4, the method includes the following steps:
l the MME of the TE network stores the expected reply information in the authentication vector, step 401.
Based on the description in the foregoing embodiment, the authentication vector may include the first basic key, the first random number, the expected reply information, and the AUTN, and when the MME of the L TE network receives the authentication vector, the expected reply information in the authentication vector may be stored for later verification of the UE, and the first basic key, the first random number, and the AUTN in the authentication vector may be forwarded to the MME of the L TE-U network.
L the MME of the TE network sends the first base key, the first random number, and the AUTN to the MME of the L TE-U network.
And step 403, when the MME of the L TE-U network receives the first basic key, the first random number and the AUTN, storing the first basic key, generating a second random number, and generating a first encryption result based on the first basic key and the second random number.
At the same time, the MME of the L TE-U network may also generate a first ciphering result based on the first base key, which is used for the UE to authenticate the L TE-U network.
When receiving the first basic key, the first random number, and the AUTN, the MME of the L TE-U network may generate a second random number using a random number generator, and encrypt the second random number with the first basic key, thereby obtaining a first encryption result.
L the MME of the TE-U network sends the first random number, the AUTN, the network identification of the L TE-U network, the first encryption result and the second random number to the UE.
After the MME of the L TE-U network generates the first ciphering result, the first random number, the network identifier of the AUTN, L TE-U network, the first ciphering result, and the second random number used to generate the first ciphering result may be sent to the eNB of the L TE-U network, and the eNB of the L TE-U network forwards the first random number, the network identifier of the AUTN, L TE-U network, the first ciphering result, and the second random number to the UE.
Step 405, when the UE receives the first random number, the AUTN, the network identification of the L TE-U network, the first encryption result and the second random number, the L TE network and the L TE-U network are verified based on the first random number, the AUTN, the network identification of the L TE-U network, the first encryption result and the second random number.
When the UE receives the first random number, AUTN, and first ciphering result, the UE may authenticate L TE network according to the first random number and AUTN, and authenticate L TE-U network according to the first random number, AUTN, and first ciphering result.
When the UE authenticates L the TE network, the UE may generate the expected message authentication code XMAC based on the first random number and other parameters in the AUTN except the MAC, and if the XMAC and the MAC are the same, the UE determines that authentication of L the TE network passes.
Wherein, the UE may calculate the Expected Message Authentication Code (XMAC) according to its stored Ki, the first random number, the sequence number in AUTN, and the AMF, as known from the description of step 305 in the foregoing embodiment, the AUTN includes a MAC, and the MAC is calculated by the HSS according to the determined Ki, the first random number, the sequence number in AUTN, and the AMF, and after the UE generates the XMAC, if the XMAC and the MAC are the same, it indicates that the Ki determined by the HSS is consistent with the Ki stored in the UE, and the Ki determined by the HSS is determined according to the IMSI of the UE, that is, the Ki determined by the HSS is actually the Ki stored by the UE on the L TE network side, therefore, when the XMAC and the MAC are the same, the UE may determine that the current L TE network is authentic, and that the UE passes the Authentication of the L TE network.
When the UE authenticates L TE-U network, the UE can generate a second basic key according to the network identifier of L TE-U network, the first random number and AUTN, encrypt the second random number by the UE through the second basic key to obtain a third encryption result, and if the first encryption result is equal to the third encryption result, the UE determines that the L TE-U network is authenticated.
The UE can generate a second basic key according to Ki stored by the UE, network identification of the L TE-U network, a first random number and AUTN (autonomous authentication unit) stored by the UE when the UE authenticates the L TE-U network, and then the UE encrypts the second random number through the second basic key to obtain a third encryption result, wherein the first basic key is a key corresponding to the L TE-U network, and the first encryption result is obtained by encrypting the second random number through the first basic key, so that if the third encryption result is the same as the first encryption result, the second basic key is the same as the first basic key, namely, the UE can determine that the L TE-U network is authenticated, otherwise, if the third encryption result is different from the first encryption result, the second basic key is different from the first basic key, and at this moment, the UE authenticates the L TE-U network fails.
And 406, when the UE determines that the L TE network and the L TE-U network are verified, generating reply information and a third random number, and generating a second encryption result based on the network identification of the L TE-U network, the first random number, the AUTN and the third random number.
After the UE determines that the UE passes the authentication of L TE network, it may generate a reply message with its stored Ki and the received first random number, and the reply message is used for the subsequent L TE network to authenticate the UE.
After the UE determines that the L TE-U network is verified, the UE may generate a third random number, and then, the UE may perform overall encryption on the received second random number and the generated third random number according to the network identifier of the L TE-U network, the first random number, and a second basic key generated by AUTN, thereby obtaining a second encryption result.
Step 407, the UE sends the second encryption result, the third random number and the reply message to L the MME of the TE-U network.
After the UE generates the reply information and the second encryption result, the third random number, and the reply information may be sent to the eNB of the L TE-U network and forwarded by the eNB of the L TE-U network to the MME of the L TE-U network.
And step 408, when the MME of the L TE-U network receives the second encryption result and the third random number, authenticating the UE based on the second encryption result.
Based on the foregoing description in step 403, the MME of the L TE-U network stores the first basic key, and the second random number is generated by the MME of the L TE-U network and stored in the MME of the L TE-U network, so that, after the MME of the L TE-U network receives the second encryption result and the third random number, the stored second random number and the received third random number may be encrypted integrally by the stored first basic key, so as to obtain a fourth encryption result.
And step 409, when the MME of the L TE-U network receives the reply information, sending the reply information to the MME of the L TE network.
Based on the description in step 407, the UE sends the second encryption result, the third random number and the reply information to the MME of L TE-U network, where the MME of L TE-U network can authenticate the UE in step 408 using the second encryption result and the third random number, and for the received reply information, since the reply information is used for the L TE network to authenticate the UE, the MME of L TE-U network can directly forward the reply information to the MME of L TE network.
And step 410, when the MME of the L TE network receives the reply information, verifying the UE based on the reply information.
Therefore, when the MME of the L TE network receives the reply information, if the reply information is the same as the expected reply information, the MME of the L TE network can determine that Ki used for generating the expected reply information is the same as Ki used for generating the reply information, that is, Ki stored on the L TE network side is consistent with Ki stored by the UE itself, and at this time, the MME of the L TE network can determine that the current UE is really valid, that is, the MME of the L TE network can determine that the UE passes authentication.
In the embodiment of the invention, after the MME of the L TE network receives the authentication vector, the MME of the L TE network and the MME of the L TE-U network can send the first random number, AUTN and the first encryption result to the UE, after the UE receives the first random number, AUTN and the first encryption result, the L TE-U network and the L TE network can be verified simultaneously according to the first random number, AUTN and the first encryption result, and then the MME of the L TE-U network and the MME of the L TE network can verify the UE according to the reply information from the UE and the second encryption result.
The method for the UE to simultaneously authenticate the L TE-U network and the L TE network according to the second random number generated by the L TE-U network and other parameters is described through the above embodiments, and next, another method for the UE to simultaneously authenticate the L TE-U network and the L TE network will be described.
Fig. 5 is a flowchart of a second method for network authentication based on an authentication vector according to an embodiment of the present invention, as shown in fig. 5, the method includes the following steps:
l the MME of the TE network stores the expected reply information in the authentication vector, step 501.
As can be seen from the description of step 305 in the foregoing embodiment, the authentication vector includes the first basic key, the first random number, the expected reply information and AUTN, and when the MME of the L TE network receives the authentication vector, the expected reply information may be stored for subsequent authentication of the UE.
L the MME of the TE network sends the first base key, the expected reply information, the first random number, and the AUTN to the MME of the L TE-U network.
L after the MME of the TE network stores the expected reply information, in addition to sending the first basic key, the first random number and AUTN remaining in the authentication vector to the MME of the L TE-U network, the expected reply information also needs to be sent to the MME of the L TE-U network.
And 503, when the MME of the L TE-U network receives the first basic key, the expected reply information, the first random number and the AUTN, storing the first basic key and the expected reply information, and generating a first encryption result based on the first basic key.
At the same time, the MME of the L TE-U network may generate a first ciphering result based on the first base key.
It should be noted that, as can be seen from the description of step 305 in the foregoing embodiment, the MAC is included in the AUTN, and when the MME of the L TE-U network receives the first basic key, the expected reply information, the first random number, and the AUTN, the MAC in the AUTN may be encrypted by the first basic key, so as to obtain the first encryption result.
L the MME of the TE-U network sends the first random number, the AUTN, the network identification of the L TE-U network and the first ciphering result to the UE.
After generating the first ciphering result, the MME of the L TE-U network may send the first random number, the AUTN, the network identification of the L TE-U network, and the first ciphering result to the eNB of the L TE-U network, and forward the first random number, the AUTN, the network identification of the L TE-U network, and the first ciphering result to the UE by the eNB of the L TE-U network.
And 505, when the UE receives the first random number, the network identification of the AUTN, L TE-U network and the first encryption result, verifying the L TE network and the L TE-U network based on the first random number, the AUTN, the network identification of the L TE-U network and the first encryption result.
When the UE receives the first random number, the AUTN, the network identification of the L TE-U network, and the first ciphering result, the UE may authenticate the L TE network according to the first random number and the AUTN, and authenticate the L TE-U network according to the first random number, the AUTN, the network identification of the L TE-U network, and the first ciphering result.
The specific implementation manner of the UE verifying the L TE network may refer to the verification manner of the L TE network by the UE in step 405, and the embodiment of the present invention is not described in detail again.
When the UE authenticates L TE-U network, the UE may generate a second basic key according to the network identification of L TE-U network, the first random number and AUTN, encrypt the MAC with the second basic key to obtain a fifth encryption result, and if the first encryption result is equal to the fifth encryption result, the UE determines that the L TE-U network is authenticated.
The UE can generate a second basic key according to Ki stored by the UE, network identification of a L TE-U network, a first random number and AUTN when the UE authenticates the L TE-U network, and then encrypts MAC included in the AUTN through the second basic key to obtain a fifth encryption result.
And step 506, when the UE determines that the L TE network and the L TE-U network are verified, generating reply information, and generating a second encryption result based on the network identification of the L TE-U network, the first random number and the AUTN.
When the UE determines that the authentication to the L TE network passes, a reply message may be generated with its own stored Ki and the received first random number.
After the UE determines that the L TE-U network is verified and generates the reply message, the UE may encrypt the reply message with the second basic key generated according to the network identification of the L TE-U network, the first random number, and the AUTN in step 505, thereby obtaining a second encryption result.
In step 507, the UE sends the second encryption result and the reply message to L MME of the TE-U network.
After the UE generates the reply information and the second ciphering result, the reply information and the second ciphering result may be sent to the eNB of the L TE-U network and forwarded by the eNB of the L TE-U network to the MME of the L TE-U network.
And step 508, when the MME of the L TE-U network receives the reply information and the second encryption result, verifying the UE based on the reply information and the second encryption result.
After the MME of the L TE-U network receives the reply information and the second decryption result, the reply information may be first compared with the expected reply information, and then the MME of the L TE-U network may encrypt the reply information by using the first basic key stored by itself to obtain a sixth encryption result.
L the MME of the TE-U network sends the reply message to the MME of the L TE network, step 509.
L the MME of the TE-U network may send the reply information to the MME of the L TE network when receiving the reply information, or of course, may send the reply information to the MME of the L TE network after the authentication of the UE is completed.
And step 510, when the MME of the L TE network receives the reply information, verifying the UE based on the reply information.
When the MME of the L TE network receives the reply information, the specific implementation manner of verifying the UE based on the reply information may refer to the implementation manner in step 410, and the embodiment of the present invention is not described again.
In the embodiment of the present invention, after the MME of the L TE network receives the authentication vector, the MME of the L TE network and the MME of the L TE-U network may send the first random number, AUTN, and the first encryption result to the UE, where the first encryption result is obtained by encrypting the MAC in the AUTN by the MME of the 3526 TE-U network, and after the UE receives the first random number, AUTN, and the first encryption result, the MME of the L TE-U network and the MME of the L TE network may simultaneously verify the UE according to the first random number, AUTN, and the first encryption result, where the second encryption result is obtained by encrypting the reply information by the UE, after that, the MME of the L TE-U network and the MME of the L TE network do not have to regenerate the random number, and the MME of the L TE-U network and the UE do not have to perform encryption, and the authentication method of the L TE-U network and the UE do not have to perform encryption on the reply information from the UE.
The two verification methods for the UE to verify the L TE-U network and the L TE network simultaneously, and then the MME of the L TE-U network and the MME of the L TE network verify the UE are described in the foregoing with reference to fig. 4 and 5, and next, the network authentication method for the UE to verify the L TE network and then verify the L TE-U network is described with reference to fig. 6.
Fig. 6 is a flowchart of a third method for performing network authentication based on an authentication vector according to an embodiment of the present invention, in the method, an MME of an L TE network first interacts with a UE through the methods in steps 601-60 based on a third basic key, expected reply information, a first random number and an AUTN to complete mutual authentication with the UE, and then, as shown in fig. 6, the method includes the following steps:
l the MME of the TE network stores the third basic key and the expected reply information in the authentication vector.
Based on the description of step 305 in the foregoing embodiment, the authentication vector may include the third basic key, the expected reply information, the first random number, and the AUTN when the third basic key, the expected reply information, the first random number, and the AUTN are included in the authentication vector, the MME of the L TE network may store the third basic key and the expected reply information in the authentication vector upon receiving the authentication vector for subsequent authentication of the UE.
L the MME of the TE network sends the first random number and AUTN to the UE.
After the MME of the L TE network stores the third basic key and the expected reply information, the MME of the L TE network may send the first random number and AUTN in the authentication vector to the MME of the L TE-U network, <tttranslation = L "&tttl &/t &tttte-U network, after receiving the first random number and AUTN, may send the first random number and AUTN to the eNB of the L TE-U network, <tttranslation & ttt translation & L &/t &ttt &tte-U network, after receiving the first random number and AUTN, the eNB of the L TE-U network may forward the first random number and AUTN to the UE.
And step 603, when the UE receives the first random number and the AUTN, verifying L the TE network based on the first random number and the AUTN.
The specific implementation manner of this step may refer to the implementation manner in step 405 in which the UE verifies the L TE network based on the first random number and the AUTN, and this embodiment of the present invention is not described again.
When the UE determines L that the TE network is verified, a reply message is generated, step 604.
The specific implementation manner of this step may refer to that in step 406, when the UE determines that the verification of the L TE network passes, the relevant description of the reply information is generated, and the embodiment of the present invention is not described again.
Step 605, the UE sends L the reply message to MME of TE network.
After the UE generates the reply information, the reply information may be sent to the MME of the L TE network via the eNB and MME of the L TE-U network.
When L the MME of the TE network receives the reply information, the UE is authenticated based on the reply information, step 606.
The specific implementation manner of this step may refer to the relevant description that the MME of the L TE network verifies the UE based on the reply information in step 410, and this embodiment of the present invention is not described again.
Step 607, when the MME of L TE network determines that the UE is verified, generating a second random number, and generating a first basic key based on the network identifier of L TE-U network and the third basic key, generating an NAS key based on the security algorithm of the UE, and encrypting the second random number by the NAS key to obtain a seventh encryption result.
As can be seen from the description in step 302, the MME of the L TE-U network adds L the network identification of the TE-U network to the first attach request, thereby generating a second attach request, and sends the second attach request to the MME of the L TE network, so that when the MME of the L TE network determines that the UE is authenticated, the first basic key can be generated based on the network identification of the L TE-U network and the third basic key.
It should be noted that, since the second attach request further includes the security algorithm of the UE, after the MME of the L TE network generates the second random number and the first basic key, the MME of the L TE network may generate the NAS key according to the security algorithm of the UE.
L the MME of the TE network sends the first basic key, the third basic key, the NAS key, the network identification of the L TE-U network, the second random number and the seventh encryption result to the MME of the L TE-U network.
Step 609, when the MME of the L TE-U network receives the first basic key, the third basic key, the NAS key, the L network identifier of the TE-U network, the second random number and the seventh encryption result, the MME encrypts the second random number through the first basic key to obtain an eighth encryption result.
L the MME of the TE-U network sends the third basic key, the NAS key, the network identification of the L TE-U network, the seventh ciphering result and the eighth ciphering result to the UE.
L the MME of the TE-U network sends the third basic key, the NAS key, the network identifier of the L TE-U network, the seventh encryption result and the eighth encryption result to the eNB of the L TE-U network, and forwards the third basic key, the NAS key, the network identifier of the L TE-U network, the seventh encryption result and the eighth encryption result to the UE through the eNB of the L TE-U network.
Step 611, when the UE receives the third basic key, the NAS key, the network identifier of L TE-U network, the seventh encryption result, and the eighth encryption result, generates a second basic key based on the third basic key and the network identifier of L TE-U network, decrypts the eighth encryption result with the second basic key to obtain a first decryption result, and decrypts the seventh encryption result with the NAS key to obtain a second decryption result.
Since the first base key is generated by the MME of the L TE network from the third base key and the network identification of the L TE-U network, to verify the authenticity of the L TE-U network, when the UE receives the third base key and the network identification of the L TE-U network, the UE may generate the second base key from the third base key and the network identification of the L TE-U network to verify whether the second base key and the first base key are the same, thereby implementing the verification of the L TE-U network.
It should be noted that, in order to prevent the information from being tampered during the process of transferring the information to the UE by the MME of the L TE-U network, the MME of the L TE-U network does not directly send the first basic key to the UE, but encrypts the second random number by using the first basic key through the method in step 609 to obtain the eighth encryption result, and sends the eighth encryption result to UE., after the UE receives the eighth encryption result, the UE may decrypt the eighth encryption result by using the second basic key to obtain the first decryption result, and decrypt the seventh encryption result by using the NAS key to obtain the second decryption result.
And step 612, the UE authenticates L the TE-U network based on the first decryption result and the second decryption result.
Since the eighth encryption result is obtained by encrypting the second random number by the MME of the L TE-U network through the first basic key, and the seventh encryption result is obtained by encrypting the second random number by the MME of the L TE network through the NAS key, after the UE decrypts the eighth encryption result by the second basic key and decrypts the seventh encryption result by the NAS key, if the first encryption result and the second encryption result are equal, it indicates that the second basic key generated by the UE is the same as the first basic key, that is, the UE may determine that the L TE-U network is authentic, and at this time, the UE may determine that the L TE-U network is authenticated.
In this embodiment of the present invention, after the MME of the L TE network receives the authentication vector, the MME of the L TE network may interact with the UE based on the third basic key, the first random number, the expected reply information, and the AUTN in the authentication vector to complete mutual authentication with the UE, and then the MME of the L TE network may generate the first basic key, the second random number to obtain the NAS key, and send the first basic key, the second random number, and the NAS key to the MME of the L TE-U network, and then the MME of the L TE-U network and the UE may perform network authentication through the first basic key, the second random number, and the NAS key.
After the network authentication method provided by the embodiment of the present invention is introduced, a network authentication system provided by the embodiment of the present invention is introduced next.
The embodiment of the invention provides a network authentication system, which comprises UE, an MME of L TE-U network, an MME of L TE network and HSS.
The MME of the L TE-U network is configured to perform steps 302 and 303 in the above embodiments;
the MME of the L TE network is configured to perform step 304 in the above embodiment;
the HSS is configured to perform steps 305 and 306 in the above embodiments;
the MME of the L TE network is used to perform step 307 in the above embodiment.
Optionally, the authentication vector includes a first basic key, expected reply information, a first random number, and an authentication flag AUTN, where the first basic key is a key corresponding to the L TE-U network;
the MME of the L TE network is specifically configured to store the expected reply information, and send the first random number, the AUTN, the network identifier of the L TE-U network, and a first encryption result to the UE through the MME of the L TE-U network, where the first encryption result is generated by the MME of the L TE-U network based on the first basic key;
the UE is configured to authenticate the L TE network based on the first random number and the AUTN and authenticate the L TE-U network based on the first random number, the AUTN, a network identification of the L TE-U network, and the first ciphering result when the first random number, the AUTN, the network identification of the L TE-U network, and the first ciphering result are received;
the UE is further configured to generate reply information and generate a second encryption result based on the first random number, the AUTN, and the network identification of the L TE-U network when it is determined that both the L TE network and the L TE-U network are verified;
the UE is further configured to send the second encryption result to the MME of the L TE-U network and send the reply information to the MME of the L TE network;
the MME of the L TE-U network is configured to authenticate the UE based on the second ciphering result when the second ciphering result is received, and to authenticate the UE based on the expected reply information and the reply information when the MME of the L TE network receives the reply information.
Optionally, the MME of the L TE network is specifically configured to:
storing the expected reply information, and sending the first basic key, the first random number and the AUTN to an MME of the L TE-U network;
the MME of the L TE-U network is further configured to, when receiving the first basic key, the first random number, and the AUTN, store the first basic key, generate a first encryption result based on the first basic key, and send the first random number, the AUTN, the network identifier of the L TE-U network, and the first encryption result to the UE.
Optionally, the MME of the L TE-U network is specifically configured to:
generating a second random number, and encrypting the second random number through the first basic key to obtain the first encryption result;
and sending the first random number, the AUTN, the network identifier of the L TE-U network, the first encryption result and the second random number to the UE.
Optionally, the AUTN includes a message authentication code MAC;
the UE is specifically configured to:
generating an expected message authentication code (XMAC) based on the first random number and other parameters except the MAC in the AUTN;
if the XMAC and the MAC are the same, determining that the L TE network is authenticated.
Optionally, the UE is specifically configured to:
generating a second basic key according to the network identifier of the L TE-U network, the first random number and the AUTN;
encrypting the second random number through the second basic key to obtain a third encryption result;
determining that the L TE-U network is authenticated if the first encryption result is equal to the third encryption result.
Optionally, the UE is specifically configured to:
generating a third random number, and integrally encrypting the second random number and the third random number through the second basic key to obtain a second encryption result;
sending the second encryption result and the third random number to an MME of the L TE-U network;
correspondingly, the MME of the L TE-U network is specifically configured to:
integrally encrypting the second random number and the third random number through the stored first basic key to obtain a fourth encryption result;
and if the second encryption result and the fourth encryption result are equal, determining that the UE is verified.
Optionally, the MME of the L TE network is specifically configured to:
storing the expected reply information, and sending the first basic key, the expected reply information, the first random number and the AUTN to an MME of the L TE-U network;
the MME of the L TE-U network is configured to, when receiving the first basic key, the expected reply information, the first random number, and the AUTN, store the first basic key and the expected reply information, generate a first encryption result based on the first basic key, and send the first random number, the AUTN, the network identifier of the L TE-U network, and the first encryption result to the UE.
Optionally, the AUTN comprises a MAC;
the MME of the L TE-U network is specifically configured to:
and encrypting the MAC through the first basic key to obtain the first encryption result.
Optionally, the UE is specifically configured to:
generating a second basic key according to the network identifier of the L TE-U network, the first random number and the AUTN;
encrypting the MAC through the second basic key to obtain a fifth encryption result;
determining that the L TE-U network is authenticated if the first encryption result is equal to the fifth encryption result.
Optionally, the UE is specifically configured to:
encrypting the reply information through the second basic key to obtain a second encryption result;
correspondingly, the MME of the L TE-U network is specifically configured to:
encrypting the reply information through the stored first basic key to obtain a sixth encryption result;
determining that authentication of the UE is passed if the expected reply information stored by the MME of the L TE-U network is the same as the reply information and the sixth encryption result is equal to the second encryption result.
Optionally, the second attach request carries a security algorithm of the UE, the authentication vector includes a third basic key, expected reply information, a first random number, and an authentication flag AUTN, and the third basic key is a key corresponding to the L TE network;
the MME of the L TE network is specifically configured to interact with the UE based on the third basic key, the expected reply information, the first random number, and the AUTN to implement authentication of the UE to the L TE network and authentication of the UE to the MME of the L TE network;
the MME of the L TE network is further to generate a second random number when authentication of the UE is determined to be passed, and generate a first base key based on the network identification of the L TE-U network and the third base key;
the MME of the L TE network is further configured to generate a non-access stratum NAS key based on the security algorithm of the UE, and encrypt the second random number by using the NAS key to obtain a seventh encryption result;
the MME of the L TE network is further to send the first base key, the third base key, the NAS key, the network identification of the L TE-U network, the second random number, and the seventh ciphering result to the MME of the L TE-U network;
the MME of the L TE-U network is specifically configured to encrypt the second random number by using the first basic key to obtain an eighth encryption result, and send the third basic key, the NAS key, the network identifier of the L TE-U network, the seventh encryption result, and the eighth encryption result to the UE;
the UE is specifically configured to generate a second basic key based on the third basic key and the network identifier of the L TE-U network, decrypt the eighth encryption result by using the second basic key to obtain a first decryption result, and decrypt the seventh encryption result by using the NAS key to obtain a second decryption result;
the UE is further configured to determine that the L TE-U network is authenticated if the first decryption result and the second decryption result are the same.
To sum up, in the embodiment of the present invention, for a UE that is not accessed to an operator network, when the UE accesses to the L TE-U network, a first attach request may be sent to the MME of the L TE-U network, when the MME of the L TE-U network receives the first attach request, a network identifier of the L TE-U network may be added to the first attach request, thereby generating a second attach request, and sending the second attach request to the MME of the L TE network, &l &ttt translation = L &l &/t &tt &te network's MME generates an authentication data request based on the second attach request, to request an authentication vector from the HSS, when the HSS receives the authentication data request, an authentication vector is generated based on the authentication data request, and sent to the MME of the L TE network, and then the MME of the L TE network may bring about interaction with the UE and the TE network according to the received authentication vector, so that the authentication network is easily accessible by the operator network when the UE accesses to the network, the embodiment of the invention may be implemented by the network, thereby providing a convenient for the UE to the TE-U network and the TE network.
It should be noted that: the network authentication system provided in the foregoing embodiment is only illustrated by dividing the functional modules when performing network authentication, and in practical applications, the functions may be distributed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above. In addition, the embodiments of the network authentication system and the network authentication method provided by the above embodiments belong to the same concept, and the specific implementation process thereof is detailed in the embodiments of the methods, which is not described herein again.
The computer instructions may be stored in or transmitted from one computer-readable storage medium to another computer-readable storage medium, e.g., from one website, computer, server, or data center via a wired (e.g., coaxial cable, fiber optic, Digital Subscriber line (Digital Subscriber line L ine, DS L)) or wireless (e.g., infrared, wireless, microwave, etc.) manner to transmit to another website, computer, server, or data center via a wired (e.g., Digital Subscriber line (DVD), DS L)) or wireless (e.g., infrared, wireless, microwave, etc.), may be any available media such as a Solid State Disk (DVD), or optical Disk (SSD), a Solid State Disk (DVD), or optical Disk (optical Disk), a Solid State Disk (optical Disk), or optical Disk).
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above-mentioned embodiments are provided not to limit the present application, and any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.
Claims (24)
1. A method of network authentication, the method comprising:
when a Mobile Management Entity (MME) of an unlicensed L TE-U network based on long term evolution receives a first attachment request from User Equipment (UE), adding a network identifier of the L TE-U network in the first attachment request to generate a second attachment request, and sending the second attachment request to an MME of a L TE network;
when the MME of the L TE network receives the second attach request, sending an authentication data request to a home subscriber server HSS based on the second attach request, where the authentication data request carries a network identifier of the L TE-U network and a network identifier of the L TE network;
when the HSS receives the authentication data request, generating an authentication vector based on a network identification of the L TE-U network and a network identification of the L TE network, and sending the authentication vector to an MME of the L TE network, the authentication vector including parameters for authenticating the UE, the L TE-U network, and the L TE network;
when the authentication vector is received by the MME of the L TE network, interacting with the UE and the MME of the L TE-U network based on the authentication vector to enable network authentication between the UE and the L TE network and between the UE and the L TE-U network.
2. The method of claim 1, wherein the authentication vector comprises a first basic key, expected reply information, a first random number and an authentication flag AUTN, and the first basic key is a key corresponding to the L TE-U network;
the interacting with the UE and the MME of the L TE-U network based on the authentication vector to realize network authentication comprises:
the MME of the L TE network storing the expected reply information and sending the first random number, the AUTN, the network identification of the L TE-U network, and a first ciphering result to the UE by the MME of the L TE-U network, the first ciphering result being generated by the MME of the L TE-U network based on the first base key;
when the UE receives the first random number, the AUTN, the L TE-U network identification, and the first ciphering result, authenticating the L TE network based on the first random number and the AUTN, and authenticating the L TE-U network based on the first random number, the AUTN, the L TE-U network identification, and the first ciphering result;
generating reply information and generating a second encryption result based on the first random number, the AUTN, and a network identification of the L TE-U network when the UE determines that both the L TE network and the L TE-U network are verified;
the UE sends the second encryption result to the MME of the L TE-U network and sends the reply information to the MME of the L TE network;
authenticating the UE based on the second ciphering result when the second ciphering result is received by the MME of the L TE-U network, and authenticating the UE based on the expected reply information and the reply information when the reply information is received by the MME of the L TE network.
3. The method of claim 2, wherein the L MME of the TE network sending the first random number, the AUTN, and a first ciphering result to the UE through the MME of the L TE-U network comprises:
the MME of the L TE network stores the expected reply information and sends the first basic key, the first random number and the AUTN to the MME of the L TE-U network;
when the MME of the L TE-U network receives the first basic key, the first random number and the AUTN, the MME stores the first basic key, generates a first encryption result based on the first basic key, and sends the first random number, the AUTN, the network identifier of the L TE-U network and the first encryption result to the UE.
4. The method of claim 3, wherein the generating a first encryption result based on the first base key comprises:
the MME of the L TE-U network generates a second random number, and encrypts the second random number through the first basic key to obtain the first encryption result;
accordingly, the sending the first random number, the AUTN, the network identification of the L TE-U network, and the first encryption result to the UE includes:
the MME of the L TE-U network sends the first random number, the AUTN, the network identification of the L TE-U network, the first encryption result and the second random number to the UE.
5. The method of claim 3 or 4, wherein the AUTN comprises a message authentication code MAC;
the UE authenticating the L TE network based on the first nonce and the AUTN, including:
the UE generates an expected message authentication code (XMAC) based on the first random number and other parameters except the MAC in the AUTN;
if the XMAC and the MAC are the same, the UE determines that the L TE network is authenticated.
6. The method of claim 4, wherein the UE authenticating the L TE-U network based on the first nonce, the AUTN, the L TE-U network's network identification, and the first ciphering result, comprising:
the UE generates a second basic key according to the network identifier of the L TE-U network, the first random number and the AUTN;
the UE encrypts the second random number through the second basic key to obtain a third encryption result;
if the first encryption result is equal to the third encryption result, the UE determines that the L TE-U network is authenticated.
7. The method of claim 6, wherein the generating a second encryption result based on the first random number, the AUTN, and a network identification of the L TE-U network comprises:
the UE generates a third random number, and integrally encrypts the second random number and the third random number through the second basic key to obtain a second encryption result;
accordingly, the UE sending the second ciphering result to the MME of the L TE-U network, including:
the UE sends the second encryption result and the third random number to an MME of the L TE-U network;
accordingly, the L MME of the TE-U network authenticating the UE based on the second ciphering result includes:
the MME of the L TE-U network integrally encrypts the second random number and the third random number through the stored first basic key to obtain a fourth encryption result;
the MME of the L TE-U network determines that the UE is authenticated if the second ciphering result and the fourth ciphering result are equal.
8. The method of claim 1, wherein the authentication vector comprises a first basic key, expected reply information, a first random number and an authentication flag AUTN, and the first basic key is a key corresponding to the L TE-U network;
the interacting with the UE and the MME of the L TE-U network based on the authentication vector to enable network authentication between the UE and the L TE network and between the UE and the L TE-U network comprises:
the MME of the L TE network stores the expected reply information and sends the first basic key, the expected reply information, the first random number and the AUTN to the MME of the L TE-U network;
when the MME of the L TE-U network receives the first basic key, the expected reply information, the first random number and the AUTN, storing the first basic key and the expected reply information, generating a first encryption result based on the first basic key, and sending the first random number, the AUTN, the network identifier of the L TE-U network and the first encryption result to the UE;
when the UE receives the first random number, the AUTN, the L TE-U network identification, and the first ciphering result, authenticating the L TE network based on the first random number and the AUTN, and authenticating the L TE-U network based on the first random number, the AUTN, the L TE-U network identification, and the first ciphering result;
generating reply information and generating a second encryption result based on the first random number, the AUTN, and a network identification of the L TE-U network when the UE determines that both the L TE network and the L TE-U network are verified;
the UE sends the second encryption result and the reply information to an MME of the L TE-U network and sends the reply information to an MME of the L TE network;
authenticating the UE based on the reply information and the second ciphering result when the MME of the L TE-U network receives the second ciphering result and the reply information, and authenticating the UE based on the expected reply information and the reply information when the MME of the L TE network receives the reply information.
9. The method of claim 2 or 8, wherein the AUTN comprises a MAC;
the generating a first encryption result based on the first base key comprises:
and the MME of the L TE-U network encrypts the MAC through the first basic key to obtain the first encryption result.
10. The method of claim 9, wherein the UE authenticating the L TE-U network based on the first nonce, the AUTN, the L TE-U network's network identification, and the first ciphering result, comprising:
the UE generates a second basic key according to the network identifier of the L TE-U network, the first random number and the AUTN;
the UE encrypts the MAC through the second basic key to obtain a fifth encryption result;
if the first encryption result is equal to the fifth encryption result, the UE determines that the L TE-U network is authenticated.
11. The method of claim 10, wherein the generating a second encryption result based on the first random number, the AUTN, and a network identification of the L TE-U network comprises:
the UE encrypts the reply information through the second basic key to obtain a second encryption result;
accordingly, the L MME of the TE-U network authenticating the UE based on the second ciphering result includes:
the MME of the L TE-U network encrypts the reply information through the stored first basic key to obtain a sixth encryption result;
if the expected reply information stored by the MME of the L TE-U network is the same as the reply information and the sixth encryption result is equal to the second encryption result, the MME of the L TE-U network determines that the UE is authenticated.
12. The method of claim 1, wherein the second attach request carries a security algorithm of the UE, the authentication vector includes a third basic key, expected reply information, a first random number, and an authentication flag AUTN, and the third basic key is a key corresponding to the L TE network;
the interacting with the UE and the MME of the L TE-U network based on the authentication vector to realize network authentication comprises:
the MME of the L TE network interacting with the UE based on the third base key, the expected reply information, the first random number, and the AUTN to enable authentication of the UE to the L TE network and authentication of the UE to the MME of the L TE network;
generating a second random number when the MME of the L TE network determines that the authentication of the UE passes, and generating a first basic key based on the network identification of the L TE-U network and the third basic key;
the MME of the L TE network generates a non-access stratum (NAS) key based on the security algorithm of the UE, and encrypts the second random number through the NAS key to obtain a seventh encryption result;
the MME of the L TE network sending the first base key, the third base key, the NAS key, the network identification of the L TE-U network, the second random number, and the seventh ciphering result to the MME of the L TE-U network;
the MME of the L TE-U network encrypts the second random number through the first basic key to obtain an eighth encryption result, and sends the third basic key, the NAS key, the network identifier of the L TE-U network, the seventh encryption result and the eighth encryption result to the UE;
the UE generates a second basic key based on the third basic key and the network identifier of the L TE-U network, decrypts the eighth encryption result through the second basic key to obtain a first decryption result, and decrypts a seventh encryption result through the NAS key to obtain a second decryption result;
if the first decryption result and the second decryption result are the same, the UE determines that the L TE-U network is authenticated.
13. A network authentication system, the system comprising:
the mobile management entity MME of the unlicensed L TE-U network based on the long term evolution is used for adding a network identifier of the L TE-U network in a first attachment request to generate a second attachment request when the first attachment request is received from user equipment UE, and sending the second attachment request to the MME of the L TE network;
the MME of the L TE network is configured to send, when the second attach request is received, an authentication data request to a home subscriber server HSS based on the second attach request, where the authentication data request carries a network identifier of the L TE-U network and a network identifier of the L TE network;
the HSS to, upon receiving the authentication data request, generate an authentication vector based on a network identification of the L TE-U network and a network identification of the L TE network and send the authentication vector to an MME of the L TE network, the authentication vector including parameters for authenticating the UE, the L TE-U network, and the L TE network;
the MME of the L TE network, configured to interact with the UE and the MME of the L TE-U network based on the authentication vector when receiving the authentication vector, to implement network authentication between the UE and the L TE network and network authentication between the UE and the L TE-U network.
14. The system of claim 13, wherein the authentication vector comprises a first basic key, expected reply information, a first random number and an authentication flag AUTN, the first basic key being a key corresponding to the L TE-U network;
the MME of the L TE network is specifically configured to store the expected reply information, and send the first random number, the AUTN, the network identifier of the L TE-U network, and a first encryption result to the UE through the MME of the L TE-U network, where the first encryption result is generated by the MME of the L TE-U network based on the first basic key;
the UE is configured to authenticate the L TE network based on the first random number and the AUTN and authenticate the L TE-U network based on the first random number, the AUTN, a network identification of the L TE-U network, and the first ciphering result when the first random number, the AUTN, the network identification of the L TE-U network, and the first ciphering result are received;
the UE is further configured to generate reply information and generate a second encryption result based on the first random number, the AUTN, and the network identification of the L TE-U network when it is determined that both the L TE network and the L TE-U network are verified;
the UE is further configured to send the second encryption result to the MME of the L TE-U network and send the reply information to the MME of the L TE network;
the MME of the L TE-U network is configured to authenticate the UE based on the second ciphering result when the second ciphering result is received, and to authenticate the UE based on the expected reply information and the reply information when the MME of the L TE network receives the reply information.
15. The system of claim 14, wherein the MME of the L TE network is specifically configured to:
storing the expected reply information, and sending the first basic key, the first random number and the AUTN to an MME of the L TE-U network;
the MME of the L TE-U network is further configured to, when receiving the first basic key, the first random number, and the AUTN, store the first basic key, generate a first encryption result based on the first basic key, and send the first random number, the AUTN, the network identifier of the L TE-U network, and the first encryption result to the UE.
16. The system of claim 15, wherein the MME of the L TE-U network is specifically configured to:
generating a second random number, and encrypting the second random number through the first basic key to obtain the first encryption result;
and sending the first random number, the AUTN, the network identifier of the L TE-U network, the first encryption result and the second random number to the UE.
17. The system of claim 15 or 16, wherein the AUTN comprises a message authentication code MAC;
the UE is specifically configured to:
generating an expected message authentication code (XMAC) based on the first random number and other parameters except the MAC in the AUTN;
if the XMAC and the MAC are the same, the authentication to the L TE network passes.
18. The system of claim 16, wherein the UE is specifically configured to:
generating a second basic key according to the network identifier of the L TE-U network, the first random number and the AUTN;
encrypting the second random number through the second basic key to obtain a third encryption result;
determining that the L TE-U network is authenticated if the first encryption result is equal to the third encryption result.
19. The system of claim 18, wherein the UE is specifically configured to:
generating a third random number, and integrally encrypting the second random number and the third random number through the second basic key to obtain a second encryption result;
sending the second encryption result and the third random number to an MME of the L TE-U network;
correspondingly, the MME of the L TE-U network is specifically configured to:
integrally encrypting the second random number and the third random number through the stored first basic key to obtain a fourth encryption result;
and if the second encryption result and the fourth encryption result are equal, determining that the UE is verified.
20. The system of claim 14, wherein the authentication vector comprises a first basic key, expected reply information, a first random number and an authentication flag AUTN, and the first basic key is a key corresponding to the L TE-U network;
the MME of the L TE network is used for storing the expected reply information and sending the first basic key, the expected reply information, the first random number and the AUTN to the MME of the L TE-U network;
the MME of the L TE-U network is configured to, when receiving the first basic key, the expected reply information, the first random number, and the AUTN, store the first basic key and the expected reply information, generate a first encryption result based on the first basic key, and send the first random number, the AUTN, the network identifier of the L TE-U network, and the first encryption result to the UE;
the UE is configured to authenticate the L TE network based on the first random number and the AUTN and authenticate the L TE-U network based on the first random number, the AUTN, a network identification of the L TE-U network, and the first ciphering result when the first random number, the AUTN, the network identification of the L TE-U network, and the first ciphering result are received;
the UE is further configured to generate reply information and generate a second encryption result based on the first random number, the AUTN, and the network identification of the L TE-U network when it is determined that both the L TE network and the L TE-U network are verified;
the UE is further configured to send the second encryption result and the reply information to an MME of the L TE-U network and send the reply information to an MME of the L TE network;
the MME of the L TE-U network is further to authenticate the UE based on the reply information and the second ciphering result when the second ciphering result and the reply information are received;
the MME of the L TE network is further to authenticate the UE based on the expected reply information and the reply information when the reply information is received.
21. The system of claim 14 or 20, wherein the AUTN comprises a MAC;
the MME of the L TE-U network is specifically configured to:
and encrypting the MAC through the first basic key to obtain the first encryption result.
22. The system of claim 21, wherein the UE is specifically configured to:
generating a second basic key according to the network identifier of the L TE-U network, the first random number and the AUTN;
encrypting the MAC through the second basic key to obtain a fifth encryption result;
determining that the L TE-U network is authenticated if the first encryption result is equal to the fifth encryption result.
23. The system of claim 22, wherein the UE is specifically configured to:
encrypting the reply information through the second basic key to obtain a second encryption result;
correspondingly, the MME of the L TE-U network is specifically configured to:
encrypting the reply information through the stored first basic key to obtain a sixth encryption result;
determining that authentication of the UE is passed if the expected reply information stored by the MME of the L TE-U network is the same as the reply information and the sixth encryption result is equal to the second encryption result.
24. The system according to claim 13, wherein the second attach request carries a security algorithm of the UE, the authentication vector includes a third basic key, expected reply information, a first random number, and an authentication token AUTN, and the third basic key is a key corresponding to the L TE network;
the MME of the L TE network is specifically configured to interact with the UE based on the third basic key, the expected reply information, the first random number, and the AUTN to implement authentication of the UE to the L TE network and authentication of the UE to the MME of the L TE network;
the MME of the L TE network is further to generate a second random number when authentication of the UE is determined to be passed, and generate a first base key based on the network identification of the L TE-U network and the third base key;
the MME of the L TE network is further configured to generate a non-access stratum NAS key based on the security algorithm of the UE, and encrypt the second random number by using the NAS key to obtain a seventh encryption result;
the MME of the L TE network is further to send the first base key, the third base key, the NAS key, the network identification of the L TE-U network, the second random number, and the seventh ciphering result to the MME of the L TE-U network;
the MME of the L TE-U network is specifically configured to encrypt the second random number by using the first basic key to obtain an eighth encryption result, and send the third basic key, the NAS key, the network identifier of the L TE-U network, the seventh encryption result, and the eighth encryption result to the UE;
the UE is specifically configured to generate a second basic key based on the third basic key and the network identifier of the L TE-U network, decrypt the eighth encryption result by using the second basic key to obtain a first decryption result, and decrypt the seventh encryption result by using the NAS key to obtain a second decryption result;
the UE is further configured to determine that the L TE-U network is authenticated if the first decryption result and the second decryption result are the same.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710510229.3A CN109151816B (en) | 2017-06-28 | 2017-06-28 | Network authentication method and system |
| PCT/CN2018/093319 WO2019001509A1 (en) | 2017-06-28 | 2018-06-28 | Network authentication method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710510229.3A CN109151816B (en) | 2017-06-28 | 2017-06-28 | Network authentication method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109151816A CN109151816A (en) | 2019-01-04 |
| CN109151816B true CN109151816B (en) | 2020-08-07 |
Family
ID=64741115
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710510229.3A Expired - Fee Related CN109151816B (en) | 2017-06-28 | 2017-06-28 | Network authentication method and system |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN109151816B (en) |
| WO (1) | WO2019001509A1 (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2016074707A1 (en) * | 2014-11-12 | 2016-05-19 | Nokia Solutions And Networks Oy | Method, apparatus and system |
| WO2016136647A1 (en) * | 2015-02-25 | 2016-09-01 | 京セラ株式会社 | Network device and user terminal |
| CN106465242A (en) * | 2014-05-06 | 2017-02-22 | 高通股份有限公司 | Techniques for network selection in unlicensed frequency bands |
| CN106470382A (en) * | 2015-08-14 | 2017-03-01 | 中兴通讯股份有限公司 | Authority checking method, configuration information method of reseptance, device, base station and terminal |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9942762B2 (en) * | 2014-03-28 | 2018-04-10 | Qualcomm Incorporated | Provisioning credentials in wireless communications |
| CN106455065A (en) * | 2015-08-06 | 2017-02-22 | 阿尔卡特朗讯 | Method and device to control the use of unauthorized frequency band |
| CN106888482B (en) * | 2015-12-15 | 2020-04-07 | 展讯通信(上海)有限公司 | Terminal, LTE-U base station and communication method thereof |
| CN106851662B (en) * | 2017-01-18 | 2019-11-19 | 京信通信系统(中国)有限公司 | A kind of unlicensed spectrum resource allocation methods and device |
-
2017
- 2017-06-28 CN CN201710510229.3A patent/CN109151816B/en not_active Expired - Fee Related
-
2018
- 2018-06-28 WO PCT/CN2018/093319 patent/WO2019001509A1/en active Application Filing
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106465242A (en) * | 2014-05-06 | 2017-02-22 | 高通股份有限公司 | Techniques for network selection in unlicensed frequency bands |
| WO2016074707A1 (en) * | 2014-11-12 | 2016-05-19 | Nokia Solutions And Networks Oy | Method, apparatus and system |
| WO2016136647A1 (en) * | 2015-02-25 | 2016-09-01 | 京セラ株式会社 | Network device and user terminal |
| CN106470382A (en) * | 2015-08-14 | 2017-03-01 | 中兴通讯股份有限公司 | Authority checking method, configuration information method of reseptance, device, base station and terminal |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109151816A (en) | 2019-01-04 |
| WO2019001509A1 (en) | 2019-01-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10187202B2 (en) | Key agreement for wireless communication | |
| US10638321B2 (en) | Wireless network connection method and apparatus, and storage medium | |
| KR102024653B1 (en) | Access Methods, Devices, and Systems for User Equipment (UE) | |
| KR101648158B1 (en) | Wireless communication using concurrent re-authentication and connection setup | |
| CN113225176B (en) | Key obtaining method and device | |
| US9088408B2 (en) | Key agreement using a key derivation key | |
| US9608971B2 (en) | Method and apparatus for using a bootstrapping protocol to secure communication between a terminal and cooperating servers | |
| CN108012266B (en) | Data transmission method and related equipment | |
| US8819415B2 (en) | Method and device for authenticating personal network entity | |
| CN103188229A (en) | Method and equipment for secure content access | |
| CN110831002B (en) | Method and device for key deduction and computing storage medium | |
| CN103024735A (en) | Method and equipment for service access of card-free terminal | |
| JP7231010B2 (en) | CONTROL DEVICE, WIRELESS COMMUNICATION SYSTEM, CONTROL METHOD AND PROGRAM | |
| US8972729B2 (en) | Secure information delivery | |
| CN109151816B (en) | Network authentication method and system | |
| CN112637169B (en) | Passive NFC cloud lock encryption method | |
| CN109155913B (en) | Network connection method, and method and device for determining security node | |
| WO2019024937A1 (en) | Key negotiation method, apparatus and system | |
| CN105721403B (en) | For providing the method, equipment and system of wireless network resource | |
| CN117098111A (en) | Registration method and device of user equipment, computer readable medium and electronic equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20200807 Termination date: 20210628 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |