WO2007022717A1 - A verifying method for ranging request and the wireless access network - Google Patents


Info

Publication number
WO2007022717A1
Authority
WO
WIPO (PCT)
Prior art keywords
base station
authentication key
target base
authenticator
user terminal
Prior art date
Application number
PCT/CN2006/002150
Other languages
French (fr)
Chinese (zh)
Inventor
Jianjun Wu
Zhengfei Xiao
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2007022717A1

Classifications

    • H: Electricity > H04: Electric communication technique > H04M: Telephonic communication > H04M 11/00: Telephonic communication systems specially adapted for combination with other electrical systems > H04M 11/002: ... with telemetering systems
    • H: Electricity > H04: Electric communication technique > H04L: Transmission of digital information, e.g. telegraphic communication > H04L 63/00: Network architectures or network communication protocols for network security > H04L 63/08: ... for authentication of entities
    • H: Electricity > H04: Electric communication technique > H04W: Wireless communication networks > H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06: Authentication > H04W 12/069: Authentication using certificates or pre-shared keys
    • H: Electricity > H04: Electric communication technique > H04W: Wireless communication networks > H04W 64/00: Locating users or terminals or network equipment for network management purposes, e.g. mobility management

Definitions

  • the present invention relates to the field of communications, and in particular to a method for verifying a ranging request in the cross-Authenticator case (the Authenticator holding the terminal's key information is not the one the target base station belongs to) and to a wireless access network.

Background art

  • FIG. 1 shows a schematic diagram of a secure network architecture system of a wireless access network in the prior art.
  • the following network elements are mainly involved in the security architecture of the radio access network: the MSS, the BS, the Authenticator and the Authentication Server.
  • the main functions of the MSS in the security architecture are to initiate authentication, to exchange with the Authentication Server the information required to generate a root key, to generate the root key, and to derive the data encryption keys for the air interface from the root key.
  • the function of the BS in this security architecture is to provide the secure channel between the Authenticator and the MSS.
  • the main function of the Authenticator in this security architecture is to authenticate, authorize and charge the MSS.
  • the main functions of the Authentication Server include: authenticating, authorizing and billing the MSS; generating root key information and distributing it to the Authenticator; and promptly notifying the Authenticator and other network elements when user information changes.
  • data transmitted over the air interface can be securely transmitted by encryption, and management messages transmitted over the air interface can also be securely transmitted by using a Message Authentication Code (MAC) for consistency check.
  • MAC Message Authentication Code
  • HMAC Hash Message Authentication Code
  • CMAC Cipher based Message Authentication Code
  • when the MSS moves into the coverage of the target BS, after synchronizing with the target BS and obtaining the uplink and downlink parameters of the air interface, it performs the ranging process and notifies the target BS, by sending an RNG-REQ, that it has moved to and accessed the target BS. (In the handover case the MSS then communicates with the peer user through the target BS; in idle mode, the MSS likewise notifies the BS that it has moved to and accessed the target BS.)
  • in idle mode the target BS notifies the paging controller that the MSS has updated its location, so that the paging controller updates the location information of the MSS in time and the MSS can correctly receive messages/data through the target BS when it is paged.
  • generally, to protect the consistency of this air interface management message, the MSS appends an HMAC/CMAC to it so that the BS can perform the consistency check. Once the consistency check passes, the process of re-authentication and re-authorization can be omitted.
  • to perform the consistency check, the BS needs to obtain the AK. As described above, the AK has to be regenerated on the Authenticator from the key information stored there and the information of the target BS. Two cases can then arise:
  • the Authenticator to which the target BS belongs stores key information of the MSS.
  • the Authenticator to which the target BS belongs does not have the key information of the MSS, and the key information of the MSS is stored in the original Authenticator.
  • the MSS moves from the original BS to the target BS, synchronizes with the target BS, receives the uplink and downlink air interface resource allocation parameters of the target BS, and then sends the RNG-REQ, with HMAC information attached, to the target BS;
  • the target BS sends an AK_Request to the service Authenticator to which it belongs; the request includes the identifiers of the MSS and the target BS, and the message body and HMAC of the ranging request;
  • the service Authenticator asks the original Authenticator to generate the air interface key AK for the target BS, forwarding to it the identifiers of the MSS and the target BS, and the message body and HMAC of the ranging request;
  • the original Authenticator generates the air interface key AK for the target BS from the identifiers of the MSS and the target BS and the stored key information of the MSS, and uses the AK to perform the consistency check on the message body and HMAC of the ranging request. After the check passes, the AK, the corresponding AKID, the life cycle of the AK and other key information (such as the EIK) are sent to the target BS through the service Authenticator;
  • the target BS obtains the air interface key AK and analyzes and processes the content of the RNG-REQ.
  • the AK can then be used to check received management messages of the MSS that carry an HMAC, an HMAC can be added to management messages sent to the MSS so that the peer can check their consistency, and the AK can also be used to generate the encryption key on the data path, which ensures the confidentiality of the session traffic over the air interface.
  • the entire RNG-REQ message body and the HMAC are sent to the original Authenticator through the service Authenticator; this extra content increases the signaling overhead on the internal interface of the network;
  • the message sent by the BS to the service Authenticator contains no information about the original Authenticator, so the service Authenticator cannot forward the message to the original Authenticator effectively and correctly.
  • the whole process therefore has shortcomings and needs to be improved.

Summary of the invention

  • the invention provides a method for verifying the ranging request and a wireless access network, which solves the problem that the existing process is unreasonable and wastes the signaling overhead of the internal interface of the network.
  • the method of the invention comprises:
  • a method for verifying a ranging request includes the following steps:
  • the user terminal sends a ranging request to the target base station
  • the target base station obtains an authentication key and verifies the ranging request according to the authentication key.
  • the step of the user terminal sending a ranging request to the target base station further includes:
  • the user terminal synchronizes with the target base station and receives the uplink and downlink air interface resource allocation parameters of the target base station.
  • in the step of the user terminal sending a ranging request to the target base station, the ranging request carries a message authentication code.
  • the message authentication code is a hash message authentication code (HMAC) or a cipher-based message authentication code (CMAC).
  • the step of the target base station acquiring the authentication key includes:
  • the target base station sends an authentication key request to the service authenticator; the authentication key request includes the user terminal information and the original authenticator location information;
  • the original authenticator interacts with the service authenticator, exchanging the user terminal and target base station identification information, and generates an authentication key of the user terminal for the target base station.
  • the original authenticator location information may be the original authenticator identification information or the original base station identification information. If it is the original base station identification information, the method further includes looking up the original authenticator from the original base station identification information.
  • the step of the original authenticator and the service authenticator interacting with the user terminal and the target base station identification information, and generating the authentication key of the user terminal for the target base station further includes:
  • the service authenticator sends an authentication key application request to the original authenticator, where the identifier of the user terminal and the target base station is included;
  • the original authenticator generates an authentication key and related information of the user terminal for the target base station according to the identifiers of the user terminal and the target base station and the key information stored by the original authenticator;
  • the service authenticator sends the authentication key and related information to the target base station.
  • the step of the original authenticator and the service authenticator interacting with the user terminal and the target base station identification information, and generating the authentication key of the user terminal for the target base station further includes:
  • the service authenticator sends a key application request to the original authenticator, which includes the identifier of the user terminal; the original authenticator sends the stored key information of the user terminal to the service authenticator, and the service authenticator according to the user terminal and The identifier of the target base station and the key information of the user terminal generate an authentication key and related information of the user terminal for the target base station;
  • the service authenticator sends the authentication key and related information to the target base station.
  • the step in which the target base station obtains an authentication key and verifies the ranging request further includes:
  • the target base station sends an authentication key request to the service authenticator to which it belongs, where the authentication key request includes the identifiers of the user terminal and the paging controller;
  • the paging controller interacts with the service authenticator to identify the user terminal and the target base station identity information, and generates an authentication key of the user terminal for the target base station.
  • in the step in which the target base station obtains the authentication key and verifies the ranging request, if the service authenticator to which the target base station belongs holds the key information of the user terminal, the target base station directly uses the authentication key information it provides to verify the ranging request.
  • the target base station obtains an authentication key, and performs a verification step on the ranging request, and further includes:
  • the target base station sends an authentication key request to the service authenticator, where the authentication key request includes the user terminal information;
  • the service authenticator generates an authentication key and related information of the user terminal for the target base station according to the user terminal identifier and the target base station identifier.
  • the step of obtaining the authentication key by the target base station further includes:
  • the target base station sends an authentication key request to the original authenticator, where the authentication key request includes user terminal information;
  • the original authenticator generates an authentication key for the target base station and transmits the authentication key to the target base station.
  • the authentication key related information includes an authentication key identifier, an activation period of the authentication key, and key information.
  • the method further includes the steps of:
  • the target base station constructs a ranging request response and an additional message authentication code therein and transmits it to the user terminal.
  • the method further includes the steps of:
  • the target base station uses the authentication key to check the received management message of the user terminal.
  • the method further includes the steps of:
  • An encryption key is generated by the authentication key.
  • a radio access network comprising a user terminal, an original base station that the user terminal accesses, an original authenticator storing key information of the user terminal, a target base station for the user terminal after it moves, a service authenticator connected to the target base station, and an authentication server
  • the user terminal is configured with:
  • a ranging request sending unit configured to send a ranging request to the target base station
  • the target base station is configured with:
  • An authentication key obtaining unit configured to obtain an authentication key
  • a verification unit configured to verify the ranging request.
  • the user terminal is further configured to:
  • a synchronization unit configured to synchronize with the target base station.
  • the authentication key obtaining unit is further provided with:
  • the authentication key request sending unit is configured to send an authentication key request to the service authenticator, where the authentication key request includes the user terminal and the original authenticator location information;
  • the original authenticator interacts with the service authenticator to identify the user terminal and the target base station identification information, and generates an authentication key of the user terminal for the target base station.
  • the service authenticator is further provided with: an authentication key application request sending unit, configured to send an authentication key application request to the original authenticator, which includes the identifiers of the user terminal and the target base station;
  • the original authenticator is further provided with:
  • the authentication key and related information generating unit is configured to generate an authentication key and related information of the user terminal for the target base station according to the identifiers of the user terminal and the target base station and the key information stored by the original authenticator;
  • the authentication key and related information sending unit is configured to send the authentication key and related information to the target base station.
  • the target base station is further configured to:
  • An authentication key request sending unit configured to send an authentication key request to the original authenticator, where the authentication key request includes user terminal information
  • the original authenticator is further provided with:
  • An authentication key sending unit is configured to send the authentication key to the target base station.
  • the target base station is further configured to:
  • a ranging request response generating unit configured to construct a ranging request response and an additional message authentication code
  • a ranging request response sending unit configured to send the ranging request response to the user terminal.
  • the solution of the present invention proposes a consistency check for RNG-REQ and a scheme for checking the consistency of subsequent management messages.
  • the improved scheme reduces the signaling overhead inside the network and ensures that the key application message is forwarded effectively and correctly between the target BS and the Authenticator that stores the MSS key information, so that the target BS finally obtains the AK, analyzes and processes the content of the RNG-REQ, and constructs the response RNG-RSP with an attached HMAC/CMAC.
  • the AK can be used to check received management messages of the MSS that carry an HMAC/CMAC, an HMAC/CMAC can be added to management messages sent to the MSS so that the peer can check their consistency, and the AK can also be used to generate the encryption key on the data path, which ensures the confidentiality of the session traffic over the air interface.
  • FIG. 1 is a schematic diagram of a security network architecture system of a radio access network in the prior art;
  • FIG. 2 is a schematic diagram of the prior-art verification process when a ranging request received by the target BS carries a message authentication code (MAC) in the cross-Authenticator case;
  • MAC message authentication code
  • FIG. 3 is a schematic diagram of the verification process when a ranging request carries a message authentication code (MAC) in the cross-Authenticator case according to Embodiment 1 of the present invention;
  • FIG. 4 is a schematic flowchart of a first scheme for generating an authentication key according to the present invention;
  • FIG. 5 is a schematic flowchart of a second scheme for generating an authentication key according to the present invention;
  • FIG. 7 is a schematic flowchart of solution 3 of the present invention;
  • FIG. 8 is a schematic structural diagram of a radio access network according to the present invention;
  • FIG. 9 is a structural diagram of the system when the radio access network acquires an authentication key from the service Authenticator according to the present invention;
  • FIG. 10 is a structural diagram of the system when the radio access network acquires an authentication key from the original Authenticator according to the present invention.

Detailed description

  • the user terminal may be a mobile subscriber station (MSS) or a mobile station (MS).
  • MSS mobile subscriber station
  • MS mobile station
  • the target BS receives the ranging request (RNG-REQ) with the HMAC/CMAC sent by the MSS.
  • RNG-REQ ranging request
  • the present invention requires the original Authenticator that stores the MSS key information to be notified so that it delivers the AK, the corresponding AKID, the life cycle of the AK and other key information (such as the EIK: EAP Integrity Key) to the target BS.
  • the target BS then analyzes and processes the content of the RNG-REQ and constructs the response (RNG-RSP) with an attached HMAC/CMAC. Thereafter the AK can be used to check received management messages of the MSS that carry an HMAC/CMAC, an HMAC/CMAC can be attached to management messages sent to the MSS so that the peer (MSS) can check their consistency, and the AK can also generate the encryption key used on the data path to ensure the confidentiality of the session traffic over the air interface.
  • if the Authenticator to which the target BS belongs stores the key information of the MSS, that Authenticator generates the AK of the MSS, the corresponding AKID, the life cycle of the AK and other key information (such as the EIK: EAP Integrity Key) from the MSS identifier and the target BS identifier, and sends them to the target BS.
  • EIK EAP Integrity Key
  • the MSS sends an RNG-REQ to the target BS, where the RNG-REQ carries a MAC.
  • after the MSS moves from the serving BS to the target BS and synchronizes with the target BS to receive the uplink and downlink air interface resource allocation parameters of the target BS, the MSS sends an RNG-REQ management message to the target BS with MAC information attached; in this embodiment the MAC is an HMAC.
  • the target BS sends an authentication key request (AK_Request) to the service Authenticator to which it belongs; the AK_Request includes the MSS and target BS identification information and the original Authenticator location information.
  • the original Authenticator location information lets the service Authenticator address the original Authenticator. It can be the original Authenticator identification information or the original BS identification information; if it is the original BS identification information, the original Authenticator is found by looking up the Authenticator to which the original BS belongs.
  • S303. The original Authenticator interacts with the service Authenticator, exchanging the MSS and target BS identification information, and generates an authentication key of the MSS for the target BS.
  • according to the original Authenticator location information from step S2, the service Authenticator exchanges the MSS and target BS identification information with the original Authenticator and generates an authentication key for the target BS.
  • the target BS processes the RNG-REQ according to the authentication key.
  • the target BS obtains the authentication key AK and analyzes and processes the content of the RNG-REQ;
  • the target BS constructs a response RNG-RSP and an additional HMAC therein.
  • the authentication key may be generated by either of the following two schemes. As shown in FIG. 4, scheme 1 includes the following steps:
  • the service Authenticator sends an AK_Request to the original Authenticator, where the identifier of the MSS and the target BS is included;
  • the original Authenticator generates an AK and related information for the MSS for the target BS according to the identifiers of the MSS and the target BS and the key information stored by the original Authenticator.
  • the service Authenticator sends the AK and related information to the target BS.
  • Scheme 2 is shown in Figure 5 and includes the following steps:
  • the service Authenticator sends a key application request to the original Authenticator, which includes the identifier of the MSS.
  • the original Authenticator sends the stored key information of the MSS to the service Authenticator, and the service Authenticator generates the AK and related information for the MSS according to the identifiers of the MSS and the target BS and the key information of the MSS.
  • the service Authenticator sends the AK and related information to the target BS.
  • the AK related information may include an AKID, an AK life cycle, and other context information.
  • the AK can be used to check received management messages of the MSS that carry an HMAC, an HMAC can be added to management messages sent to the MSS so that the peer can check their consistency, and the AK can also be used to generate the encryption key on the data path, which ensures the confidentiality of the session traffic over the air interface.
  • Example 2
  • the consistency check on an RNG-REQ carrying an HMAC in the cross-Authenticator case while the MSS moves in the idle state, and the subsequent management message consistency check procedure, are shown in FIG. 6:
  • the paging controller, that is, the original Authenticator, is different from the Authenticator to which the target BS belongs, and the key information of the MSS is stored on the paging controller (ie, the original Authenticator).
  • the MSS sends an RNG-REQ to the target BS; the RNG-REQ carries a MAC and the identifier of the paging controller (ie, the original Authenticator).
  • after the MSS moves from the serving BS to the target BS and synchronizes with the target BS to receive the uplink and downlink air interface resource allocation parameters of the target BS, the MSS sends an RNG-REQ management message to the target BS with the MAC information and the paging controller identifier attached; in this embodiment the MAC is an HMAC.
  • the original Authenticator has the function of generating and distributing an authentication key, and is integrated with the paging controller.
  • the target BS sends an authentication key request (AK_Request) to the service Authenticator to which it belongs; the AK_Request includes the MSS and target BS identification information and the location information of the paging controller (ie, the original Authenticator);
  • the identifiers of the MSS and the target BS are used to generate the air interface key AK of the MSS for the target BS, and the location information of the paging controller (ie, the original Authenticator) lets the service Authenticator address the paging controller (ie, the original Authenticator).
  • here the location information of the paging controller (ie, the original Authenticator) is the original Authenticator identification information.
  • the paging controller (ie, the original Authenticator) interacts with the service Authenticator, exchanging the MSS and target BS identification information, and generates an authentication key of the MSS for the target BS;
  • according to the location information of the paging controller (ie, the original Authenticator) from step S2, the service Authenticator exchanges the MSS and target BS identification information with the paging controller (ie, the original Authenticator) and generates the authentication key of the MSS for the target BS.
  • the scheme for generating the authentication key may adopt the scheme corresponding to FIG. 4 or FIG. 5.
  • the target BS processes the RNG-REQ according to the authentication key.
  • the target BS obtains the authentication key AK, analyzes and processes the content of the RNG-REQ, and notifies the paging controller of the location update message of the MSS;
  • the target BS constructs the response RNG-RSP and attaches an HMAC to it.
  • alternatively, the target BS can obtain the authentication key by the following steps:
  • the target BS sends an authentication key request to the original authenticator (Authenticator), where the authentication key request includes MSS information.
  • Authenticator original authenticator
  • the original Authenticator generates an authentication key for the target BS, and sends the authentication key to the target BS.
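The exchange described in Example 1 (AK_Request carrying only identifiers plus an original Authenticator locator, the two AK-generation schemes of FIG. 4 and FIG. 5), the idle-mode variant of Example 2 (locator carried in the RNG-REQ) and the direct request to the original Authenticator just above, as an added Python sketch. This is not the patent's or Huawei's code: the identifiers, the root key, the AK derivation (HMAC-SHA256 over a label), the HMAC algorithm, the AKID format and the lifetime are all constructed assumptions, and carrying the locator inside the RNG-REQ in the handover case is borrowed from Example 2. What it demonstrates is that the AK is bound to the (MSS, target BS) pair, that no message body crosses the internal interface, and that the target BS discards an RNG-REQ whose HMAC does not verify.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample identifiers (hypothetical; the patent gives no concrete values).
MSS_ID = "mss-0001"
ORIG_BS, TARGET_BS = "bs-A", "bs-B"
ORIG_AUTH, SERV_AUTH = "auth-1", "auth-2"
BS_TO_AUTH = {ORIG_BS: ORIG_AUTH, TARGET_BS: SERV_AUTH}  # Authenticator each BS belongs to
ROOT_KEY = hashlib.sha256(b"constructed root key for mss-0001").digest()


def derive_ak(key_info: bytes, mss_id: str, bs_id: str) -> bytes:
    """AK bound to the (MSS, target BS) pair. The KDF is an assumption
    (HMAC-SHA256 over a label); the patent does not fix one."""
    return hmac.new(key_info, f"AK|{mss_id}|{bs_id}".encode(), hashlib.sha256).digest()


def mac(ak: bytes, body: bytes) -> bytes:
    """HMAC over a management-message body keyed with the AK (algorithm assumed)."""
    return hmac.new(ak, body, hashlib.sha256).digest()


@dataclass
class Authenticator:
    auth_id: str
    keys: dict = field(default_factory=dict)  # mss_id -> stored key information
    derivations: int = 0                      # how many AKs this node computed

    def generate_ak(self, key_info: bytes, mss_id: str, bs_id: str) -> dict:
        """AK plus 'related information': AKID and lifetime (constructed values)."""
        self.derivations += 1
        ak = derive_ak(key_info, mss_id, bs_id)
        return {"AK": ak, "AKID": hashlib.sha256(ak).hexdigest()[:16], "lifetime_s": 3600}


AUTHENTICATORS = {
    ORIG_AUTH: Authenticator(ORIG_AUTH, {MSS_ID: ROOT_KEY}),  # holds the MSS key info
    SERV_AUTH: Authenticator(SERV_AUTH),                      # target BS's own Authenticator
}


def locate_original(orig_locator: str) -> Authenticator:
    """Locator is the original Authenticator ID or the original BS ID; a BS ID is
    resolved through the BS-to-Authenticator mapping (step S302 of the patent)."""
    return AUTHENTICATORS[BS_TO_AUTH.get(orig_locator, orig_locator)]


def ak_request(serving: Authenticator, mss_id: str, target_bs: str,
               orig_locator: str, scheme: int = 1):
    """AK_Request as handled by the service Authenticator. Only identifiers and the
    locator are exchanged. Returns None if no Authenticator holds key info for the MSS."""
    if mss_id in serving.keys:  # same-Authenticator case: no forwarding needed
        return serving.generate_ak(serving.keys[mss_id], mss_id, target_bs)
    original = locate_original(orig_locator)
    key_info = original.keys.get(mss_id)
    if key_info is None:
        return None
    if scheme == 1:  # FIG. 4: the original Authenticator derives the AK itself
        return original.generate_ak(key_info, mss_id, target_bs)
    # FIG. 5: the original Authenticator hands over the key info, the service Authenticator derives
    return serving.generate_ak(key_info, mss_id, target_bs)


def mss_build_rng_req(mss_id: str, target_bs: str, orig_locator: str,
                      key_info: bytes = ROOT_KEY) -> dict:
    """MSS side: RNG-REQ body plus HMAC under the AK the MSS derives for the target BS.
    Carrying the locator in the request mirrors Example 2 (an assumption for Example 1)."""
    body = f"RNG-REQ|{mss_id}|{target_bs}".encode()
    return {"mss_id": mss_id, "orig_locator": orig_locator, "body": body,
            "HMAC": mac(derive_ak(key_info, mss_id, target_bs), body)}


def target_bs_process(rng_req: dict, serving: Authenticator, scheme: int = 1):
    """Target BS: obtain the AK, run the consistency check on the RNG-REQ and answer
    with an HMAC'd RNG-RSP. Returns None when the check fails (message discarded)."""
    mss_id = rng_req["mss_id"]
    if scheme == 3:  # direct request to the original Authenticator, no service Authenticator
        original = locate_original(rng_req["orig_locator"])
        key_info = original.keys.get(mss_id)
        info = None if key_info is None else original.generate_ak(key_info, mss_id, TARGET_BS)
    else:
        info = ak_request(serving, mss_id, TARGET_BS, rng_req["orig_locator"], scheme)
    if info is None or not hmac.compare_digest(mac(info["AK"], rng_req["body"]), rng_req["HMAC"]):
        return None
    rsp_body = f"RNG-RSP|{mss_id}|{TARGET_BS}|{info['AKID']}".encode()
    return {"body": rsp_body, "HMAC": mac(info["AK"], rsp_body)}


def mss_verify_rsp(mss_id: str, target_bs: str, rsp: dict, key_info: bytes = ROOT_KEY) -> bool:
    """MSS checks the HMAC the target BS attached to the RNG-RSP with the same AK."""
    return hmac.compare_digest(mac(derive_ak(key_info, mss_id, target_bs), rsp["body"]), rsp["HMAC"])


if __name__ == "__main__":
    req = mss_build_rng_req(MSS_ID, TARGET_BS, ORIG_BS)
    rsp = target_bs_process(req, AUTHENTICATORS[SERV_AUTH])
    print("RNG-REQ accepted:", rsp is not None,
          "| RNG-RSP verified by MSS:", rsp is not None and mss_verify_rsp(MSS_ID, TARGET_BS, rsp))
```

The `derivations` counters make the difference between the two schemes visible: under scheme 1 the key information never leaves the original Authenticator, under scheme 2 it is handed to the service Authenticator, which then does the derivation. `hmac.compare_digest` is used for every check so that a failed comparison does not leak timing information about the expected tag.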
  • the radio access network of the present invention mainly includes: an MSS 10, an original BS 20 that the MSS accesses, and an original Authenticator 30 that stores the key information of the MSS.
  • in the invention, the MSS is provided with:
  • the ranging request sending unit 110 is configured to send a ranging request to the target BS 40.
  • the target BS 40 is provided with an authentication key obtaining unit 410, configured to obtain an authentication key.
  • the verification unit 420 is configured to verify the ranging request.
  • a ranging request response generating unit 430 configured to construct a ranging request response and an additional message authentication code therein;
  • the ranging request response sending unit 440 is configured to send the ranging request response to the MSS 10.
  • the MSS 10 is configured with:
  • the synchronization unit 120 is configured to synchronize with the target base station.
  • the specific setting method of the authentication key obtaining unit 410 may be determined according to the obtaining of the authentication key from the service Authenticator 50 or the original Authenticator 30, as follows:
  • Solution 1: obtain an authentication key from the service Authenticator 50.
  • the authentication key obtaining unit 410 is further provided with:
  • the first authentication key request sending unit 411 is configured to send an authentication key request to the service Authenticator 50; the authentication key request includes the MSS 10 information and the location information of the original Authenticator 30;
  • the original Authenticator 30 interacts with the service Authenticator 50, exchanging the MSS 10 and target BS 40 identification information, and generates an authentication key of the MSS 10 for the target BS 40.
  • the authentication key application request sending unit 510 is configured to send an authentication key application request to the original Authenticator 30, which includes the identifiers of the MSS 10 and the target BS 40;
  • the authentication key and related information generating unit 310 is configured to generate an authentication key and related information of the MSS 10 for the target BS 40 according to the identifiers of the MSS 10 and the target BS 40 and the key information stored by the original Authenticator 30;
  • the authentication key and related information transmitting unit 320 is configured to send the authentication key and related information to the target BS 40.
  • Option 2: obtain an authentication key from the original Authenticator 30.
  • the authentication key obtaining unit 410 is configured with:
  • the second authentication key request sending unit 412 is configured to send an authentication key request to the original Authenticator 30; the authentication key request includes the MSS 10 information;
  • the original Authenticator 30 is configured with:
  • the authentication key sending unit 330 is configured to send the authentication key to the target BS 40.
  • the solution of the present invention proposes a consistency check for RNG-REQ in the cross-Authenticator case and a scheme for checking the consistency of subsequent management messages.
  • the invention is applicable to both the movement of the MSS during the call and the movement of the MSS in the idle state.
  • the original Authenticator is defined as an Authenticator that stores key information capable of generating the MSS AK, and is not necessarily an Authenticator to which the original BS belongs.
  • the improved process reduces the signaling overhead inside the network, and ensures that the target BS effectively and correctly forwards the key application message to the original Authenticator, so that the target BS finally obtains the AK to analyze and process the content of the RNG-REQ.
  • the AK can be used to check the received management messages of the MSS that carry an HMAC/CMAC, to append an HMAC/CMAC to management messages that need to be sent to the MSS so that the peer can perform its own consistency check, and to generate the encryption key used on the data path, ensuring the confidentiality of session traffic transmitted over the air interface.

Abstract

A verifying method for a ranging request, and a wireless access network. The method includes: a user terminal sends a ranging request to the target base station; the target base station obtains an authentication key and verifies the ranging request according to that authentication key. The scheme of the present invention reduces the signaling overhead in the network, while ensuring that the Authenticator storing the MSS key information forwards the key application to the target BS effectively and correctly.

Description

A method for verifying a ranging request, and a wireless access network

Technical Field

The present invention relates to the field of communications, and in particular to a method for verifying a ranging request when the Authenticator changes, and to a wireless access network.

Background Art

With the vigorous development of Internet services and the wide deployment of wireless networks, more and more security requirements have been placed on wireless access networks. Beyond the widely used methods of device authentication, user authentication and service authorization that raise the security of wireless communication, the establishment of secure channels and the exchange of confidential information between the user terminal (MSS) and the base station (BS), between the BS and the Authenticator, and between the Authenticator and the Authentication Server are all issues that currently require particular attention.
FIG. 1 is a schematic diagram of the security network architecture of a wireless access network in the prior art. As shown in FIG. 1, the security architecture of the wireless access network mainly involves the following network elements: the MSS, the BS, the Authenticator and the Authentication Server. The main functions of the MSS in this architecture are to initiate authentication and authorization, to exchange with the Authentication Server the information needed to generate the root key, to generate the root key, to derive from the root key the Authorization Key (AK) needed to encrypt air-interface data, and to derive from the AK the other key material used for data encryption and for the consistency check of management messages. The functions of the BS in this architecture are to provide the security channel for the Authenticator and the MSS, to compress and encrypt air-interface data, to exchange confidential information between the BS and the MSS, and to provide the MSS with a secure path from the BS to the Authenticator. The main functions of the Authenticator are to act as a proxy for MSS authentication, authorization and accounting, and, from the root key information shared with the MSS that the Authentication Server provides and the identifier of the BS, to generate the AK needed to establish a secure channel between the BS and the MSS and to distribute the AK to the corresponding BS. The main functions of the Authentication Server are to perform authentication, authorization and accounting for the MSS, to generate and distribute root key information to the Authenticator, and, when user information changes, to promptly notify the Authenticator and other network elements of the consequences of that change.
In this way, data transmitted over the air interface can be protected by encryption, and management messages transmitted over the air interface can be protected by a Message Authentication Code (MAC) used for consistency checking. If a hash algorithm is used, the code is called a Hash Message Authentication Code (HMAC). In a WiMAX system, besides the hash-based message authentication code, a Cipher-based Message Authentication Code (CMAC) may also be used for the consistency check.
Consider the above architecture. When the MSS moves into the coverage of a target BS, after synchronizing with the target BS and obtaining the uplink and downlink parameters of the air interface, it performs the ranging procedure and sends an RNG-REQ to notify the target BS that it has successfully moved and attached to that BS. (In the handover case, the MSS will then communicate with the peer user through the target BS; in idle mode, by notifying the BS that it has moved and attached to the target BS, the target BS notifies the paging controller that the location of the MSS has been updated, so that the paging controller updates the MSS's location information in time and, when the MSS is paged, messages/data can be delivered to it correctly through the target BS.) To guarantee the consistency of air-interface management messages, this message normally carries an HMAC/CMAC so that the BS can perform a consistency check; once the check passes, the re-authentication, authorization and authentication procedure can be omitted. To perform the consistency check, the BS needs the AK. As described above, the AK has to be regenerated on the Authenticator from the key information stored in the Authenticator and the information of the target BS. Two situations may then arise:
(1) The Authenticator to which the target BS belongs holds the key information of the MSS.
(2) The Authenticator to which the target BS belongs does not hold the key information of the MSS; that key information is stored on the original Authenticator.
How to complete the consistency check of the RNG-REQ and of the management messages that follow it then becomes a problem.
In the prior art, when the Authenticator changes during handover of the MSS and the Authenticator to which the target BS belongs does not hold the key information of the MSS, the target BS performs the consistency check of the RNG-REQ and subsequent management messages according to the flow shown in FIG. 2:
S201. The MSS moves from the original BS to the target BS; after synchronizing with the target BS and receiving the uplink and downlink air-interface resource allocation parameters identifying the target BS, it sends an RNG-REQ to the target BS with HMAC information appended;
S202. The target BS sends an AK_Request to the serving Authenticator to which it belongs, containing the identifiers of the MSS and the target BS together with the message body and HMAC of the ranging request;
S203. The serving Authenticator asks the original Authenticator to generate the air-interface key AK for the target BS, and forwards to the original Authenticator the identifiers of the MSS and the target BS together with the message body and HMAC of the ranging request;
S204. The original Authenticator generates the air-interface key AK for the target BS from the identifiers of the MSS and the target BS and the stored key information of the MSS, and uses that AK to check the consistency of the message body and HMAC of the ranging request. Only if the consistency check passes does it send the AK, the corresponding AKID, the AK lifetime and other key information (such as the EIK) to the target BS through the serving Authenticator;
S205. The target BS obtains the air-interface key AK and analyzes and processes the content of the RNG-REQ;
S206. The target BS constructs the response RNG-RSP with its appended HMAC.
Thereafter the AK can be used to verify the received management messages of the MSS that carry an HMAC, to append an HMAC to management messages that need to be sent to the MSS so that the peer can check their consistency, and to generate the encryption keys used on the data path, ensuring the confidentiality of session traffic transmitted over the air interface.
In the prior art, in order to perform the initial consistency check, the entire RNG-REQ message body and the HMAC have to be sent through the serving Authenticator to the original Authenticator; the added content increases the signaling overhead on the network's internal interfaces. Moreover, the message sent by the target BS to the serving Authenticator contains no information about the original Authenticator, so the serving Authenticator cannot forward the message effectively and correctly to the original Authenticator. The flow as a whole is somewhat unreasonable and needs improvement.

Summary of the Invention

The present invention provides a ranging request verification method and a wireless access network, to solve the problems in the prior art of an unreasonable flow and wasted signaling overhead on the network's internal interfaces.
The method of the present invention comprises:
A ranging request verification method, comprising the following steps:
the user terminal sends a ranging request to the target base station;
the target base station obtains an authentication key and verifies the ranging request according to the authentication key.
The step of the user terminal sending a ranging request to the target base station further comprises:
the user terminal synchronizes with the target base station and receives the uplink and downlink air-interface resource allocation parameters identifying the target base station.
In the step of the user terminal sending a ranging request to the target base station, the ranging request carries a message authentication code.
The message authentication code is a hash message authentication code or a cipher-based message authentication code.
The step of the target base station obtaining the authentication key comprises:
the target base station sends an authentication key request to the serving authenticator, the authentication key request containing the user terminal information and the location information of the original authenticator;
the original authenticator and the serving authenticator exchange the identification information of the user terminal and the target base station, and the authentication key of the user terminal is generated for the target base station.
The location information of the original authenticator may be the identification information of the original authenticator or the identification information of the original base station.
If the location information of the original authenticator is the identification information of the original base station, the method further comprises looking up the original authenticator according to that original base station identification information.
The step in which the original authenticator and the serving authenticator exchange the identification information of the user terminal and the target base station and generate the authentication key of the user terminal for the target base station further comprises:
the serving authenticator sends an authentication key application request to the original authenticator, containing the identifiers of the user terminal and the target base station;
the original authenticator generates the authentication key and related information of the user terminal for the target base station according to the identifiers of the user terminal and the target base station and the key information stored by the original authenticator;
the serving authenticator sends the authentication key and related information to the target base station.
Alternatively, the step in which the original authenticator and the serving authenticator exchange the identification information of the user terminal and the target base station and generate the authentication key of the user terminal for the target base station further comprises:
the serving authenticator sends a key application request to the original authenticator, containing the identifier of the user terminal; the original authenticator sends the stored key information of the user terminal to the serving authenticator, and the serving authenticator generates the authentication key and related information of the user terminal for the target base station according to the identifiers of the user terminal and the target base station and the key information of the user terminal;
the serving authenticator sends the authentication key and related information to the target base station.
The step of the target base station obtaining the authentication key and verifying the ranging request further comprises:
the target base station sends an authentication key request to the serving authenticator to which it belongs, the authentication key request containing the identifiers of the user terminal and the paging controller;
the paging controller and the serving authenticator exchange the identification information of the user terminal and the target base station, and the authentication key of the user terminal is generated for the target base station.
In the step of the target base station obtaining the authentication key and verifying the ranging request, if the serving authenticator to which the target base station belongs holds the key information of the user terminal, the target base station directly uses that authentication key information to verify the ranging request.
The step of the target base station obtaining the authentication key and verifying the ranging request further comprises:
the target base station sends an authentication key request to the serving authenticator, the authentication key request containing the user terminal information;
the serving authenticator generates the authentication key and related information of the user terminal for the target base station according to the user terminal identifier and the target base station identifier.
The step of the target base station obtaining the authentication key further comprises:
the target base station sends an authentication key request to the original authenticator, the authentication key request containing the user terminal information; the original authenticator generates the authentication key for the target base station and sends the authentication key to the target base station.
The authentication key related information includes the authentication key identifier, the lifetime of the authentication key and key information.
The method further comprises the step of:
the target base station constructs a ranging request response with an appended message authentication code and sends it to the user terminal.
The method further comprises the step of:
the target base station verifies the received management messages of the user terminal using the authentication key.
The method further comprises the step of:
generating an encryption key from the authentication key.
A wireless access network, comprising a user terminal, an original base station to which the user terminal is attached and an original authenticator storing the key information of the user terminal, a target base station to which the user terminal attaches after moving and a serving authenticator connected to the target base station, and an authentication server;
the user terminal is provided with:
a ranging request sending unit, configured to send a ranging request to the target base station;
the target base station is provided with:
an authentication key obtaining unit, configured to obtain the authentication key;
a verification unit, configured to verify the ranging request.
The user terminal is further provided with:
a synchronization unit, configured to synchronize with the target base station.
The authentication key obtaining unit is further provided with:
an authentication key request sending unit, configured to send an authentication key request to the serving authenticator, the authentication key request containing the user terminal information and the location information of the original authenticator;
the original authenticator and the serving authenticator exchange the identification information of the user terminal and the target base station, and the authentication key of the user terminal is generated for the target base station.
The serving authenticator is further provided with:
an authentication key application request sending unit, configured to send an authentication key application request to the original authenticator, containing the identifiers of the user terminal and the target base station;
The original authenticator is further provided with:
an authentication key and related information generating unit, configured to generate the authentication key and related information of the user terminal for the target base station according to the identifiers of the user terminal and the target base station and the key information stored by the original authenticator;
an authentication key and related information sending unit, configured to send the authentication key and related information to the target base station.
The target base station is further provided with:
an authentication key request sending unit, configured to send an authentication key request to the original authenticator, the authentication key request containing the user terminal information;
The original authenticator is further provided with:
an authentication key sending unit, configured to send the authentication key to the target base station.
The target base station is further provided with:
a ranging request response generating unit, configured to construct a ranging request response and the appended message authentication code;
a ranging request response sending unit, configured to send the ranging request response to the user terminal.
The solution of the present invention proposes a consistency check for the RNG-REQ and a scheme for the consistency check of the management messages that follow it. The improved scheme reduces the signaling overhead inside the network, and at the same time ensures that the Authenticator storing the key information of the MSS forwards the key application message effectively and correctly to the target BS, so that the target BS finally obtains the AK, analyzes and processes the content of the RNG-REQ, and constructs the response RNG-RSP with its appended HMAC/CMAC. Thereafter the AK can be used to verify the received management messages of the MSS that carry an HMAC/CMAC, to append an HMAC/CMAC to management messages that need to be sent to the MSS so that the peer can check their consistency, and to generate the encryption keys used on the data path, ensuring the confidentiality of session traffic transmitted over the air interface.

Brief Description of the Drawings
FIG. 1 is a schematic diagram of the security network architecture of a wireless access network in the prior art;
FIG. 2 is a schematic diagram of the prior-art verification flow at the target BS when the ranging request carries a message authentication code (MAC) and the Authenticator changes;
FIG. 3 is a schematic diagram of the verification flow of Embodiment 1 of the present invention when the ranging request carries a MAC and the Authenticator changes;
FIG. 4 is a schematic flowchart of scheme one for generating the authentication key according to the present invention;
FIG. 5 is a schematic flowchart of scheme two for generating the authentication key according to the present invention;
FIG. 6 is a schematic flowchart of Embodiment 2 of the present invention;
FIG. 7 is a schematic flowchart of scheme 3 of the present invention;
FIG. 8 is a schematic structural diagram of the wireless access network of the present invention;
FIG. 9 is a structural diagram of the wireless access network of the present invention when the authentication key is obtained from the serving Authenticator;
FIG. 10 is a structural diagram of the wireless access network of the present invention when the authentication key is obtained from the original Authenticator.

Detailed Description

Specific embodiments of the present invention are described below with reference to the drawings.
In the solution of the present invention, the user terminal may be a mobile subscriber station (MSS) or a mobile station (MS); in what follows, the MSS is used as the example.
When the MSS moves into the coverage of the target BS and changes its access point from the original BS to the target BS, if the target BS, on receiving the ranging request (RNG-REQ) with HMAC/CMAC sent by the MSS, holds no AK associated with the identifiers of the MSS and the target BS, it cannot perform the consistency check on the RNG-REQ. In this case the present invention needs to notify the original Authenticator that stores the key information of the MSS to send the AK, the corresponding AKID, the AK lifetime and other key information (such as the EIK: EAP Integrity Key) to the target BS, which then analyzes and processes the content of the RNG-REQ and constructs the response (RNG-RSP) with its appended HMAC/CMAC. Thereafter the AK can be used to verify the received management messages of the MSS that carry an HMAC/CMAC, to append an HMAC/CMAC to management messages that need to be sent to the MSS so that the peer (MSS) can check their consistency, and to generate the encryption keys used on the data path, ensuring the confidentiality of session traffic transmitted over the air interface.
If the Authenticator to which the target BS belongs holds the key information of the MSS, that Authenticator generates the AK of the MSS and the corresponding AKID, AK lifetime and other key information (such as the EIK: EAP Integrity Key) from the MSS identifier and the target BS identifier, and sends them to the target BS. In this case the message exchange between the serving Authenticator and the original Authenticator in Embodiments 1 and 2 below is omitted.

Embodiment 1:
When handover and a change of Authenticator occur while the MSS moves, the consistency check of the RNG-REQ carrying an HMAC and the consistency check of the management messages that follow it proceed as shown in FIG. 3:
S301. The MSS sends an RNG-REQ to the target BS, the RNG-REQ carrying a MAC;
After the MSS moves from the serving BS to the target BS, synchronizes with it and receives the uplink and downlink air-interface resource allocation parameters identifying the target BS, the MSS sends an RNG-REQ management message to the target BS with MAC information appended; in this embodiment an HMAC is used.
S302. The target BS sends an authentication key request (AK_Request) to the serving Authenticator to which it belongs; the AK_Request contains the identification information of the MSS and the target BS, and the location information of the original Authenticator;
The target BS sends an AK_Request to the serving Authenticator to which it belongs, containing the identifiers of the MSS and the target BS and the direct/indirect location information of the original Authenticator. The identifiers of the MSS and the target BS are needed to generate the air-interface key AK associated with the MSS and the target BS, while the direct/indirect location information of the original Authenticator allows the serving Authenticator to address the original Authenticator. The location information of the original Authenticator may be the identification information of the original Authenticator or the identification information of the original BS. If it is the identification information of the original BS, the original Authenticator must further be looked up, via the Authenticator to which the original BS belongs, according to that original BS identification information.
S303. The original Authenticator and the serving Authenticator exchange the identification information of the MSS and the target BS, and the authentication key of the MSS is generated for the target BS;
In this step, the serving Authenticator, according to the location information of the original Authenticator received in step S302, exchanges the identification information of the MSS and the target BS with the original Authenticator, and the authentication key is generated for the target BS.
S304. The target BS processes the RNG-REQ according to the authentication key.
The target BS obtains the authentication key AK and analyzes and processes the content of the RNG-REQ;
S305. The target BS constructs the response RNG-RSP with its appended HMAC.
In the above solution, the authentication key may be generated by either of the following two schemes.
Scheme one, shown in FIG. 4, comprises the following steps:
S401. The serving Authenticator sends an AK_Request to the original Authenticator, containing the identifiers of the MSS and the target BS;
S402. The original Authenticator generates the AK for the MSS and the related information for the target BS according to the identifiers of the MSS and the target BS and the key information stored by the original Authenticator;
S403. The serving Authenticator sends the AK and related information to the target BS.
Scheme two, shown in FIG. 5, comprises the following steps:
S501. The serving Authenticator sends a key application request to the original Authenticator, containing the identifier of the MSS;
S502. The original Authenticator sends the stored key information of the MSS to the serving Authenticator, and the serving Authenticator generates the AK for the MSS and the related information for the target BS according to the identifiers of the MSS and the target BS and the key information of the MSS;
S503. The serving Authenticator sends the AK and related information to the target BS.
上述内容中, 该 AK相关信息, 可以包括 AKID, AK的生命周期以及其 它上下文信息等。  In the above content, the AK related information may include an AKID, an AK life cycle, and other context information.
此后利用 AK,可以对接收到的含有 H AC的该 MSS的管理消息进行校 验, 也能对需要发送给 MSS的管理消息附加 HMAC以便对端进行一致性校 验, 还能由 AK产生用于在数据通路上的加密密钥而保证会话业务在空中接 口上传输的保密性。 实施例 2: Thereafter, the AK can be used to check the received management message of the MSS containing the H AC, and the HMAC can be added to the management message that needs to be sent to the MSS for consistency verification by the peer, and can also be used by the AK for Encryption key on the data path to ensure that the session service is connected in the air Confidentiality of transmission on the mouth. Example 2:
The integrity check of an RNG_REQ carrying an HMAC, and the subsequent integrity check of management messages, for an MSS that moves while in idle mode and crosses Authenticators, is shown in FIG. 6. In this case the paging controller (i.e. the original Authenticator) differs from the Authenticator to which the target BS belongs, and the key information of the MSS is stored at the paging controller (i.e. the original Authenticator).
S601. The MSS sends an RNG-REQ to the target BS; the RNG-REQ carries a MAC and the identifier of the paging controller (i.e. the original Authenticator);
After the MSS moves from the serving BS to the target BS, synchronizes with the target BS and receives the uplink and downlink air-interface resource allocation parameters that identify the target BS, the MSS sends an RNG-REQ management message to the target BS, with MAC information and the paging controller identifier appended; in this embodiment the MAC information is an HMAC.
In this step, the original Authenticator has the function of generating and distributing authentication keys, and is co-located with the paging controller.
S602. The target BS sends an authentication key request (AK_Request) to the serving Authenticator to which it belongs; the AK_Request carries the MSS and target BS identification information and the location information of the paging controller (i.e. the original Authenticator);
The target BS sends an AK_Request to the serving Authenticator it belongs to, containing the MSS identifier, the target BS identifier and the direct location information of the paging controller (i.e. the original Authenticator). The MSS and target BS identifiers are needed to generate the air-interface key AK associated with the MSS and the target BS, and the direct location information of the paging controller (i.e. the original Authenticator) allows the serving Authenticator to address the paging controller (i.e. the original Authenticator). Here the location information of the paging controller (i.e. the original Authenticator) is the original Authenticator identification information.
S603. The paging controller (i.e. the original Authenticator) and the serving Authenticator exchange the MSS and target BS identification information, and the authentication key of the MSS is generated for the target BS;
In this step, the serving Authenticator, using the location information of the paging controller (i.e. the original Authenticator) received in step S602, exchanges the MSS and target BS identification information with the paging controller (i.e. the original Authenticator), and the authentication key for this MSS is generated for the target BS.
The authentication key may be generated using the scheme of FIG. 4 or that of FIG. 5.
S604. The target BS processes the RNG-REQ according to the authentication key.
The target BS obtains the authentication key AK, analyses and processes the content of the RNG-REQ, and notifies the paging controller of the location update of this MSS;
S605. The target BS constructs the response RNG-RSP and the HMAC appended to it.
Embodiment 3:
If the target BS is allowed to request the AK directly from the original Authenticator and has obtained the network identifier of the original Authenticator, then even in the cross-Authenticator case the target BS can obtain the authentication key through the following steps, as shown in FIG. 7:
S701. The target BS sends an authentication key request to the original Authenticator; the authentication key request contains MSS information;
S702. The original Authenticator generates the authentication key for the target BS and sends it to the target BS.
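As an added illustration (not code from the patent or from Huawei), the following constructed Python model runs the three AK acquisition paths of Embodiments 1 to 3 (original Authenticator derives the AK, serving Authenticator derives it from released key information, or the target BS asks the original Authenticator directly) and the RNG-REQ/RNG-RSP HMAC check the target BS performs. The hash function, the AK derivation, the AKID rule, the directory used to resolve the original Authenticator and every identifier are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed example: the hash, the AK derivation and the AKID rule are stand-ins.
# The page only states that the AK is derived from the MSS key information held by
# the original Authenticator, bound to the MSS and target BS identifiers, and is
# accompanied by "related information" (AKID, lifetime).
HASH = hashlib.sha256
AK_LIFETIME_S = 3600  # constructed lifetime value


def derive_ak(key_info: bytes, mss_id: bytes, bs_id: bytes) -> bytes:
    """Assumed KDF: bind the stored key information to MSS id and target BS id."""
    return hmac.new(key_info, mss_id + bs_id + b"AK", HASH).digest()


def msg_mac(ak: bytes, message: bytes) -> bytes:
    """HMAC over a management message (RNG-REQ / RNG-RSP), keyed with the AK."""
    return hmac.new(ak, message, HASH).digest()


@dataclass(frozen=True)
class AKContext:
    """AK plus the related information the page lists: AKID and lifetime."""
    ak: bytes
    akid: bytes
    lifetime: int


def make_context(key_info: bytes, mss_id: bytes, bs_id: bytes) -> AKContext:
    ak = derive_ak(key_info, mss_id, bs_id)
    akid = HASH(ak + mss_id + bs_id + b"AKID").digest()[:8]  # assumed AKID rule
    return AKContext(ak, akid, AK_LIFETIME_S)


class OriginalAuthenticator:
    """Stores the MSS key information; the only party able to derive the AK."""
    def __init__(self, name: bytes):
        self.name = name
        self._key_info = {}

    def register(self, mss_id: bytes, key_info: bytes) -> None:
        self._key_info[mss_id] = key_info

    def ak_request(self, mss_id: bytes, bs_id: bytes) -> AKContext:
        """S402 (scheme 1) and S702 (direct request): derive the AK here."""
        return make_context(self._key_info[mss_id], mss_id, bs_id)

    def key_info_request(self, mss_id: bytes) -> bytes:
        """S502 (scheme 2): release the key information to the serving Authenticator."""
        return self._key_info[mss_id]


class ServingAuthenticator:
    """Resolves the original Authenticator from the location info and relays the AK."""
    def __init__(self, by_name: dict, bs_owner: dict):
        self.by_name = by_name      # assumed directory: Authenticator id -> object
        self.bs_owner = bs_owner    # assumed directory: original BS id -> Authenticator

    def resolve(self, location: bytes) -> OriginalAuthenticator:
        # Location info is either the Authenticator id or the original BS id (S302);
        # in the latter case the Authenticator owning that BS is looked up.
        if location in self.by_name:
            return self.by_name[location]
        return self.bs_owner[location]

    def ak_request(self, mss_id, bs_id, orig_location, scheme: int) -> AKContext:
        orig = self.resolve(orig_location)
        if scheme == 1:                                  # FIG. 4: original derives AK
            return orig.ak_request(mss_id, bs_id)
        key_info = orig.key_info_request(mss_id)         # FIG. 5: serving derives AK
        return make_context(key_info, mss_id, bs_id)


class TargetBS:
    def __init__(self, bs_id: bytes, serving: ServingAuthenticator, scheme: int = 1):
        self.bs_id, self.serving, self.scheme = bs_id, serving, scheme

    def handle_rng_req(self, mss_id, orig_location, rng_req: bytes, tag: bytes):
        """S302-S305: obtain AK, check the RNG-REQ HMAC, answer with an HMAC'd RNG-RSP."""
        ctx = self.serving.ak_request(mss_id, self.bs_id, orig_location, self.scheme)
        if not hmac.compare_digest(msg_mac(ctx.ak, rng_req), tag):
            return None                                  # bad MAC: drop, no RNG-RSP
        rng_rsp = b"RNG-RSP|" + mss_id + b"|" + ctx.akid
        return rng_rsp, msg_mac(ctx.ak, rng_rsp)


def run_handover(scheme: int, orig_location: bytes, tamper: bool = False) -> bool:
    """Constructed end-to-end run; True if both RNG-REQ and RNG-RSP MACs verify."""
    mss_id, orig_bs, tgt_bs = b"MSS-01", b"BS-20", b"BS-40"
    key_info = b"constructed-key-information-for-MSS-01"  # shared by MSS and original
    orig = OriginalAuthenticator(b"AUTH-30")
    orig.register(mss_id, key_info)
    serving = ServingAuthenticator({orig.name: orig}, {orig_bs: orig})
    target = TargetBS(tgt_bs, serving, scheme)
    mss_ak = derive_ak(key_info, mss_id, tgt_bs)         # MSS holds the same key info
    rng_req = b"RNG-REQ|" + mss_id
    tag = msg_mac(mss_ak, rng_req)
    sent = rng_req + b"|x" if tamper else rng_req        # constructed in-flight change
    result = target.handle_rng_req(mss_id, orig_location, sent, tag)
    if result is None:
        return False
    rng_rsp, rsp_tag = result
    return hmac.compare_digest(msg_mac(mss_ak, rng_rsp), rsp_tag)
```

Calling `run_handover(2, b"BS-20")` exercises the indirect location case, where the serving Authenticator must first find which Authenticator owns the original BS.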
FIG. 8 is a schematic structural diagram of the radio access network of the present invention. As can be seen from the figure, the radio access network of the present invention mainly comprises: an MSS 10; an original BS 20 through which the MSS accesses the network and an original Authenticator 30 storing the key information of this MSS; a target BS 40 to which the MSS moves and a serving Authenticator 50 connected to the target BS; and an Authentication Server 60;
In the present invention, the MSS is provided with:
a ranging request sending unit 110, configured to send a ranging request to the target BS 40;
the target BS 40 is provided with:
an authentication key obtaining unit 410, configured to obtain the authentication key;
a verification unit 420, configured to verify the ranging request;
a ranging request response generating unit 430, configured to construct the ranging request response and the message authentication code appended to it;
a ranging request response sending unit 440, configured to send the ranging request response to the MSS 10.
The MSS 10 is further provided with:
a synchronization unit 120, configured to synchronize with the target base station.
In the above arrangement, the specific configuration of the authentication key obtaining unit 410 depends on whether the authentication key is obtained from the serving Authenticator 50 or from the original Authenticator 30, as follows:
Scheme 1: obtaining the authentication key from the serving Authenticator 50.
As shown in FIG. 9, the authentication key obtaining unit 410 is further provided with:
a first authentication key request sending unit 411, configured to send an authentication key request to the serving Authenticator 50; the authentication key request contains the MSS 10 and the location information of the original Authenticator 30;
the original Authenticator 30 and the serving Authenticator 50 exchange the MSS 10 and target BS 40 identification information, and the authentication key of the MSS 10 is generated for the target BS 40.
Under this scheme, the serving Authenticator 50 is provided with:
an authentication key application request sending unit 510, configured to send an authentication key application request to the original Authenticator 30, containing the identifiers of the MSS 10 and the target BS 40;
the original Authenticator 30 is provided with:
an authentication key and related information generating unit 310, configured to generate, for the target BS 40, the authentication key and related information of the MSS 10 according to the identifiers of the MSS 10 and the target BS 40 and the key information stored at the original Authenticator 30;
an authentication key and related information sending unit 320, configured to send the authentication key and related information to the target BS 40.
Scheme 2: obtaining the authentication key from the original Authenticator 30.
When the serving BS can obtain the authentication key directly from the original Authenticator 30, the authentication key obtaining unit 410 is provided, as shown in FIG. 10, with:
a second authentication key request sending unit 412, configured to send an authentication key request to the original Authenticator 30; the authentication key request contains MSS 10 information;
the original Authenticator 30 is provided with:
an authentication key sending unit 330, configured to send the authentication key to the target BS 40.
The solution of the present invention provides a scheme for the integrity check of the RNG_REQ, and of the subsequent management messages, in the cross-Authenticator case. The invention applies both to the movement of an MSS during an ongoing call and to the movement of an MSS in idle mode. In the present invention, the original Authenticator is defined as the Authenticator that stores the key information from which the AK of this MSS can be generated, which is not necessarily the Authenticator to which the original BS belongs. The improved procedure reduces the signalling overhead inside the network while ensuring that the target BS forwards the key application message validly and correctly to the original Authenticator, so that the target BS finally obtains the AK with which to analyse and process the content of the RNG-REQ and to construct the response RNG-RSP and the HMAC/CMAC appended to it. Thereafter the AK can be used to verify received management messages of this MSS that carry an HMAC/CMAC, to append an HMAC/CMAC to management messages that need to be sent to the MSS so that the peer can perform an integrity check, and to derive the encryption key used on the data path, thereby guaranteeing the confidentiality of the session traffic transmitted over the air interface.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass them.

Claims

1. A method for verifying a ranging request, characterized by comprising the following steps:
a user terminal sends a ranging request to a target base station;
the target base station obtains an authentication key and verifies the ranging request according to the authentication key.
2. The method according to claim 1, characterized in that the step of the user terminal sending a ranging request to the target base station further comprises:
the user terminal synchronizes with the target base station and receives the uplink and downlink air-interface resource allocation parameters that identify the target base station.
3. The method according to claim 1, characterized in that, in the step of the user terminal sending a ranging request to the target base station, the ranging request carries a message authentication code.
4. The method according to claim 3, characterized in that the message authentication code is a hash-based message authentication code or a cipher-based message authentication code.
5. The method according to claim 1, characterized in that the step of the target base station obtaining the authentication key comprises:
the target base station sends an authentication key request to a serving authenticator; the authentication key request contains user terminal and original authenticator location information;
the original authenticator and the serving authenticator exchange the user terminal and target base station identification information, and the authentication key of the user terminal is generated for the target base station.
6. The method according to claim 5, characterized in that the original authenticator location information may be original authenticator identification information or original base station identification information.
7. The method according to claim 6, characterized in that, if the original authenticator location information is original base station identification information, the method further comprises looking up the original authenticator according to the original base station identification information.
8. The method according to claim 5, characterized in that the step of the original authenticator and the serving authenticator exchanging the user terminal and target base station identification information and generating the authentication key of the user terminal for the target base station further comprises:
the serving authenticator sends an authentication key application request to the original authenticator, containing the identifiers of the user terminal and the target base station;
the original authenticator generates, for the target base station, the authentication key and related information of the user terminal according to the identifiers of the user terminal and the target base station and the key information stored by the original authenticator;
the serving authenticator sends the authentication key and related information to the target base station.
9. The method according to claim 5, characterized in that the step of the original authenticator and the serving authenticator exchanging the user terminal and target base station identification information and generating the authentication key of the user terminal for the target base station further comprises:
the serving authenticator sends a key application request to the original authenticator, containing the identifier of the user terminal;
the original authenticator sends the stored key information of the user terminal to the serving authenticator, and the serving authenticator generates, for the target base station, the authentication key and related information of the user terminal according to the identifiers of the user terminal and the target base station and the key information of the user terminal;
the serving authenticator sends the authentication key and related information to the target base station.
10. The method according to claim 1, characterized in that the step of the target base station obtaining the authentication key and verifying the ranging request further comprises:
the target base station sends an authentication key request to the serving authenticator to which it belongs; the authentication key request contains the identifiers of the user terminal and of a paging controller;
the paging controller and the serving authenticator exchange the user terminal and target base station identification information, and the authentication key of the user terminal is generated for the target base station.
11. The method according to claim 1, characterized in that, in the step of the target base station obtaining the authentication key and verifying the ranging request, if the serving authenticator to which the target base station belongs holds the key information of the user terminal, the target base station directly uses the authentication key information to verify the ranging request.
12. The method according to claim 11, characterized in that the step of the target base station obtaining the authentication key and verifying the ranging request further comprises:
the target base station sends an authentication key request to the serving authenticator; the authentication key request contains user terminal information;
the serving authenticator generates, for the target base station, the authentication key and related information of the user terminal according to the user terminal identifier and the target base station identifier.
13. The method according to claim 1, characterized in that the step of the target base station obtaining the authentication key further comprises:
the target base station sends an authentication key request to the original authenticator; the authentication key request contains user terminal information;
the original authenticator generates the authentication key for the target base station and sends the authentication key to the target base station.
14. The method according to claim 8, 9, 11 or 13, characterized in that the authentication key related information comprises an authentication key identifier, the lifetime of the authentication key and key information.
15. The method according to claim 1, characterized by further comprising the step of:
the target base station constructs a ranging request response and the message authentication code appended to it, and sends it to the user terminal.
16. The method according to claim 1, characterized by further comprising the step of:
the target base station uses the authentication key to verify received management messages of the user terminal.
17. The method according to claim 1, characterized by further comprising the step of:
an encryption key is derived from the authentication key.
18. A radio access network, comprising a user terminal, an original base station through which the user terminal accesses the network and an original authenticator storing the key information of the user terminal, a target base station to which the user terminal moves and a serving authenticator connected to the target base station, and an authentication server; characterized in that
the user terminal is provided with:
a ranging request sending unit, configured to send a ranging request to the target base station;
the target base station is provided with:
an authentication key obtaining unit, configured to obtain an authentication key;
a verification unit, configured to verify the ranging request.
19. The radio access network according to claim 18, characterized in that the user terminal is further provided with:
a synchronization unit, configured to synchronize with the target base station.
20. The radio access network according to claim 18, characterized in that
the authentication key obtaining unit is further provided with:
an authentication key request sending unit, configured to send an authentication key request to the serving authenticator; the authentication key request contains user terminal and original authenticator location information;
the original authenticator and the serving authenticator exchange the user terminal and target base station identification information, and the authentication key of the user terminal is generated for the target base station.
21. The radio access network according to claim 20, characterized in that
the serving authenticator is further provided with:
an authentication key application request sending unit, configured to send an authentication key application request to the original authenticator, containing the identifiers of the user terminal and the target base station;
the original authenticator is further provided with:
an authentication key and related information generating unit, configured to generate, for the target base station, the authentication key and related information of the user terminal according to the identifiers of the user terminal and the target base station and the key information stored by the original authenticator;
an authentication key and related information sending unit, configured to send the authentication key and related information to the target base station.
22. The radio access network according to claim 18, characterized in that
the target base station is further provided with:
an authentication key request sending unit, configured to send an authentication key request to the original authenticator; the authentication key request contains user terminal information;
the original authenticator is further provided with:
an authentication key sending unit, configured to send the authentication key to the target base station.
23. The radio access network according to claim 18, characterized in that
the target base station is further provided with:
a ranging request response generating unit, configured to construct a ranging request response and an appended message authentication code;
a ranging request response sending unit, configured to send the ranging request response to the user terminal.
PCT/CN2006/002150 2005-08-23 2006-08-23 A verifying method for ranging request and the wireless access network WO2007022717A1 (en)