WO2014113920A1

WO2014113920A1 - Method and network device for security authentication of mobile communication system

Info

Publication number: WO2014113920A1
Application number: PCT/CN2013/070839
Authority: WO
Inventors: 陈璟; 靳维生
Original assignee: 华为技术有限公司
Priority date: 2013-01-22
Filing date: 2013-01-22
Publication date: 2014-07-31
Also published as: CN104937990B; CN104937990A

Abstract

Disclosed are a method and a network device for security authentication of a mobile communication system. The method for security authentication of a mobile communication system comprises: after receiving a request for an authentication vector sent by an SGSN, an HSS identifying that an LTE UE accesses a 2G or 3G network, wherein the request for an authentication vector is sent to the SGSN after the SGSN receives a UMTS attach request message sent by a network element of an access network; the HSS generating a special authentication vector after identifying that the LTE UE accesses a 2G or 3G network; and the HSS sending the special authentication vector to the SGSN, so that the SGSN, the network element of the access network, and the LTE UE complete security authentication. The disclosed method and network device for security authentication of a mobile communication system enable an LTE UE to use a 2G/3G network.

Description

Mobile communication system security method and network device

Technical field

Embodiments of the present invention relate to the field of communications, and in particular, to a method and a network device for secure authentication of a mobile communication system.

BACKGROUND OF THE INVENTION Long Term Evolution (Long Term Evolution) is a system organization evolution (System Architecture Evolution, "SAE") is a standard organization 3rd Generation Partnership Project (3rd Generation Partnership Project) A new mobile communication system for "3GPP". Such a network will be an existing Wideband Code Division Multiple Access (WCDMA) network, Time Division-Synchronous Code Division Multiple Access (Time Division-Synchronous Code Division Multiple Access) "TD-SCDMA") The next evolution direction of 3G networks such as network and Code Division Multiple Access 2000 ("CDMA Division"). Currently in some countries, commercial deployments of LTE/SAE networks are in operation. Security is an indispensable feature of the commercial operation of mobile communication systems. Authentication is an important feature in security features. The Universal Mobile Telecommunication System (UMTS) network and the LTE/SAE network have developed an Authentication and Key Agreement ("AKA") mechanism to perform UE and network. Two-way authentication. The two-way authentication mechanism of the UMTS network is called UMTS AKA, and the two-way authentication mechanism of the LTE/SAE network is called an Evolved Packet System ("EPS") AKA. In some special scenarios, there is a case where an LTE user equipment (User Equipment, called "UE") accesses a 2G/3G core network through an LTE access network. Since the 2G/3G core network can only obtain UMTS AV from the HSS, the LTE UE refuses to use the UMTS AV for authentication when accessing through the LTE network. Therefore, the LTE UE cannot access the 2G/3G core network through the LTE access network. . Summary of the invention

In view of this, the embodiments of the present invention provide a method and a network device for secure authentication of a mobile communication system, which enable the LTE UE to complete the secure authentication and access the 2G/3G network. The first aspect provides a security authentication method for a mobile communication system, including: after the home subscriber server HSS receives the request for the authentication vector sent by the GPRS service support node SGSN, the HSS identifies that the LTE UE accesses the 2G or 3G network, The request for the authentication vector is sent by the SGSN to the SGSN after receiving the UMTS attach request attach request message sent by the access network element;

The HSS recognizes that after the LTE UE accesses the 2G or 3G network, the HSS generates a special authentication vector;

The HSS sends the special authentication vector to the SGSN, so that the SGSN, the access network element, and the LTE UE complete the security authentication.

In a first possible implementation, the UMTS attach request message is obtained by the access network element converting the attach request attach message, and the attach request message is sent by the LTE UE.

In a second possible implementation manner, in combination with the first aspect or the first possible implementation manner of the first aspect, the SGSN, the access network element, and the LTE UE completing the security authentication include: sending, by the SGSN The UMTS AKA authentication challenge is performed to the access network element, and the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge, and then sends the LTE UE to the LTE UE, and the LTE UE performs verification and generates according to the LTE AKA authentication challenge. After the RES and the key K _ASME , the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

In a third possible implementation manner, in combination with the first aspect or the first to second possible implementation manners of the first aspect,

The special authentication vector includes XRES, CK, and IK;

And the SG AKA authentication response is converted into a UMTS The SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the access. The network element, the access network element generates K _ASME according to the CK and or IK, and the access network element and the LTE UE share the K _ASME .

In a fourth possible implementation manner, in combination with the third possible implementation manner of the first aspect, whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, the security authentication is suspended.

In a fifth possible implementation, in combination with the first aspect or the first to the fourth possible implementation manners of the first aspect, the HSS identifies that the LTE UE accesses the 2G or 3G network, and the HSS includes: a list including identification information of an LTE UE that accesses a 2G/3G network;

The HSS learns that the identifier information of the LTE UE is included in the list according to the identifier information in the list, and the HSS identifies that the LTE UE accesses the 2G or 3G network.

In a sixth possible implementation, in combination with the first aspect or the first to the fifth possible implementation manners of the first aspect, the generating, by the HSS, the special authentication vector includes:

The HSS adds indication information to the request for the authentication vector, where the indication information is used to indicate that the HSS generates the special authentication vector;

The HSS generates EPS AV for the LTE UE;

The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.

In a seventh possible implementation manner, the sixth possible implementation manner of the first aspect, the HSS converting the EPS AV into the UMTS AV format includes:

The HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS The K _ASME in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.

In an eighth possible implementation, in combination with the third to the seventh possible implementation manners of the foregoing aspect, the access network element generating the K _ASME according to the CK and or the 包括 includes: The access network element generates the base according to the CK and or IK according to the generation rule K _ASME =CKIIIK

KASME.

In a second aspect, a method for secure authentication of a mobile communication system is provided, including:

The SGSN receives the UMTS attach request message, and the UMTS attach request message is obtained by the access network element converting the attach request message sent by the LTE UE; the SGSN receives the sent by the access network element After the UMTS attach request message, the SGSN sends a request for the authentication vector to the HSS, so that the HSS receives the request of the SGSN and identifies that the LTE UE accesses the 2G or 3G network, so that the HSS generates the special authentication vector;

After receiving the special authentication vector from the HSS, the SGSN sends a UMTS AKA authentication challenge to the access network element, so that the SGSN, the access network element, and the LTE UE complete security authentication.

In a first possible implementation, the SGSN, the access network element, and the LTE UE complete the security authentication, including:

After the UMTS AKA authentication challenge is converted into an LTE AKA authentication challenge, the access network element is sent to the LTE UE, and after the LTE UE performs verification according to the LTE AKA authentication challenge and generates a RES and a key K _ASME , the LTE UE will The LTE AKA authentication response including the RES is sent to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

In a second possible implementation manner, in combination with the second aspect or the first possible implementation manner of the second aspect, the special authentication vector includes XRES, CK, and IK;

And the SG AKA authentication response is converted into a UMTS The SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the access network element, and the access network element generates according to the CK and or IK. K _ASME , the access network element and the The LTE UE shares the K _ASME .

In a third possible implementation manner, the second possible implementation manner of the second aspect, the SGSN comparing whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.

In a fourth possible implementation, in combination with the second aspect or any one of the first to third possible implementation manners of the second aspect, the HSS receives the request of the SGSN and identifies the LTE UE. Access to 2G or 3G networks includes:

The HSS is provided with a list including identification information of LTE UEs accessing the 2G/3G network;

In a fifth possible implementation, in combination with the second aspect or the first to fourth possible implementation manners of the second aspect, the generating, by the HSS, the special authentication vector after receiving the request of the SGSN includes:

The HSS generates EPS AV for the LTE UE;

In a sixth possible implementation, in combination with the fifth possible implementation of the second aspect,

The HSS converts the EPS AV into the UMTS AV format including:

In a seventh possible implementation, combining any of the second to sixth aspects of the second aspect The implementation manner, the access network element generating the K _ASME according to the CK and or IK includes: the access network element is generated according to the CK and or IK according to the generation rule K _ASME =CKIIIK

KASME.

In a third aspect, a method for secure authentication of a mobile communication system is provided, including:

The access network element converts the attach request message from the LTE UE into a UMTS attach request message;

The access network element sends the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the HSS, and the HSS receives the request of the SGSN to identify that the LTE UE accesses the 2G or 3G network. In order for the HSS to generate a special authentication vector;

The access network element receives the UMTS AKA authentication challenge sent by the SGSN, and the UMTS AKA authentication challenge is sent after the SGSN receives the special authentication vector sent by the HSS;

The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the challenge to the LTE UE, so that the access network element, the SGSN, and the LTE UE complete the security authentication.

In a first possible implementation, the accessing the network element, the SGSN, and the LTE UE to complete the security authentication includes:

After the LTE UE verifies the LTE AKA authentication challenge, the RES and the key K _{ASME are} generated;

The access network element receives the LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

In a second possible implementation manner, in combination with the third aspect or the first possible implementation manner of the third aspect, the special authentication vector includes XRES, CK, and IK;

The LTE AKA authentication response including the RES is converted into a UMTS AKA authentication response including the RES, where the access network element, the SGSN, and the LTE UE further perform security authentication, the access network element: The network element sends the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the SGSN. Network access network element;

The access network element generates K _ASME according to the CK and or IK, the access network element and the LTE UE A total of KASME °

In a third possible implementation manner, in combination with the second possible implementation manner of the third aspect, whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, the security authentication is suspended.

In a fourth possible implementation, in combination with the third aspect or the first to the third possible implementation manners of the third aspect, the HSS receives the request of the SGSN and identifies that the LTE UE accesses the 2G. Or 3G networks include:

In a fifth possible implementation, in combination with the third aspect or the first to the fourth possible implementation manners of the third aspect, the generating, by the HSS, the special authentication vector includes:

The HSS adds indication information to the request for the authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector; the HSS generates EPS AV for the LTE UE;

In a sixth possible implementation manner, in combination with the fifth possible implementation manner of the third aspect, the HSS converting the EPS AV into the UMTS AV format includes:

In a seventh possible implementation, in combination with the second to the sixth possible implementation manners of the third aspect, the access network element generating the K _ASME according to the CK and or the 包括 includes:

The access network element generates the base according to the CK and or IK according to the generation rule K _ASME =CKIIIK KASME.

In a fourth aspect, an HSS is provided, including: a receiving module, an identifying module, a processing module, and a sending module;

The receiving module is configured to receive a request for an authentication vector sent by the SGSN, where the request for the authentication vector is sent by the SGSN to the SGSN after receiving the UMTS attach request message sent by the access network element, where the identifying module is used to Receiving the request for the authentication vector, the receiving module identifies that the LTE UE accesses the 2G or 3G network;

The processing module is configured to generate a special authentication vector after the identification module identifies that the LTE UE accesses the 2G or 3G network;

The sending module is configured to send the special authentication vector to the SGSN, so that the SGSN, the access network element, and the LTE UE complete the security authentication.

In a first possible implementation, the UMTS attach request message is obtained by the access network element converting the attach request message, and the attach request message is sent by the LTE UE.

In a second possible implementation, in combination with the fourth aspect or the first possible implementation manner of the fourth aspect, the SGSN, the access network element, and the LTE UE completing the security authentication include: sending, by the SGSN The UMTS AKA authentication challenge is performed to the access network element, and the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge, and then sends the LTE UE to the LTE UE, and the LTE UE performs verification and generates according to the LTE AKA authentication challenge. After the RES and the key K _ASME , the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

In a third possible implementation, in combination with the fourth aspect or the first to the second possible implementation manner of the fourth aspect, the special authentication vector includes XRES, CK, and IK;

In a fourth possible implementation manner, the third possible implementation manner of the fourth aspect, the SGSN comparing whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.

In a fifth possible implementation, in combination with the fourth or fourth possible implementation of the fourth aspect, the HSS further includes a storage module, where the storage module is configured to store a list, the list Including identification information of an LTE UE that accesses a 2G/3G network;

The identification module, according to the identification information in the list, knows that the identifier information of the LTE UE is included in the list, and the HSS identifies that the LTE UE accesses the 2G or 3G network.

In a sixth possible implementation, the processing module is configured to identify, by the identification module, that the LTE UE accesses the 2G or the fourth aspect, or the first to the fifth possible implementation manner of the fourth aspect, Generating special authentication vectors after the 3G network includes:

The processing module is configured to add indication information to the request for the authentication vector, where the indication information is used to indicate that the HSS generates the special authentication vector; the processing module is configured to generate an EPS AV for the LTE UE;

The processing module is configured to convert the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.

In a seventh possible implementation manner, the sixth possible implementation manner of the fourth aspect, the processing module is configured to convert the EPS AV into the UMTS AV format, including:

The processing module is configured to use RAND in the EPS AV as the RAND of the UMTS AV, and the processing module is configured to use the AUTN in the EPS AV as the AUTN of the UMTS AV, and the processing module is used to use the XRES in the EPS AV As the XRES of the UMTS AV, the processing module is configured to split the K _ASME in the EPS AV into two parts, respectively, as the CK and the IK of the UMTS AV.

In an eighth possible implementation, combining any of the third to seventh aspects of the fourth aspect In an implementation manner, the access network element generates a K _ASME according to the CK and or IK, including:

The access network element generates the base according to the CK and or IK according to the generation rule K _ASME =CKIIIK

KASME.

In a fifth aspect, an SGSN is provided, including: a receiving module; a sending module;

The receiving module is configured to receive a UMTS attach request message sent by an access network element, where the

The UMTS attach request is obtained by converting, by the access network element, the attach request message sent by the LTE UE;

The sending module is configured to send a request for an authentication vector to the HSS after the receiving module receives the UMTS attach request message, so that the HSS receives the request and identifies that the LTE UE accesses the 2G or 3G network, and thus The HSS generates the special authentication vector;

The receiving module is further configured to receive the special authentication vector from the HSS, where the sending module is further configured to send a UMTS AKA authentication challenge to the access network element after the receiving module receives the special authentication vector, so that the SGSN The access network element and the LTE UE complete the security authentication.

In a second possible implementation manner, in combination with the fifth aspect or the first possible implementation manner of the fifth aspect, the SGSN further includes a processing module;

The special authentication vector contains XRES, CK, IK;

The further completing the security authentication for the access network element, the SGSN, and the LTE UE includes: the access network element converting the LTE AKA authentication response into a UMTS AKA authentication response and transmitting the UMTS AKA authentication response to the receiving Module, the processing module is used to compare the RES and Whether the XRES is the same. When the comparison result is the same, the sending module sends the CK and or IK to the access network element, and the access network element generates the K _ASME according to the CK and or IK. CK and or IK are sent by the sending module, and the access network element and the LTE UE share the K _ASME .

In a third possible implementation manner, the second possible implementation manner of the fifth aspect, the processing module is configured to compare whether the RES and the XRES are the same, and further includes: when the comparison result is different, the suspension is performed. safety certificate.

In a fourth possible implementation, in combination with the fifth aspect or any one of the first to third possible implementation manners of the fifth aspect, the HSS is configured to identify that the LTE UE accesses the 2G after receiving the request. Or 3G networks include:

In a fifth possible implementation, in combination with the first to fourth possible implementation manners of the fifth aspect or the fifth aspect, the generating, by the HSS, the special authentication vector includes:

The HSS adds indication information to the request for the authentication vector, the indication information is used to indicate that the HSS generates the special authentication vector; the HSS generates EPS AV for the LTE UE;

In a sixth possible implementation manner, in combination with the fifth possible implementation manner of the fifth aspect,

The HSS converts the EPS AV into the UMTS AV format including:

In a seventh possible implementation, combining any of the second to sixth aspects of the fifth aspect The implementation manner, the access network element generating the K _ASME according to the CK and or IK includes: the access network element is generated according to the CK and or IK according to the generation rule K _ASME =CKIIIK

KASME.

A sixth aspect provides an access network element, including: a receiving module, a processing module, and a sending module;

The receiving module is configured to receive an attach request message from an LTE UE; the processing module is configured to convert the attach request message into a UMTS attach request message;

The sending module is configured to send the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the HSS, and after receiving the request of the SGSN, the HSS identifies that the LTE UE accesses the 2G or 3G network, and further The receiving module is further configured to receive a UMTS AKA authentication challenge sent by the SGSN, where the UMTS AKA authentication challenge is sent after the SGSN receives the special authentication vector sent by the HSS;

The processing module is further configured to convert the UMTS AKA authentication challenge into an LTE AKA authentication challenge, where the sending module is further configured to send the LTE AKA authentication challenge to the LTE UE, so that the access network element, the SGSN, and the LTE are The UE completes the security certification.

In a first possible implementation manner, the security authentication of the access network element, the SGSN, and the LTE UE is performed by:

The receiving module is configured to receive an LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete security authentication.

In a second possible implementation manner, in combination with the sixth aspect or the first possible implementation manner of the sixth aspect, the special authentication vector includes XRES, CK, and IK;

The processing module is further configured to convert the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES, where the sending module further comprises: the processing module further configured to: Also used to send the UMTS AKA authentication response containing the RES to the SGSN, so that the SGSN compares the RES and the XRES Similarly, when the comparison result is the same, the SGSN sends the CK and or IK to the access network element;

The processing module is further configured to generate a K _ASME according to the CK and or IK, the access network element and the LTE UE being the KASME.

In a third possible implementation manner, in combination with the second possible implementation manner of the sixth aspect, whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, the security authentication is suspended.

In a fourth possible implementation manner, in combination with the first to third possible implementation manners of the sixth aspect or the sixth aspect, the HSS receives the request of the SGSN and identifies that the LTE UE accesses the 2G. Or 3G networks include:

In a fifth possible implementation, in combination with the first to fourth possible implementation manners of the sixth aspect or the sixth aspect, the generating, by the HSS, the special authentication vector includes:

The HSS generates EPS AV for the LTE UE;

In a sixth possible implementation manner, in combination with the fifth possible implementation manner of the sixth aspect, the HSS converting the EPS AV into the UMTS AV format includes:

The HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS K _{ASME in} the EPS AV (256bits) Split into two parts, respectively as the CK and the IK of the UMTS AV.

In a seventh possible implementation, in combination with the second to the sixth possible implementation manners of the sixth aspect, the processing module is further configured to generate the according to the CK and or IK according to the generation rule K _ASME =CKIIIK K _ASME .

Through the above scheme, the HSS identifies that the LTE UE accesses the 2G/3G network, and the HSS generates a special authentication vector, and the LTE UE accesses the 2G/3G network to complete the security authentication through the SGSN and the access network element, so that the LTE UE can use the 2G. /3G core network resources. DRAWINGS

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings to be used in the embodiments of the present invention will be briefly described. It is obvious that the drawings in the following description are only some embodiments of the present invention. Other drawings may also be obtained from those of ordinary skill in the art in view of the drawings.

1 is a schematic flowchart of an authentication method of a mobile communication system according to an embodiment of the present invention; FIG. 2 is a schematic flowchart of an authentication method of a mobile communication system according to another embodiment of the present invention;

3 is a schematic flow chart of an authentication method of a mobile communication system according to another embodiment of the present invention;

4 is a schematic flow chart of an authentication method of a mobile communication system according to another embodiment of the present invention;

FIG. 5 is a schematic block diagram of a home subscriber server according to an embodiment of the present invention; FIG.

6 is a schematic block diagram of a GPRS service support node according to an embodiment of the present invention;

7 is a schematic block diagram of an access network element according to an embodiment of the present invention;

FIG. 8 is a schematic block diagram of a home subscriber server according to another embodiment of the present invention; FIG.

9 is a schematic block diagram of a GPRS service support node according to another embodiment of the present invention; and FIG. 10 is a schematic block diagram of an access network element according to another embodiment of the present invention. detailed description

BRIEF DESCRIPTION OF THE DRAWINGS The technical solutions in the embodiments of the present invention will be described in detail below with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are a part of the embodiments of the present invention, rather than all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts shall fall within the scope of the present invention.

It should be understood that the technical solution of the embodiments of the present invention can be applied to various 2G or 3G communication systems, for example: Global System of Mobile communication ("GSM") system, code division multiple access (Code Division Multiple) Access, called "CDMA" system, Wideband Code Division Multiple Access ("WCDMA") system, General Packet Radio Service (General Packet Radio Service) Universal Mobile Telecommunication System (UMT), Worldwide Interoperability for Microwave Access ("Wireless") communication system, etc.

The access network element in the embodiment of the present invention is an enhanced access network element for supporting the LTE UE to access the 2G/3G core network. In all the embodiments of the present invention, the access network element may have the following functions: The function of the LTE eNB, the LTE UE may access the 2G/3G core network through the access network element without modification, and the LTE UE considers that The LTE network is being accessed, instead of the 2G/3G core network; the access network element in the embodiment of the present invention can also implement the function of a Mobility Management Entity (called "ΜΜΕ"). Such as the security protection function of the non-access stratum ("Non-Access Stratum").

1 shows a schematic flow diagram of a method 100 of secure authentication of a mobile communication system in accordance with an embodiment of the present invention. As shown in FIG. 1, the method 100 includes:

S110. After receiving the request for the authentication vector sent by the SGSN, the HSS identifies that the HSS is

The LTE UE accesses the 2G or 3G network, and the request for the authentication vector is received by the SGSN. Sending the UMTS attach request message sent by the network element to the SGSN;

SI 20, the HSS recognizes that after the LTE UE accesses the 2G or 3G network, the HSS generates a special authentication vector;

In the embodiment of the present invention, in order to enable the LTE UE to use the 2G or 3G core network, after the HSS recognizes that the LTE UE accesses the 2G/3G core network, the HSS generates a special authentication vector for the LTE UE, so that the SGSN, the SGSN, The access network element and the LTE UE complete the security authentication to enable the LTE UE to access the 2G or 3G network, so that the LTE UE can use the 2G or 3G core network resources.

Optionally, the UMTS attach request message is obtained by the access network element converting the attach request message, and the attach request message is sent by the LTE UE.

Optionally, the SGSN, the access network element, and the LTE UE complete the security authentication, where the SGSN sends a UMTS AKA authentication challenge to the access network element, and the access network element authenticates the UMTS AKA. After the challenge is converted into an LTE AKA authentication challenge, and sent to the LTE UE, after the LTE UE performs verification according to the LTE AKA authentication challenge and generates a RES and a key K _ASME , the LTE UE sends an LTE AKA authentication response including the RES to the LTE AKA authentication challenge. Accessing the network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

Optionally, the special authentication vector includes XRES, CK, and IK;

Optionally, the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:

The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, and the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the The SGSN sends the CK and or IK to the access network element, and the access network element generates K _ASME according to the CK and or IK, the access network element and the

The LTE UE shares the K _ASME .

Optionally, the SGSN compares whether the RES and the XRES are the same, and includes, when the comparison is If the results are different, the safety certification is suspended.

Optionally, the HSS identification is that the LTE UE accesses the 2G or 3G network, including:

Optionally, the HSS generates a special authentication vector including:

The HSS generates EPS AV for the LTE UE;

Optionally, the HSS converts the EPS AV into a UMTS AV format, including:

Optionally, the access network element generates the K _ASME according to the CK and or the 包括:

The access network element generates the K _A SME according to the CK and or IK according to the generation rule K _ASME =CKIIIK.

In the embodiment of the present invention, the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the access network element, and the HSS identifies that the LTE UE accesses the 2G or 3G core through the access network element. After the scenario of the network, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN. There is no need to modify the LTE UE, so that the LTE UE can complete the secure authentication access to the 2G or 3G network, so that the LTE UE uses the 2G or 3G core network resources.

2 shows an illustration of a method 200 of secure authentication of a mobile communication system in accordance with an embodiment of the present invention. Intentional flow chart. 2 and its description of the disclosed method may be based on the embodiment of the present invention and the method disclosed in FIG. 1 based on an embodiment of the present invention. As shown in FIG. 2, the method 200 includes:

S210, the SGSN receives the UMTS attach request message, where the UMTS attach request is that the access network element converts the attach request message sent by the LTE UE, and S220, the SGSN receives the access network element by the access network. After the UMTS attach request message is sent, the SGSN sends a request for the authentication vector to the HSS, so that the HSS receives the request of the SGSN and identifies that the LTE UE accesses the 2G or 3G network, so that the HSS generates the special Authentication vector

S230. After receiving the special authentication vector from the HSS, the SGSN sends a UMTS AKA authentication challenge to the access network element, so that the SGSN, the access network element, and the LTE UE complete the security authentication.

In the embodiment of the present invention, after the scenario in which the LTE UE accesses the 2G or 3G network is identified by the HSS, the HSS generates a special authentication vector, so that the SGSN, the access network element, and the LTE UE complete the security authentication, and the implementation does not require the LTE UE. Under the condition that the LTE UE can perform security authentication, the LTE UE can access the 2G or 3G network, so that the LTE UE uses the 2G or 3G core network resources.

Optionally, the SGSN, the access network element, and the LTE UE complete the security authentication, where the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the LTE UE to the LTE UE. After the LTE UE performs the verification according to the LTE AKA authentication challenge and generates the RES and the key K _ASME , the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the The SGSN and the LTE UE further complete the security authentication.

Optionally, the special authentication vector includes XRES, CK, and IK;

The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, the SGSN comparing the RES with the XRES Whether the same is true, when the comparison result is the same, the SGSN sends the CK and or IK to the access network element, and the access network element generates K _ASME according to the CK and or IK, the access network element The K _{ASME is} shared with the LTE UE.

Optionally, whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.

Optionally, the method for the HSS to receive the request of the SGSN is that the LTE UE accesses the 2G or 3G network, including:

Optionally, the special authentication vector is generated after the HSS receives the request from the SGSN, including:

The HSS generates EPS AV for the LTE UE;

Optionally, the HSS converts the EPS AV into a UMTS AV format, including:

KASME. In the embodiment of the present invention, the message sent by the LTE UE is converted into a message suitable for the 2G or 3G network by the access network element, and the HSS identifies that the LTE UE accesses the 2G or 3G network through the access network element. After the scenario, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN. There is no need to modify the LTE UE, and the LTE UE can complete the security authentication to access the 2G or 3G network, so that the LTE UE uses the 2G or 3G core network resources.

3 shows a schematic flow diagram of a method 300 of secure authentication of a mobile communication system in accordance with an embodiment of the present invention. The method disclosed in Figure 3 and its description may be based on the embodiments of Figures 1 through 2 of the present invention and the methods disclosed in Figures 1 through 2 of the present invention. As shown in FIG. 3, the method 300 includes:

S310. The access network element converts an attach request message from the LTE UE into a UMTS attach request message.

S320, the access network element sends the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the HSS, and the HSS receives the request of the SGSN and identifies that the LTE UE accesses the 2G or 3G. Network, in order for the HSS to generate a special authentication vector;

S330. The access network element receives the UMTS AKA authentication challenge sent by the SGSN, where the UMTS

The AKA authentication challenge is sent after the SGSN receives the special authentication vector sent by the HSS;

S340. The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the LTE UE to the LTE UE, so that the access network element, the SGSN, and the LTE UE complete the security authentication.

In the embodiment of the present invention, the information sent by the LTE UE is converted to be applicable to the network element of the access network.

The information of the 2G or 3G network system is identified by the HSS as the LTE UE accessing the 2G or 3G network. The HSS generates a special authentication vector to enable the access network element, the SGSN, and the LTE UE to complete the security authentication. The UE can complete the secure authentication access to the 2G or 3G network, so that the LTE UE uses the 2G or 3G core network resources.

Optionally, the accessing the network element, the SGSN, and the LTE UE to complete the security authentication includes: generating, by the LTE UE, the RES and the key K _ASME after verifying the LTE AKA authentication challenge; The access network element receives the LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

Optionally, the special authentication vector includes XRES, CK, and IK;

Optionally, the access network element, the SGSN, and the LTE UE further complete the security authentication, including:

The access network element converts the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES, and the access network element sends the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN Comparing whether the RES and the XRES are the same, when the comparison result is the same, the SGSN sends the CK and or IK to the access network element;

The access network element generates K _ASME according to the CK and or IK, and the access network element and the LTE UE jointly have the KASME °

Optionally, after receiving the request of the SGSN, the HSS identifies that the LTE UE accesses the 2G or 3G network, including:

Optionally, the further generating the special authentication vector for the HSS comprises:

The HSS generates EPS AV for the LTE UE;

Optionally, the HSS converts the EPS AV into a UMTS AV format including: The HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS The K _ASME in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.

The access network element generates the KASME according to the CK and or IK according to the generation rule K _ASME =CKIIIK.

In the embodiment of the present invention, the message sent by the LTE UE is converted into a message suitable for the 2G or 3G network by the access network element, and the HSS identifies that the LTE UE accesses the 2G or 3G network through the access network element. After the scenario, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN. There is no need to modify the LTE UE, so that the LTE UE can complete the security authentication to access the 2G or 3G network, so that the LTE UE uses the 2G or 3G core network resources.

4 shows a schematic flow diagram of a method 400 of secure authentication of a mobile communication system in accordance with an embodiment of the present invention. FIG. 1 to FIG. 3 and the method disclosed in FIG. 3 and FIG. 3 based on the embodiment of the present invention, and the method disclosed in FIG. 4 and FIG. . As shown in FIG. 4, the method 400 includes:

Optionally, the LTE UE accesses the 2G/3G core network through the access network element, and an RRC connection is established between the LTE UE and the access network element.

The LTE UE sends an attach request message to the access network element, and the access network element converts the attach request message received from the LTE UE into a UMTS attach request message identifiable by the SGSN of the 2G/3G core network in the UMTS system. The network access NE sends the converted UMTS attach request message to the SGSN.

The SGSN sends a request for an authentication vector to the HSS. .

Optionally, the HSS identifies that the LTE UE accesses the 2G/3G network, and includes:

Optionally, the HSS is equipped with a list including LTE UEs accessing the 2G/3G network Identification information;

The HSS generates the special authentication vector, including:

Optionally, the HSS generates EPS AV for the LTE UE;

further,

The HSS sets the 0th bit in the authentication management domain AMF to 1 to indicate that the authentication vector is EPS AV;

HSS generates RAND, AUTN, CK, IK and XRES;

The HSS derives KASME based on CK and IK. The deduction rule can be K _ASME =KDF ( CK, IK ) and KDF is the key derivation function;

EPS AV consists of K _ASME , AUTN , XRES , RAND , where the 0th bit of the AMF parameter in the AUTN has a value of 1.

Optionally, the HSS converts the EPS AV into a UMTS AV format such that the EPS AV can be sent to the SGSN through an existing UMTS authentication response. The method for converting EPS AV into UMTS AV format includes: RAND, AUTN and XRES in EPS AV are used as RAND, AUTN and XRES of UMTS AV, and K _ASME (256bits) in EPS AV is split into two parts, respectively as UMTS AV's CK (128bits) and IK (128bits). Alternatively, K _ASME (256 bits) may also be split unevenly, and the ratio of the CK to the IK may be different. After the EPS AV is converted into the UMTS AV format, the value of the 0th bit of the AMF in the AUTN is still 1. The vector obtained by converting the EPS AV into the UMTS AV format is the special authentication vector.

The HSS transmits the special authentication vector to the SGSN;

The SGSN performs a UMTS AKA authentication procedure based on the special authentication vector received from the HSS. The SGSN sends a UMTS AKA authentication challenge to the access network element, the UMTS AKA authentication challenge Contains RAND and AUTNo

The access network element converts the received UMTS AKA authentication challenge into an LTE AKA authentication challenge. The RAND and AUTN in the UMTS AKA authentication challenge are sent to the LTE UE in the LTE AKA authentication challenge.

The LTE UE verifies the AUTN. Further, since the value of the 0th bit of the AMF in the AUTN is

1 , so the LTE UE will pass the check of AMF. The LTE UE generates the RES and the key K _ASME .

The LTE UE sends an LTE AKA authentication response to the access network element, and the LTE AKA authentication response includes the RES.

The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response, and sends the RES in the LTE AKA authentication response to the SGSN in the UMTS AKA authentication response.

The SGSN compares whether the RES and the XRES are the same.

Optionally, if the comparison result is that the RES is different from the XRES, then the security authentication is suspended;

Optionally, if the comparison result is that the RES and the XRES are the same, the SGSN initiates a security mode process, in which CK and or IK are sent to the access network element.

Optionally, the access network element generates K _ASME according to CK and or IK. Optionally, the access network element generates K _ASME according to CK and or IK. The generation rule is K _ASME =CKIIIK, and "II" indicates concatenation, that is, IK is added after CK.

The access network element and the LTE UE share the key K _ASME .

Optionally, the LTE NAS SMC process and the LTE AS SMC process are performed between the access network element and the LTE UE to establish an LTE air interface security.

In the embodiment of the present invention, the message sent by the LTE UE is converted into a message suitable for the 2G or 3G network by the access network element, and the HSS identifies that the LTE UE accesses the 2G or 3G network through the access network element. After the scenario, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN. The LTE UE does not need to be modified, so that the LTE UE can complete the security authentication to access the 2G or 3G network, so that the LTE UE uses the 2G or 3G core network resources. . FIG. 5 shows a schematic block diagram of a home subscriber server 500 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 5 and its description of the disclosed apparatus may be based on the embodiments of the present invention, FIGS. 1 through 4, and the methods disclosed in FIGS. 1 through 4 of the present invention. As shown in Figure 5, the home subscriber server HSS500 includes: a receiving module 510, an identification module 520, a processing module 530, a sending module 540;

The receiving module 510 is configured to receive a request for the authentication vector sent by the SGSN, where the request for the authentication vector is sent by the SGSN to the SGSN after receiving the UMTS attach request message sent by the access network element, where the After the receiving module 510 receives the request for the authentication vector, it is identified that the LTE UE accesses the 2G or 3G network;

The processing module 530 is configured to generate a special authentication vector after the identification module 520 identifies that the LTE UE accesses the 2G or 3G network;

The sending module 540 is configured to send the special authentication vector to the SGSN, so that the SGSN, the access network element, and the LTE UE complete the security authentication.

In the embodiment of the present invention, in order to enable the LTE UE to use the 2G or 3G core network, after the HSS recognizes that the LTE UE accesses the 2G/3G core network, the HSS generates a special authentication vector for the LTE UE, so that the SGSN, the SGSN, The access network element and the LTE UE complete the security authentication, so that the LTE UE can complete the security authentication to access the 2G or 3G network, so that the LTE UE uses the 2G or 3G core network resources.

Optionally, the security authentication is performed by the SGSN, the access network element, and the LTE UE, including:

The SGSN sends a UMTS AKA authentication challenge to the access network element, and the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the challenge to the LTE UE, where the LTE UE performs the LTE AKA authentication challenge. After the RES and the key K _{ASME are} verified and generated, the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication. . Optionally, the special authentication vector includes XRES, CK, and IK;

The access network element converts the LTE ΑΚΑ authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, where the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, The SGSN sends the CK and or IK to the access network element, and the access network element generates K _ASME according to the CK and or IK, and the access network element and the LTE UE share the K _ASME .

Optionally, the HSS further includes a storage module 550, where the storage module 550 is configured to store a list, where the list includes identifier information of the LTE UE that accesses the 2G/3G network;

Optionally, the identifying module 520 learns that the identifier information of the LTE UE is included in the list according to the identifier information in the list, and the HSS identifies that the LTE UE accesses the 2G or 3G network.

Optionally, the processing module 530 is configured to: after the identifying module 520 identifies that the LTE UE accesses the 2G or 3G network, generating a special authentication vector, including:

The processing module 530 is configured to add indication information to the request for requesting the authentication vector, where the indication information is used to indicate that the HSS generates the special authentication vector;

The processing module 530 is configured to generate an EPS AV for the LTE UE;

further,

The processing module 530 is configured to set the 0th bit in the authentication management domain AMF to 1 to indicate that the authentication vector is EPS AV;

The processing module 530 is configured to generate RAND, AUTN, CK, IK, and XRES;

The processing module 530 is configured to derive KASME according to CK and IK, and the derivation rule may be K _ASME =KDF ( CK, IK ), and KDF is a key derivation function; EPS AV consists of K _ASME , AUTN , XRES , RAND , where the 0th bit of the AMF parameter in the AUTN has a value of 1.

Optionally, the processing module 530 is configured to convert the EPS AV into a UMTS AV format, so that the method of the AV format includes: using RAND, AUTN, and XRES in the EPS AV as the RAND, AUTN, and XRES of the UMTS AV, and the EPS K _ASME (256bits) in AV is split into two parts, which are CK (128bits) and IK (128bits) of UMTS AV. After the EPS AV is converted into the UMTS AV format, the value of the 0th bit of the AMF in the AUTN is still 1. The vector obtained by converting the EPS AV into the UMTS AV format is the special authentication vector.

Optionally, the access network element generates the K _ASME according to the CK and or IK, including:

The access network element in accordance with the generation rule K _ASME = CKIIIK, which generates based on the K _ASME and CK or IK. ΊΓ indicates concatenation, IK is added after CK.

In the embodiment of the present invention, the message sent by the LTE UE is converted into a message suitable for the 2G or 3G network by the access network element, and the HSS identifies that the LTE UE accesses the 2G or 3G network through the access network element. After the scenario, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN. There is no need to modify the LTE UE, so that the LTE UE can complete the secure authentication access to the 2G or 3G network, so that the LTE UE uses the 2G or 3G core network resources.

Figure 6 shows a schematic block diagram of a GPRS service support node 600 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 6 and its description, the apparatus disclosed in FIG. 1 to FIG. 4 and the method disclosed in FIG. 1 to FIG. 4 based on the embodiment of the present invention may also be based on the embodiment of the present invention and FIG. 5 and FIG. Revealed device. As shown in Figure 6, the GPRS service support node SGSN600 includes: a receiving module 610; a sending module 620;

The receiving module 610 is configured to receive a UMTS attach request message sent by an access network element, where the UMTS attach request is obtained by converting, by the access network element, an attach request message sent by the LTE UE;

The sending module 620 is configured to receive the UMTS attach request in the receiving module 610. After receiving the request, the request for the authentication vector is sent to the HSS, so that the HSS receives the request and identifies that the LTE UE accesses the 2G or 3G network, so that the HSS generates the special authentication vector; the receiving module 610 is further configured to receive The special authentication vector from the HSS, the sending module 620 is further configured to send a UMTS AKA authentication challenge to the access network element after the receiving module 610 receives the special authentication vector, so that the SGSN, the access network The network element and the LTE UE complete the security authentication.

In the embodiment of the present invention, after the scenario in which the LTE UE accesses the 2G or 3G core network is identified by the HSS, the HSS generates a special authentication vector, so that the SGSN, the access network element, and the LTE UE complete the security authentication, and the implementation does not need to be performed. Under the condition that the LTE UE is modified, the LTE UE can complete the security authentication to access the 2G or 3G network, so that the LTE UE uses the 2G or 3G core network resources.

Optionally, the SGSN further includes a processing module 630;

Optionally, the special authentication vector includes XRES, CK, and IK;

The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the receiving module 610, where the processing module 630 is configured to compare whether the RES and the XRES are the same, when the comparison is performed. When the result is the same, the sending module 620 sends the CK and or IK to the access network element, and the access network element generates K _ASME according to the CK and or IK, and the CK and or IK are sent by the sending module 620. Sending, the access network element and the LTE UE share the KASME. Optionally, the processing module 630 compares whether the RES and the XRES are the same. Further, when the comparison result is different, the security authentication is suspended.

Optionally,

After the HSS receives the request, it is identified that the LTE UE accesses the 2G or 3G network includes: the HSS is equipped with a list, and the list includes the identifier information of the LTE UE accessing the 2G/3G network;

The HSS learns that the identifier information of the LTE UE is included in the list according to the identifier information in the list, and the HSS identifies that the LTE UE accesses the 2G or 3G network. Optionally, the generating the special authentication vector by the HSS includes:

The HSS generates EPS AV for the LTE UE;

Optionally, the HSS converts the EPS AV into a UMTS AV format, including:

In the embodiment of the present invention, the message sent by the LTE UE is converted into a message suitable for the 2G or 3G network by the access network element, and the HSS identifies that the LTE UE accesses the 2G or 3G network through the access network element. After the scenario, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN. No modification to the LTE UE is required, so that the LTE UE can complete The security authentication accesses the 2G or 3G network, so that the LTE UE uses 2G or 3G core network resources.

FIG. 7 shows a schematic block diagram of an access network element 700 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 7 and its description, the apparatus disclosed in FIG. 1 to FIG. 4 and the method disclosed in FIG. 1 to FIG. 4 according to the embodiment of the present invention may also be based on the embodiments of the present invention and FIGS. 5 to 6 and The apparatus disclosed in Figures 5-6. As shown in FIG. 7, the access network element 700 includes: a receiving module 710, a processing module 720, and a sending module 730;

The receiving module 710 is configured to receive an attach request message from an LTE UE; the processing module 720 is configured to convert the attach request message into a UMTS attach request message;

The sending module 730 is configured to send the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the HSS, and the HSS receives the request of the SGSN to identify that the LTE UE accesses the 2G or 3G network. In order for the HSS to generate a special authentication vector;

The receiving module 710 is further configured to receive the UMTS AKA authentication challenge sent by the SGSN, where the UMTS AKA authentication challenge is sent after the SGSN receives the special authentication vector sent by the HSS; the processing module 720 is further configured to authenticate the UMTS AKA. The challenge is converted into an LTE AKA authentication challenge, and the sending module 730 is further configured to send the LTE AKA authentication challenge to the LTE UE, so that the access network element, the SGSN, and the LTE UE complete the security authentication.

In the embodiment of the present invention, the information sent by the LTE UE is converted into the information applicable to the 2G or 3G network system by the access network element, and the scene that the LTE UE accesses the 2G or 3G network is identified by the HSS, and is generated by the HSS. The special authentication vector enables the access network element, the SGSN, and the LTE UE to complete the security authentication, so that the LTE UE can complete the security authentication to access the 2G or 3G network, so that the LTE UE uses the 2G or 3G core network resources.

Optionally, the access network element, the SGSN, and the LTE UE complete the security authentication, where the LTE UE verifies the LTE AKA authentication challenge, and generates a RES and a key K _ASME ;

The receiving module 710 is configured to receive an LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete security authentication. Optionally, the special authentication vector includes XRES, CK, and IK;

The processing module 720 is further configured to convert the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES, where the sending module 730 is further configured to send the UMTS AKA authentication response including the RES to the SGSN, so that The SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the access network element.

The processing module 720 is further configured to generate a K _ASME according to the CK and or IK, where the access network element and the LTE UE share the K _ASME .

Optionally,

After receiving the request from the SGSN, the HSS identifies that the LTE UE accesses the 2G or 3G network, including:

The HSS generates EPS AV for the LTE UE;

Optionally, the HSS converts the EPS AV into a UMTS AV format including: The HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS The K _ASME (256 bits) in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.

Alternatively, the processing module 720 is further used for generating rules according to K _ASME = CKIIIK, which generates based on the K _ASME and CK or IK. ΊΓ indicates concatenation, IK is added after CK.

Figure 8 shows a schematic block diagram of a home subscriber server 800 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 8 and its description, the apparatus disclosed in FIG. 1 to FIG. 4 and the method disclosed in FIG. 1 to FIG. 4 based on the embodiment of the present invention, and FIG. 5 to FIG. 7 based on the embodiment of the present invention and based on The apparatus disclosed in Figures 5 to 7 of the embodiment of the present invention. As shown in FIG. 8, the home subscriber server HSS800 includes: a receiver 810, a first processor 820, a second processor 830, and a transmitter 840;

The receiver 810 is configured to receive a request for an authentication vector sent by the SGSN, where the request for the authentication vector is sent by the SGSN to the SGSN after receiving the UMTS attach request message sent by the access network element, the first processor The 820 is configured to: after the receiver 810 receives the request for the authentication vector, identify that the LTE UE accesses the 2G or 3G network;

The second processor 830 is configured to generate a special authentication vector after the first processor 820 recognizes that the LTE UE accesses the 2G or 3G network;

The transmitter 840 is configured to send the special authentication vector to the SGSN, so that the SGSN, the access network element, and the LTE UE complete the security authentication.

In the embodiment of the present invention, in order to enable the LTE UE to use the 2G or 3G core network, in the HSS After the LTE UE accesses the 2G/3G core network, the HSS generates a special authentication vector for the LTE UE, so that the SGSN, the access network element, and the LTE UE complete the security authentication, so that the LTE UE accesses the 2G or 3G. Network, so that LTE UEs can use 2G or 3G core network resources.

The SGSN sends a UMTS AKA authentication challenge to the access network element, and the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the challenge to the LTE UE, where the LTE UE performs the LTE AKA authentication challenge. After the RES and the key K _{ASME are} verified and generated, the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication. .

Optionally, the special authentication vector includes XRES, CK, and IK;

The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, and the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the The SGSN sends the CK and or IK to the access network element, and the access network element generates K _ASME according to the CK and or IK, and the access network element and the LTE UE share the K _ASME .

Optionally, the HSS further includes a memory 850, where the memory 850 is configured to store a list, where the list includes identifier information of the LTE UE that accesses the 2G/3G network;

Optionally, the first processor 820 is located in the identifier information in the list, and the identifier information of the LTE UE is included in the list, and the HSS identifies that the LTE UE accesses the 2G or 3G. The internet.

Optionally, the generating, by the second processor 830, the special authentication vector after the first processor 820 identifies that the LTE UE accesses the 2G or 3G network includes:

The second processor 830 is configured to add indication information to the request for the authentication vector, where the indication information is used to indicate that the HSS generates the special authentication vector;

The second processor 830 is configured to generate EPS AV for the LTE UE;

further,

The second processor 830 is configured to set the 0th bit in the authentication management domain AMF to 1 to indicate that the authentication vector is EPS AV;

The second processor 830 is configured to generate RAND, AUTN, CK, IK and XRES;

The second processor 830 is configured to derive KASME according to CK and IK, and the derivation rule may be K _ASME =KDF ( CK, IK ), and KDF is a key derivation function;

Optionally, the second processor 830 is configured to convert the EPS AV into a UMTS AV format, so that the EPS AV can be sent to the SGSN through an existing UMTS authentication response. The method of converting EPS AV into UMTS AV format includes: using RAND, AUTN and XRES in EPS AV as RAND, AUTN and XRES of UMTS AV, and splitting K _ASME (256bits) in EPS AV into two parts, respectively as UMTS AV's CK (128bits) and IK (128bits). After the EPS AV is converted into the UMTS AV format, the value of the 0th bit of the AMF in the AUTN is still 1. The vector obtained by converting the EPS AV into the UMTS AV format is the special authentication vector.

In the embodiment of the present invention, the message sent by the LTE UE is converted to be applicable to the network element of the access network.

The message of the 2G or 3G network is recognized by the HSS. The LTE UE accesses the 2G or 3G through the access network element. After the scenario of the network, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN. The LTE UE does not need to be modified, so that the LTE UE can complete the security authentication to access the 2G or 3G network, so that the LTE UE uses the 2G or 3G core network resources.

Figure 9 shows a schematic block diagram of a GPRS service support node 900 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 9 and its description, the apparatus disclosed in FIG. 1 to FIG. 4 and the method disclosed in FIG. 1 to FIG. 4 according to the embodiment of the present invention may also be based on the embodiment of the present invention, FIG. 5 and FIG. Revealed device. As shown in FIG. 9, the GPRS service supporting node SGSN900 includes: a receiver 910; a transmitter 920;

The receiver 910 is configured to receive a UMTS attach request message sent by an access network element, where the UMTS attach request is obtained by converting, by the access network element, an attach request message sent by the LTE UE;

The transmitter 920 is configured to send a request for an authentication vector to the HSS after the receiver 910 receives the UMTS attach request message, so that the HSS receives the request and identifies that the LTE UE accesses the 2G or 3G network, and further So that the HSS generates the special authentication vector;

The receiver 910 is further configured to receive the special authentication vector from the HSS, where the transmitter 920 is further configured to send a UMTS AKA authentication challenge to the access network element after the receiver 910 receives the special authentication vector. So that the SGSN, the access network element, and the LTE UE complete the security authentication.

Optionally, the SGSN, the access network element, and the LTE UE complete the security authentication, where the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the LTE UE to the LTE UE. After the LTE UE performs the verification according to the LTE AKA authentication challenge and generates the RES and the key K _ASME , the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the The SGSN and the LTE UE further complete the security recognition Certificate.

Optionally, the SGSN further includes a processor 930;

Optionally, the special authentication vector includes XRES, CK, and IK;

The access network element converts the LTE ΑΚΑ authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the receiver 910, the processor 930 is configured to compare whether the RES and the XRES are the same, when the comparison When the result is the same, the transmitter 920 sends the CK and or IK to the access network element, and the access network element generates the K _ASME according to the CK and or IK, and the CK and or IK are sent by the The 920 is sent, and the access network element and the LTE UE share the K _ASME .

Optionally, the comparing, by the processor 930, whether the RES and the XRES are the same further includes: when the comparison result is different, the security authentication is suspended.

Optionally,

The HSS generates EPS AV for the LTE UE;

Optionally, the HSS converts the EPS AV into a UMTS AV format, including:

The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS The AUTN in the EPS AV is used as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K _ASME in the EPS AV into two parts, respectively as the UMTS AV of the CK and the IK.

KASME.

FIG. 10 shows a schematic block diagram of an access network element 1000 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 10 and its description, the apparatus disclosed in FIG. 1 to FIG. 4 and the method disclosed in FIG. 1 to FIG. 4 based on the embodiment of the present invention may also be based on the embodiments of the present invention and FIGS. 5 to 9 and The apparatus disclosed in Figures 5-9. As shown in FIG. 10, the access network element 1000 includes: a receiver 1010, a processor 1020, and a transmitter 1030.

The receiver 1010 is configured to receive an attach request message from an LTE UE, where the processor 1020 is configured to convert the attach request message into a UMTS attach request message.

The transmitter 1030 is configured to send the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the HSS, and the HSS receives the request of the SGSN to identify that the LTE UE accesses the 2G or 3G network. The receiver 1010 is further configured to receive a UMTS AKA authentication challenge sent by the SGSN, where the UMTS AKA authentication challenge is sent after the SGSN receives the special authentication vector sent by the HSS; The 1020 is further configured to convert the UMTS AKA authentication challenge into an LTE AKA authentication challenge, where the transmitter 1030 is further configured to send the LTE AKA authentication challenge to the LTE UE, where the access network element, the SGSN, and the LTE UE are used. Complete safety certification. In the embodiment of the present invention, the information sent by the LTE UE is converted into the information applicable to the 2G or 3G network system by the access network element, and the scene that the LTE UE accesses the 2G or 3G network is identified by the HSS, and is generated by the HSS. The special authentication vector enables the access network element, the SGSN, and the LTE UE to perform security authentication, so that the LTE UE can use the existing 2G or 3G core network.

The receiver 1010 is configured to receive an LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete security authentication.

Optionally, the special authentication vector includes XRES, CK, and IK;

The processor 1020 is further configured to convert the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES, where the transmitter 1030 is further configured to send the UMTS AKA authentication response including the RES to the SGSN, so that The SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the access network element.

The processor 1020 is further configured to generate a K _ASME according to the CK and or IK, and the access network element and the LTE UE share the K _ASME .

Optionally,

The HSS learns that the identifier information of the LTE UE is included in the identifier information in the list. In the list, the HSS recognizes that the LTE UE accesses the 2G or 3G network.

The HSS generates EPS AV for the LTE UE;

Optionally, the HSS converts the EPS AV into a UMTS AV format, including:

The HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS The K _ASME (256 bits) in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.

Alternatively, the processor 1020 is further used for generating rules according to K _ASME = CKIIIK, which generates based on the K _ASME and CK or IK. ΊΓ indicates concatenation, IK is added after CK.

The message of the 2G or 3G network is identified by the HSS. After the LTE UE accesses the 2G or 3G core network through the access network element, the HSS generates a special authentication vector, and completes the LTE UE through the access network element and the SGSN. Security certification between the network and the network. The LTE UE does not need to be modified, so that the LTE UE can complete the security authentication to access the 2G or 3G network, so that the LTE UE uses the 2G or 3G core network resources. Through the description of the above embodiments, it will be apparent to those skilled in the art that the present invention can be implemented in hardware, firmware implementation, or a combination thereof. When implemented in software, the functions described above may be stored in or transmitted as one or more instructions or code on a computer readable medium. Computer readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one location to another. A storage medium may be any available media that can be accessed by a computer. Take this as an example but Not limited to: Computer readable media may include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage media or other magnetic storage device, or can be used to carry or store desired program code in the form of an instruction or data structure. And any other medium that can be accessed by a computer. Also. Any connection may suitably be a computer readable medium. For example, if the software is transmitted from a website, server, or other remote source using coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable , fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, wireless, and microwaves are included in the fixing of the associated media. As used in the present invention, a disk and a disc include a compact disc (CD), a laser disc, a compact disc, a digital versatile disc (DVD), a floppy disc, and a Blu-ray disc, wherein the disc is usually magnetically copied, and the disc is The laser is used to optically replicate the data. Combinations of the above should also be included within the scope of the computer readable media. In summary, the above description is only a preferred embodiment of the technical solution of the present invention, and is not intended to limit the scope of the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and scope of the present invention are intended to be included within the scope of the present invention.

Claims

Rights request

1. A security authentication method for a mobile communication system, characterized by including:

After the home user server HSS receives the request for the authentication vector sent by the GPRS service support node SGSN, the HSS identifies that the LTE UE is accessing the 2G or 3G network. The request for the authentication vector is sent by the SGSN after receiving the access network The UMTS attach request message sent by the network element is then sent to the SGSN;

After the HSS identifies that the LTE UE is accessing the 2G or 3G network, the HSS generates a special authentication vector;

The HSS sends the special authentication vector to the SGSN, so that the SGSN, the access network element and the LTE UE complete security authentication.

2. The method according to claim 1, wherein the UMTS attach request message is obtained by converting the attach request message by the access network element, and the attach request message is sent by the LTE UE.

3. The method according to claim 1 or 2, wherein the step of enabling the SGSN, the access network element and the LTE UE to complete security authentication includes: the network element challenges the UMTS AKA authentication After being converted into an LTE AKA authentication challenge and sent to the sum key _KASME , the LTE UE sends the LTE AKA authentication response containing the RES to the access network element, so that the access network element , the SGSN and the LTE UE further complete security authentication.

4. The method according to any one of claims 1 to 3, characterized in that,

The special authentication vector contains XRES, CK, and IK;

The steps for the access network element, the SGSN and the LTE UE to further complete security authentication include:

The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response. The UMTS AKA authentication response should be sent to the SGSN. The SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the SGSN. The access network element generates _KASME according to the CK and or IK, and the access network element and the LTE UE share the _KASME .

5. The method according to claim 4, wherein the SGSN comparing whether the RES and the XRES are the same also includes, when the comparison result is not the same, suspending security authentication.

6. The method according to any one of claims 1 to 5, characterized in that the HSS identification is that the LTE UE accesses the 2G or 3G network including:

The HSS is equipped with a list, and the list includes identification information of LTE UEs accessing the 2G/3G network;

The HSS learns that the identification information of the LTE UE is included in the list according to the identification information in the list, and then the HSS identifies that the LTE UE accesses the 2G or 3G network.

7. The method according to any one of claims 1 to 6, characterized in that the HSS generating a special authentication vector includes:

The HSS adds indication information to the request for an authentication vector, and the indication information is used to instruct the HSS to generate the special authentication vector;

The HSS generates EPS AV for the LTE UE;

The HSS converts the EPS AV into the UMTS AV format, and the EPS AV converted into the UMTS AV format is the special authentication vector.

8. The method according to claim 7, wherein the HSS converting the EPS AV into the UMTS AV format includes:

The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as The UMTS AV XRES, the HSS will The _KASME in the EPS AV is split into two parts, which are respectively used as the CK and the IK of the UMTS AV.

9. The method according to any one of claims 4 to 8, characterized in that, the access network element generating _KASME according to the CK and or IK includes:

The access network element generates the KASME O according to the generation rule _KASME =CKIIIK according to the CK and or IK

10. A security authentication method for a mobile communication system, characterized by including:

The SGSN receives the UMTS attach request message sent by the access network element, and the UMTS attach request message is obtained by converting the attach request message sent by the LTE UE by the access network element;

After the SGSN receives the UMTS attach request message sent by the access network element, the SGSN sends a request for an authentication vector to the HSS, so that the HSS can identify it after receiving the request from the SGSN. The LTE UE accesses the 2G or 3G network, so that the HSS generates the special authentication vector;

After receiving the special authentication vector from the HSS, the SGSN sends UMTS

The AKA authentication challenge is given to the access network element so that the SGSN, the access network element and the LTE UE complete security authentication.

11. The method according to claim 10, wherein the step of enabling the SGSN, the access network element and the LTE UE to complete security authentication includes:

After the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and verifies it and generates the RES and key K _ASME , the LTE UE sends the LTE AKA authentication response containing the RES to the access network element. Access network element, so that the access network element, the SGSN and the LTE UE further complete security authentication.

12. The method according to claim 10 or 11, characterized in that,

The special authentication vector includes XRES, CK, and IK; The steps for the access network element, the SGSN and the LTE UE to further complete security authentication include:

The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN. The SGSN compares the RES and the XRES to see whether they are the same. When the comparison results are the same, the SGSN sends the CK and or IK to the access network element, and the access network element generates _KASME according to the CK and or IK. The access network The network element and the LTE UE share the _KASME .

13. The method according to claim 12, wherein the SGSN comparing whether the RES and the XRES are the same also includes, when the comparison result is not the same, suspending the security authentication.

14. The method according to any one of claims 10 to 12, characterized in that, enabling the HSS to identify that the LTE UE accesses the 2G or 3G network after receiving the request from the SGSN includes:

15. The method according to any one of claims 10 to 14, wherein the step of generating the special authentication vector after the HSS receives the request from the SGSN includes:

The HSS generates EPS AV for the LTE UE;

16. The method according to claim 15, wherein the HSS converting the EPS AV into the UMTS AV format includes: The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as The XRES of the UMTS AV and the HSS split the _KASME in the EPS AV into two parts, which are respectively used as the CK and the IK of the UMTS AV.

17. The method according to any one of claims 12 to 16, characterized in that, the access network element generating K _ASME based on the CK and or IK includes:

18. A security authentication method for a mobile communication system, characterized by including:

The access network element sends the UMTS attach request message to the SGSN, so that the SGSN sends a request for an authentication vector to the HSS. After receiving the request from the SGSN, the HSS identifies that it is the LTE UE. Access the 2G or 3G network so that the HSS can generate a special authentication vector;

The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE, so that the access network element, the SGSN and the LTE UE complete security authentication.

19. The method according to claim 18, wherein the step of completing security authentication for the access network element, the SGSN and the LTE UE includes:

The LTE UE generates a RES and a key K _ASME after verifying the LTE AKA authentication challenge; the access network element receives the LTE AKA authentication sent by the LTE UE and includes the RES. authentication response, so that the access network element, the SGSN and the LTE UE further complete security authentication.

20. The method according to claim 18 or 19, characterized in that,

The special authentication vector includes XRES, CK and IK;

The steps for the access network element, the SGSN and the LTE UE to further complete the security authentication include:

The access network element converts the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES, and the access network element sends the UMTS AKA authentication response including the RES to The SGSN is configured to compare whether the RES and the XRES are the same, and when the comparison result is the same, the SGSN sends the CK and or IK to the access network element;

The access network element generates _KASME based on the CK and or IK, and the access network element and the LTE UE share the _KASME .

21. The method according to claim 20, wherein the SGSN comparing whether the RES and the XRES are the same also includes, when the comparison result is not the same, suspending the security authentication.

22. The method according to any one of claims 18 to 21, characterized in that, after the HSS receives the request from the SGSN, identifying that the LTE UE accesses the 2G or 3G network includes: the HSS Equipped with a list, the list includes identification information of LTE UEs accessing the 2G/3G network;

23. The method according to any one of claims 18 to 22, wherein the step of generating a special authentication vector by the HSS includes:

The HSS adds indication information to the request for authentication vector, and the indication information is used to Instruct the HSS to generate the special authentication vector; The HSS generates EPS AV for the LTE UE;

24. The method according to claim 23, wherein the HSS converting the EPS AV into the UMTS AV format includes:

The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as The XRES of the UMTS AV and the HSS split the _KASME in the EPS AV into two parts, which are respectively used as the CK and the IK of the UMTS AV.

25. The method according to any one of claims 20 to 24, wherein the access network element generating K _ASME based on the CK and or IK includes:

The access network element generates the _KASME according to the generation rule _KASME =CKIIIK according to the CK and or IK.

26. An HSS, characterized by including: a receiving module, an identification module, a processing module, and a sending module;

The receiving module is configured to receive a request for an authentication vector sent by the SGSN. The request for an authentication vector is sent to the SGSN by the SGSN after receiving the UMTS attach request message sent by the access network element. The identification module is configured to identify that the LTE UE is accessing the 2G or 3G network after the receiving module receives the request for an authentication vector;

The processing module is used to generate a special authentication vector after the identification module identifies that the LTE UE accesses the 2G or 3G network;

The sending module is used to send the special authentication vector to the SGSN, so that the SGSN, the access network element and the LTE UE complete security authentication.

27. The HSS according to claim 26, wherein the UMTS attach request The message is obtained by converting the attach request message by the access network element, and the attach request message is sent by the LTE UE.

28. The HSS according to claim 26 or 27, wherein the step of enabling the SGSN, the access network element and the LTE UE to complete security authentication includes: the network element challenges the UMTS AKA authentication After being converted into an LTE AKA authentication challenge and sent to the sum key K _ASME , the LTE UE sends the LTE AKA authentication response containing the RES to the access network element, so that the access network element , the SGSN and the LTE UE further complete security authentication.

29. The HSS according to any one of claims 26 to 28, characterized in that,

The special authentication vector contains XRES, CK, and IK;

The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN. The SGSN compares the RES and the XRES to see whether they are the same. When the comparison results are the same, the SGSN sends the CK and or IK to the access network element, and the access network element generates _KASME according to the CK and or IK, and the access network The network element and the LTE UE share the _KASME .

30. The HSS according to claim 29, characterized in that the SGSN compares the

Whether the RES and the XRES are the same also includes: when the comparison result is not the same, the security authentication is suspended.

31. The HSS according to any one of claims 26 to 30, characterized in that, the HSS further includes a storage module, the storage module is used to store a list, the list includes access to the 2G/3G network Identification information of LTE UE;

The identification module obtains the identification information of the LTE UE according to the identification information in the list. If the identification information is included in the list, the HSS identifies that the LTE UE is accessing the 2G or 3G network.

32. The HSS according to any one of claims 26 to 31, wherein the processing module is configured to generate a special authentication vector after the identification module identifies that the LTE UE accesses the 2G or 3G network, including:

The processing module is configured to add indication information to the request for an authentication vector, and the indication information is used to instruct the HSS to generate the special authentication vector; the processing module is configured to generate EPS AV for the LTE UE;

The processing module is used to convert the EPS AV into the UMTS AV format, and the EPS AV converted into the UMTS AV format is the special authentication vector.

33. The HSS according to claim 32, characterized in that the processing module used to convert the EPS AV into the UMTS AV format includes:

The processing module is used to use the RAND in the EPS AV as the RAND of the UMTS AV, the processing module is used to use the AUTN in the EPS AV as the AUTN of the UMTS AV, and the processing module is used to The XRES in the EPS AV is used as the XRES of the UMTS AV, and the processing module is used to split the _KASME in the EPS AV into two parts, which are respectively used as the CK and the UMTS AV. IK.

34. The HSS according to any one of claims 29 to 33, wherein the access network element generating _KASME according to the CK and or IK includes:

35. A SGSN, characterized in that it includes: a receiving module; a sending module;

The receiving module is used to receive the UMTS attach request message sent by the access network element. The UMTS attach request is obtained by converting the attach request message sent by the LTE UE by the access network element;

The sending module is configured to receive the UMTS attach request message in the receiving module Then, send a request for an authentication vector to the HSS, so that the HSS recognizes that the LTE UE is accessing the 2G or 3G network after receiving the request, and then the HSS generates the special authentication vector;

The receiving module is also configured to receive the special authentication vector from the HSS. The sending module is also configured to send a UMTS AKA authentication challenge to the access after the receiving module receives the special authentication vector. network element, so that the SGSN, the access network element and the LTE UE complete security authentication.

36. The SGSN according to claim 35, wherein the step of enabling the SGSN, the access network element and the LTE UE to complete security authentication includes:

37. The SGSN according to claim 35 or 36, characterized in that the SGSN further includes a processing module;

The special authentication vector includes XRES, CK, and IK;

The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the receiving module. The processing module is used to compare whether the RES and the XRES are the same, when the comparison results are the same, the sending module sends the CK and or IK to the access network element, and the access network element generates _KASME according to the CK and or IK, The CK and or IK are sent by the sending module, and the access network element and the LTE UE share the _KASME .

38. The SGSN according to claim 37, characterized in that the processing module is used to compare Comparing whether the RES and the XRES are the same also includes: when the comparison result is not the same, suspending the security authentication.

39. The SGSN according to any one of claims 47 to 50, wherein the step of enabling the HSS to identify that the LTE UE is accessing the 2G or 3G network after receiving the request includes: the HSS is equipped with A list, the list includes identification information of LTE UEs accessing the 2G/3G network;

40. The SGSN according to any one of claims 35 to 39, wherein the step of generating the special authentication vector by the HSS includes:

The HSS adds indication information to the request for an authentication vector, and the indication information is used to instruct the HSS to generate the special authentication vector; the HSS generates EPS AV for the LTE UE;

41. The SGSN according to claim 40, wherein the HSS converting the EPS AV into the UMTS AV format includes:

42. The SGSN according to any one of claims 37 to 41, wherein the access network element generating _KASME according to the CK and or IK includes:

The access network element is generated according to the generation rule _KASME =CKIIIK according to the CK and or IK. into the KASME O

43. An access network element, characterized in that it includes: a receiving module, a processing module, and a sending module;

The receiving module is used to receive the attach request message from the LTE UE; the processing module is used to convert the attach request message into a UMTS attach request message;

The sending module is configured to send the UMTS attach request message to the SGSN, so that the SGSN sends a request for an authentication vector to the HSS. After receiving the request from the SGSN, the HSS identifies that the LTE UE is connected. Enter the 2G or 3G network, so that the HSS can generate a special authentication vector;

The receiving module is also used to receive the UMTS AKA authentication challenge sent by the SGSN. The UMTS AKA authentication challenge is sent after the SGSN receives the special authentication vector sent by the HSS;

The processing module is also used to convert the UMTS AKA authentication challenge into an LTE AKA authentication UE, so that the access network element, the SGSN and the LTE UE complete security authentication.

44. The access network element according to claim 43, wherein the step of enabling the access network element, the SGSN and the LTE UE to complete security authentication includes:

The LTE UE generates RES and key K _ASME after verifying the LTE AKA authentication challenge; the receiving module is used to receive the LTE AKA authentication response containing the RES sent by the LTE UE, so that the access network The SGSN and the LTE UE further complete security authentication.

45. The access network element according to claim 43 or 44, characterized in that,

The special authentication vector includes XRES, CK and IK;

The processing module is also used to convert the LTE AKA authentication response containing the RES into The UMTS AKA authentication response of the RES, the sending module is also configured to send the UMTS AKA authentication response containing the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are the same, when When the comparison results are the same, the SGSN sends the CK and or IK to the access network element;

The processing module is also configured to generate _KASME according to the CK and or IK, and the access network element and the LTE UE share the _KASME .

46. The access network element according to claim 45, wherein the SGSN comparing whether the RES and the XRES are the same also includes, when the comparison result is not the same, suspending security authentication.

47. The access network element according to any one of claims 43 to 46, characterized in that, after receiving the request from the SGSN, the HSS identifies that the LTE UE accesses 2G or 3G network including:

48. The access network element according to any one of claims 43 to 47, wherein the step of generating a special authentication vector for the HSS includes:

The HSS generates EPS AV for the LTE UE;

49. The access network element according to claim 48, wherein the HSS converting the EPS AV into the UMTS AV format includes: The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as The XRES of the UMTS AV and the HSS split the _KASME (256 bits) in the EPS AV into two parts, which are respectively used as the CK and the IK of the UMTS AV.

50. The access network element according to any one of claims 45 to 49, characterized in that the processing module is further configured to generate the K according to the generation rule _KASME =CKIIIK according to the CK and or IK _ASME .