WO2016086355A1 - Authentication method within wireless communication network, related apparatus and system - Google Patents


Info

Publication number
WO2016086355A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
network
user equipment
request message
vector
Prior art date
Application number
PCT/CN2014/092787
Other languages
French (fr)
Chinese (zh)
Inventor
崇卫微
吴晓波
吕阳明
陈璟
席国宝
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to PCT/CN2014/092787 (WO2016086355A1)
Priority to CN201480083832.2A (CN107005842B)
Publication of WO2016086355A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 12/00: Security arrangements; authentication; protecting privacy or anonymity
    • H04W 12/06: Authentication

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to an authentication method, related device, and system in a wireless communication network.
  • Authentication is part of mobile network security management to achieve the confidentiality and data integrity of mobile networks.
  • UE User Equipment
  • the UE triggers the authentication process by initiating a registration request, a service request, or a handover request to the network.
  • authentication is a one-way process in which the network verifies the legitimacy of the UE; in the third generation (3G) network or Long Term Evolution (LTE) network, in addition to the network verifying the legitimacy of the UE, the UE also needs to verify the validity of the network, that is, perform network authentication.
  • 3G Third Generation
  • LTE Long Term Evolution
  • the authentication process is performed domain by domain, that is, the packet switching (PS) domain and the circuit switching (CS) domain each perform their own authentication process; PS domain authentication is initiated by the Mobility Management Entity (MME) or by the General Packet Radio Service (GPRS) Service Support Node (SGSN).
  • MME Mobility Management Entity
  • GPRS General Packet Radio Service
  • SGSN GPRS Service Support Node
  • the CS domain authentication is initiated by the Mobile Switching Center (MSC).
  • MSC Mobile Switching Center
  • the UE needs to perform network authentication on the PS domain and on the CS domain respectively.
  • the MSC/SGSN sends an authentication request message carrying the authentication vector to the UE.
  • the UE first determines the validity of the network according to the authentication request message. If the network is legal, the UE then verifies whether it is synchronized with the network. If synchronization succeeds, the UE has successfully authenticated the network and returns a response message to the network, and the MSC/SGSN verifies the validity of the UE according to that response message. If synchronization fails, the UE replies to the MSC/SGSN with an authentication failure message carrying the cause value, and the MSC/SGSN sends an authentication request message to the UE again.
  • the UE may fail to perform network authentication on the CS domain; or, when the CS domain authentication is inserted before the PS domain authentication and the MME/SGSN that initiates the PS domain authentication process has saved an unused authentication vector, the UE may fail network authentication for the PS domain.
  • once the MSC/SGSN/MME has received the authentication failure message from the UE twice, the authentication process is terminated and an authentication rejection message is sent to the UE. Once the UE receives the authentication rejection message, it cannot initiate services normally until it restarts, which has a serious impact on the user.
  • the embodiments of the present invention provide an authentication method, a related device, and a system in a wireless communication network, which can solve the problem of authentication failure in the prior art.
  • an embodiment of the present invention provides an authentication method in a wireless communication network, where the method includes:
  • the core network device that stores an unused authentication vector for the user equipment sends a first authentication data request message to the authentication device, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment; the core network device receives the first authentication data response message returned by the authentication device, which carries the first authentication vector;
  • the core network device sends a first authentication request message to the user equipment, where the first authentication request message includes a random number and an authentication token in the first authentication vector. That the user equipment has an unused authentication vector saved for it means that the unused authentication vector is associated with the user equipment or was generated for the user equipment.
  • the method further includes: after the user equipment accesses the first network where the core network device is located, the core network device determines that the user equipment is a user equipment that is accessed from the second network to the first network;
  • the network standard of the first network is different from the network standard of the second network.
  • the first network is a 3G network
  • the second network is an LTE network, a 2G network, a 5G network, or a 4.5G network.
  • the first network is an LTE network
  • the second network is a 5G network or a 4.5G network.
  • before the core network device that saves an unused authentication vector for the user equipment sends the first authentication data request message to the authentication device, the method further includes:
  • the core network device sends a second authentication data request message to the authentication device, where the second authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment; the core network device receives the second authentication data response message returned by the authentication device according to the second authentication data request message, where the second authentication data response message carries the second authentication vector and the unused authentication vector; and the core network device sends a second authentication request message to the user equipment, where the second authentication request message includes a random number and an authentication token in the second authentication vector.
  • an embodiment of the present invention provides an authentication method in a wireless communication network, where the method includes:
  • the authentication device receives a first authentication data request message sent by a core network device that has saved an unused authentication vector for the user equipment, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment; the authentication device generates a first authentication data response message according to the first authentication data request message, where the first authentication data response message includes a first authentication vector generated by the authentication device for the user equipment; and the authentication device returns the first authentication data response message to the core network device.
  • before the authentication device receives the first authentication data request message sent by the core network device that has saved an unused authentication vector for the user equipment, the method further includes:
  • the authentication device receives a second authentication data request message sent by the core network device, where the second authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment;
  • the authentication device generates a second authentication data response message according to the second authentication data request message, where the second authentication data response message includes a second authentication vector generated by the authentication device for the user equipment and the unused authentication vector; and the authentication device returns the second authentication data response message to the core network device.
  • an embodiment of the present invention provides a core network device, where the core network device includes:
  • a storage unit configured to save an unused authentication vector for the user equipment
  • an acquiring unit configured to send a first authentication data request message to the authentication device while the storage unit holds the unused authentication vector, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment, and to receive a first authentication data response message returned by the authentication device according to the first authentication data request message, where the first authentication data response message includes a first authentication vector;
  • a sending unit configured to send a first authentication request message to the user equipment, where the first authentication request message includes a random number and an authentication token in the first authentication vector.
  • the core network device further includes:
  • a determining unit configured to determine, after the user equipment accesses the first network where the core network device is located, that the user equipment is a user equipment that has accessed the first network from the second network;
  • the network system of the first network is different from the network system of the second network.
  • the acquiring unit is specifically configured to send the first authentication data request message to the authentication device after the determining unit determines that the user equipment is a user equipment that has accessed the first network from the second network.
  • the first network is a 3G network and the second network is an LTE network, a 2G network, a 5G network or a 4.5G network; or the first network is an LTE network and the second network is a 5G network or a 4.5G network.
  • the acquiring unit is further configured to send a second authentication data request message to the authentication device before sending the first authentication data request message, where the second authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment, and to receive the second authentication data response message returned by the authentication device according to the second authentication data request message, where the second authentication data response message carries the second authentication vector and the unused authentication vector; the sending unit is further configured to send a second authentication request message to the user equipment before the acquiring unit sends the first authentication data request message to the authentication device, where the second authentication request message includes a random number and an authentication token in the second authentication vector.
  • the embodiment of the present invention further provides an authentication device, where the authentication device includes: a receiving unit, configured to receive a first authentication data request message sent by a core network device that stores an unused authentication vector for the user equipment, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment; a processing unit, configured to generate a first authentication data response message according to the first authentication data request message, where the first authentication data response message includes a first authentication vector generated for the user equipment; and a sending unit, configured to return the first authentication data response message to the core network device.
  • the receiving unit is further configured to: before receiving the first authentication data request message, receive a second authentication data request message sent by the core network device.
  • the processing unit is further configured to generate a second authentication data response message according to the second authentication data request message, where the second authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment, and the second authentication data response message includes a second authentication vector generated for the user equipment and the unused authentication vector; the sending unit is further configured to return the second authentication data response message to the core network device.
  • the embodiment of the present invention further provides an authentication system, including the core network device according to the third aspect or any implementation of the third aspect, and the authentication device according to the fourth aspect or any implementation of the fourth aspect.
  • the embodiment of the present invention further provides an authentication method in a wireless communication network, where the method includes: after the user equipment accesses the Long Term Evolution (LTE) network from the 3G network, the mobility management entity (MME) of the LTE network acquires an unused authentication vector saved for the user equipment by the GPRS service support node (SGSN) of the 3G network;
  • the MME deletes or discards the unused authentication vector, so that after the user equipment re-accesses the 3G network from the LTE network, the MME cannot send the unused authentication vector to the SGSN.
  • the MME of the LTE network acquiring the unused authentication vector saved for the user equipment by the SGSN of the 3G network includes: the MME receives a first forward relocation request message from the first SGSN, where the first forward relocation request message includes the unused authentication vector.
  • the method further includes:
  • after the user equipment re-accesses the 3G network from the LTE network, the MME receives a second context request message sent by the SGSN and returns a second context response message to the SGSN, where the second context response message does not include the unused authentication vector; or
  • the MME sends a second forward relocation request message to the SGSN, where the second forward relocation request message does not include the unused authentication vector.
  • an embodiment of the present invention provides a mobility management entity MME, including:
  • an acquiring unit configured to acquire, after the UE accesses the LTE network from the 3G network, an unused authentication vector saved by the SGSN of the 3G network for the UE.
  • the acquiring unit may receive, by using a context request message sent by the SGSN of the 3G network, a first context response message returned by the SGSN, where the first context response message includes the unused authentication vector;
  • the acquiring unit may receive, by the first SGSN of the 3G network, a first forward relocation request message, where the first forward relocation request message includes the unused authentication vector;
  • a processing unit configured to delete or discard the unused authentication vector, so that after the UE re-accesses the 3G network from the LTE network, the MME cannot send the unused authentication vector to the SGSN.
  • the acquiring unit is further configured to: after the user equipment re-accesses the 3G network from the LTE network, receive a second context request message sent by the SGSN and return a second context response message to the SGSN, where the second context response message does not include the unused authentication vector; or, after the user equipment re-accesses the 3G network from the LTE network, send a second forward relocation request message to the SGSN, where the second forward relocation request message does not include the unused authentication vector.
  • an embodiment of the present invention provides a core network device, including a processor, a memory, a bus, and a communication interface.
  • the memory is configured to store computer-executable instructions;
  • the processor is connected to the memory through the bus, and when the core network device is in operation, the processor executes the computer-executable instructions stored in the memory, so that
  • the core network device performs the authentication method in the wireless communication network according to the first aspect or any one of the possible implementation manners of the first aspect.
  • an embodiment of the present invention provides an authentication device, where the authentication device includes a processor, a memory, a bus, and a communication interface.
  • the memory is configured to store computer-executable instructions;
  • the processor is connected to the memory through the bus, and when the authentication device is in operation, the processor executes the computer-executable instructions stored in the memory, so that
  • the authentication device performs the authentication method in the wireless communication network according to the second aspect or any one of the possible implementation manners of the second aspect.
  • An embodiment of the present invention provides an authentication method in a wireless communication network. Before the core network device sends an authentication request message to the UE, even if the core network device has saved an unused authentication vector for the UE, it acquires a first authentication vector from the authentication device and sends the authentication request message to the UE using the random number and the authentication token in that first authentication vector, thereby starting the network authentication process between the UE and the core network device. The above method ensures that each time CS domain or PS domain network authentication is performed, the core network device obtains a first authentication vector from the authentication device for that authentication, instead of using the unused authentication vector it has saved.
  • FIG. 1 is an authentication method in a wireless communication network according to an embodiment of the present invention
  • FIG. 3 is another authentication method in a wireless communication network according to an embodiment of the present invention.
  • FIG. 5 is another authentication method in a wireless communication network according to an embodiment of the present invention.
  • FIG. 6 is a schematic diagram of a core network device according to an embodiment of the present disclosure.
  • FIG. 7 is a schematic diagram of an authentication device according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of an authentication system according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of an authentication device in a wireless communication network according to an embodiment of the present invention.
  • the embodiments of the present invention provide a method, a related device, and a system for authenticating in a wireless communication network, which can solve the problem of authentication failure caused by synchronization failure in the prior art.
  • the UE needs to verify whether it is synchronized with the network. If it is not synchronized, the authentication process fails.
  • the UE needs to obtain a sequence number (SQN) from the authentication vector sent by the core network device (MME/MSC/SGSN) and detect whether the sequence number satisfies a series of detection conditions, including whether the sequence (SEQ) contained in the sequence number satisfies SEQ_MS - SEQ < L, where L is usually set by the operator (L may be 32) and SEQ_MS is the sequence of the largest sequence number currently stored by the UE itself.
  • the SQN generated by the authentication device is usually expressed in binary, consisting of two parts, SEQ and IND.
  • the authentication device stores a difference (DIF) value for each user equipment in its own database, and the DIF value of each user equipment is different; the DIF value of a user equipment represents the difference between the SEQ value generated for that user equipment and the value of the global counter (GLC). Thus the SEQ generated for the same UE is only related to the value of the global counter GLC.
  • the inventor has found that in the prior art, since the UE does not completely separate the synchronization detection of the PS domain and the CS domain, once the PS domain authentication is inserted before the CS domain authentication and the MSC that initiates the CS domain authentication process has saved an unused authentication vector, the UE may fail network authentication on the CS domain; or, when the CS domain authentication is inserted before the PS domain authentication and the MME/SGSN that initiates the PS domain authentication process has saved an unused authentication vector, the UE may fail network authentication on the PS domain.
  • for example, before the core network device initiates the first CS domain authentication, the MSC may obtain multiple authentication vectors AV_C11 and AV_C12 from the authentication device; after the first CS domain authentication is performed, the unused authentication vector AV_C12 is still stored in the MSC. Later, because of a change of the radio access type of the UE or for other reasons, PS domain authentication and a second CS domain authentication may need to be initiated for the UE, and the PS domain authentication may come before the second CS domain authentication.
  • if, during the second CS domain authentication, the core network device uses the unused authentication vector AV_C12 that it saved from the first CS domain network authentication, and the times at which the authentication device generated AV_P and AV_C12 differ greatly, then SEQ_MS - SEQ is not less than L, the detection condition cannot be satisfied, synchronization fails, and consequently authentication fails.
  • when authentication fails because of the synchronization failure, the core network device usually receives an authentication failure message carrying the cause value sent by the UE, where the cause value is synchronization failure, and the core network device sends an authentication data request message carrying a synchronization failure indication to the authentication device to trigger the resynchronization process. The authentication data request message carrying the synchronization failure indication further includes the sequence SEQ_MS1 of the largest sequence number stored in the UE when synchronization failed. Unlike the case of an authentication data request message without a synchronization failure indication, where the authentication device generates the sequence SEQ according to the DIF value of the UE obtained from the identity identifier of the UE, here the authentication device generates the resynchronization sequence according to SEQ_MS1.
  • the resynchronization sequence SEQ_sy is almost equal to SEQ_MS1.
  • when the UE then performs network authentication again on the CS domain, authentication failure may be caused again in the UE.
  • termination of the authentication process causes the UE to be unable to initiate a service normally until it is restarted.
  • an embodiment of the present invention provides an authentication method in a wireless communication network, which enables a core network device (MSC/SGSN/MME) to acquire a new authentication vector from the authentication device before initiating an authentication request to the UE, and to use the newly acquired authentication vector for authentication even if the core network device has saved an unused authentication vector. This ensures that each time CS domain or PS domain network authentication is performed, the SEQ included in the authentication vector is newly generated by the authentication device, so that even if the PS domain network authentication is inserted before the CS domain network authentication, or the CS domain network authentication is inserted before the PS domain network authentication, synchronization succeeds; the problem of authentication failure caused by synchronization failure in the prior art is solved, and disconnection of the UE due to authentication failure may be avoided.
  • a core network device MSC/SGSN/MME
  • the embodiment of the present invention further provides an authentication method in a wireless communication network, in which, when the core network device triggers the resynchronization process because of a synchronization failure, the authentication device does not use the sequence SEQ_MS1 of the largest sequence number stored in the UE to generate the resynchronization sequence SEQ_sy. Instead, just as for an authentication data request message that does not carry a synchronization failure indication, the authentication device directly obtains the DIF value of the UE according to the identity identifier of the UE and generates the resynchronization sequence SEQ_sy according to the DIF value of the UE and the current value of the global counter GLC (that is, the time at which the resynchronization SEQ is generated), so that SEQ_sy is not equal (or approximately equal) to SEQ_MS1. This ensures that authentication succeeds when the core network device performs authentication using the authentication vector containing the resynchronization sequence SEQ_sy, so as to avoid the problem that the UE cannot initiate services normally until it is restarted.
  • the core network device may be an MSC, an SGSN, or an MME
  • the authentication device may be an HLR, a Home Subscriber Server (HSS), an AUC, or a Home Environment (HE).
  • an embodiment of the present invention provides an authentication method in a wireless communication network, where the method includes:
  • S101: The core network device that saves the unused authentication vector for the UE sends a first authentication data request message (authentication data request) to the authentication device, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the UE.
  • when the radio access type (RAT) of the UE changes, that is, the UE moves from one network to another, the core network device of the target network initiates an authentication process for the UE.
  • the authentication process may be the network authentication process of the PS domain or the network authentication process of the CS domain.
  • CSFB Circuit Switched Fallback
  • the core network device of the 2G or 3G network may send an authentication request message to the UE to initiate the network authentication process of the CS domain or the PS domain.
  • the core network device may send a first authentication data request message to the authentication device to request to obtain an authentication vector.
  • the core network device may request the authentication device to generate an authentication vector for the UE regardless of whether the core network device holds an unused authentication vector for the UE, and use the generated authentication vector to initiate network authentication of the CS domain or the PS domain. This avoids the synchronization failure, and the resulting authentication failure, that may occur in the prior art when the core network device initiates network authentication with an unused authentication vector it saved itself, and so ensures the success of network authentication as far as possible.
  • the authentication device may receive the first authentication data request message sent by the core network device that stores an unused authentication vector for the UE, generate a first authentication data response message according to the first authentication data request message, where the first authentication data response message includes the first authentication vector generated by the authentication device for the UE, and return the first authentication data response message to the core network device.
  • saving an unused authentication vector for the UE means that the unused authentication vector was generated for the UE, or that the unused authentication vector is related to the UE.
  • S102: The core network device receives a first authentication data response message (authentication data response) returned by the authentication device according to the first authentication data request message, where the first authentication data response message carries the first authentication vector.
  • the core network device sends a first authentication request message (authentication request) to the UE, where the first authentication request message includes a random number and an authentication token in the first authentication vector.
  • the first authentication vector may include a random number (RAND), an authentication token (AUTN), an expected response (XRES), an integrity key (IK), and a cipher key (CK).
  • the core network device may send the first authentication request message using the random number and the authentication token in the first authentication vector, to start the authentication process between the UE and the core network device.
  • the UE may determine the SQN according to the random number and the authentication token, that is, determine the SEQ (the SEQ contained in the SQN), so that synchronization detection between the UE and the network can be completed using the SQN (SEQ), along with the other steps of the authentication process.
  • The number of first authentication vectors obtained by the core network device from the authentication device may be one or more.
  • the multiple first authentication vectors constitute a reference.
  • the first authentication request message may include an authentication token and a random number in one of the plurality of first authentication vectors.
  • If the core network device obtained a new authentication vector from the authentication device before every authentication process, it could impose a large burden on the authentication device.
  • the authentication failure problem caused by the synchronization failure basically occurs in the authentication process after the UE switches from the LTE network to the 3G network, or occurs after the UE switches from the 2G network to the 3G network.
  • Therefore, the method of the present invention may be used only for the above scenario, and step S101 may specifically be: after the UE accesses the 3G network, the core network device of the 3G network sends a first authentication data request message to the authentication device, where the core network device stores an unused authentication vector for the UE at this time.
  • the core network devices in steps 102 and 103 refer to the core network devices of the 3G network.
  • the method may also be performed only for the scenario that the UE performs the network authentication after the UE is switched from the second network to the first network.
  • the method may further include the step S100:
  • the core network device determines that the UE is a UE that accesses the first network from the second network.
  • the core network devices in steps S101 to S103 all refer to the core network devices located in the first network.
  • The network standard of the first network is different from the network standard of the second network. For example, the first network may be a 3G network and the second network may be an LTE network or a 2G network; or the first network may be an LTE network and the second network may be a 5G/4.5G network.
  • Taking the first network being a 3G network and the second network being an LTE network as an example, S100 is: after the UE accesses the 3G network, the core network device of the 3G network determines that the UE is a UE that has accessed the 3G network from the LTE network. This ensures that, even if the core network device stores an unused authentication vector when the UE accesses the 3G network from the LTE network, the core network device obtains the first authentication vector from the authentication device and uses the first authentication vector to initiate the network authentication process.
  • There are several ways in which the core network device may determine that the UE is a UE accessing the 3G network from the LTE network.
  • For example, the core network device may determine, according to a CS domain Non-Access Stratum (CS domain NAS) message sent by the UE or the paging response message of the UE in the called scenario, whether the UE is a CSFB user; if the UE is determined to be a CSFB user, the UE is determined to be a UE that accesses the 3G network from the LTE network. The CS domain NAS message may be a connection management service request message or a location update request message, etc., and in this case the core network device may be an MSC; or,
  • the core network device may determine, according to a PS domain Non-Access Stratum (PS domain NAS) message sent by the UE, whether the UE is a UE that accesses the 3G network from the LTE network; for example, a routing area update (RAU) request message may be used to determine that the UE is a UE that accesses the 3G network from the LTE network, and in this case the core network device may be an SGSN; or,
  • the function of the base station may be enhanced, so that the base station can determine whether the UE is a CSFB user by analyzing whether the Radio Resource Control (RRC) connection request message sent by the UE includes CSFB indication information; the base station then sends a notification message to the core network device, and the core network device may determine, according to the notification message, that the UE is a UE that accesses the 3G network from the LTE network, and in this case the core network device may be an MSC or an SGSN; or,
  • the core network device may determine whether the UE is a UE that accesses the 3G network from the LTE network by determining whether an SGs interface association with the MME exists; if the SGs interface association exists, the UE is determined to be a UE that accesses the 3G network from the LTE network, and in this case the core network device may be an MSC.
  • The unused authentication vector saved in the core network device may have been acquired before the core network device initiated the previous authentication process. As shown in FIG. 2, before step S101 the method may further include:
  • the core network device sends a second authentication data request message to the authentication device, where the second authentication data request message is used to request the authentication device to generate an authentication vector for the UE.
  • Correspondingly, the authentication device may receive the second authentication data request message sent by the core network device, generate a second authentication data response message according to the second authentication data request message, where the second authentication data response message includes a second authentication vector and the unused authentication vector, and return the second authentication data response message to the core network device.
  • The core network device receives the second authentication data response message returned by the authentication device according to the second authentication data request message, where the second authentication data response message includes the second authentication vector generated by the authentication device for the UE and the unused authentication vector.
  • The core network device sends a second authentication request message to the UE, where the second authentication request message includes a random number and an authentication token in the second authentication vector.
  • That is, the second authentication vector generated for the UE and the unused authentication vector are both obtained from the authentication device; the second authentication vector is used for this authentication, and the unused authentication vector remains saved in the core network device. When the core network device subsequently needs to send the first authentication request message, it again obtains from the authentication device a first authentication vector newly generated for the UE. This avoids the authentication failure that, in the prior art, may be caused by a synchronization failure when the core network device initiates network authentication with the unused authentication vector it has saved, and so ensures the success of network authentication as far as possible.
  • The embodiment of the present invention further provides a network authentication method that can be applied to a scenario in which a PS domain authentication is inserted between two CS domain authentications.
  • For example, the scenario may be that the UE located in the LTE network initiates a joint attach procedure and is registered on the MME of the LTE network and the MSC of the 3G network; the MSC then initiates an authentication process for the UE, that is, the first CS domain authentication process, while the UE resides on the LTE network.
  • Afterwards the UE may access the 3G network from the LTE network for reasons such as CSFB, and CS domain services may be provided for it by the originally registered MSC; the SGSN and the MSC in the 3G network may then respectively initiate a PS domain authentication process and a second CS domain authentication process for the UE, and the method can ensure that authentication succeeds in the foregoing authentication processes.
  • the method may include:
  • S301 The UE located in the LTE network initiates a joint attach procedure, and is registered on the MME of the LTE network and the MSC of the 3G network.
  • an SGs interface association is established between the MME and the MSC corresponding to the UE.
  • Specifically, the UE sends an attach request message to the MME, where the attach request message includes an attach type cell, and the attach type cell is used to notify the MME that the UE requests a joint evolved packet system (EPS)/International Mobile Subscriber Identity (IMSI) attach.
  • After receiving the attach request message, the MME performs an EPS attach procedure, then selects an MSC according to the configuration information and/or the budget algorithm, and sends a location update request message to the MSC so that the UE is registered on the MSC.
  • After that, the SGs interface between the MME and the MSC enters an association state, that is, an SGs interface association corresponding to the UE is established between the two.
  • The MSC sends a second authentication data request message to the authentication device, where the second authentication data request message includes an identity of the UE, and the second authentication data request message is used to request the authentication device to generate an authentication vector for the UE.
  • the MSC or MME may be triggered to initiate an authentication process.
  • the MSC may obtain an authentication vector by using a second authentication data request message before initiating the authentication process.
  • the identity of the UE may be an IMSI.
  • the number of authentication vectors requested to be acquired may be specified. In order to save network resource expenditure, multiple authentication vectors may be acquired each time, that is, an authentication vector required for subsequent authentication is reserved.
  • the second authentication data request message may include indication information, where the indication information is used to indicate that the number of authentication vectors requested to be acquired is 3.
  • The authentication device returns a second authentication data response message to the MSC, where the second authentication data response message includes the authentication vectors AV21, AV22 and AV23 generated for the UE.
  • Each authentication vector returned by the authentication device may include a random number RAND, an authentication token AUTN, an expected response XRES, an integrity key IK, and a cipher key CK.
  • During authentication, the anonymity key AK may first be derived from the random number RAND, and then the SQN is recovered from the authentication token AUTN using the anonymity key AK and the related algorithm, so that synchronization detection can be performed, that is, it is verified whether the SQN is in the correct range.
  • the MSC sends a second authentication request message to the UE, where the second authentication request message includes RAND21 and AUTN21 in the authentication vector AV21.
  • S305 The UE performs CS domain authentication on the 3G network according to the second authentication request message, and after the authentication succeeds, returns a second authentication response message (authentication response) to the MSC.
  • Specifically, the UE may first verify the validity of the network by using RAND21 and AUTN21. If the network is valid, the synchronization sequence number SQN21 is recovered from AUTN21 using AK21, obtained from RAND21, and the related algorithm, where SQN21 includes the parameter SEQ21.
  • S306 The UE accesses the 3G network from the LTE network.
  • the UE may access the 3G network from the LTE network and may provide CS domain services for it by the originally registered MSC.
  • For example, the LTE network may not support voice service, so when the UE needs to make a voice call it falls back to the 3G network through CSFB to initiate the CS voice service; for another example, the UE may access the 3G network by handover or network reselection because the LTE network is abnormal.
  • S307 The UE sends an RAU request message to the SGSN of the 3G network.
  • the UE may send a RAU request message to the SGSN of the 3G network for requesting registration to the PS domain of the 3G network, so as to be able to perform PS domain service.
  • The SGSN sends a third authentication data request message to the authentication device, where the third authentication data request message includes an identity identifier of the UE, and the third authentication data request message is used to request the authentication device to generate an authentication vector for the UE.
  • the SGSN may need to initiate an authentication process, that is, PS domain authentication, and thus, before the authentication, the authentication vector may be obtained through the third authentication data request message.
  • the authentication device returns a third authentication data response message to the SGSN, where the third authentication data response message includes an authentication vector AV31, AV32, and AV33 generated for the UE.
  • For example, assuming that the third authentication data request message is sent 5 s after the second authentication data request message, the authentication device generates AV31/AV32/AV33 about 5 s after it generated AV21/AV22/AV23.
  • The SGSN sends a third authentication request message to the UE, where the third authentication request message includes RAND31 and AUTN31 in the authentication vector AV31.
  • S311 The UE performs PS domain authentication on the 3G network according to the third authentication request message. After the authentication succeeds, a third authentication response message is returned to the SGSN.
  • The process in which the SGSN obtains the authentication vector and initiates the PS domain authentication process may also be performed by the MME while the UE is still located in the LTE network; that is, the MME obtains an authentication vector and initiates an authentication process for the PS domain, after which the UE may switch from the LTE network to the 3G network, and the MSC of the 3G network performs the following steps of acquiring the authentication vector and the CS domain authentication process.
  • S312 The UE sends an access request message or a service request message to the MSC to obtain a CS domain service of the 3G network.
  • the UE may send an access request message or a service request message, such as a location update request message and a connection management service request message, to obtain the CS domain service of the 3G network.
  • the MSC determines, according to the access request message or the service request message, whether the UE is a UE that accesses the LTE network to the 3G network.
  • After determining that the UE is a UE that accesses the 3G network from the LTE network, the MSC sends a first authentication data request message to the authentication device, where the first authentication data request message includes an identifier of the UE, and the first authentication data request message is used to request the authentication device to generate an authentication vector for the UE.
  • The authentication device returns a first authentication data response message to the MSC, where the first authentication data response message contains an authentication vector AV11 generated for the UE.
  • the time difference between the authentication device generating the AV31/AV32/AV33 and generating the AV11 is about 0.5s.
  • the MSC may also obtain multiple authentication vectors from the authentication device, and the first authentication data response message may also include multiple authentication vectors.
  • the MSC sends a first authentication request message to the UE, where the first authentication request message includes RAND11 and AUTN11 in the authentication vector AV11.
  • S317 The UE performs CS domain authentication on the 3G network according to the first authentication request message, and after the authentication succeeds, returns a first authentication response message to the MSC.
  • In addition, in the prior art the SGSN of the 3G network may transmit an authentication vector to the MME of the LTE network, and when the UE accesses the 3G network again from the LTE network, the MME may send that authentication vector to the SGSN of the 3G network, so that the SGSN uses it to send an authentication request message during the authentication process instead of acquiring a newly generated authentication vector from the authentication device, resulting in authentication failure.
  • For this problem, the embodiment of the present invention provides an authentication method in a wireless communication network: the first SGSN of the 3G network does not send the unused authentication vector saved for the UE to the MME of the LTE network, so that after the UE re-accesses the 3G network from the LTE network, the MME cannot send the saved authentication vector to the second SGSN of the 3G network (the first SGSN and the second SGSN may be the same or different). The method provided by the embodiment of the present invention thus prevents an unused authentication vector from being saved in the SGSN, ensuring that the SGSN obtains an authentication vector from the authentication device each time it initiates authentication, which solves the problem of the prior art.
  • the method may include:
  • S400 The first SGSN of the 3G network receives a context request message sent by the MME of the LTE network.
  • the context request message is used to request to acquire information of the UE.
  • S401 The first SGSN that saves an unused authentication vector sends a first context response message to the MME, where the first context response message does not include the unused authentication vector.
  • the unused authentication vector may be a 3G authentication vector (3G AV).
  • Because the unused authentication vector is not sent to the MME, after the UE subsequently re-accesses the 3G network from the LTE network, the MME is also unable to send the unused authentication vector to the SGSN in the 3G network. This avoids saving the unused authentication vector in the SGSN and ensures that the SGSN obtains a new authentication vector before each initiation of the authentication process, which solves the problem of authentication failure in the prior art.
  • the steps S400-S401 may be replaced by:
  • S401' The first SGSN of the 3G network sends a first forward relocation request message to the MME of the LTE network; when the first SGSN sends the first forward relocation request message, it stores an unused authentication vector for the UE, and the first forward relocation request message does not include the unused authentication vector.
  • The first forward relocation request message is used to notify the MME of information about the UE, such as the identity and context of the UE. Here the forward relocation request message does not include the unused 3G authentication vector.
  • the method may further include:
  • The first SGSN may be the same as or different from the second SGSN.
  • Because the unused authentication vector was not sent to the MME in steps S400-S401 or step S401', the unused authentication vector is not saved in the MME.
  • S403 The second SGSN receives a second context response message returned by the MME, where the second context response message does not contain the unused authentication vector.
  • steps S402-S403 may be replaced by:
  • S403' After the UE re-accesses the 3G network from the LTE network, the second SGSN of the 3G network receives a second forward relocation request message sent by the MME, where the second forward relocation request message does not contain the unused authentication vector.
  • the second forward relocation request message is used to notify the second SGSN of the information of the UE, such as the identity and context of the UE.
  • the second SGSN sends an authentication data request message to the authentication device.
  • The second SGSN may initiate an authentication process, and because no unused authentication vector is saved in the second SGSN, before initiating the authentication process the second SGSN requests an authentication vector from the authentication device.
  • the second SGSN receives an authentication data response message returned by the authentication device, where the authentication data response message includes an authentication vector.
  • the authentication vector contains a random number and an authentication token, or may also include a desired response, an integrity key, and an encryption key.
  • the second SGSN sends an authentication request message to the UE, where the authentication request message includes a random number and an authentication token in the authentication vector included in the authentication data response message.
  • In this way, the first SGSN of the 3G network does not send the unused authentication vector saved by itself to the MME of the LTE network, so that after the UE re-accesses the 3G network from the LTE network, the MME is also unable to send the unused authentication vector to the second SGSN in the 3G network. This avoids saving the unused authentication vector in the second SGSN, so that the second SGSN needs to obtain a newly generated authentication vector from the authentication device before sending the authentication request message to the UE, which solves the problem of authentication failure in the prior art.
  • An embodiment of the present invention provides an authentication method in a wireless communication network. After the UE accesses the LTE network from the 3G network, the MME of the LTE network acquires the unused authentication vector saved by the SGSN of the 3G network; the MME deletes or discards the unused authentication vector, so that after the UE re-accesses the 3G network from the LTE network, the MME does not send the unused authentication vector to the SGSN.
  • The method provided by the embodiment of the present invention can thus prevent the unused authentication vector from being saved in the SGSN, ensuring that the SGSN obtains a new authentication vector before each initiation of the authentication process, which solves the problem of the prior art. Specifically, as described in FIG. 5, the method may include:
  • S500 After the UE accesses the LTE network from the 3G network, the MME of the LTE network sends a context request message to the first SGSN of the 3G network.
  • S501 The MME receives a first context response message returned by the first SGSN, where the first context response message includes an unused authentication vector saved by the first SGSN for the UE.
  • the unused authentication vector may be a 3G authentication vector.
  • the steps S500-S501 may be replaced by:
  • S501' After the UE accesses the LTE network from the 3G network, the MME of the LTE network receives a first forward relocation request message sent by the first SGSN of the 3G network; when the first SGSN sends the first forward relocation request message, it stores an unused authentication vector for the UE, and the first forward relocation request message includes the unused authentication vector saved by the first SGSN.
  • For step S501', reference may be made to step S401'.
  • S502 After the UE re-accesses the 3G network from the LTE network, the MME receives a second context request message sent by the second SGSN.
  • S503 The MME returns a second context response message to the second SGSN, where the second context response message does not include the unused authentication vector.
  • Although the unused authentication vector is saved in the MME through steps S500-S501, unlike the prior art, the second context response message sent by the MME that stores the unused authentication vector does not include the unused authentication vector.
  • Thus the unused authentication vector is not saved in the second SGSN, the second SGSN obtains an authentication vector from the authentication device before initiating authentication, and the problem of authentication failure in the prior art is solved.
  • steps S502-S503 may be replaced by:
  • S503' After the UE re-accesses the 3G network from the LTE network, the MME sends a second forward relocation request message to the second SGSN of the 3G network, where the second forward relocation request message does not contain the unused authentication vector.
  • Although the unused authentication vector is saved in the MME through step S501', unlike the prior art, the second forward relocation request message sent by the MME that saves the unused authentication vector does not contain the unused authentication vector.
  • Specifically, the MME may delete or discard the unused authentication vector, so that the second forward relocation request message or the second context response message sent to the second SGSN does not include the unused authentication vector.
  • Alternatively, the MME may not delete the unused authentication vector, but merely not send the unused authentication vector to the second SGSN.
  • the method may further include:
  • S504 The second SGSN sends an authentication data request message to the authentication device.
  • The second SGSN may initiate an authentication process, and if the second SGSN does not store an unused authentication vector, then before initiating the authentication process the second SGSN may request a newly generated authentication vector from the authentication device.
  • the second SGSN receives an authentication data response message returned by the authentication device, where the authentication data response message includes an authentication vector.
  • the second SGSN sends an authentication request message to the UE, where the authentication request message includes a random number and an authentication token in the authentication vector included in the authentication data response message.
  • In this way, even if an unused authentication vector is stored in the MME of the LTE network, the unused authentication vector is not sent to the second SGSN of the 3G network, which avoids saving the unused authentication vector in the second SGSN; the second SGSN therefore needs to obtain a newly generated authentication vector from the authentication device before sending an authentication request message to the UE, which solves the problem of authentication failure in the prior art.
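The following simulation is an added example, not code from the patent or from the applicant: it models the UE's SQN window check (described at the RAND/AUTN/SEQ passages above) and replays both the S301-S317 scenario (stale AV22 versus fresh AV11 after the SGSN consumed AV31) and the context-transfer scenario (whether the unused 3G vector is passed SGSN -> MME -> SGSN). The key K, the IMSI, the window DELTA and the HMAC-based stand-ins for f1/f5 are constructed assumptions, not the MILENAGE functions.

```python
"""Constructed simulation of the AKA sequence-number check behind the scenarios above:
a stale unused vector fails the UE's SQN check, a freshly generated one passes.
MAC/AK derivations are HMAC placeholders (not MILENAGE); the UE keeps one
highest-accepted SEQ (SEQ_MS) and accepts SEQ_MS < SEQ <= SEQ_MS + DELTA."""
import hashlib
import hmac
import os
from dataclasses import dataclass

K = b"\x2b" * 16           # constructed long-term key shared by UE and AuC
DELTA = 2 ** 28            # acceptance window for SEQ (simplified model)
IMSI = "001010123456789"   # constructed test IMSI


@dataclass(frozen=True)
class AV:
    """RAND, AUTN (SQN xor AK || MAC), XRES, CK, IK; sqn kept only for labelling."""
    rand: bytes
    autn: bytes
    xres: bytes
    ck: bytes
    ik: bytes
    sqn: int


def f1(k, rand, sqn):
    """MAC over RAND || SQN (placeholder for the 3GPP f1 function)."""
    return hmac.new(k, rand + sqn.to_bytes(6, "big"), hashlib.sha256).digest()[:8]


def f5(k, rand):
    """Anonymity key AK derived from RAND (placeholder for f5)."""
    return hmac.new(k, b"f5" + rand, hashlib.sha256).digest()[:6]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class AuthDevice:
    """HE/HLR/HSS/AuC: each request yields fresh vectors with strictly increasing SQN."""
    def __init__(self):
        self.seq = 0

    def authentication_data_request(self, imsi, count=1):
        avs = []
        for _ in range(count):
            self.seq += 1
            rand = os.urandom(16)
            autn = xor(self.seq.to_bytes(6, "big"), f5(K, rand)) + f1(K, rand, self.seq)
            keys = [hmac.new(K, t + rand, hashlib.sha256).digest()[:16]
                    for t in (b"f2", b"f3", b"f4")]          # XRES, CK, IK
            avs.append(AV(rand, autn, *keys, self.seq))
        return avs


class UE:
    """Verifies the MAC, then that SQN lies in the window above SEQ_MS."""
    def __init__(self):
        self.seq_ms = 0

    def authentication_request(self, rand, autn):
        sqn = int.from_bytes(xor(autn[:6], f5(K, rand)), "big")
        if not hmac.compare_digest(autn[6:], f1(K, rand, sqn)):
            return "MAC_FAILURE"
        if not (self.seq_ms < sqn <= self.seq_ms + DELTA):
            return "SYNC_FAILURE"      # stale vector: the UE would answer with AUTS
        self.seq_ms = sqn
        return "RES"


class CoreNetworkNode:
    """MSC, SGSN or MME holding a store of unused vectors for the UE."""
    def __init__(self, hss):
        self.hss, self.store = hss, []

    def fetch(self, count):
        self.store.extend(self.hss.authentication_data_request(IMSI, count))

    def authenticate(self, ue, use_stored):
        """use_stored=True: prior art, consume a saved vector; False: always fetch fresh."""
        if use_stored and self.store:
            av = self.store.pop(0)
        else:
            av = self.hss.authentication_data_request(IMSI)[0]
        return av.sqn, ue.authentication_request(av.rand, av.autn)


def interleaved_scenario(fresh_vector_on_return):
    """S301-S317: CS auth by the MSC, PS auth by the SGSN, then CS auth by the MSC."""
    hss, ue = AuthDevice(), UE()
    msc, sgsn = CoreNetworkNode(hss), CoreNetworkNode(hss)
    msc.fetch(3)                                  # AV21..AV23 (SEQ 1..3)
    r1 = msc.authenticate(ue, use_stored=True)    # AV21 used; AV22/AV23 remain
    sgsn.fetch(3)                                 # AV31..AV33 (SEQ 4..6)
    r2 = sgsn.authenticate(ue, use_stored=True)   # AV31 used; SEQ_MS is now 4
    r3 = msc.authenticate(ue, use_stored=not fresh_vector_on_return)  # AV22 or AV11
    return [r1, r2, r3]


def context_transfer_scenario(forward_unused):
    """Steps from S400 / S500: is the unused 3G vector passed SGSN -> MME -> SGSN?"""
    hss, ue = AuthDevice(), UE()
    sgsn1, mme, sgsn2 = (CoreNetworkNode(hss) for _ in range(3))
    sgsn1.fetch(2)                                # SEQ 1 and 2
    r1 = sgsn1.authenticate(ue, use_stored=True)  # SEQ 1 used, SEQ 2 left unused
    forwarded = list(sgsn1.store) if forward_unused else []  # context response to MME
    r2 = mme.authenticate(ue, use_stored=False)   # MME's own authentication: SEQ 3
    sgsn2.store = forwarded                       # context response from the MME
    r3 = sgsn2.authenticate(ue, use_stored=True)  # stale SEQ 2 fails; fresh SEQ 4 passes
    return [r1, r2, r3]
```

Each scenario returns the (SQN, UE result) pairs of its three authentications; the prior-art variants end in SYNC_FAILURE, the page's variants in RES.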
  • the embodiment of the present invention provides a core network device 60.
  • The core network device may be a mobile switching center MSC, an SGSN, or a core network device of a 5G network, and the core network device may include a storage unit 601, an obtaining unit 602, and a sending unit 603;
  • the storage unit 601 is configured to save an unused authentication vector for the UE.
  • The obtaining unit 602 is configured to send a first authentication data request message to the authentication device, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the UE, and to receive a first authentication data response message returned by the authentication device according to the first authentication data request message, where the first authentication data response message includes a first authentication vector generated by the authentication device for the UE.
  • Specifically, before the sending unit 603 sends a first authentication request message to the UE, and if the storage unit 601 saves the unused authentication vector for the UE, the obtaining unit 602 may send the first authentication data request message to the authentication device, where the first authentication data request message may further include an identifier of the UE, so that the authentication device generates the first authentication vector for the UE according to the identifier of the UE.
  • The sending unit 603 is configured to send a first authentication request message to the UE, where the first authentication request message includes a random number and an authentication token in the first authentication vector.
  • If the core network device obtained a new authentication vector from the authentication device before every authentication process, it could impose a large burden on the authentication device; in practical applications, the method may therefore be applied only to specific scenarios.
  • the core network device may further include:
  • a determining unit 604, configured to determine, after the UE accesses the first network where the core network device is located, that the UE is a UE that accesses the first network from the second network; the obtaining unit 602 may then send the first authentication data request message to the authentication device after the determining unit 604 determines that the UE is a UE accessing the first network from the second network.
  • the first network may be a 3G network
  • the second network may be a long term evolution LTE network
  • The determining unit 604 is specifically configured to determine that the UE is a UE that accesses the 3G network from the LTE network.
  • This ensures that, even if the core network device stores an unused authentication vector when the UE accesses the 3G network from the LTE network, the core network device obtains the first authentication vector from the authentication device and uses the first authentication vector to initiate the network authentication process.
  • There are also several ways in which the determining unit 604 may determine that the UE is a UE accessing the 3G network from the LTE network.
  • For example, the determining unit 604 may determine, according to the CS domain NAS message sent by the UE or the paging response message of the UE in the called scenario, whether the UE is a CSFB user, and if the UE is determined to be a CSFB user, determine that the UE is a UE that accesses the 3G network from the LTE network. The CS domain NAS message may be a connection management service request message or a location update request message, etc., and in this case the core network device may be an MSC; or,
  • the determining unit 604 may determine, according to the PS domain NAS message sent by the UE, whether the UE is a UE that accesses the 3G network from the LTE network; for example, it may determine according to the RAU request message that the UE is accessed from an LTE network, and in this case the core network device may be an SGSN; or,
  • the determining unit 604 may determine, according to a notification message sent by the base station, that the UE is a UE that accesses the 3G network from the LTE network, where the notification message is a message sent by the base station to the core network device after determining that the UE is a circuit switched fallback (CSFB) user, and in this case the core network device may be an MSC or an SGSN; or,
  • the determining unit 604 may determine whether the UE is a UE that accesses the 3G network from the LTE network by determining whether an SGs interface association exists between the core network device and the MME; if the SGs interface association exists, the UE is determined to be a UE that accesses the 3G network from the LTE network, and in this case the core network device may be an MSC.
  • The unused authentication vector saved in the storage unit 601 may have been acquired before the core network device initiated the previous authentication process. The acquiring unit 602 is further configured to, before sending the first authentication data request message to the authentication device, send a second authentication data request message to the authentication device, where the second authentication data request message is used to request the authentication device to generate an authentication vector for the UE, and to receive a second authentication data response message returned by the authentication device according to the second authentication data request message, where the second authentication data response message carries a second authentication vector generated by the authentication device for the UE and the unused authentication vector. The sending unit 603 is further configured to send a second authentication request message to the UE before the acquiring unit 602 sends the first authentication data request message to the authentication device, where the second authentication request message includes a random number and an authentication token in the second authentication vector.
  • the acquiring unit 602 may send the first authentication data request message to the authentication device if the storage unit 601 saves an unused authentication vector for the UE.
  • the sending unit 603 may send a first authentication request message to the UE, where the first authentication request message includes a random number and an authentication token in the first authentication vector, so that the core network device Even if an unused authentication vector is saved, the first authentication vector is used for authentication, which avoids synchronization that may occur when the core network device in the prior art initiates network authentication by using an unused authentication vector saved by itself.
  • the failure of authentication caused by failure has ensured the success of network authentication as much as possible.
  • the embodiment of the present invention further provides an authentication device.
  • the authentication device may be a home environment (HE), a home location register (HLR), a home subscriber server (HSS), or an authentication center (AUC).
  • the authentication device includes a receiving unit 701, a processing unit 702, and a sending unit 703;
  • the receiving unit 701 is configured to receive a first authentication data request message sent by a core network device that stores an unused authentication vector, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the UE;
  • the processing unit 702 is configured to generate a first authentication data response message according to the first authentication data request message, where the first authentication data response message includes a first authentication vector generated for the UE;
  • the sending unit 703 is configured to return the first authentication data response message to the core network device.
  • the receiving unit 701 is further configured to receive, before receiving the first authentication data request message, a second authentication data request message sent by the core network device, where the second authentication data request message is used to request the authentication device to generate an authentication vector for the UE; the processing unit 702 is further configured to generate a second authentication data response message according to the second authentication data request message, where the second authentication data response message includes a second authentication vector generated for the UE and the unused authentication vector; the sending unit 703 is further configured to return the second authentication data response message to the core network device.
  • the authentication device may receive the first authentication data request message sent by the core network device that saves an unused authentication vector for the UE, and return a first authentication data response message to that core network device, where the first authentication data response message includes a first authentication vector generated for the UE, so that the core network device uses the first authentication vector for authentication even if it has saved an unused authentication vector. This avoids the synchronization failure, and the resulting authentication failure, that may occur in the prior art when the core network device initiates network authentication with an unused authentication vector it has saved itself, and ensures the success of network authentication as far as possible.
  • an embodiment of the present invention further provides an authentication system 80, including a core network device 60 and an authentication device 70.
  • the authentication system may further include a user equipment 801;
  • the core network device may be configured to send a first authentication data request message to the authentication device when it saves an unused authentication vector for the user equipment, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment;
  • the authentication device may be configured to receive the first authentication data request message, generate a first authentication data response message according to the first authentication data request message, where the first authentication data response message includes a first authentication vector generated by the authentication device for the user equipment, and return the first authentication data response message to the core network device.
  • the core network device may be further configured to receive the first authentication data response message and send a first authentication request message to the user equipment, where the first authentication request message includes the random number and the authentication token in the first authentication vector;
  • the user equipment may receive the first authentication request message, and perform authentication by using a random number and an authentication token in the first authentication vector included in the first authentication request message.
  • an embodiment of the present invention further provides an authentication device in a wireless communication system, where the authentication device may include:
  • the processor 901, the memory 902, and the communication interface 905 are connected by a bus 904 and communicate with each other.
  • Processor 901 may be a single-core or multi-core central processing unit, an application-specific integrated circuit, or one or more integrated circuits configured to implement embodiments of the present invention.
  • the memory 902 may be a high-speed RAM memory or a non-volatile memory, such as at least one disk memory.
  • Memory 902 stores computer-executable instructions 903, which may include program code.
  • the processor 901 runs the computer-executable instructions 903 and may perform the authentication method in the wireless communication system according to the method embodiment corresponding to any one of FIG. 1 to FIG. 3 or FIG.
  • the authentication device may be a core network device or an authentication device.
  • the embodiment of the present invention further provides a computer readable medium including computer-executable instructions; when a processor of a computer executes the computer-executable instructions, the computer performs the method embodiment corresponding to any one of FIG. 1 to FIG.
  • the LTE network mentioned in the present invention includes an LTE-A network, and may also include subsequent LTE versions.
  • the first, second, third, fourth, fifth, etc. in the embodiments of the present invention are only used to distinguish different indication information, messages, or other objects, and do not represent sequential relationships.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the units is only a logical function division, and the actual implementation may use another manner of division; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, or an electrical, mechanical or other form of connection.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the embodiments of the present invention.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • a number of instructions are included to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Provided are an authentication method within a wireless communication network, a related apparatus and a system. A core network device saving an unused authentication vector for a user equipment may send a first authentication data request message to an authentication device, the first authentication data request message being used for requesting the authentication device to generate an authentication vector for the user equipment, a first authentication data response message of the authentication device is received, the first authentication data response message carrying a first authentication vector generated by the authentication device for the user equipment, and the first authentication vector is used to initiate an authentication process for the user equipment. The present invention ensures that each time CS domain / PS domain authentication is performed, a sequence included in the authentication vector is newly generated by the authentication device. Successful synchronisation is ensured even if PS domain authentication is inserted before CS domain authentication or CS domain authentication is inserted before PS domain authentication, solving the problem in the prior art of authentication failure caused by synchronisation failure.

Description

Authentication method, related device and system in wireless communication network
Technical field
The present invention relates to the field of communications technologies, and in particular to an authentication method, related device, and system in a wireless communication network.
Background
Authentication is part of mobile network security management and is used to provide the confidentiality and data integrity of the mobile network. In current mobile communication networks, only a valid user equipment (UE) is entitled to receive service, and verifying whether a UE is valid is done through an authentication process. A UE triggers the authentication process when it initiates a registration request, a service request, a handover request or similar to the network. In a second generation (2G) network, authentication is a one-way process: the network verifies the legitimacy of the UE. In a third generation (3G) or Long Term Evolution (LTE) network, in addition to the network verifying the legitimacy of the UE, the UE also verifies the legitimacy of the network, that is, it performs network authentication.
It should be noted that the authentication procedure is performed per domain: the packet switched (PS) domain and the circuit switched (CS) domain each perform their own authentication procedure. PS domain authentication is initiated by the mobility management entity (MME) or the general packet radio service (GPRS) serving GPRS support node (SGSN), and CS domain authentication is initiated by the mobile switching center (MSC); the UE therefore performs network authentication separately for the PS domain and the CS domain. Taking the 3G authentication process as an example, after obtaining an authentication vector from the home location register (HLR) or authentication center (AUC), the MSC/SGSN sends an authentication request message carrying the authentication vector to the UE. Based on the authentication request message, the UE first checks the legitimacy of the network; if the network is legitimate, it then checks whether it is synchronized with the network. If they are synchronized, the UE has successfully authenticated the network and replies to the network with a response message, and the MSC/SGSN then verifies the legitimacy of the UE from that response message. If they are not synchronized, that is, synchronization fails, the UE replies to the MSC/SGSN with an authentication failure message carrying a cause value, and the MSC/SGSN sends an authentication request message to the UE again.
In the prior art, when the MSC/SGSN/MME obtains authentication vectors from the HLR/AUC, it generally requests several authentication vectors at once, to save network overhead and reduce the load on the HLR/AUC. Moreover, because the universal mobile telecommunications system subscriber identity module (USIM) of most UEs does not support per-domain synchronization checking, the UE's synchronization checks for the PS domain and the CS domain are not fully separated. Once a PS domain authentication is inserted before a CS domain authentication, and the MSC initiating that CS domain authentication procedure holds unused authentication vectors, the UE's network authentication for that CS domain may fail; likewise, once a CS domain authentication is inserted before a PS domain authentication, and the MME/SGSN initiating that PS domain authentication procedure holds unused authentication vectors, the UE's network authentication for that CS domain may fail.
In addition, if the MSC/SGSN/MME receives authentication failure messages from the UE twice in succession, it terminates the authentication process and sends an authentication reject message to the UE. Once the UE receives an authentication reject message, it cannot initiate services normally until it is restarted, which has a serious impact on the user.
Summary of the invention
In view of the above problems in the prior art, embodiments of the present invention provide an authentication method, related device and system in a wireless communication network, which can solve the problem of authentication failure in the prior art.
In a first aspect, an embodiment of the present invention provides an authentication method in a wireless communication network, the method including:
a core network device that saves an unused authentication vector for a user equipment sends a first authentication data request message to an authentication device, the first authentication data request message being used to request the authentication device to generate an authentication vector for the user equipment;
the core network device receives a first authentication data response message returned by the authentication device according to the first authentication data request message, the first authentication data response message carrying a first authentication vector;
the core network device sends a first authentication request message to the user equipment, the first authentication request message including the random number and the authentication token in the first authentication vector; here, saving an unused authentication vector for the user equipment means that the unused authentication vector is associated with the user equipment or was generated for the user equipment.
With reference to the first aspect, in a first possible implementation, before the core network device that saves an unused authentication vector for the user equipment sends the first authentication data request message to the authentication device, the method further includes: after the user equipment accesses the first network in which the core network device is located, the core network device determines that the user equipment is a user equipment that has accessed the first network from a second network, where the network standard of the first network differs from that of the second network.
With reference to the first possible implementation of the first aspect, in a second possible implementation, the first network is a 3G network and the second network is an LTE network, a 2G network, a 5G network or a 4.5G network; or the first network is an LTE network and the second network is a 5G network or a 4.5G network.
With reference to the first aspect, or the first or second possible implementation of the first aspect, in a third possible implementation, before the core network device that saves an unused authentication vector for the user equipment sends the first authentication data request message to the authentication device, the method further includes:
the core network device sends a second authentication data request message to the authentication device, the second authentication data request message being used to request the authentication device to generate an authentication vector for the user equipment; the core network device receives a second authentication data response message returned by the authentication device according to the second authentication data request message, the second authentication data response message carrying a second authentication vector and the unused authentication vector; and the core network device sends a second authentication request message to the user equipment, the second authentication request message including the random number and the authentication token in the second authentication vector.
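The synchronization failure described in the background and the first aspect's remedy (request a fresh vector whenever unused vectors are still saved), as an added Python example that is not the patent's own code nor a 3GPP implementation: a USIM with one SQN counter is authenticated by an MSC, then by an SGSN, then by the MSC again, once with saved vectors and once with a freshly requested one. The names AuthCenter, CoreNetworkDevice and run_scenario are assumptions, and the AKA check is reduced to the SQN freshness rule.

```python
"""SQN model of the CS/PS domain synchronisation failure and its remedy.

Added example; not part of the patent and not a 3GPP implementation. Only the
SQN freshness rule of AKA is kept: the USIM accepts an AUTN whose SQN exceeds
the highest SQN it has already accepted, with ONE counter for both domains
(the page notes most USIMs do not separate CS and PS synchronisation checks).
Real AKA also verifies the MAC, conceals SQN with AK and tolerates a window of
out-of-order SQNs; none of that changes the outcome shown here.
"""
from __future__ import annotations

import itertools
import os
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthVector:
    """Simplified (RAND, AUTN) pair: AUTN is reduced to the SQN it carries."""
    rand: bytes
    sqn: int


class AuthCenter:
    """HLR/AUC model (assumed name): every vector carries a fresh, larger SQN."""

    def __init__(self) -> None:
        self._sqn = itertools.count(1)

    def authentication_data_response(self, count: int) -> list[AuthVector]:
        """Answer an authentication data request with `count` new vectors."""
        return [AuthVector(os.urandom(16), next(self._sqn)) for _ in range(count)]


class USIM:
    """UE side: a single SQN counter shared by the CS and PS domains."""

    def __init__(self) -> None:
        self.sqn_ms = 0

    def authenticate(self, vector: AuthVector) -> bool:
        """Network authentication: False models the 'synch failure' cause value."""
        if vector.sqn <= self.sqn_ms:
            return False
        self.sqn_ms = vector.sqn
        return True


@dataclass
class CoreNetworkDevice:
    """MSC (CS domain) or SGSN/MME (PS domain) holding unused vectors."""
    name: str
    auc: AuthCenter
    batch_size: int = 5
    unused: list[AuthVector] = field(default_factory=list)

    def _fetch_batch(self) -> None:
        # Prior-art behaviour from the page: request several vectors at once to
        # reduce HLR/AUC load, use one, and keep the rest as unused vectors.
        self.unused.extend(self.auc.authentication_data_response(self.batch_size))

    def authenticate_prior_art(self, usim: USIM) -> bool:
        """Use a saved unused vector if there is one, else fetch a batch."""
        if not self.unused:
            self._fetch_batch()
        return usim.authenticate(self.unused.pop(0))

    def authenticate_fresh(self, usim: USIM) -> bool:
        """First aspect of the page: when unused vectors are saved, send a new
        (first) authentication data request and use the vector it returns."""
        if not self.unused:
            # Second authentication data request: batch fetched, first one used.
            self._fetch_batch()
            return usim.authenticate(self.unused.pop(0))
        # First authentication data request: a freshly generated vector, even
        # though unused vectors are still saved for this UE.
        fresh = self.auc.authentication_data_response(1)[0]
        return usim.authenticate(fresh)


def run_scenario(use_fresh_vector: bool) -> list[bool]:
    """CS authentication, an inserted PS authentication, then CS again.

    Returns the result of each of the three network authentications.
    """
    auc = AuthCenter()
    usim = USIM()
    msc = CoreNetworkDevice("MSC", auc)    # CS domain
    sgsn = CoreNetworkDevice("SGSN", auc)  # PS domain
    step = (CoreNetworkDevice.authenticate_fresh if use_fresh_vector
            else CoreNetworkDevice.authenticate_prior_art)
    results = [step(msc, usim)]       # MSC fetches SQN 1..5, uses SQN 1
    results.append(step(sgsn, usim))  # SGSN fetches SQN 6..10, uses SQN 6
    results.append(step(msc, usim))   # prior art: saved SQN 2 <= 6, sync fails
    return results


if __name__ == "__main__":
    print("prior art   :", run_scenario(use_fresh_vector=False))
    print("fresh vector:", run_scenario(use_fresh_vector=True))
```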
In a second aspect, an embodiment of the present invention provides an authentication method in a wireless communication network, the method including:
an authentication device receives a first authentication data request message sent by a core network device that saves an unused authentication vector for a user equipment, the first authentication data request message being used to request the authentication device to generate an authentication vector for the user equipment; the authentication device generates a first authentication data response message according to the first authentication data request message, the first authentication data response message including a first authentication vector generated by the authentication device for the user equipment; and the authentication device returns the first authentication data response message to the core network device.
With reference to the second aspect, in a first possible implementation, before the authentication device receives the first authentication data request message sent by the core network device that saves an unused authentication vector for the user equipment, the method further includes:
the authentication device receives a second authentication data request message sent by the core network device, the second authentication data request message being used to request the authentication device to generate an authentication vector for the user equipment; the authentication device generates a second authentication data response message according to the second authentication data request message, the second authentication data response message including a second authentication vector generated by the authentication device for the user equipment and the unused authentication vector; and the authentication device returns the second authentication data response message to the core network device.
In a third aspect, an embodiment of the present invention provides a core network device, the core network device including:
a storage unit, configured to save an unused authentication vector for a user equipment;
an acquiring unit, configured to send, when the storage unit saves the unused authentication vector for the user equipment, a first authentication data request message to the authentication device, the first authentication data request message being used to request the authentication device to generate an authentication vector for the user equipment, and to receive a first authentication data response message returned by the authentication device according to the authentication data request message, the first authentication data response message including a first authentication vector;
a sending unit, configured to send a first authentication request message to the user equipment, the first authentication request message including the random number and the authentication token in the first authentication vector.
With reference to the third aspect, in a first possible implementation, the core network device further includes:
a determining unit, configured to determine, after the user equipment accesses the first network in which the core network device is located, that the user equipment is a user equipment that has accessed the first network from a second network, where the network standard of the first network differs from that of the second network; the acquiring unit is then specifically configured to send the first authentication data request message to the authentication device after the determining unit determines that the user equipment has accessed the first network from the second network.
With reference to the third aspect and the first possible implementation of the third aspect, in a second possible implementation, the first network is a 3G network and the second network is an LTE network, a 2G network, a 5G network or a 4.5G network; or the first network is an LTE network and the second network is a 5G network or a 4.5G network.
With reference to the third aspect and the first or second possible implementation of the third aspect, in a third possible implementation, the acquiring unit is further configured to send a second authentication data request message to the authentication device before sending the first authentication data request message, the second authentication data request message being used to request the authentication device to generate an authentication vector for the user equipment, and to receive a second authentication data response message returned by the authentication device according to the second authentication data request message, the second authentication data response message carrying a second authentication vector and the unused authentication vector; the sending unit is further configured to send a second authentication request message to the user equipment before the acquiring unit sends the first authentication data request message to the authentication device, the second authentication request message including the random number and the authentication token in the second authentication vector.
In a fourth aspect, an embodiment of the present invention further provides an authentication device, the authentication device including: a receiving unit, configured to receive a first authentication data request message sent by a core network device that saves an unused authentication vector for a user equipment, the first authentication data request message being used to request the authentication device to generate an authentication vector for the user equipment; a processing unit, configured to generate a first authentication data response message according to the first authentication data request message, the first authentication data response message including a first authentication vector generated for the user equipment; and a sending unit, configured to return the first authentication data response message to the core network device.
With reference to the fourth aspect, in a first possible implementation, the receiving unit is further configured to receive, before receiving the first authentication data request message, a second authentication data request message sent by the core network device; the processing unit is further configured to generate a second authentication data response message according to the second authentication data request message, which is used to request the authentication device to generate an authentication vector for the user equipment, the authentication data response message including a second authentication vector generated for the user equipment and the unused authentication vector; and the sending unit is further configured to return the second authentication data response message to the core network device.
In a fifth aspect, an embodiment of the present invention further provides an authentication system, including the core network device of the third aspect or any possible implementation of the third aspect, and the authentication device of the fourth aspect or any possible implementation of the fourth aspect.
第六方面,本发明实施例还提供了一种无线通信网络中的鉴权方法,该方法包括:在用户设备从3G网络接入到长期演进LTE网络之后,所述LTE网络的移动管理实体MME获取所述3G网络的通用分组无线系统GPRS业务支撑节点SGSN为所述用户设备保存的未使用的鉴权向量;In a sixth aspect, the embodiment of the present invention further provides an authentication method in a wireless communication network, where the method includes: after the user equipment accesses from the 3G network to the long term evolution LTE network, the mobility management entity MME of the LTE network Obtaining an unused authentication vector saved by the general packet radio system GPRS service supporting node SGSN of the 3G network for the user equipment;
所述MME删除或丢弃所述未使用的鉴权向量,以便在所述用户设备从所述LTE网络重新接入到所述3G网络之后,所述MME无法将所述未使用的鉴权向量发送给所述SGSN。The MME deletes or discards the unused authentication vector, so that after the user equipment re-accesses from the LTE network to the 3G network, the MME cannot send the unused authentication vector Give the SGSN.
结合第六方面,在第一种可能的实现方式中,所述LTE网络的移动管理实体MME获取所述3G网络的通用分组无线系统GPRS业务支持节点SGSN为所述用户设备保存的未使用的鉴权向量包括: With reference to the sixth aspect, in a first possible implementation, the mobility management entity MME of the LTE network acquires an unused packet saved by the GPRS service support node SGSN of the 3G network for the user equipment The weight vector includes:
所述LTE网络的移动管理实体MME向所述3G网络的SGSN发送的上下文请求消息,接收所述SGSN返回的第一上下文响应消息,所述第一上下文响应消息包含所述未使用的鉴权向量;或者,Receiving, by the mobility management entity MME of the LTE network, a context request message sent by the SGSN of the 3G network, and receiving a first context response message returned by the SGSN, where the first context response message includes the unused authentication vector ;or,
所述LTE网络的移动管理实体MME接收所述3G网络的第一SGSN发送第一前转重定位请求消息,所述第一前转重定位请求消息包含所述未使用的鉴权向量。The first SGSN of the LTE network receives the first forward relocation request message, and the first forward relocation request message includes the unused authentication vector.
结合第六方面,或者第六方面的第一种可能的实现方式,在第二种可能的实现方式中,在所述MME删除或丢弃所述未使用的鉴权向量之后,所述方法还包括:With reference to the sixth aspect, or the first possible implementation manner of the sixth aspect, in a second possible implementation manner, after the MME deletes or discards the unused authentication vector, the method further includes :
在所述用户设备从所述LTE网络重新接入到所述3G网络之后,所述MME接收所述SGSN发送第二上下文请求消息,并向所述SGSN返回第二上下文响应消息,所述第二上下文响应消息不包含所述未使用的鉴权向量;After the user equipment re-accesses the LTE network to the 3G network, the MME receives the SGSN to send a second context request message, and returns a second context response message to the SGSN, where the second The context response message does not include the unused authentication vector;
或者,在所述用户设备从所述LTE网络重新接入到所述3G网络之后,所述MME向所述SGSN发送第二前转重定位请求消息,所述第二前转重定位请求消息不包含所述未使用的鉴权向量。Or after the user equipment re-accesses the LTE network to the 3G network, the MME sends a second forward relocation request message to the SGSN, where the second forward relocation request message is not The unused authentication vector is included.
In a seventh aspect, an embodiment of the present invention provides a mobility management entity (MME), including:
an acquiring unit, configured to acquire, after a UE accesses an LTE network from a 3G network, an unused authentication vector that the SGSN of the 3G network has saved for the UE. Specifically, the acquiring unit may send a context request message to the SGSN of the 3G network and receive a first context response message returned by the SGSN, the first context response message including the unused authentication vector; or the acquiring unit may receive a first forward relocation request message sent by a first SGSN of the 3G network, the first forward relocation request message including the unused authentication vector;
a processing unit, configured to delete or discard the unused authentication vector, so that after the UE re-accesses the 3G network from the LTE network, the MME cannot send the unused authentication vector to the SGSN.
With reference to the seventh aspect, in a first possible implementation, the acquiring unit is further configured to: after the user equipment re-accesses the 3G network from the LTE network, receive a second context request message sent by the SGSN and return a second context response message to the SGSN, the second context response message not including the unused authentication vector; or, after the user equipment re-accesses the 3G network from the LTE network, send a second forward relocation request message to the SGSN, the second forward relocation request message not including the unused authentication vector.
In an eighth aspect, an embodiment of the present invention provides a core network device, including a processor, a memory, a bus, and a communication interface;
the memory is configured to store computer-executable instructions, the processor is connected to the memory through the bus, and when the core network device runs, the processor executes the computer-executable instructions stored in the memory, so that the core network device performs the authentication method in a wireless communication network according to the first aspect or any possible implementation of the first aspect.
In a ninth aspect, an embodiment of the present invention provides an authentication device, characterized in that it includes a processor, a memory, a bus, and a communication interface;
the memory is configured to store computer-executable instructions, the processor is connected to the memory through the bus, and when the authentication device runs, the processor executes the computer-executable instructions stored in the memory, so that the authentication device performs the authentication method in a wireless communication network according to the second aspect or any possible implementation of the second aspect.
An embodiment of the present invention provides an authentication method in a wireless communication network. Before sending an authentication request message to a UE, a core network device obtains a first authentication vector from an authentication device even if the core network device holds an unused authentication vector saved for the UE, and uses the random number and the authentication token in the first authentication vector to send an authentication request message to the UE, thereby starting the network authentication procedure between the UE and the core network device. This method ensures that whenever CS-domain or PS-domain network authentication is performed, a first authentication vector is obtained from the authentication device for that authentication, rather than the unused authentication vector saved by the core network device. Even if a PS-domain network authentication is inserted before a CS-domain network authentication, or a CS-domain network authentication is inserted before a PS-domain network authentication, the synchronization check succeeds, which solves the problem in the prior art of authentication failures caused by synchronization failure.
Brief Description of the Drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the accompanying drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention, and a person skilled in the art may derive other drawings from these drawings without creative effort.
FIG. 1 shows an authentication method in a wireless communication network according to an embodiment of the present invention;
FIG. 2 shows another authentication method in a wireless communication network according to an embodiment of the present invention;
FIG. 3 shows another authentication method in a wireless communication network according to an embodiment of the present invention;
FIG. 4 shows another authentication method in a wireless communication network according to an embodiment of the present invention;
FIG. 5 shows another authentication method in a wireless communication network according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a core network device according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of an authentication device according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of an authentication system according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of an authentication device in a wireless communication network according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention provide an authentication method, a related apparatus, and a system in a wireless communication network, which can solve the problem in the prior art of authentication failure caused by synchronization failure.
To describe the embodiments of the present invention more clearly, some background relevant to the embodiments is introduced first.
Normally, during the network authentication procedure the UE needs to verify whether it is synchronized with the network; if it is not, the authentication procedure fails. To detect whether it is synchronized with the network, the UE obtains the sequence number (SQN) from the authentication vector sent by the core network device (MME/MSC/SGSN) and checks whether the sequence number satisfies a series of conditions, one of which is verifying that the sequence (SEQ) contained in the sequence number satisfies SEQ_MS - SEQ < L, where L is usually set by the operator (L may be 32) and SEQ_MS is the sequence of the largest sequence number currently stored by the UE itself. If the SQN satisfies all of the conditions, the synchronization check succeeds, and when SEQ > SEQ_MS the SEQ_MS stored in the UE is updated to SEQ. The SQN obtained from the authentication vector is in fact generated by the authentication device (HLR/AUC) and included in the authentication vector.
The SQN generated by the authentication device is usually represented in binary and consists of two parts, SEQ and IND. In the time-based SQN generation mechanism, the authentication device stores in its own database a difference (DIF) value for each user equipment; the DIF value differs from one user equipment to another and represents the difference between the SEQ value generated for that user equipment and the value of the global counter (GLC). The SEQ generated for a given UE therefore depends only on the value of the global counter GLC. In general, after receiving an authentication data request message that does not carry a synchronization failure indication, the authentication device looks up the DIF value of the UE in its database, reads the current value of the global counter GLC, and then generates SEQ as SEQ = GLC + DIF. In other words, the difference between two SEQs generated by the authentication device for the same UE depends only on the value of the global counter GLC, and that value is usually derived from a point in time (a timestamp). For example, if the global counter GLC is incremented by 1 every 0.1 seconds, the SEQ difference generated for the same UE within 5 seconds is 1 * (5 s / 0.1 s) = 50.
The inventors found through analysis that in the prior art, because the UE does not fully separate the synchronization check for the PS domain from that for the CS domain, once a PS-domain authentication is inserted before a CS-domain authentication and the MSC that initiates the CS-domain authentication procedure holds an unused authentication vector, the UE's network authentication for the CS domain may fail; likewise, if a CS-domain authentication is inserted before a PS-domain authentication and the MME/SGSN that initiates the PS-domain authentication procedure holds an unused authentication vector, the UE's network authentication for the PS domain may fail. For example, consider the scenario in which a PS-domain network authentication is inserted between two CS-domain network authentications of the UE. Before the core network device initiates the first CS-domain authentication, the MSC may have obtained multiple authentication vectors AV_C11 and AV_C12 from the authentication device, so after the first CS-domain authentication the unused authentication vector AV_C12 is still stored in the MSC. Later, for instance because the radio access type of the UE changes, a PS-domain authentication and a second CS-domain authentication may need to be initiated for the UE, and the PS-domain authentication may take place before the second CS-domain authentication. If the PS-domain authentication succeeds, the sequence SEQ_MS of the largest sequence number stored in the UE may be updated to SEQ_P, obtained from the authentication vector AV_P of the PS-domain authentication. When the second CS-domain authentication is performed, the MSC initiates the authentication procedure with the unused authentication vector AV_C12 it has saved, so the SEQ obtained by the UE equals SEQ_C12 obtained from AV_C12, and SEQ_MS - SEQ = SEQ_P - SEQ_C12; that is, the value of SEQ_MS - SEQ depends on the time difference between the generation of AV_P (SEQ_P) and AV_C12 (SEQ_C12). However, because in the second CS-domain authentication the core network device uses the unused authentication vector AV_C12 that it obtained during the first CS-domain network authentication, if the authentication device generated AV_P and AV_C12 at widely separated times, SEQ_MS - SEQ is not less than L, the check condition cannot be satisfied, synchronization fails, and the authentication consequently fails.
In addition, in the prior art, when authentication fails because of a synchronization failure, the core network device usually receives from the UE an authentication failure message carrying a cause value, the cause value being synchronization failure, and the core network device triggers the resynchronization procedure by sending an authentication data request message carrying a synchronization failure indication to the authentication device; that authentication data request message also contains the sequence SEQ_MS1 of the largest sequence number stored in the UE at the time of the synchronization failure. Unlike the procedure for an authentication data request message without a synchronization failure indication, in which the authentication device generates the sequence SEQ from the DIF value of the UE looked up by the UE's identity, in the resynchronization procedure the authentication device first obtains SEQ_MS1, resets the DIF value of the UE to SEQ_MS1 - GLC1, and then generates a resynchronization sequence SEQ_sy from the reset DIF value and the current value of the global counter GLC, so that SEQ_sy = SEQ_MS1 - GLC1 + GLC2, where GLC1 is the time at which SEQ_MS1 was received and GLC2 is the time at which the resynchronization sequence is generated; the information of the resynchronization sequence SEQ_sy is then included in an authentication vector according to a preset algorithm and sent to the core network device for re-authentication. However, because GLC1 and GLC2 usually differ very little, the resynchronization sequence SEQ_sy is almost equal to SEQ_MS1. If a PS-domain authentication is then inserted before the core network device initiates CS-domain authentication again with the authentication vector containing the resynchronization sequence SEQ_sy, by the time the UE performs network authentication for the CS domain again, the synchronization parameter SEQ_MS2 of the largest sequence number stored in the UE may already have been updated to SEQ_P2 obtained from the authentication vector AV_P2 of the PS-domain authentication, while the SEQ at this point equals the resynchronization sequence SEQ_sy. Then SEQ_MS2 - SEQ = SEQ_P2 - SEQ_sy ≈ SEQ_P2 - SEQ_MS1, and SEQ_P2 and SEQ_MS1 often differ greatly, with SEQ_P2 greater than SEQ_MS1, so SEQ_MS2 - SEQ_sy < L cannot hold and the re-authentication fails. Similarly, if a CS-domain authentication is inserted before the core network device initiates PS-domain authentication again with the authentication vector containing the resynchronization sequence, the prior-art method may likewise cause the re-authentication to fail, aborting the authentication procedure so that the UE cannot initiate services normally until it is restarted.
To solve the above problem, an embodiment of the present invention provides an authentication method in a wireless communication network in which the core network device (MSC/SGSN/MME) always obtains a new authentication vector (AV) from the authentication device before initiating an authentication request to the UE, and authenticates with the newly obtained authentication vector even if it holds an unused authentication vector. This ensures that whenever CS-domain or PS-domain network authentication is performed, the SEQ contained in the authentication vector has been newly generated by the authentication device, so that synchronization succeeds even if a PS-domain network authentication is inserted before a CS-domain network authentication or a CS-domain network authentication is inserted before a PS-domain network authentication. This solves the problem in the prior art of authentication failure caused by synchronization failure and avoids the loss of network service that an authentication failure may cause the UE.
An embodiment of the present invention further provides an authentication method in a wireless communication network in which, when the core network device triggers the resynchronization procedure because of a synchronization failure, the authentication device does not generate the resynchronization sequence SEQ_sy from the sequence SEQ_MS of the largest sequence number stored in the UE; instead, exactly as when it receives an authentication data request message without a synchronization failure indication, it obtains the DIF value of the UE directly from the UE's identity and generates the resynchronization sequence SEQ_sy from that DIF value and the current value of the global counter GLC (i.e. the time at which the resynchronization SEQ is generated). SEQ_sy is then not equal (or approximately equal) to SEQ_MS1, which ensures that authentication succeeds when the core network device authenticates with the authentication vector containing SEQ_sy and avoids the situation in which, after a re-authentication failure, the UE cannot initiate services normally until it is restarted.
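As an added illustration (not code from the patent or from Huawei), the following Python model reproduces the time-based SEQ mechanism described above (SEQ = GLC + DIF, GLC stepping once per 0.1 s) and the single UE-side condition the description states, SEQ_MS - SEQ < L with L = 32, and replays the interleaving scenario: a PS-domain authentication inserted between two CS-domain authentications. It compares the prior-art behaviour, where the MSC reuses the stored AV_C12, with the method described above, where a fresh vector is fetched before the second CS-domain authentication. The IMSI string, the DIF value of 1000 and the 5 s gap are constructed for the example; the other SQN checks (IND handling, AUTN MAC verification) are deliberately not modelled.

```python
"""Model of SEQ = GLC + DIF and the UE check SEQ_MS - SEQ < L under interleaved
CS/PS authentications. Added example; constructed values, not the patent's code."""

from dataclasses import dataclass

L = 32          # operator-configured window; the description gives 32 as an example
TICK_S = 0.1    # the global counter GLC advances by 1 every 0.1 s


@dataclass(frozen=True)
class AuthVector:
    domain: str   # "CS" or "PS"
    seq: int      # SEQ carried to the UE inside SQN/AUTN


class AuthenticationDevice:
    """HLR/AUC model: one global counter GLC plus a per-UE DIF value."""

    def __init__(self) -> None:
        self.glc = 0
        self.dif: dict[str, int] = {}

    def elapse(self, seconds: float) -> None:
        """Let wall-clock time pass; GLC is derived from it."""
        self.glc += round(seconds / TICK_S)

    def generate(self, imsi: str, domain: str) -> AuthVector:
        """Authentication data request without a sync-failure indication."""
        return AuthVector(domain, self.glc + self.dif.setdefault(imsi, 0))


class UserEquipment:
    """Keeps SEQ_MS, the largest accepted SEQ, shared by the CS and PS domains."""

    def __init__(self) -> None:
        self.seq_ms = 0

    def synchronised(self, av: AuthVector) -> bool:
        """Accept only if SEQ_MS - SEQ < L; raise SEQ_MS when the new SEQ is larger."""
        if not (self.seq_ms - av.seq < L):
            return False
        if av.seq > self.seq_ms:
            self.seq_ms = av.seq
        return True


IMSI = "imsi-constructed-0001"   # constructed subscriber identity


def _setup() -> tuple[AuthenticationDevice, UserEquipment]:
    auc = AuthenticationDevice()
    auc.dif[IMSI] = 1000          # constructed DIF for this subscriber
    return auc, UserEquipment()


def stale_vector_scenario() -> tuple[bool, bool, bool]:
    """Prior art: the MSC fetched AV_C11 and AV_C12 together, used AV_C11 for the
    first CS authentication, a PS authentication was inserted 5 s later, and the
    MSC then reused the stored AV_C12. Returns the three check results."""
    auc, ue = _setup()
    av_c11 = auc.generate(IMSI, "CS")
    auc.elapse(TICK_S)
    av_c12 = auc.generate(IMSI, "CS")                 # kept unused by the MSC
    first_cs = ue.synchronised(av_c11)
    auc.elapse(5.0)                                   # GLC moves by 50, which exceeds L
    ps = ue.synchronised(auc.generate(IMSI, "PS"))    # SEQ_MS becomes SEQ_P
    second_cs = ue.synchronised(av_c12)               # SEQ_MS - SEQ_C12 = 50, not < L
    return first_cs, ps, second_cs


def fresh_vector_scenario() -> tuple[bool, bool, bool]:
    """Method of the description: before the second CS authentication the core
    network device requests a new vector from the authentication device although
    AV_C12 is still stored, so the SEQ sent to the UE is current."""
    auc, ue = _setup()
    av_c11 = auc.generate(IMSI, "CS")
    auc.elapse(TICK_S)
    _av_c12_unused = auc.generate(IMSI, "CS")         # stored but never used
    first_cs = ue.synchronised(av_c11)
    auc.elapse(5.0)
    ps = ue.synchronised(auc.generate(IMSI, "PS"))
    auc.elapse(TICK_S)
    second_cs = ue.synchronised(auc.generate(IMSI, "CS"))   # freshly generated SEQ
    return first_cs, ps, second_cs


if __name__ == "__main__":
    print("stale AV_C12 reused :", stale_vector_scenario())
    print("fresh vector fetched:", fresh_vector_scenario())
```

In the stale case the third result is False because SEQ_MS has been moved forward by the PS-domain vector while SEQ_C12 still reflects the GLC of 5 seconds earlier; in the fresh case all three checks pass because the SEQ in the new vector is generated from the current GLC, which is exactly the property the method relies on.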
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Note that in the embodiments of the present invention the core network device may be an MSC, an SGSN, or an MME, and the authentication device may be an HLR, a Home Subscriber Server (HSS), an AUC, or a Home Environment (HE).
As shown in FIG. 1, an embodiment of the present invention provides an authentication method in a wireless communication network, the method including:
S101: A core network device that holds an unused authentication vector saved for the UE sends a first authentication data request message (authentication data request) to the authentication device, the first authentication data request message requesting the authentication device to generate an authentication vector for the UE.
When the radio access type (RAT) of the UE changes and the UE moves from one network to another, the core network device of the target network initiates an authentication procedure for the UE; this may be a PS-domain network authentication procedure or a CS-domain network authentication procedure. For example, when a UE in an LTE network switches to a 2G or 3G network because of Circuit Switched Fallback (CSFB) or network reselection, the core network device of the 2G or 3G network may send an authentication request message to the UE to initiate the network authentication procedure of the CS domain or the PS domain.
Before initiating the network authentication procedure of the CS domain or the PS domain, the core network device may send a first authentication data request message to the authentication device to request an authentication vector. In this embodiment of the present invention, before sending the first authentication request message to the UE, the core network device may request the authentication device to generate an authentication vector for the UE regardless of whether it already holds an unused authentication vector saved for the UE, and initiate CS-domain or PS-domain network authentication with the generated authentication vector. This avoids the synchronization failure, and the resulting authentication failure, that may occur in the prior art when the core network device initiates network authentication with an unused authentication vector it has saved, and ensures the success of network authentication as far as possible.
Correspondingly, the authentication device may receive the first authentication data request message sent by the core network device that holds an unused authentication vector saved for the UE, generate a first authentication data response message according to the first authentication data request message, the first authentication data response message including a first authentication vector generated by the authentication device for the UE, and return the first authentication data response message to the core network device.
Note that in the embodiments of the present invention, "an unused authentication vector saved for the UE" means that the unused authentication vector was generated for the UE, or that the unused authentication vector is associated with the UE.
S102: The core network device receives a first authentication data response message (authentication data response) returned by the authentication device according to the first authentication data request message, the first authentication data response message carrying the first authentication vector.
S103: The core network device sends a first authentication request message (authentication request) to the UE, the first authentication request message including the random number and the authentication token in the first authentication vector.
The first authentication vector may include a random number (RAND), an authentication token (AUTN), an expected response (XRES), an integrity key (IK), and a cipher key (CK). After obtaining the first authentication vector, the core network device may send the first authentication request message using the random number and the authentication token in the first authentication vector, to start the authentication procedure between the UE and the core network device. From the random number and the authentication token the UE can determine the SQN, and thus the SEQ (the SQN contains the SEQ), and with the SQN (SEQ) the synchronization check between the UE and the network, or other authentication steps, can be completed.
In addition, the core network device may obtain one or more first authentication vectors from the authentication device. When there are multiple first authentication vectors, they form a group of authentication vectors, and the first authentication request message may include the authentication token and the random number of one authentication vector from among the multiple first authentication vectors.
可选地,由于核心网设备如果在每次发起鉴权流程之前都去鉴权设备获取鉴权向量,可能给鉴权设备带来较大负担。在实际应用中,因为同步失败而引起的鉴权失败问题基本上都是发生在UE从LTE网络切换到3G网络之后而进行的鉴权过程中,或者发生在UE从2G网络切换到3G网络之后而进行的鉴权过程中,因此可以只针对上述场景而使用本发明的方法,则步骤101具体可以是: 在UE接入3G网络之后,所述3G网络的核心网设备向鉴权设备发送第一鉴权数据请求消息,此时,所述核心网设备中为所述UE保存有未使用的鉴权向量。相应地,步骤102和103中的核心网设备均是指该3G网络的核心网设备。Optionally, the core network device may impose a large burden on the authentication device if the authentication device obtains the authentication vector before the authentication process is initiated. In practical applications, the authentication failure problem caused by the synchronization failure basically occurs in the authentication process after the UE switches from the LTE network to the 3G network, or occurs after the UE switches from the 2G network to the 3G network. In the process of the authentication process, the method of the present invention can be used only for the above scenario, and the step 101 can be specifically: After the UE accesses the 3G network, the core network device of the 3G network sends a first authentication data request message to the authentication device. At this time, the core network device stores an unused authentication vector for the UE. . Correspondingly, the core network devices in steps 102 and 103 refer to the core network devices of the 3G network.
可选地,也可以只针对UE从第二网络切换到第一网络之后进行网络鉴权的场景,则在步骤S101之前,所述方法还可以包括步骤S100:Optionally, the method may also be performed only for the scenario that the UE performs the network authentication after the UE is switched from the second network to the first network. Before the step S101, the method may further include the step S100:
S100:UE接入所述核心网设备所位于的第一网络之后,所述核心网设备确定所述UE是从第二网络接入到所述第一网络的UE。S100: After the UE accesses the first network where the core network device is located, the core network device determines that the UE is a UE that accesses the first network from the second network.
Correspondingly, the core network device in steps S101 to S103 refers to the core network device located in the first network. In this embodiment of the present invention, the network standard of the first network differs from that of the second network: the first network may be a 3G network and the second network an LTE network or a 2G network; or the first network may be an LTE network and the second network a 5G/4.5G network.
For example, when the first network is a 3G network and the second network is an LTE network, S100 is: after the UE accesses the 3G network, the core network device of the 3G network determines that the UE is a UE that has accessed the 3G network from the LTE network, that is, determines that the UE comes from the LTE network. This method ensures that, when the authentication procedure is triggered by the UE accessing the 3G network from the LTE network, the core network device obtains the first authentication vector from the authentication device and uses the first authentication vector to initiate the network authentication procedure, even if the core network device has stored an unused authentication vector.
There are also several ways in which the core network device may determine that the UE is a UE that has accessed the 3G network from the LTE network. The core network device may determine whether the UE is a CSFB user according to a CS domain Non-Access Stratum (CS domain NAS) message sent by the UE, or according to the paging response message of the UE in the called-party scenario; if the UE is determined to be a CSFB user, the UE is determined to be a UE that has accessed the 3G network from the LTE network. The CS domain NAS message may be a connection management service request message or a location update request message, and in this case the core network device may be an MSC; or,
The core network device may determine, according to a PS domain Non-Access Stratum (PS domain NAS) message sent by the UE, whether the UE is a UE that has accessed the 3G network from the LTE network; for example, it may determine from a Routing Area Update (RAU) request message that the UE has accessed the 3G network from the LTE network, and in this case the core network device may be an SGSN; or,
The base station may also be functionally enhanced so that it can determine whether the UE is a CSFB user by parsing whether the Radio Resource Control (RRC) connection request message sent by the UE contains CSFB indication information, and, upon determining that the UE is a CSFB user, send a notification message to the core network device; the core network device may then determine, according to the notification message, that the UE is a UE that has accessed the 3G network from the LTE network, and in this case the core network device may be an MSC or an SGSN; or,
For a given UE, the core network device may determine whether the UE has accessed the 3G network from the LTE network by checking whether an SGs interface association for that UE exists between itself and the MME; if such an SGs interface association exists, the UE is determined to be a UE that has accessed the 3G network from the LTE network, and in this case the core network device may be an MSC.
In the foregoing embodiment, the unused authentication vector stored in the core network device may have been obtained before the core network device initiated the previous authentication procedure. As shown in FIG. 2, before step S101 the method may further include:
S201: The core network device sends a second authentication data request message to the authentication device, where the second authentication data request message is used to request the authentication device to generate authentication vectors for the UE.
Correspondingly, the authentication device may receive the second authentication data request message sent by the core network device, generate a second authentication data response message according to the second authentication data request message, where the second authentication data response message contains a second authentication vector and the unused authentication vector, and return the second authentication data response message to the core network device.
S202: The core network device receives the second authentication data response message returned by the authentication device according to the second authentication data request message, where the second authentication data response message contains the second authentication vector generated by the authentication device for the UE and the unused authentication vector.
S203: The core network device sends a second authentication request message to the UE, where the second authentication request message contains the random number and the authentication token in the second authentication vector.
In this embodiment of the present invention, before sending the second authentication request message, the core network device obtains from the authentication device the second authentication vector generated for the UE together with the unused authentication vector; it uses the second authentication vector when sending the second authentication request message to the UE, so the unused authentication vector remains stored in the core network device. When the core network device later needs to send the first authentication request message, it does not use the unused authentication vector but instead obtains from the authentication device a newly generated first authentication vector for the UE. This avoids the problem in the prior art where a core network device that initiates network authentication with an unused authentication vector it has stored may cause a synchronization failure and hence an authentication failure, and so ensures as far as possible that network authentication succeeds.
As shown in FIG. 3, an embodiment of the present invention provides a network authentication method that can be applied to a scenario in which a PS domain authentication is inserted between two CS domain authentications. Specifically, the scenario may be as follows: a UE located in an LTE network initiates a combined attach procedure and registers with the MME of the LTE network and the MSC of a 3G network. During or after the combined registration, the MSC initiates an authentication procedure for the UE, that is, the first CS domain authentication procedure. After the combined attach procedure completes, the UE camps on the LTE network. Later, the UE may access the 3G network from the LTE network for reasons such as CSFB, and the originally registered MSC may provide CS domain services to it; the SGSN in the 3G network and the MSC may then respectively initiate a PS domain authentication procedure and a second CS domain authentication procedure for the UE. The method ensures that authentication succeeds throughout these procedures, and may specifically include:
S301: A UE located in the LTE network initiates a combined attach procedure and registers with the MME of the LTE network and the MSC of the 3G network.
In the above attach procedure, an SGs interface association corresponding to the UE is established between the MME and the MSC. Specifically, the UE sends an attach request message to the MME, where the attach request message contains an attach type information element used to inform the MME that the UE requests combined evolved packet system (EPS) attach or International Mobile Subscriber Identity (IMSI) attach. After receiving the attach request message, the MME performs the EPS attach procedure, then selects an MSC according to configuration information and/or a predetermined algorithm and sends a location update request message to the MSC so that the UE registers with the MSC. After the IMSI attach of the UE at the MSC completes, the SGs interface between the MME and the MSC enters the associated state, that is, an SGs interface association corresponding to the UE is established between them.
S302: During the combined attach procedure, the MSC sends a second authentication data request message to the authentication device, where the second authentication data request message contains the identity of the UE and is used to request the authentication device to generate authentication vectors for the UE.
During the combined attach procedure, the MSC or the MME may be triggered to initiate an authentication procedure. Before initiating the authentication procedure, the MSC may obtain authentication vectors by means of the second authentication data request message.
The identity of the UE may be an IMSI. Generally, when sending an authentication data request message to the authentication device, the number of authentication vectors requested may be specified. To save network resources, several authentication vectors may be obtained at a time, that is, authentication vectors needed for subsequent authentications are reserved. For example, the second authentication data request message may contain indication information indicating that the number of authentication vectors requested is 3.
S303: The authentication device returns a second authentication data response message to the MSC, where the second authentication data response message contains the authentication vectors AV21, AV22 and AV23 generated for the UE.
Each of the authentication vectors returned by the authentication device may contain a random number RAND, an authentication token AUTN, an expected response XRES, an integrity key IK and a cipher key CK. When generating an authentication vector, the authentication device may include in the authentication token AUTN the SQN together with an anonymity key (AK) obtained from the random number RAND, where the SQN may consist of two parts, SEQ and IND (for example SQN=SEQ||IND). For example, the SEQ contained in the SQN of authentication vectors AV21, AV22 and AV23 may respectively be: SEQ21=756EA3, SEQ22=756EA4, SEQ23=756EA5.
If the UE later needs to obtain the SQN from the authentication token AUTN, it may first obtain the anonymity key AK from the random number RAND, then use the anonymity key AK and the relevant algorithm to obtain the SQN from the authentication token AUTN and perform the synchronization check, that is, verify whether the SQN lies in the correct range.
S304: The MSC sends a second authentication request message to the UE, where the second authentication request message contains RAND21 and AUTN21 from authentication vector AV21.
S305: The UE performs CS domain authentication with the 3G network according to the second authentication request message, and after authentication succeeds returns a second authentication response message (authentication response) to the MSC.
The UE may first verify the legitimacy of the network using RAND21 and AUTN21; if the network is legitimate, it uses the AK21 obtained from RAND21 and the relevant algorithm to obtain the synchronization sequence number SQN21 from AUTN21, where SQN21 contains the parameter SEQ21. The UE may compare SEQ21 with the synchronization parameter SEQ_MS, the highest sequence number it has stored; if SEQ_MS-SEQ21<L (L=32) is satisfied, and the other check conditions are also satisfied (for example SEQ21-SEQ_MS≤Δ and SEQ21>SEQ_MS(i), where Δ may be set to a very large number such as 2^28 and i equals the IND value), the UE determines that the SQN is in the correct range and this synchronization verification succeeds.
After the UE has successfully verified the legitimacy of the network and the synchronization, that is, after authentication succeeds, the UE returns the second authentication response message to the MSC, and if SEQ21>SEQ_MS, the UE updates its stored SEQ_MS to SEQ21, that is, SEQ_MS=756EA3.
S306: The UE accesses the 3G network from the LTE network.
For some reason, the UE may access the 3G network from the LTE network, and the originally registered MSC may provide CS domain services to it. For example, because the LTE network does not support voice services, when the UE needs to make a voice call it may fall back to the 3G network via CSFB to initiate a CS voice service; or, for example, because of an abnormality in the LTE network, the UE may access the 3G network by handover or network reselection.
S307: The UE sends an RAU request message to the SGSN of the 3G network.
Because the radio access type (RAT) has changed, the UE may send an RAU request message to the SGSN of the 3G network to request registration in the PS domain of the 3G network so that it can use PS domain services.
S308: The SGSN sends a third authentication data request message to the authentication device, where the third authentication data request message contains the identity of the UE and is used to request the authentication device to generate authentication vectors for the UE.
After receiving the RAU request message sent by the UE, the SGSN may need to initiate an authentication procedure, that is, PS domain authentication, and so before authentication it may obtain authentication vectors by means of the third authentication data request message.
S309: The authentication device returns a third authentication data response message to the SGSN, where the third authentication data response message contains the authentication vectors AV31, AV32 and AV33 generated for the UE.
For example, assuming the third authentication data request message is sent 5s after the second authentication data request message, so that the authentication device generates AV31/AV32/AV33 5s after generating AV21/AV22/AV23, the SEQ contained in the SQN of authentication vectors AV31, AV32 and AV33 may respectively be: SEQ31=756ED5, SEQ32=756ED6, SEQ33=756ED7.
S310: The SGSN sends a third authentication request message to the UE, where the third authentication request message contains RAND31 and AUTN31 from authentication vector AV31.
S311: The UE performs PS domain authentication with the 3G network according to the third authentication request message, and after authentication succeeds returns a third authentication response message to the SGSN.
After successfully verifying the legitimacy of the network, the UE may use RAND31 and AUTN31 to obtain SQN31 (which contains SEQ31=756ED4), and then use SQN31 for synchronization verification, that is, verify whether SQN31 lies in the correct range. Assuming the UE's verification of the network's legitimacy and synchronization succeeds, that is, authentication succeeds, the UE updates its stored SEQ_MS from SEQ21 to SEQ31, that is, SEQ_MS=756ED5.
Optionally, in steps S306 to S311, the process in which the SGSN obtains the authentication vectors and initiates the authentication procedure for the PS domain may instead be performed by the MME. In that case the UE is still located in the LTE network; the MME obtains the authentication vectors and initiates the authentication procedure for the PS domain, and after that authentication procedure ends the UE may be handed over from the LTE network to the 3G network, with the MSC of the 3G network performing the acquisition of authentication vectors and the initiation of the CS domain authentication procedure in the following steps.
S312: The UE sends an access request message or a service request message to the MSC in order to obtain CS domain services of the 3G network.
After migrating from the LTE network to the 3G network, the UE may send an access request message or a service request message, such as a location update request message or a connection management service request message, to the MSC in order to obtain CS domain services of the 3G network.
S313: The MSC determines, according to the access request message or the service request message, whether the UE is a UE that has accessed the 3G network from the LTE network.
S314: After determining that the UE is a UE that has accessed the 3G network from the LTE network, the MSC sends a first authentication data request message to the authentication device, where the first authentication data request message contains the identity of the UE and is used to request the authentication device to generate an authentication vector for the UE.
In the present invention, although the unused authentication vectors AV22 and AV23 are stored in the MSC, the MSC still goes to the authentication device to obtain the newly generated authentication vector AV11 in order to ensure that authentication succeeds. Otherwise, following the prior-art procedure, the MSC would send the authentication request message using AV22/AV23; if the UE then authenticated using AV22/AV23, the SEQ_MS=756ED5 stored in the UE would be larger than SEQ22=756EA4/SEQ23=756EA5, and by more than 32, so the check rule SEQ_MS-SEQ<L would not be satisfied, causing the synchronization check to fail and hence authentication to fail.
S315: The authentication device returns a first authentication data response message to the MSC, where the first authentication data response message contains the authentication vector AV11 generated for the UE.
Assuming the first authentication data request message is sent 0.5s after the third authentication data request message, so that the time difference between the authentication device generating AV31/AV32/AV33 and generating AV11 is about 0.5s, the SEQ contained in authentication vector AV11 may be: SEQ11=756EDA.
Optionally, the MSC may also obtain several authentication vectors from the authentication device, in which case the first authentication data response message may also contain several authentication vectors.
S316: The MSC sends a first authentication request message to the UE, where the first authentication request message contains RAND11 and AUTN11 from authentication vector AV11.
S317: The UE performs CS domain authentication with the 3G network according to the first authentication request message, and after authentication succeeds returns a first authentication response message to the MSC.
The UE verifies the legitimacy of the network using RAND11 and AUTN11 from AV11, and performs the synchronization check using the SQN11 obtained from AUTN11. Because the SEQ_MS=756ED5 stored in the UE is smaller than SEQ11=756EDA in SQN11, SEQ_MS-SEQ<0<L is satisfied, so the synchronization check succeeds; this avoids the authentication failure that would occur with prior-art authentication and keeps the UE from being detached from the network.
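The following is an added model of steps S301 to S317, not code from the patent: it implements the UE-side SQN range check with the three conditions and the SEQ values the text gives, and replays the sequence once with the prior-art MSC (which drains its cached AV22) and once with the embodiment (which fetches AV11). The subscriber key, the RAND values, the AK derivation (a stand-in for f5), the 5-bit IND width and the IND assignments per node are constructed assumptions; AUTN is reduced to the concealed SQN, and the network-legitimacy (MAC) check is left out.

```python
"""Constructed model of the SQN freshness check in S305/S311/S317 (not the patent's code).
SEQ values are the ones the text uses; K, RAND and the AK function are stand-ins."""
import hashlib
from dataclasses import dataclass, field

L = 32            # window the text uses: accept only if SEQ_MS - SEQ < L
DELTA = 1 << 28   # the "very large number" Δ the text cites for the upper bound
IND_BITS = 5      # SQN = SEQ || IND; 5-bit IND (32-entry array) assumed, as in 3GPP TS 33.102
IND_MASK = (1 << IND_BITS) - 1


def pack_sqn(seq, ind):
    """Build SQN = SEQ || IND as the text describes."""
    return (seq << IND_BITS) | ind


def unpack_sqn(sqn):
    return sqn >> IND_BITS, sqn & IND_MASK


def anonymity_key(k, rand):
    """Stand-in for f5: a 48-bit AK derived from K and RAND (constructed, not MILENAGE)."""
    return int.from_bytes(hashlib.sha256(k + rand).digest()[:6], "big")


@dataclass
class AuthVector:
    """Only what the SQN check needs; XRES/IK/CK and the MAC part of AUTN are omitted."""
    name: str
    rand: bytes
    autn_sqn_ak: int   # SQN xor AK, the concealed SQN carried in AUTN


def make_av(k, name, seq, ind):
    """Authentication-device side (S303/S309/S315): conceal SQN with AK obtained from RAND."""
    rand = hashlib.sha256(name.encode()).digest()[:16]   # constructed RAND, not random
    return AuthVector(name, rand, pack_sqn(seq, ind) ^ anonymity_key(k, rand))


@dataclass
class UEState:
    k: bytes
    seq_ms: int = 0                                                      # highest SEQ accepted
    per_ind: list = field(default_factory=lambda: [0] * (1 << IND_BITS))  # SEQ_MS(i)

    def verify(self, av):
        """Recover SQN from AUTN with AK, then apply the three range conditions from the text."""
        sqn = av.autn_sqn_ak ^ anonymity_key(self.k, av.rand)
        seq, ind = unpack_sqn(sqn)
        in_range = (self.seq_ms - seq < L
                    and seq - self.seq_ms <= DELTA
                    and seq > self.per_ind[ind])
        if in_range:                      # sync passed: update SEQ_MS and SEQ_MS(i)
            self.per_ind[ind] = seq
            self.seq_ms = max(self.seq_ms, seq)
        return in_range


def msc_pick_vector(cached, ue_from_lte, fetch_fresh, follow_embodiment):
    """S313/S314: under the embodiment a UE coming from LTE always gets a fresh vector;
    the prior-art MSC drains its cache first."""
    if cached and not (follow_embodiment and ue_from_lte):
        return cached.pop(0)
    return fetch_fresh()


def run_scenario(follow_embodiment):
    """Replay S301-S317; return the outcome of the three authentications in order."""
    k = b"\x01" * 16                                      # constructed subscriber key
    ue = UEState(k)
    # S303: MSC receives AV21..AV23 (IND 1 assumed) with SEQ 756EA3..756EA5
    msc_cache = [make_av(k, f"AV2{i + 1}", 0x756EA3 + i, 1) for i in range(3)]
    # S304/S305: first CS-domain authentication with AV21
    results = [ue.verify(msc_cache.pop(0))]
    # S309..S311: SGSN fetches AV31 (IND 2 assumed) with SEQ 756ED5; PS-domain authentication
    results.append(ue.verify(make_av(k, "AV31", 0x756ED5, 2)))

    # S315: fresh AV11 with SEQ 756EDA, generated only if the MSC asks for it
    def fetch_av11():
        return make_av(k, "AV11", 0x756EDA, 1)

    # S312..S317: UE arrives from LTE; second CS-domain authentication
    av = msc_pick_vector(msc_cache, True, fetch_av11, follow_embodiment)
    results.append(ue.verify(av))
    return results


if __name__ == "__main__":
    print("prior art (reuses AV22):  ", run_scenario(False))   # [True, True, False]
    print("embodiment (fetches AV11):", run_scenario(True))    # [True, True, True]
```

The failing third result in the prior-art run comes from the first condition alone: SEQ_MS-SEQ22 = 756ED5-756EA4 = 49 ≥ L, exactly the gap the text describes.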
In the prior art, after a UE accesses the LTE network from a 3G network, the SGSN of the 3G network may pass authentication vectors to the MME of the LTE network, and after the UE re-accesses the 3G network from the LTE network, the MME may in turn send the authentication vectors to the SGSN of the 3G network. As a result, during the authentication procedure the SGSN may send the authentication request message using those authentication vectors instead of obtaining a newly generated authentication vector from the authentication device, which leads to authentication failure.
In view of this, an embodiment of the present invention provides an authentication method in a wireless communication network: after the UE accesses the LTE network from the 3G network, the first SGSN of the 3G network does not send the unused authentication vector it has stored for the UE to the MME of the LTE network, so that after the UE re-accesses the 3G network from the LTE network, the MME cannot send that stored authentication vector to the second SGSN of the 3G network; the first SGSN and the second SGSN may be the same or different. The method provided by this embodiment avoids storing unused authentication vectors in the SGSN, thereby ensuring that the SGSN obtains authentication vectors from the authentication device before each authentication procedure it initiates, which solves the problem in the prior art. Specifically, as shown in FIG. 4, the method may include:
S400: After the UE accesses the LTE network from the 3G network, the first SGSN of the 3G network receives a context request message (context request) sent by the MME of the LTE network.
The context request message is used to request the information of the UE.
S401: The first SGSN, which has stored an unused authentication vector, sends a first context response message (context response) to the MME, where the first context response message does not contain the unused authentication vector.
The unused authentication vector may be a 3G authentication vector (3G AV).
Unlike the prior art, in the present invention, even if an unused authentication vector is stored in the first SGSN, that unused authentication vector is not sent to the MME. Consequently, after the UE later re-accesses the 3G network from the LTE network, the MME cannot send the unused authentication vector to the SGSN in the 3G network either; this avoids storing unused authentication vectors in the SGSN and ensures that the SGSN obtains a new authentication vector before each authentication procedure it initiates, which solves the authentication failure problem of the prior art.
Optionally, if the UE accessed the LTE network from the 3G network as a result of a PS domain handover, steps S400-S401 may be replaced by:
S401': After the UE accesses the LTE network from the 3G network, the first SGSN of the 3G network sends a first forward relocation request message (forward relocation request) to the MME of the LTE network; when the first SGSN sends the first forward relocation request message it has stored an unused authentication vector for the UE, and the first forward relocation request message does not contain the unused authentication vector.
The first forward relocation request message is used to inform the MME of the information of the UE, such as the identity and context of the UE. The forward relocation request message does not contain the unused 3G authentication vector.
Optionally, the method may further include:
S402: After the UE re-accesses the 3G network from the LTE network, the second SGSN of the 3G network sends a second context request message to the MME.
The first SGSN and the second SGSN may be the same or different. As a result of steps S400-S401 or step S401', the MME does not hold the unused authentication vector.
S403: The second SGSN receives a second context response message returned by the MME, where the second context response message does not contain the unused authentication vector.
If the UE re-accessed the 3G network from the LTE network as a result of a PS domain handover, steps S402-S403 may be replaced by:
S403': After the UE re-accesses the 3G network from the LTE network, the second SGSN of the 3G network receives a second forward relocation request message sent by the MME, where the second forward relocation request message does not contain the unused authentication vector.
The second forward relocation request message is used to inform the second SGSN of the information of the UE, such as the identity and context of the UE.
S404: The second SGSN sends an authentication data request message to the authentication device.
After the UE re-accesses the 3G network from the LTE network, the second SGSN may initiate an authentication procedure; because no unused authentication vector is stored in the second SGSN, before initiating the authentication procedure the second SGSN requests authentication vectors from the authentication device.
S405: The second SGSN receives an authentication data response message returned by the authentication device, where the authentication data response message contains an authentication vector.
The authentication vector contains a random number and an authentication token, and may further contain an expected response, an integrity key and a cipher key.
S406: The second SGSN sends an authentication request message to the UE, where the authentication request message contains the random number and the authentication token from the authentication vector contained in the authentication data response message.
In this embodiment of the present invention, after the UE accesses the LTE network from the 3G network, the first SGSN of the 3G network does not send the unused authentication vector it has stored to the MME of the LTE network, so that after the UE re-accesses the 3G network from the LTE network, the MME cannot send the unused authentication vector to the second SGSN in the 3G network either. This avoids storing the unused authentication vector in the second SGSN, so the second SGSN must obtain a newly generated authentication vector from the authentication device before sending the authentication request message to the UE, which solves the authentication failure problem of the prior art.
本发明实施例提供了一种无线通信网络中的鉴权方法,在UE从3G网络接入到LTE网络之后,所述LTE网络的移动管理实体MME获取所述3G网络的SGSN为所述UE保存的未使用的鉴权向量,所述MME删除或丢弃所述未使用 的鉴权向量,以便在所述UE从所述LTE网络重新接入到所述3G网络之后,所述MME无法将所述未使用的鉴权向量发送给所述SGSN。通过本发明实施例提供的方法,可以避免在SGSN中保存未使用的鉴权向量,从而保证SGSN在每次发起鉴权流程之前都获取新的鉴权向量,解决了现有技术的问题。具体地,如图5所述,所述方法可以包括:An embodiment of the present invention provides an authentication method in a wireless communication network. After the UE accesses the LTE network from the 3G network, the MME of the LTE network acquires the SGSN of the 3G network and saves the SGSN of the 3G network. Unused authentication vector, the MME deletes or discards the unused An authentication vector, such that after the UE re-accesses the 3G network from the LTE network, the MME cannot send the unused authentication vector to the SGSN. The method provided by the embodiment of the present invention can prevent the unused authentication vector from being saved in the SGSN, thereby ensuring that the SGSN obtains a new authentication vector before each initiation of the authentication process, thereby solving the problem of the prior art. Specifically, as described in FIG. 5, the method may include:
S500:在UE从3G网络接入到LTE网络之后,所述LTE网络的MME向所述3G网络的第一SGSN发送的上下文请求消息。S500: A context request message sent by the MME of the LTE network to the first SGSN of the 3G network after the UE accesses the LTE network from the 3G network.
S501:所述MME接收所述第一SGSN返回的第一上下文响应消息,所述第一上下文响应消息包含所述第一SGSN为所述UE保存的未使用的鉴权向量。S501: The MME receives a first context response message returned by the first SGSN, where the first context response message includes an unused authentication vector saved by the first SGSN for the UE.
所述未使用的鉴权向量可以为3G鉴权向量。The unused authentication vector may be a 3G authentication vector.
可选地,若UE是由于执行PS域切换而从3G网络接入LTE网络的,则步骤S500-S501可以替换为:Optionally, if the UE accesses the LTE network from the 3G network due to performing the PS domain handover, the steps S500-S501 may be replaced by:
S501’:在UE从3G网络接入到LTE网络之后,所述LTE网络的MME接收所述3G网络的第一SGSN发送的第一前转重定位请求消息(forward relocation request),所述第一SGSN发送所述前传重定位请求消息时为所述UE保存有未使用的鉴权向量,则所述第一前转重定位请求消息包含所述第一SGSN保存的未使用的鉴权向量。步骤S501’的具体实现方式可以参考步骤S401’。S501 ′: after the UE accesses the LTE network from the 3G network, the MME of the LTE network receives a first forward relocation request message sent by the first SGSN of the 3G network, where the first When the SGSN sends the pre-relocation request message, the UE stores an unused authentication vector, and the first forward relocation request message includes an unused authentication vector saved by the first SGSN. For a specific implementation of step S501', reference may be made to step S401'.
S502: After the UE re-accesses the 3G network from the LTE network, the MME receives a second context request message sent by the second SGSN.
S503: The MME returns a second context response message to the second SGSN, where the second context response message does not include the unused authentication vector.
Because of steps S500-S501, the unused authentication vector is saved in the MME. Unlike the prior art, the second context response message sent by the MME that holds the unused authentication vector does not include the unused authentication vector.
Unlike the prior art, in the present invention, after the UE re-accesses the 3G network from the LTE network, even if an unused authentication vector is stored in the MME, the unused authentication vector is not sent to the second SGSN of the 3G network. This avoids storing the unused authentication vector in the second SGSN and ensures that the second SGSN obtains an authentication vector from the authentication device before each initiation of the authentication process, which solves the authentication failure problem of the prior art.
If the UE re-accesses the 3G network from the LTE network as a result of a PS domain handover, steps S502-S503 may be replaced by:
S503': After the UE re-accesses the 3G network from the LTE network, the MME sends a second forward relocation request message to the second SGSN of the 3G network, where the second forward relocation request message does not include the unused authentication vector.
Because of step S501', the unused authentication vector is saved in the MME. Unlike the prior art, the second forward relocation request message sent by the MME that holds the unused authentication vector does not include the unused authentication vector.
It should be noted that, after receiving the unused authentication vector sent by the first SGSN, the MME may delete or discard the unused authentication vector, so that neither the second forward relocation request message nor the second context response message sent to the second SGSN includes the unused authentication vector. Alternatively, the MME may keep the unused authentication vector and simply not send it to the second SGSN.
Optionally, the method may further include:
S504: The second SGSN sends an authentication data request message to the authentication device.
After the UE re-accesses the 3G network from the LTE network, the second SGSN may initiate an authentication process. Since no unused authentication vector is stored in the second SGSN, the second SGSN may request a newly generated authentication vector from the authentication device before initiating the authentication process.
S505: The second SGSN receives an authentication data response message returned by the authentication device, where the authentication data response message includes an authentication vector.
S506: The second SGSN sends an authentication request message to the UE, where the authentication request message includes the random number and the authentication token of the authentication vector carried in the authentication data response message.
In this embodiment of the present invention, after the UE re-accesses the 3G network from the LTE network, even if an unused authentication vector is stored in the MME of the LTE network, the unused authentication vector is not sent to the second SGSN of the 3G network. This avoids storing the unused authentication vector in the second SGSN, so the second SGSN must obtain a newly generated authentication vector from the authentication device before sending an authentication request message to the UE, which solves the authentication failure problem of the prior art.
Corresponding to the foregoing method embodiments, an embodiment of the present invention provides a core network device 60. As shown in FIG. 6, the core network device may be a mobile switching center (MSC), an SGSN, or a core network device of a 5G network, and may include a storage unit 601, an obtaining unit 602, and a sending unit 603;
The storage unit 601 is configured to save an unused authentication vector for the UE.
The obtaining unit 602 is configured to send a first authentication data request message to the authentication device, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the UE, and to receive a first authentication data response message returned by the authentication device according to the authentication data request message, where the first authentication data response message includes a first authentication vector generated by the authentication device for the UE. For example, the obtaining unit 602 may send the first authentication data request message to the authentication device before the sending unit 603 sends a first authentication request message to the UE, in the case where the storage unit 601 holds the unused authentication vector for the UE. The first authentication data request message may further include the identity of the UE, so that the core network device generates the first authentication vector for the UE according to the identity of the UE.
The sending unit 603 is configured to send a first authentication request message to the UE, where the first authentication request message includes the random number and the authentication token of the first authentication vector.
If the core network device fetched an authentication vector from the authentication device before every authentication process it initiates, it could place a considerable burden on the authentication device. In practice, the protection may be applied only to certain scenarios. The core network device may therefore further include:
a determining unit 604, configured to determine, after the UE accesses the first network where the core network device is located, that the UE is a UE that accessed the first network from a second network; the obtaining unit 602 may then send the first authentication data request message to the authentication device only after the determining unit 604 has determined that the UE is a UE that accessed the first network from the second network.
For example, the first network may be a 3G network and the second network may be a Long Term Evolution (LTE) network, in which case the determining unit 604 is specifically configured to determine that the UE is a UE that accessed the 3G network from the LTE network. This ensures that only when the authentication process is triggered by the UE accessing the 3G network from the LTE network does the core network device, even if it holds an unused authentication vector, obtain a first authentication vector from the authentication device and use the first authentication vector to initiate the network authentication process.
Specifically, the determining unit 604 may determine that the UE accessed the 3G network from the LTE network in several ways. The determining unit 604 may judge whether the UE is a CSFB user according to a CS domain NAS message sent by the UE or the paging response message of the UE in a mobile-terminated call scenario; if it is a CSFB user, the UE is determined to be a UE that accessed the 3G network from the LTE network. The CS domain NAS message may be a connection management service request message or a location update request message, and in this case the core network device may be an MSC. Alternatively, the determining unit 604 may judge, according to a PS domain NAS message sent by the UE, whether the UE is a UE that accessed the 3G network from the LTE network, for example by determining this from a RAU request message; in this case the core network device may be an SGSN. Alternatively, the determining unit 604 may determine that the UE accessed the 3G network from the LTE network according to a notification message sent by the base station, where the notification message is sent by the base station to the core network device after the base station determines that the UE is a circuit switched fallback (CSFB) user; in this case the core network device may be an MSC or an SGSN. Alternatively, for a given UE, the determining unit 604 may judge whether the UE accessed the 3G network from the LTE network by checking whether an SGS interface association exists between the core network device and the MME; if such an association exists, the UE is determined to be a UE that accessed the 3G network from the LTE network, and in this case the core network device may be an MSC.
Optionally, the unused authentication vector saved in the storage unit 601 may have been obtained before the core network device initiated the previous authentication process, in which case: the obtaining unit 602 is further configured to, before sending the first authentication data request message to the authentication device, send a second authentication data request message to the authentication device, where the second authentication data request message is used to request the authentication device to generate an authentication vector for the UE, and to receive a second authentication data response message returned by the authentication device according to the second authentication data request message, where the second authentication data response message carries a second authentication vector generated by the authentication device for the UE and the unused authentication vector; and the sending unit 603 is further configured to, before the obtaining unit 602 sends the first authentication data request message to the authentication device, send a second authentication request message to the UE, where the second authentication request message includes the random number and the authentication token of the second authentication vector.
In this embodiment of the present invention, when the storage unit 601 holds an unused authentication vector for the UE, the obtaining unit 602 may send the first authentication data request message to the authentication device and receive the first authentication data response message returned by the authentication device according to the authentication data request message, where the first authentication data response message includes a first authentication vector generated by the authentication device for the UE, and the sending unit 603 may send a first authentication request message to the UE that includes the random number and the authentication token of the first authentication vector. As a result, even though the core network device holds an unused authentication vector, it authenticates with the first authentication vector, which avoids the authentication failure caused by the synchronization failure that may occur in the prior art when the core network device initiates network authentication with an unused authentication vector it has saved, and thereby secures the success of network authentication as far as possible.
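The following simulation is an added example and is not code from the patent or from the applicant. It models both rules described above in one runnable script: the MME of FIG. 5 leaving the unused 3G authentication vector out of the second context response or forward relocation request (S503, S503'), and the core network device of FIG. 6 (units 601-604) fetching a fresh vector from the authentication device before authenticating a UE that arrived from LTE, even though it still holds an unused vector. AKA is deliberately simplified and this simplification is an assumption of the example: AUTN is modelled as the sequence number SQN followed by an HMAC-SHA256 over RAND || SQN under the subscriber key, and the UE accepts a vector only if its SQN is greater than the SQN_MS it has stored (real UMTS AKA conceals SQN and uses an acceptance window). That freshness check is what turns a vector held over from 3G, while the UE was authenticated on LTE with newer vectors, into a synchronization failure. All class names, functions and the key value are constructed for the example.

```python
# Toy model (added example, not the patent's code); see the lead-in for the assumptions.
from dataclasses import dataclass
from typing import List
import hashlib
import hmac
import secrets

SUBSCRIBER_KEY = b"\x01" * 16  # constructed toy key K shared by the UE and the authentication device

@dataclass(frozen=True)
class AuthVector:
    rand: bytes
    autn: bytes  # toy AUTN: 6-byte SQN || HMAC-SHA256(K, RAND || SQN)

def toy_autn(key: bytes, rand: bytes, sqn: int) -> bytes:
    sqn_bytes = sqn.to_bytes(6, "big")
    return sqn_bytes + hmac.new(key, rand + sqn_bytes, hashlib.sha256).digest()

class AuthDevice:
    """HSS/HLR/AuC: answers authentication data requests with strictly increasing SQN."""
    def __init__(self, key: bytes) -> None:
        self.key, self.sqn = key, 0

    def generate(self, count: int) -> List[AuthVector]:
        vectors = []
        for _ in range(count):
            self.sqn += 1
            rand = secrets.token_bytes(16)
            vectors.append(AuthVector(rand, toy_autn(self.key, rand, self.sqn)))
        return vectors

class UE:
    def __init__(self, key: bytes) -> None:
        self.key, self.sqn_ms = key, 0  # SQN_MS: highest SQN accepted so far

    def authenticate(self, rand: bytes, autn: bytes) -> str:
        """Handle an authentication request: verify the token, then check SQN freshness."""
        sqn = int.from_bytes(autn[:6], "big")
        if not hmac.compare_digest(toy_autn(self.key, rand, sqn), autn):
            return "MAC_FAILURE"
        if sqn <= self.sqn_ms:
            return "SYNC_FAILURE"  # stale vector: the failure the prior-art flow runs into
        self.sqn_ms = sqn
        return "OK"

class SGSN:
    """3G core network device with a pool of unused vectors (storage unit 601)."""
    def __init__(self, auth_device: AuthDevice, refresh_when_from_lte: bool) -> None:
        self.auth_device = auth_device
        self.refresh_when_from_lte = refresh_when_from_lte  # True models the FIG. 6 rule
        self.unused: List[AuthVector] = []

    def authenticate_ue(self, ue: UE, came_from_lte: bool) -> str:
        # came_from_lte stands for the determining unit 604's verdict (RAU request, CSFB
        # indication, SGS association, ...). The obtaining unit 602 fetches fresh vectors
        # when the pool is empty (S504/S505) or, under the FIG. 6 rule, whenever the UE
        # arrived from LTE, even though an unused vector is held.
        if not self.unused or (came_from_lte and self.refresh_when_from_lte):
            self.unused = self.auth_device.generate(2)
        vector = self.unused.pop(0)
        return ue.authenticate(vector.rand, vector.autn)  # sending unit 603 / S506

class MME:
    def __init__(self, auth_device: AuthDevice, forward_unused: bool) -> None:
        self.auth_device = auth_device
        self.forward_unused = forward_unused  # True models the prior art, False models S503/S503'
        self.received: List[AuthVector] = []

    def take_context_from(self, sgsn: SGSN) -> None:
        # S500/S501: the first SGSN's unused vectors move to the MME with the UE context.
        self.received, sgsn.unused = list(sgsn.unused), []

    def authenticate_ue(self, ue: UE) -> str:
        # LTE-side authentication consumes a fresh SQN; this is what leaves the 3G vector stale.
        vector = self.auth_device.generate(1)[0]
        return ue.authenticate(vector.rand, vector.autn)

    def context_response_for(self, sgsn: SGSN) -> None:
        # S502/S503 (or S503'): hand the UE context to the second SGSN.
        sgsn.unused = list(self.received) if self.forward_unused else []

def run_scenario(mme_forwards_unused: bool, sgsn_refreshes_from_lte: bool) -> str:
    """3G -> LTE -> 3G mobility; returns the second SGSN's authentication result."""
    hss = AuthDevice(SUBSCRIBER_KEY)
    ue = UE(SUBSCRIBER_KEY)
    sgsn1 = SGSN(hss, sgsn_refreshes_from_lte)
    sgsn2 = SGSN(hss, sgsn_refreshes_from_lte)
    mme = MME(hss, mme_forwards_unused)
    sgsn1.authenticate_ue(ue, came_from_lte=False)  # uses one of two vectors, keeps one
    mme.take_context_from(sgsn1)
    mme.authenticate_ue(ue)  # the UE's SQN_MS now exceeds the SQN of the held-over vector
    mme.context_response_for(sgsn2)
    return sgsn2.authenticate_ue(ue, came_from_lte=True)

if __name__ == "__main__":
    print("prior art  :", run_scenario(True, False))   # SYNC_FAILURE
    print("FIG. 5 MME :", run_scenario(False, False))  # OK
    print("FIG. 6 SGSN:", run_scenario(True, True))    # OK
```

Run as-is, the prior-art configuration (MME forwards the vector, SGSN uses whatever it holds) ends in `SYNC_FAILURE`, while either of the two rules on its own (`run_scenario(False, False)` for the FIG. 5 MME behaviour, `run_scenario(True, True)` for the FIG. 6 core network device behaviour) ends in `OK`. The `refresh_when_from_lte` flag also shows where the load trade-off discussed above sits: the fresh fetch is only forced for UEs the determining unit flags as inter-RAT arrivals, not for every authentication.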
Corresponding to the foregoing method embodiments, an embodiment of the present invention further provides an authentication device. As shown in FIG. 7, the authentication device may be a home environment (HE), a home location register (HLR), a home subscriber server (HSS), or an authentication center (AuC), and includes a receiving unit 701, a processing unit 702, and a sending unit 703;
The receiving unit 701 is configured to receive a first authentication data request message sent by a core network device that holds an unused authentication vector, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the UE;
The processing unit 702 is configured to generate a first authentication data response message according to the first authentication data request message, where the first authentication data response message includes a first authentication vector generated for the UE;
The sending unit 703 is configured to return the first authentication data response message to the core network device.
Optionally, the receiving unit 701 is further configured to, before receiving the first authentication data request message, receive a second authentication data request message sent by the core network device, where the second authentication data request message is used to request the authentication device to generate an authentication vector for the UE; the processing unit 702 is further configured to generate a second authentication data response message according to the second authentication data request message, where the second authentication data response message includes a second authentication vector generated for the UE and the unused authentication vector; and the sending unit 703 is further configured to return the second authentication data response message to the core network device.
In this embodiment of the present invention, the authentication device may receive the first authentication data request message sent by a core network device that holds an unused authentication vector for the UE, and return to that core network device a first authentication data response message that includes a first authentication vector generated for the UE. As a result, even though the core network device holds an unused authentication vector, it authenticates with the first authentication vector, which avoids the authentication failure caused by the synchronization failure that may occur in the prior art when the core network device initiates network authentication with an unused authentication vector it has saved, and thereby secures the success of network authentication as far as possible.
As shown in FIG. 8, an embodiment of the present invention further provides an authentication system 80, including a core network device 60 and an authentication device 70. For the actions performed by the core network device 60 and the authentication device 70 and the interaction between them, reference may be made to the description of the method embodiments corresponding to FIG. 1 to FIG. 3 and to the description of the apparatus embodiments corresponding to FIG. 6 and FIG. 7, which is not repeated here.
Optionally, the authentication system may further include a user equipment 801;
For example, the core network device may be configured to send a first authentication data request message to the authentication device when it holds an unused authentication vector for the user equipment, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment;
The authentication device may be configured to receive the first authentication data request message, generate a first authentication data response message according to the first authentication data request message, where the first authentication data response message includes a first authentication vector generated by the authentication device for the user equipment, and return the first authentication data response message to the core network device.
The core network device may be further configured to receive the first authentication data response message and send a first authentication request message to the user equipment, where the first authentication request message includes the random number and the authentication token of the first authentication vector;
The user equipment may receive the first authentication request message and perform authentication using the random number and the authentication token of the first authentication vector included in the first authentication request message.
As shown in FIG. 9, an embodiment of the present invention further provides an authentication apparatus in a wireless communication system, which may include:
a processor 901, a memory 902, a bus 904, and a communication interface 905. The processor 901, the memory 902, and the communication interface 905 are connected by the bus 904 and communicate with one another.
The processor 901 may be a single-core or multi-core central processing unit, an application-specific integrated circuit, or one or more integrated circuits configured to implement the embodiments of the present invention.
The memory 902 may be a high-speed RAM memory or a non-volatile memory, for example at least one disk memory.
The memory 902 is used to store computer-executable instructions 903. Specifically, the computer-executable instructions 903 may include program code.
When the authentication apparatus runs, the processor 901 executes the computer-executable instructions 903 and can perform the method flow of the authentication method in a wireless communication system described in the method embodiment corresponding to any one of FIG. 1 to FIG. 3, or the method flow of the authentication method in a wireless communication system described in the method embodiment corresponding to either of FIG. 4 and FIG. 5. The authentication apparatus may be a core network device or an authentication device.
An embodiment of the present invention further provides a computer-readable medium including computer-executable instructions, such that when a processor of a computer executes the computer-executable instructions, the computer performs the method flow of the authentication method in a wireless communication system described in the method embodiment corresponding to any one of FIG. 1 to FIG. 3, or the method flow of the authentication method in a wireless communication system described in the method embodiment corresponding to either of FIG. 4 and FIG. 5.
The LTE network mentioned in the present invention includes the LTE-A network and any subsequent LTE releases. The terms first, second, third, fourth, fifth, and so on in the embodiments of the present invention are used only to distinguish different indication information, messages, or other objects and do not represent an order.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of the examples have been described above generally in terms of their functions. Whether these functions are performed in hardware or software depends on the particular application and design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such implementation should not be considered to go beyond the scope of the present invention.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the system, apparatus, and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings, or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses, or units, and may be electrical, mechanical, or in other forms.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments of the present invention.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
When the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
The foregoing is merely a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any modification or replacement that a person skilled in the art could readily conceive within the technical scope disclosed in the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (27)

  1. An authentication method in a wireless communication network, characterized in that the method comprises:
    a core network device that holds an unused authentication vector for a user equipment sending a first authentication data request message to an authentication device, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment;
    the core network device receiving a first authentication data response message returned by the authentication device according to the first authentication data request message, where the first authentication data response message carries a first authentication vector;
    the core network device sending a first authentication request message to the user equipment, where the first authentication request message comprises the random number and the authentication token of the first authentication vector.
  2. The method according to claim 1, characterized in that, before the core network device that holds an unused authentication vector for the user equipment sends the first authentication data request message to the authentication device, the method further comprises:
    after the user equipment accesses a first network where the core network device is located, the core network device determining that the user equipment is a user equipment that accessed the first network from a second network, where the network standard of the first network is different from the network standard of the second network.
  3. The method according to claim 2, characterized in that the first network is a 3G network and the second network is a Long Term Evolution (LTE) network;
    and the core network device determining that the user equipment is a user equipment that accessed the first network from the second network comprises: the core network device determining that the user equipment is a user equipment that accessed the 3G network from the LTE network.
  4. The method according to claim 3, characterized in that the core network device of the 3G network determining that the user equipment is a user equipment that accessed the 3G network from the LTE network comprises:
    the core network device determining, according to a packet switched domain non-access stratum message sent by the user equipment, that the user equipment is a user equipment that accessed the 3G network from the LTE network; or
    the core network device determining, according to a paging response message or a circuit switched domain non-access stratum message sent by the user equipment, that the user equipment is a user equipment that accessed the 3G network from the LTE network; or
    the core network device determining, by determining that an SGS interface association corresponding to the user equipment exists between itself and a mobility management entity (MME), that the user equipment is a user equipment that accessed the 3G network from the LTE network; or
    the core network device determining, according to a notification message sent by a base station, that the user equipment is a user equipment that accessed the 3G network from the LTE network, where the notification message is a message sent by the base station to the core network device after the base station determines that the user equipment is a circuit switched fallback (CSFB) user.
  5. The method according to any one of claims 1-4, characterized in that, before the core network device that holds an unused authentication vector for the user equipment sends the first authentication data request message to the authentication device, the method further comprises:
    所述核心网设备向所述鉴权设备发送第二鉴权数据请求消息,所述第二鉴权数据请求消息用于请求所述鉴权设备为所述用户设备生成鉴权向量;The core network device sends a second authentication data request message to the authentication device, where the second authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment;
    所述核心网设备接收所述鉴权设备根据所述第二鉴权数据请求消息返回的第二鉴权数据响应消息,所述第二鉴权数据响应消息携带第二鉴权向量和所述未使用的鉴权向量;Receiving, by the core network device, the second authentication data response message returned by the authentication device according to the second authentication data request message, where the second authentication data response message carries the second authentication vector and the The authentication vector used;
    所述核心网设备向所述用户设备发送第二鉴权请求消息,所述第二鉴权请求消息包含所述第二鉴权向量中的随机数和鉴权令牌。The core network device sends a second authentication request message to the user equipment, where the second authentication request message includes a random number and an authentication token in the second authentication vector.
  6. 根据权利要求1-5任一项所述的方法,其特征在于,所述核心网设备为移动交换中心MSC或者通用分组无线系统GPRS业务支持节点SGSN。The method according to any of claims 1-5, wherein the core network device is a mobile switching center MSC or a general packet radio system GPRS service support node SGSN.
  7. An authentication method in a wireless communication network, wherein the method comprises:
    an authentication device receives a first authentication data request message sent by a core network device that stores an unused authentication vector for a user equipment, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment;
    the authentication device generates a first authentication data response message according to the first authentication data request message, where the first authentication data response message includes a first authentication vector generated by the authentication device for the user equipment; and
    the authentication device returns the first authentication data response message to the core network device.
  8. The method according to claim 6, wherein before the authentication device receives the first authentication data request message sent by the core network device that stores an unused authentication vector for the user equipment, the method further comprises:
    the authentication device receives a second authentication data request message sent by the core network device, where the second authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment;
    the authentication device generates a second authentication data response message according to the second authentication data request message, where the authentication data response message includes a second authentication vector generated by the authentication device for the user equipment and the unused authentication vector; and
    the authentication device returns the second authentication data response message to the core network device.
  9. The method according to claim 7 or 8, wherein the authentication device is a home environment (HE), a home location register (HLR), a home subscriber server (HSS) or an authentication center (AUC).
  10. A core network device, comprising:
    a storage unit, configured to store an unused authentication vector for a user equipment;
    an obtaining unit, configured to, when the storage unit stores the unused authentication vector for the user equipment, send a first authentication data request message to an authentication device, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment, and to receive a first authentication data response message returned by the authentication device according to the authentication data request message, where the first authentication data response message includes a first authentication vector; and
    a sending unit, configured to send a first authentication request message to the user equipment, where the first authentication request message includes a random number and an authentication token from the first authentication vector.
  11. The core network device according to claim 10, wherein the core network device further comprises:
    a determining unit, configured to determine, after the user equipment accesses a first network in which the core network device is located, that the user equipment is a user equipment that has accessed the first network from a second network, where the network standard of the first network is different from the network standard of the second network; and
    the obtaining unit is specifically configured to send the first authentication data request message to the authentication device after the determining unit determines that the user equipment is a user equipment that has accessed the first network from the second network.
  12. The core network device according to claim 11, wherein the first network is a 3G network and the second network is a Long Term Evolution (LTE) network; and
    the determining unit is specifically configured to determine that the user equipment is a user equipment that has accessed the 3G network from the LTE network.
  13. The core network device according to claim 12, wherein the determining unit is specifically configured to determine, according to a packet switched domain non-access stratum message sent by the user equipment, that the user equipment is a user equipment that has accessed the 3G network from the LTE network; or
    to determine, according to a paging response message or a circuit switched domain non-access stratum message sent by the user equipment, that the user equipment is a user equipment that has accessed the 3G network from the LTE network; or
    to determine that the user equipment is a user equipment that has accessed the 3G network from the LTE network by determining that an SGs interface association corresponding to the user equipment exists between the core network device and a mobility management entity (MME); or
    to determine, according to a notification message sent by a base station, that the user equipment is a user equipment that has accessed the 3G network from the LTE network, where the notification message is a message sent by the base station to the core network device after the base station determines that the user equipment is a circuit switched fallback (CSFB) user.
  14. The core network device according to any one of claims 10-13, wherein the obtaining unit is further configured to, before sending the first authentication data request message to the authentication device, send a second authentication data request message to the authentication device, where the second authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment, and to receive a second authentication data response message returned by the authentication device according to the second authentication data request message, where the second authentication data response message carries a second authentication vector and the unused authentication vector; and
    the sending unit is further configured to, before the obtaining unit sends the first authentication data request message to the authentication device, send a second authentication request message to the user equipment, where the second authentication request message includes a random number and an authentication token from the second authentication vector.
  15. The core network device according to any one of claims 10-14, wherein the core network device is a mobile switching center (MSC) or a General Packet Radio System (GPRS) service support node (SGSN).
  16. An authentication device, comprising:
    a receiving unit, configured to receive a first authentication data request message sent by a core network device that stores an unused authentication vector for a user equipment, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment;
    a processing unit, configured to generate a first authentication data response message according to the first authentication data request message, where the first authentication data response message includes a first authentication vector generated for the user equipment; and
    a sending unit, configured to return the first authentication data response message to the core network device.
  17. The authentication device according to claim 16, wherein the receiving unit is further configured to receive a second authentication data request message sent by the core network device before receiving the first authentication data request message;
    the processing unit is further configured to generate a second authentication data response message according to the second authentication data request message, where the second authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment, and the authentication data response message includes a second authentication vector generated for the user equipment and the unused authentication vector; and
    the sending unit is further configured to return the second authentication data response message to the core network device.
  18. The method according to claim 16 or 17, wherein the authentication device is a home environment (HE), a home location register (HLR), a home subscriber server (HSS) or an authentication center (AUC).
  19. An authentication system, comprising the core network device according to any one of claims 10-15 and the authentication device according to any one of claims 16-18.
  20. The system according to claim 19, further comprising a user equipment;
    the user equipment is configured to receive the first authentication request message sent by the core network device and to perform authentication using the random number and the authentication token from the first authentication vector included in the first authentication request message.
  21. An authentication method in a wireless communication network, wherein the method comprises:
    after a user equipment accesses a Long Term Evolution (LTE) network from a 3G network, a mobility management entity (MME) of the LTE network obtains an unused authentication vector stored for the user equipment by a General Packet Radio System (GPRS) service support node (SGSN) of the 3G network; and
    the MME deletes or discards the unused authentication vector, so that after the user equipment re-accesses the 3G network from the LTE network, the MME cannot send the unused authentication vector to the SGSN.
  22. The method according to claim 21, wherein the MME of the LTE network obtaining the unused authentication vector stored for the user equipment by the GPRS service support node (SGSN) of the 3G network comprises:
    the MME of the LTE network sending a context request message to the SGSN of the 3G network and receiving a first context response message returned by the SGSN, where the first context response message includes the unused authentication vector; or
    the MME of the LTE network receiving a first forward relocation request message sent by a first SGSN of the 3G network, where the first forward relocation request message includes the unused authentication vector.
  23. The method according to claim 21 or 22, wherein after the MME deletes or discards the unused authentication vector, the method further comprises:
    after the user equipment re-accesses the 3G network from the LTE network, the MME receives a second context request message sent by the SGSN and returns a second context response message to the SGSN, where the second context response message does not include the unused authentication vector;
    or, after the user equipment re-accesses the 3G network from the LTE network, the MME sends a second forward relocation request message to the SGSN, where the second forward relocation request message does not include the unused authentication vector.
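The two behaviours claimed above, a 3G core network device (claims 1-6) that requests a newly generated vector from the authentication device for a UE arriving from LTE even though it still holds unused vectors, and an MME (claims 21-23) that discards unused vectors received from an SGSN so they are never handed back, are modelled in the following simulation. This is an added example, not code from the patent or from Huawei; the HSS key functions are an HMAC stand-in rather than the real 3GPP algorithms, the IMSI and key are constructed test values, and the class and method names are assumptions chosen for the illustration. The `refresh_on_inter_rat` switch is an addition that lets the same scenario be run with and without the claimed behaviour so the difference is visible.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthVector:
    """A 3G quintet. RAND and AUTN are sent to the UE; XRES, CK and IK stay in the network."""
    rand: bytes
    autn: bytes
    xres: bytes
    ck: bytes
    ik: bytes


class AuthDevice:
    """Toy HE/HLR/HSS/AUC (claims 7-9). HMAC-SHA256 stands in for the real f1-f5 functions."""

    def __init__(self, subscriber_keys):
        self._keys = dict(subscriber_keys)            # IMSI -> long-term key K (constructed)
        self._sqn = {imsi: 0 for imsi in subscriber_keys}
        self.vectors_generated = 0

    def _f(self, k, tag, *parts):
        return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:16]

    def authentication_data_response(self, imsi, count):
        """Answer an authentication data request with `count` freshly generated vectors."""
        k, batch = self._keys[imsi], []
        for _ in range(count):
            self._sqn[imsi] += 1
            sqn = self._sqn[imsi].to_bytes(6, "big")
            rand = secrets.token_bytes(16)
            autn = sqn + self._f(k, b"mac", sqn, rand)[:8]      # SQN || MAC (AMF omitted)
            batch.append(AuthVector(rand, autn, self._f(k, b"res", rand)[:8],
                                    self._f(k, b"ck", rand), self._f(k, b"ik", rand)))
        self.vectors_generated += count
        return batch


class CoreNetworkDevice:
    """3G MSC/SGSN (claims 1-6). Keeps unused vectors per UE for later authentications."""

    def __init__(self, auth_device, refresh_on_inter_rat=True):
        self.auth = auth_device
        self.refresh_on_inter_rat = refresh_on_inter_rat   # False = plain reuse, for comparison
        self.unused = {}                                   # IMSI -> list of unused AuthVector
        self.data_requests = 0
        self.last_vector = None

    def authenticate(self, imsi, came_from_lte):
        """Pick the vector for this authentication and return the (RAND, AUTN) for the UE."""
        stored = self.unused.get(imsi, [])
        if stored and not (came_from_lte and self.refresh_on_inter_rat):
            av = stored.pop(0)
        else:
            # Claim 1: a UE arriving from the LTE network gets a newly generated vector even
            # though unused ones are stored; the stored ones are dropped, not kept for later.
            self.data_requests += 1
            batch = self.auth.authentication_data_response(imsi, count=2)
            av, self.unused[imsi] = batch[0], batch[1:]
        self.last_vector = av
        return av.rand, av.autn

    def context_response(self, imsi):
        """What the SGSN hands to an MME when the UE moves to LTE: includes its unused vectors."""
        return {"imsi": imsi, "unused_authentication_vectors": list(self.unused.get(imsi, []))}


class MobilityManagementEntity:
    """LTE MME (claims 21-23): unused vectors received from an SGSN are deleted on receipt."""

    def __init__(self):
        self.contexts = {}

    def receive_context_response(self, ctx):
        kept = dict(ctx)
        kept["unused_authentication_vectors"] = []         # claim 21: delete or discard
        self.contexts[ctx["imsi"]] = kept

    def context_response(self, imsi):
        """Claim 23: when the UE returns to 3G, the response carries no unused vector."""
        return dict(self.contexts[imsi])


def run_inter_rat_scenario(refresh_on_inter_rat=True):
    """UE attaches in 3G, moves to LTE, returns to 3G; report what the UE is challenged with."""
    imsi = "001010123456789"                               # constructed test IMSI
    hss = AuthDevice({imsi: secrets.token_bytes(16)})
    sgsn = CoreNetworkDevice(hss, refresh_on_inter_rat)
    mme = MobilityManagementEntity()

    sgsn.authenticate(imsi, came_from_lte=False)          # initial 3G attach: one used, one stored
    stored_rand = sgsn.unused[imsi][0].rand
    mme.receive_context_response(sgsn.context_response(imsi))   # UE moves to LTE
    returned = mme.context_response(imsi)                        # UE moves back to 3G
    rand, _autn = sgsn.authenticate(imsi, came_from_lte=True)
    return {
        "data_requests": sgsn.data_requests,
        "mme_returned_vectors": len(returned["unused_authentication_vectors"]),
        "reused_stored_vector": rand == stored_rand,
    }
```

With the claimed behaviour enabled, the second 3G authentication triggers a second authentication data request and the UE is challenged with a RAND that was never transferred between nodes, and the MME's context response carries no vectors; with `refresh_on_inter_rat=False` the SGSN simply pops the stored vector and issues no new request, which is the reuse the claims are written to avoid.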
  24. A core network device, comprising a processor, a memory, a bus and a communication interface;
    the memory is configured to store computer-executable instructions, the processor is connected to the memory through the bus, and when the core network device runs, the processor executes the computer-executable instructions stored in the memory so that the core network device performs the authentication method in a wireless communication network according to any one of claims 1-6.
  25. An authentication device, comprising a processor, a memory, a bus and a communication interface;
    the memory is configured to store computer-executable instructions, the processor is connected to the memory through the bus, and when the authentication device runs, the processor executes the computer-executable instructions stored in the memory so that the authentication device performs the authentication method in a wireless communication network according to any one of claims 7-9.
  26. A computer-readable medium, comprising computer-executable instructions which, when executed by a processor of a computer, cause the computer to perform the authentication method in a wireless communication network according to any one of claims 1-6.
  27. A computer-readable medium, comprising computer-executable instructions which, when executed by a processor of a computer, cause the computer to perform the authentication method in a wireless communication network according to any one of claims 7-9.
PCT/CN2014/092787 2014-12-02 2014-12-02 Authentication method within wireless communication network, related apparatus and system WO2016086355A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2014/092787 WO2016086355A1 (en) 2014-12-02 2014-12-02 Authentication method within wireless communication network, related apparatus and system
CN201480083832.2A CN107005842B (en) 2014-12-02 2014-12-02 Authentication method, related device and system in wireless communication network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2014/092787 WO2016086355A1 (en) 2014-12-02 2014-12-02 Authentication method within wireless communication network, related apparatus and system

Publications (1)

Publication Number Publication Date
WO2016086355A1 true WO2016086355A1 (en) 2016-06-09

Family

ID=56090804

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/092787 WO2016086355A1 (en) 2014-12-02 2014-12-02 Authentication method within wireless communication network, related apparatus and system

Country Status (2)

Country Link
CN (1) CN107005842B (en)
WO (1) WO2016086355A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200228982A1 (en) * 2017-11-17 2020-07-16 Huawei Technologies Co., Ltd. Authentication method, device, and system
CN112867001A (en) * 2019-11-26 2021-05-28 维沃移动通信有限公司 Authentication method, terminal equipment and network equipment
CN114338073A (en) * 2021-11-09 2022-04-12 江铃汽车股份有限公司 Protection method, system, storage medium and equipment for vehicle-mounted network
US20230048689A1 (en) * 2016-09-12 2023-02-16 Zte Corporation Network access authentication processing method and device

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112469043B (en) * 2019-09-09 2022-10-28 华为技术有限公司 Authentication method and device
CN115915132A (en) * 2020-04-30 2023-04-04 华为技术有限公司 Key management method, device and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7574599B1 (en) * 2002-10-11 2009-08-11 Verizon Laboratories Inc. Robust authentication and key agreement protocol for next-generation wireless networks
CN103281693A (en) * 2013-05-10 2013-09-04 北京凯华网联技术有限公司 Wireless communication authentication method, network translation equipment and terminal
CN103905400A (en) * 2012-12-27 2014-07-02 中国移动通信集团公司 Service authentication method, apparatus and system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100384120C (en) * 2004-09-30 2008-04-23 华为技术有限公司 Method for carrying out authentication for terminal user identification module in IP multimedia subsystem
CN100428848C (en) * 2005-05-31 2008-10-22 华为技术有限公司 Method for authenticating IP multi-media zone to terminal user mark module
CN101043744B (en) * 2006-03-21 2012-06-06 华为技术有限公司 Method for user terminal accessing authentication in IMS network
CN102413467B (en) * 2011-11-29 2017-10-27 中兴通讯股份有限公司 A kind of SRVCC switching handling methods, device and its terminal
CN103906051B (en) * 2012-12-25 2017-11-21 中国移动通信集团北京有限公司 A kind of mthods, systems and devices for accessing LTE network
CN104038934B (en) * 2014-06-30 2017-08-08 武汉虹信技术服务有限责任公司 The Non-Access Stratum decryption method of the real-time monitoring signaling of LTE core network

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230048689A1 (en) * 2016-09-12 2023-02-16 Zte Corporation Network access authentication processing method and device
US20200228982A1 (en) * 2017-11-17 2020-07-16 Huawei Technologies Co., Ltd. Authentication method, device, and system
US11595817B2 (en) * 2017-11-17 2023-02-28 Huawei Technologies Co., Ltd. Authentication method, device, and system
CN112867001A (en) * 2019-11-26 2021-05-28 维沃移动通信有限公司 Authentication method, terminal equipment and network equipment
CN114338073A (en) * 2021-11-09 2022-04-12 江铃汽车股份有限公司 Protection method, system, storage medium and equipment for vehicle-mounted network

Also Published As

Publication number Publication date
CN107005842A (en) 2017-08-01
CN107005842B (en) 2019-12-24

Similar Documents

Publication Publication Date Title
KR102264718B1 (en) Methods of implementing security, and related devices and systems
CN109587688B (en) Security in inter-system mobility
JP6942804B2 (en) Security context handling during idle mode in 5G
WO2016086355A1 (en) Authentication method within wireless communication network, related apparatus and system
JP6812421B2 (en) Equipment and methods for mobility procedures involving mobility management entity relocation
CN112566112B (en) Apparatus, method, and storage medium for wireless communication
CN106028331B (en) Method and equipment for identifying pseudo base station
CN106465106B (en) Method and system for providing security from a radio access network
US9467295B2 (en) HNB or HeNB security access method and system, and core network element
CN109922474B (en) Method for triggering network authentication and related equipment
US9445265B2 (en) Method and device for processing SRVCC switching, and terminal
WO2009152759A1 (en) Method and device for preventing loss of network security synchronization
EP2603024B1 (en) Key separation method and device
US11070376B2 (en) Systems and methods for user-based authentication
CN105830476A (en) Method and system for providing security from a radio access network
EP3079392A1 (en) Method, apparatus and system for selecting authentication algorithm
WO2016086356A1 (en) Authentication method within wireless communication network, related apparatus and system
JP7014800B2 (en) Link reestablishment method, device, and system
CN110881020A (en) Authentication method for user subscription data and data management network element
WO2019095748A1 (en) Communication management method, apparatus and system, and terminal, management entity and storage medium
JP2021520664A (en) Security mechanism for cooperation with independent SEAF in 5G network
CN116939734A (en) Communication method and device
WO2014169568A1 (en) Security context handling method and apparatus
WO2014059568A1 (en) Switching processing method and device in wireless communication system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14907419

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14907419

Country of ref document: EP

Kind code of ref document: A1