WO2016086356A1 - Authentication method within wireless communication network, related apparatus and system - Google Patents


Info

Publication number
WO2016086356A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
user equipment
sequence
request message
seq
Application number
PCT/CN2014/092793
Other languages
French (fr)
Chinese (zh)
Inventor
崇卫微
吴晓波
吕阳明
陈璟
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to CN201480083607.9A (CN107113610A)
Priority to PCT/CN2014/092793 (WO2016086356A1)
Publication of WO2016086356A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/10 Integrity

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to an authentication method, related device, and system in a wireless communication network.
  • Authentication is part of mobile network security management to achieve the confidentiality and data integrity of mobile networks.
  • UE User Equipment
  • the UE triggers the authentication process by initiating a registration request, a service request, or a handover request to the network.
  • authentication is a one-way process in which only the network verifies the legitimacy of the UE; in a Third Generation (3G) network or a Long Term Evolution (LTE) network, in addition to the network verifying the legitimacy of the UE, the UE also needs to verify the validity of the network, that is, perform network authentication.
  • 3G Third Generation
  • LTE Long Term Evolution
  • the authentication process is performed domain by domain, that is, the packet switched (PS) domain and the circuit switched (CS) domain each perform their own authentication process; PS domain authentication is initiated by the Mobility Management Entity (MME) or the Serving General Packet Radio Service (GPRS) Support Node (SGSN).
  • MME Mobility Management Entity
  • GPRS General Packet Radio Service
  • SGSN Serving GPRS Support Node
  • the CS domain authentication is initiated by the Mobile Switching Center (MSC).
  • MSC Mobile Switching Center
  • the UE needs to perform network authentication on the PS domain and on the CS domain separately.
  • the MSC/SGSN sends an authentication request message carrying the authentication vector to the UE.
  • the UE first determines the validity of the network according to the authentication request message. If the network is legal, the UE then verifies whether it is synchronized with the network. If synchronization succeeds, the UE has successfully authenticated the network and returns a response message to the network, and the MSC/SGSN verifies the validity of the UE according to that response message. If synchronization fails, the UE replies to the MSC/SGSN with an authentication failure message carrying a cause value, and the MSC/SGSN sends an authentication request message to the UE again.
  • if PS domain authentication is inserted before CS domain authentication and the MSC that initiates the CS domain authentication process has saved an unused authentication vector, the UE may fail network authentication on the CS domain; or, if CS domain authentication is inserted before PS domain authentication and the MME/SGSN that initiates the PS domain authentication process has saved an unused authentication vector, the UE may fail network authentication on the PS domain.
  • once the MSC/SGSN/MME has received the authentication failure message from the UE twice, the authentication process is terminated and an authentication reject message is sent to the UE. Once the UE receives the authentication reject message, it cannot initiate services normally until it restarts, which has a serious impact on the user.
  • the embodiments of the present invention provide an authentication method, a related device, and a system in a wireless communication network, which can solve the prior-art problem that the user equipment cannot initiate services normally until it restarts after two consecutive authentication failures.
  • an embodiment of the present invention provides an authentication method in a wireless communication network, where the method includes: an authentication device receives an authentication data request message sent by a core network device, where the authentication data request message includes an identity identifier of a user equipment and a synchronization failure indication;
  • the authentication device acquires a difference DIF value of the user equipment according to the identity identifier of the user equipment, and generates a resynchronization sequence according to the DIF value of the user equipment;
  • the authentication device generates an authentication vector according to the resynchronization sequence;
  • the authentication device sends the authentication vector to the core network device.
  • the authentication device acquiring the DIF value of the user equipment according to the identity identifier of the user equipment and generating the resynchronization sequence according to the DIF value of the user equipment includes: the authentication device queries a database according to the identity identifier of the user equipment and obtains the DIF value of the user equipment; the authentication device generates the resynchronization sequence according to the DIF value of the user equipment and the value of a current global counter.
  • the authentication data request message further includes information about the sequence of the maximum sequence number stored by the user equipment.
  • the identity identifier of the user equipment is the International Mobile Subscriber Identity (IMSI) of the user equipment.
  • an embodiment of the present invention provides an authentication method in a wireless communication network, where a core network device sends an authentication data request message to an authentication device, where the authentication data request message includes an identity identifier of the user equipment and a synchronization failure indication;
  • the core network device receives the authentication vector returned by the authentication device, where the authentication vector is generated by the authentication device according to the resynchronization sequence, and the resynchronization sequence is generated by the authentication device according to the DIF value of the user equipment acquired according to the identity identifier of the user equipment;
  • the core network device sends an authentication request message to the user equipment, where the authentication request message includes the random number and the authentication token in the authentication vector.
  • before the core network device sends the authentication data request message to the authentication device, the method further includes:
  • the core network device receives an authentication failure message sent by the user equipment, where the authentication failure message includes a cause value, and the cause value is a synchronization failure.
  • an embodiment of the present invention provides an authentication device, including:
  • a receiving unit configured to receive an authentication data request message sent by the core network device, where the authentication data request message includes an identity identifier of the user equipment and a synchronization failure indication;
  • a processing unit configured to determine the DIF value of the user equipment according to the identity identifier of the user equipment, determine a resynchronization sequence according to the DIF value of the user equipment, and generate an authentication vector according to the resynchronization sequence;
  • a sending unit configured to send the authentication vector to the core network device.
  • the processing unit is specifically configured to query a database according to the identity identifier of the user equipment to obtain the DIF value of the user equipment, and to generate the resynchronization sequence according to the DIF value of the user equipment and the value of the current global counter.
  • the authentication data request message further includes information about a sequence of a maximum sequence number stored by the user equipment.
  • an embodiment of the present invention provides a core network device, including:
  • a sending unit configured to send an authentication data request message to the authentication device, where the authentication data request message includes an identity identifier of the user equipment and a synchronization failure indication;
  • an obtaining unit configured to receive an authentication vector returned by the authentication device, where the authentication vector is generated by the authentication device according to a resynchronization sequence, and the resynchronization sequence is generated by the authentication device according to the DIF value of the user equipment acquired according to the identity identifier of the user equipment;
  • the sending unit is further configured to send an authentication request message to the user equipment, where the authentication request message includes a random number and an authentication token in the authentication vector.
  • the core network device further includes:
  • a receiving unit configured to receive an authentication failure message sent by the user equipment before the sending unit sends the authentication data request message, where the authentication failure message includes a cause value, and the cause value is synchronization failure.
  • an embodiment of the present invention provides an authentication system, including the authentication device according to the third aspect or any implementation manner of the third aspect, and the core network device according to the fourth aspect or any implementation manner of the fourth aspect.
  • the system further includes a user equipment, configured to receive the authentication request message sent by the core network device and to perform authentication by using the random number and the authentication token of the authentication vector included in the authentication request message.
  • an embodiment of the present invention provides an authentication device, including a processor, a memory, a bus, and a communication interface.
  • the memory is configured to store computer-executable instructions; the processor is connected to the memory through the bus, and when the authentication device is running, the processor executes the computer-executable instructions stored in the memory so that the authentication device performs the authentication method in the wireless communication network according to the first aspect or any possible implementation manner of the first aspect.
  • an embodiment of the present invention provides a core network device, including a processor, a memory, a bus, and a communication interface.
  • the memory is configured to store computer-executable instructions; the processor is connected to the memory through the bus, and when the core network device is running, the processor executes the computer-executable instructions stored in the memory so that the core network device performs the authentication method in the wireless communication network according to the second aspect or the first possible implementation manner of the second aspect.
  • an embodiment of the present invention provides a computer readable medium comprising computer-executable instructions; when a processor of a computer executes the instructions, the computer performs the authentication method in a wireless communication network according to the first aspect or any possible implementation manner of the first aspect.
  • an embodiment of the present invention provides a computer readable medium comprising computer-executable instructions; when a processor of a computer executes the instructions, the computer performs the authentication method in a wireless communication network according to the second aspect or the first possible implementation manner of the second aspect.
  • the DIF value of the user equipment represents a difference between a value of a sequence generated by the user equipment and a value of a global counter.
  • the embodiments of the present invention provide an authentication method in a wireless communication network in which, after the authentication device receives the authentication data request message sent by the core network device, even if the authentication data request message carries a synchronization failure indication, the authentication device obtains the DIF value of the UE according to the identity identifier of the UE in order to generate the resynchronization sequence. The resynchronization sequence is therefore not equal to (or approximately equal to) the sequence of the maximum sequence number stored by the UE, which avoids the prior-art re-authentication failure caused by a resynchronization sequence equal to (or approximately equal to) that stored sequence, ensures that authentication by the core network device using the authentication vector including the resynchronization sequence succeeds, and thereby solves the prior-art problem that the UE cannot initiate services normally until it restarts after authentication fails again.
  • FIG. 1 is an authentication method in a wireless communication network according to an embodiment of the present invention.
  • FIG. 3 is another authentication method in a wireless communication network according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of an authentication device according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of a core network device according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic diagram of an authentication system according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of an authentication device in a wireless communication network according to an embodiment of the present invention.
  • the embodiments of the invention provide a method, a related device, and a system for authentication in a wireless communication network, which can solve the prior-art problem that the user equipment cannot initiate services normally until it restarts after two consecutive authentication failures.
  • the UE needs to verify whether it is synchronized with the network. If it is not synchronized, the authentication process fails.
  • the UE needs to obtain a sequence number (SQN) from the authentication vector sent by the core network device (MME/MSC/SGSN) and check whether the sequence number satisfies a series of detection conditions, including whether the sequence (SEQ) contained in the sequence number satisfies SEQ_MS - SEQ < L, where L is usually set by the operator (L may be 32) and SEQ_MS is the sequence of the maximum sequence number currently stored by the UE itself.
  • the SQN generated by the authentication device is usually expressed in binary, consisting of two parts, SEQ and IND.
  • the authentication device stores a difference (DIF) value for each user equipment in its own database; the DIF value of each user equipment is different, and the DIF value of a user equipment represents the difference between the SEQ generated for that user equipment and the value of the global counter. The difference between two SEQs generated for the same user equipment is therefore related only to the value of the global counter GLC, which is usually taken from a time point (time stamp). For example, if the value of the global counter GLC increases by 1 every 0.1 seconds, two SEQs generated 5 seconds apart differ by 50.
  • the inventor has found that, in the prior art, because the UE does not completely separate the synchronization detection of the PS domain and the CS domain, once PS domain authentication is inserted before CS domain authentication and the MSC that initiates the CS domain authentication process has saved an unused authentication vector, the UE may fail network authentication on the CS domain; or, if CS domain authentication is inserted before PS domain authentication and the MME/SGSN that initiates the PS domain authentication process has saved an unused authentication vector, the UE may fail network authentication on the PS domain.
  • for example, before the core network device initiates the first CS domain authentication, the MSC may obtain multiple authentication vectors AV_C11 and AV_C12 from the authentication device; after the first CS domain authentication is performed, the unused authentication vector AV_C12 is still stored in the MSC. Then, because of a change of the radio access type of the UE or a similar event, PS domain authentication and a second CS domain authentication may need to be initiated for the UE, and the PS domain authentication may precede the second CS domain authentication. If the core network device uses the unused authentication vector AV_C12, acquired during the first CS domain network authentication and saved by itself, for the second CS domain authentication, and the times at which the authentication device generated AV_P and AV_C12 differ greatly, then SEQ_MS - SEQ is not less than L, the detection condition cannot be satisfied, synchronization fails, and authentication therefore fails.
  • when authentication fails because of synchronization failure, the core network device usually receives from the UE an authentication failure message carrying the cause value synchronization failure, and triggers the resynchronization process by sending an authentication data request message carrying a synchronization failure indication to the authentication device, where that request message also includes the information of the sequence SEQ_MS1 of the largest sequence number stored in the UE when synchronization failed. Unlike for an authentication data request message that does not carry a synchronization failure indication, for which the authentication device generates the sequence SEQ according to the DIF value of the UE acquired by the identity identifier of the UE, in the prior art the resynchronization sequence SEQ_sy is generated from SEQ_MS1, so that SEQ_sy is almost equal to SEQ_MS1.
  • when the UE then performs network authentication again on the CS domain, authentication may fail again, and termination of the authentication process causes the UE to be unable to initiate services normally until it restarts.
  • an embodiment of the present invention provides an authentication method in a wireless communication network that enables a core network device (MSC/SGSN/MME) to acquire a new authentication vector from the authentication device before initiating an authentication request to the UE, and to use the newly acquired authentication vector for authentication even if it has saved an unused authentication vector. This ensures that the SEQ in the authentication vector used for each CS domain/PS domain network authentication is newly generated by the authentication device, so that synchronization succeeds even if PS domain network authentication is inserted before CS domain network authentication or CS domain network authentication is inserted before PS domain network authentication; the prior-art problem of authentication failure caused by synchronization failure is solved, and disconnection of the UE due to authentication failure is avoided.
  • a core network device MSC/SGSN/MME
  • the embodiment of the present invention further provides an authentication method in a wireless communication network that enables the authentication device, when the core network device triggers the resynchronization process because of synchronization failure, not to use the sequence SEQ_MS1 of the largest sequence number stored in the UE to generate the resynchronization sequence SEQ_sy, but to obtain the DIF value of the UE directly according to the identity identifier of the UE and to generate SEQ_sy from the DIF value of the UE and the value of the current global counter GLC (that is, the time at which the resynchronization SEQ is generated), exactly as for an authentication data request message that does not carry a synchronization failure indication. SEQ_sy is then not equal to (or approximately equal to) SEQ_MS1, which ensures that authentication succeeds when the core network device authenticates using the authentication vector containing SEQ_sy, and avoids the problem that the UE cannot initiate services normally until it restarts.
  • the core network device may be an MSC, an SGSN, or an MME.
  • the authentication device may be a Home Location Register (HLR), a Home Subscriber Server (HSS), an Authentication Center (AUC), or a Home Environment (HE).
  • An embodiment of the present invention provides an authentication method in a wireless communication network. As shown in FIG. 1, the method may include:
  • the authentication device receives an authentication data request sent by the core network device, where the authentication data request message includes an identity identifier of the UE and a synchronization failure indication.
  • the identity identifier of the UE may be an International Mobile Subscriber Identity (IMSI) of the UE; the synchronization failure indication indicates that synchronization failed, and an authentication data request message including a synchronization failure indication usually triggers the resynchronization process.
  • IMSI International Mobile Subscriber Identity
  • the authentication data request message may also contain information of the sequence SEQ_MS1 of the largest sequence number stored by the user equipment, from which SEQ_MS1 may be determined. Since the sequence of the maximum sequence number stored by the user equipment can be updated after authentication succeeds, the SEQ_MS1 information included in the authentication data request is the sequence of the largest sequence number stored by the UE after the last successful authentication, that is, the sequence of the largest sequence number stored in the UE when the authentication failed.
  • the authentication device acquires the DIF value of the UE according to the identity identifier of the UE, and determines a resynchronization sequence SEQ_sy according to the DIF value of the UE.
  • the authentication device may query the database according to the identity identifier of the UE to obtain the DIF value of the UE stored in the database, and generate the resynchronization sequence SEQ_sy according to the DIF value of the UE and the value of the current global counter GLC (that is, the time at which the resynchronization sequence SEQ_sy is generated).
  • the database is typically configured in the authentication device.
  • because the resynchronization sequence SEQ_sy is generated in this way, the prior-art re-authentication failure caused by SEQ_sy being equal to (or approximately equal to) SEQ_MS1 is avoided, which solves the problem that the UE cannot initiate services normally until it restarts after re-authentication failure and avoids impact on the UE's services.
  • the authentication device generates an authentication vector according to the resynchronization sequence SEQ_sy.
  • the authentication device may first include the resynchronization sequence SEQ_sy in a sequence number SQN by using a preset algorithm, then obtain an anonymity key (AK) according to a random number (RAND) and generate an authentication token (AUTN) using the SQN and the AK; the authentication vector includes the authentication token and the random number.
  • RAND random number
  • AK anonymity key
  • AUTN authentication token
  • the authentication device may obtain an anonymous key AK by using a random number, and include the SQN, the anonymous key AK, and other necessary parameters in the authentication token, where the finally generated authentication vector includes The authentication token and the random number.
  • the UE and other entities may obtain the anonymity key AK by using the random number included in the authentication vector, and use the anonymity key AK to extract from the authentication token the sequence number SQN containing the resynchronization sequence SEQ_sy; that is, the authentication token and the random number may be used to determine the SQN comprising the resynchronization sequence SEQ_sy.
  • the authentication vector may further include an expected response (XRES), an integrity key (IK), and a cipher key (CK).
  • XRES expected response
  • IK integrity key
  • CK cipher key
  • the authentication device sends the authentication vector to the core network device, so that the core network device initiates an authentication process by using the authentication vector.
  • the authentication device may send the authentication vector to the core network device by using an authentication data response message.
  • the authentication data response message includes the authentication vector.
  • An embodiment of the present invention further provides an authentication method in a wireless communication network. As shown in FIG. 2, the method includes:
  • the core network device sends an authentication data request message to the authentication device, where the authentication data request message includes the identity identifier of the UE and a synchronization failure indication.
  • the authentication failure message may further include information of the sequence SEQ_MS1 of the maximum sequence number stored by the user equipment, from which SEQ_MS1 may be determined. Since the sequence of the maximum sequence number stored by the user equipment can be updated after authentication succeeds, the SEQ_MS1 information is the sequence of the maximum sequence number stored by the UE after the last successful authentication, that is, the sequence of the largest sequence number stored in the UE when the authentication failed.
  • the authentication data request message may further comprise the information of SEQ_MS1.
  • the core network device receives an authentication vector returned by the authentication device, where the authentication vector is generated by the authentication device according to the resynchronization sequence SEQ_sy, and the resynchronization sequence SEQ_sy is generated by the authentication device according to the DIF value of the user equipment acquired according to the identity identifier of the user equipment.
  • the core network device sends an authentication request message to the UE, where the authentication request message includes a random number and an authentication token in the authentication vector.
  • the core network device may initiate an authentication process by using the random number and the authentication token in the authentication vector; the UE may use the random number to obtain the anonymity key AK, use the anonymity key AK to acquire from the authentication token the sequence number SQN comprising the resynchronization sequence SEQ_sy, and then obtain the resynchronization sequence SEQ_sy from the sequence number SQN.
  • since the resynchronization sequence SEQ_sy is determined by the authentication device according to the DIF value of the UE obtained according to the identity identifier of the UE, regardless of SEQ_MS1, the prior-art re-authentication failure caused by SEQ_sy being equal to (or approximately equal to) SEQ_MS1 is avoided, which solves the problem that the UE cannot initiate services normally until it restarts after authentication fails again, and avoids the impact on the services of the UE.
  • step S200 may be further included before S201:
  • the core network device receives an authentication failure message sent by the UE, where the authentication failure message includes a cause value, and the cause value is synchronization failure.
  • the core network device may send an authentication data request message to the authentication device according to the authentication failure message, where the authentication data request message includes an identity identifier of the UE and a synchronization failure indication.
  • An embodiment of the present invention provides an authentication method in a wireless communication network. As shown in FIG. 3, the method includes:
  • the UE returns an authentication failure message to the MSC, where the authentication failure message carries the cause value and the information of the sequence SEQ_MS1 of the maximum sequence number stored by the UE after the last successful authentication, and the cause value is synchronization failure.
  • the SGSN of the 3G network may need to obtain an authentication vector from the HLR/HE/AUC to initiate PS domain authentication, and thus step S302 may be performed.
  • the SGSN sends a first authentication data request message to the HLR/HE/AUC, where the first authentication data request message carries an IMSI of the UE.
  • the first authentication data request message is also a PS authentication data request message.
  • the HLR/HE/AUC returns a first authentication data response message to the SGSN, where the first authentication data response message includes an authentication vector AV_ps.
  • the AV_ps includes RAND_ps and AUTN_ps.
  • the MSC sends a second authentication data request message to the HLR/HE/AUC, where the second authentication data request message includes the IMSI of the UE, a synchronization failure indication, and the information of SEQ_MS1.
  • the HLR/HE/AUC obtains the DIF value of the UE according to the IMSI of the UE, determines a resynchronization sequence SEQ_sy according to the DIF value of the UE, and generates an authentication vector AV_sy according to the resynchronization sequence SEQ_sy, where AV_sy contains a random number RAND_sy and an authentication token AUTN_sy.
  • the HLR/HE/AUC returns a second authentication data response message to the MSC, where the second authentication data response message includes the AV sy .
  • the SGSN sends a first authentication request message to the UE, where the first authentication request message includes RAND ps and AUTN ps (SEQ ps ) in the AV ps .
  • S308 If the authentication succeeds and SEQ ps is greater than SEQ MS1 , the UE updates the sequence with the largest sequence number stored by itself to SEQ ps .
  • In the embodiment of the present invention, steps S307 to S308 may also be performed before step S304.
  • S309 The UE returns a first authentication response message to the SGSN.
  • the MSC sends a second authentication request message to the UE, where the second authentication request message includes RAND sy and AUTN sy (SEQ sy ) in AV sy .
  • S311 If the authentication succeeds and SEQ sy is greater than SEQ ps , the UE updates the sequence with the largest sequence number stored by itself to SEQ sy .
  • After receiving the second authentication request message, the UE derives AK sy from RAND sy , recovers SQN sy (which contains SEQ sy ) from AUTN sy using AK sy and the related algorithm, extracts SEQ sy , and compares SEQ sy with the sequence with the largest sequence number stored by itself.
  • Because the value of the global counter GLC at the time SEQ sy is generated is necessarily later than GLC T2 , SEQ sy is greater than SEQ ps and the comparison succeeds.
  • S312 The UE returns a second authentication response message to the MSC.
  • In this embodiment, the authentication device obtains the resynchronization sequence SEQ sy directly from the DIF value looked up by the IMSI of the UE, generates an authentication vector from the resynchronization sequence SEQ sy , and sends the authentication vector to the core network device. Even if a PS domain (or CS domain) authentication is inserted before the core network device performs the CS domain (or PS domain) authentication with that resynchronization sequence SEQ sy , the authentication still succeeds.
  • This avoids the prior-art problem in which the generated resynchronization sequence SEQ sy is equal to (or approximately equal to) SEQ MS1 , so that the authentication can fail again.
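The FIG. 3 flow above, and the prior-art behaviour it is contrasted with, can be replayed in a small model: an HLR/HE/AUC that derives SEQ from a global counter GLC plus a per-IMSI DIF, a USIM that keeps a single highest-accepted SEQ (no per-domain synchronization state), and the interleaving in which the SGSN authenticates between the MSC's failed attempt and its resynchronization retry. This is an added, constructed example, not code from the patent or from any operator system; the HMAC-based f1/f5 stand-ins (in place of MILENAGE), the subscriber key, the IMSI, the GLC start value and the acceptance window are assumptions. The `prior_art` switch rebases DIF on the reported SEQ MS1 (giving SEQ sy approximately equal to SEQ MS1), while the other path keeps the stored DIF and the advancing GLC as the authentication device in the text does.

```python
"""Replay of the interleaved CS/PS authentication of FIG. 3 under the two
resynchronisation policies the text contrasts.  Constructed example, not the
patent's code: f1/f5 stand-ins, subscriber key, IMSI, GLC start value and the
acceptance window are all assumptions."""
import hashlib
import hmac
from typing import Optional

SEQ_WINDOW = 2 ** 28   # assumed acceptance window (Delta in TS 33.102 Annex C)
IND_BITS = 5           # SQN = SEQ || IND; the IND part is assumed to be 0 here
AMF = b"\x80\x00"


def f5(k: bytes, rand: bytes) -> int:
    """Stand-in for MILENAGE f5: anonymity key AK = 48 bits of HMAC-SHA256(K, RAND)."""
    return int.from_bytes(hmac.new(k, rand, hashlib.sha256).digest()[:6], "big")


def f1(k: bytes, rand: bytes, sqn: int, amf: bytes) -> bytes:
    """Stand-in for MILENAGE f1: MAC-A over RAND || SQN || AMF."""
    return hmac.new(k, rand + sqn.to_bytes(6, "big") + amf, hashlib.sha256).digest()[:8]


def build_av(k: bytes, rand: bytes, seq: int) -> dict:
    """AV = (RAND, AUTN) with AUTN = (SQN xor AK) || AMF || MAC; SEQ sits inside SQN."""
    sqn = seq << IND_BITS
    conc = (sqn ^ f5(k, rand)).to_bytes(6, "big")
    return {"rand": rand, "autn": (conc, AMF, f1(k, rand, sqn, AMF))}


class AuthCentre:
    """HLR/HE/AUC: a single global counter GLC and a per-IMSI DIF, SEQ = GLC + DIF."""

    def __init__(self, subscribers: dict, prior_art: bool):
        self.k = dict(subscribers)
        self.dif = {imsi: 0 for imsi in subscribers}
        self.glc = 1000          # constructed start value
        self.prior_art = prior_art
        self.rand_ctr = 0

    def _rand(self) -> bytes:
        self.rand_ctr += 1       # deterministic RAND so the run is reproducible
        return hashlib.sha256(b"RAND" + self.rand_ctr.to_bytes(4, "big")).digest()[:16]

    def authentication_data(self, imsi: str, n: int, seq_ms1: Optional[int] = None) -> list:
        """Answer an authentication data request; seq_ms1 is set when a sync-failure
        indication is carried.  Returns (SEQ, AV) pairs; only the AV goes to the UE."""
        self.glc += 1            # GLC advances between requests
        if seq_ms1 is not None and self.prior_art:
            # prior art: rebase DIF on the UE-reported SEQ_MS1, so SEQ_sy ends up ~ SEQ_MS1
            self.dif[imsi] = seq_ms1 - self.glc
        # the patent's device keeps the DIF looked up by IMSI and ignores SEQ_MS1
        avs = []
        for _ in range(n):
            seq = self.glc + self.dif[imsi] + 1
            self.dif[imsi] = seq - self.glc     # keep SEQ monotonic for this subscriber
            avs.append((seq, build_av(self.k[imsi], self._rand(), seq)))
        return avs


class Usim:
    """USIM holding one highest-accepted SEQ with no per-domain synchronisation state."""

    def __init__(self, k: bytes):
        self.k = k
        self.seq_ms = 0

    def authenticate(self, av: dict) -> tuple:
        """Network authentication: MAC check, then the SEQ freshness check."""
        rand, (conc, amf, mac) = av["rand"], av["autn"]
        sqn = int.from_bytes(conc, "big") ^ f5(self.k, rand)
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            return ("mac_failure", self.seq_ms)
        seq = sqn >> IND_BITS
        if not self.seq_ms < seq <= self.seq_ms + SEQ_WINDOW:
            return ("synch_failure", self.seq_ms)   # cause value plus SEQ_MS1
        self.seq_ms = seq                              # updated only on success
        return ("success", seq)


def run_interleaved_flow(prior_art: bool) -> dict:
    """Stale CS vector fails, SGSN authenticates in between, MSC retries with AV_sy."""
    imsi, k = "001010123456789", bytes(range(16))    # constructed test subscriber
    he, ue, steps = AuthCentre({imsi: k}, prior_art), Usim(k), []
    cs_batch = he.authentication_data(imsi, 2)        # MSC fetches CS vectors at T1
    ps_batch = he.authentication_data(imsi, 2)        # SGSN fetches PS vectors at T2
    steps.append(("PS auth, fresh vector", ue.authenticate(ps_batch[0][1])))
    steps.append(("CS auth, stale vector", ue.authenticate(cs_batch[0][1])))
    seq_ms1 = steps[-1][1][1]                         # SEQ_MS1 reported with the failure
    ps_new = he.authentication_data(imsi, 1)          # S302/S303
    seq_sy, av_sy = he.authentication_data(imsi, 1, seq_ms1=seq_ms1)[0]   # S304/S305
    steps.append(("PS auth S307", ue.authenticate(ps_new[0][1])))         # SEQ_ps > SEQ_MS1
    steps.append(("CS auth S310", ue.authenticate(av_sy)))                # needs SEQ_sy > SEQ_ps
    cs_failures = [s for s in steps if s[0].startswith("CS") and s[1][0] != "success"]
    return {"steps": steps, "seq_ms1": seq_ms1, "seq_sy": seq_sy,
            "msc_rejects": len(cs_failures) >= 2}     # two failures in a row -> auth reject


if __name__ == "__main__":
    for prior_art in (True, False):
        r = run_interleaved_flow(prior_art)
        print("prior art" if prior_art else "patent", r["seq_ms1"], r["seq_sy"],
              r["steps"][-1], r["msc_rejects"])
```

With the prior-art policy the resynchronization vector carries SEQ sy one above SEQ MS1, which is already below the SEQ ps the SGSN pushed in at S307, so the MSC sees a second consecutive failure and would reject. With the stored-DIF policy SEQ sy is computed from the GLC at S304, which is later than the GLC at which the PS batch was made, so it exceeds SEQ ps and S311 passes. Note that the model omits the IND-indexed SEQ array and the AUTS integrity protection of 3GPP AKA; both are orthogonal to the ordering argument shown here.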
  • the embodiment of the present invention provides an authentication device 40.
  • the authentication device 40 may be an HLR or an AUC or an HE.
  • the authentication device 40 includes a receiving unit 401, a processing unit 402 and a sending unit 403;
  • the receiving unit 401 is configured to receive an authentication data request message sent by the core network device, where the authentication data request message includes an identity identifier of the UE and a synchronization failure indication, where the identity of the UE may be the UE IMSI;
  • the processing unit 402 is configured to determine a DIF value of the UE according to the identity identifier of the UE, determine a resynchronization sequence SEQ sy according to the DIF value of the UE, and generate an authentication vector according to the resynchronization sequence SEQ sy . Specifically, the processing unit 402 may query a database according to the identity of the UE to obtain the DIF value of the UE, and generate the resynchronization sequence according to the DIF value of the UE and the value of the current global counter GLC.
  • the processing unit 402 may further embed the resynchronization sequence SEQ sy in a sequence number by using a preset algorithm, and generate an authentication token from that sequence number and the anonymity key AK derived from the random number.
  • the authentication vector includes the authentication token and the random number.
  • the sending unit 403 is configured to send the authentication vector to the core network device.
  • the authentication data request may further include information about the sequence SEQ MS1 with the maximum sequence number stored by the user equipment, from which SEQ MS1 can be determined. Since the sequence with the maximum sequence number stored by the user equipment is updated only after a successful authentication, the SEQ MS1 information included in the authentication data request is the sequence with the maximum sequence number stored after the UE's last successful authentication, that is, the sequence with the largest sequence number stored in the UE at the moment the authentication fails.
  • Because the synchronization failure indication received by the receiving unit 401 is carried in the authentication data request message, and the processing unit 402 obtains the DIF value of the UE according to the identity of the UE and generates the resynchronization sequence SEQ sy from that DIF value and the value of the current global counter GLC, the re-authentication failure caused in the prior art by the resynchronization sequence SEQ sy being equal to (or approximately equal to) SEQ MS1 is avoided, and with it the problem that the UE cannot initiate services and must restart after the authentication failure; the UE's services are not affected.
  • the embodiment of the present invention provides a core network device 50.
  • the core network device 50 may be an MME or an MSC or an SGSN, and the core network device 50 includes a sending unit 501 and an obtaining unit 502;
  • the sending unit 501 is configured to send an authentication data request message to the authentication device, where the authentication data request message includes an identity identifier of the UE and a synchronization failure indication; the identity identifier of the UE may be an IMSI of the UE;
  • the authentication data request message may further include information about the sequence SEQ MS1 with the largest sequence number stored by the user equipment, from which SEQ MS1 can be determined. Since the sequence with the maximum sequence number stored by the user equipment is updated only after a successful authentication, the SEQ MS1 information included in the authentication data request is the sequence with the maximum sequence number stored after the UE's last successful authentication, that is, the sequence with the largest sequence number stored in the UE at the moment the authentication fails.
  • the obtaining unit 502 is configured to receive an authentication vector returned by the authentication device, where the authentication vector is generated by the authentication device according to the resynchronization sequence SEQ sy , and the resynchronization sequence SEQ sy is The authentication device is generated according to the DIF value of the user equipment acquired by the identity identifier of the user equipment;
  • the sending unit 501 is further configured to send an authentication request message to the UE, where the authentication request message includes the random number and the authentication token in the authentication vector. The UE can therefore derive the anonymity key AK from the random number, recover the sequence number SQN containing the resynchronization sequence SEQ sy from the authentication token by using AK, and extract the resynchronization sequence SEQ sy from SQN for the synchronization check. Since the resynchronization sequence SEQ sy is determined by the authentication device from the DIF value of the UE obtained according to the identity of the UE, independently of SEQ MS1 , the prior-art failure caused by the resynchronization sequence SEQ sy being equal to (or approximately equal to) SEQ MS1 is avoided.
  • the core network device further includes a receiving unit 503, configured to receive an authentication failure message sent by the UE, where the authentication failure message includes a cause value, and the cause value is synchronization failure. The sending unit 501 is specifically configured to send the authentication data request message to the authentication device according to that authentication failure message, where the authentication data request message includes the identity identifier of the UE and a synchronization failure indication.
  • an embodiment of the present invention further provides an authentication system 60, as shown in FIG. 6, including an authentication device 40 and a core network device 50.
  • for the actions performed by the authentication device 40 and the core network device 50 and the interaction between them, refer to the description of the method embodiments corresponding to FIG. 1 to FIG. 3 and the description of the device embodiments corresponding to FIG. 4 and FIG. ; they are not repeated here.
  • the authentication system may further include a user equipment 601;
  • the user equipment 601 may be configured to receive an authentication request message sent by the core network device 50, and perform authentication by using a random number and an authentication token in the authentication vector included in the authentication request message.
  • the user equipment 601 is further configured to send an authentication failure message to the core network device 50, where the authentication failure message includes a cause value, and the cause value is a synchronization failure.
  • an embodiment of the present invention further provides an authentication device in a wireless communication system, where the authentication device 700 can include:
  • the processor 701, the memory 702, and the communication interface 705 are connected by a bus 704 and complete communication with each other.
  • Processor 701 may be a single core or multi-core central processing unit, or a particular integrated circuit, or one or more integrated circuits configured to implement embodiments of the present invention.
  • the memory 702 may be a high speed RAM memory or a non-volatile memory such as at least one disk memory.
  • the memory 702 stores computer-executable instructions 703.
  • the computer-executable instructions 703 may include program code.
  • the processor 701 runs the computer-executable instructions 703, and may thereby execute the method flow of the authentication method in the wireless communication system according to the method embodiment corresponding to any one of FIG. 1 to FIG.
  • the authentication device 700 may be the authentication device that implements the method corresponding to FIG. 2 or FIG. 3, or it may be a core network device.
  • an embodiment of the present invention further provides a computer readable medium comprising computer-executable instructions which, when executed by a processor of a computer, cause the computer to perform the method flow of the authentication method in the wireless communication network of FIG. 1 or FIG.
  • an embodiment of the present invention further provides a computer readable medium comprising computer-executable instructions which, when executed by a processor of a computer, cause the computer to perform the method flow of the authentication method in the wireless communication network of FIG. 2 or FIG.
  • the LTE network mentioned in the present invention includes LTE-A networks and subsequent LTE releases.
  • the first, second, third, fourth, fifth, etc. in the embodiments of the present invention are only used to distinguish different indication information, messages, or other objects, and do not represent sequential relationships.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be other division manners; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, or an electrical, mechanical or other form of connection.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the embodiments of the present invention.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the technical solution of the present invention contributes in essence or to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium.
  • a number of instructions are included to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Provided are an authentication method within a wireless communication network, a related apparatus and a system. After receiving an authentication data request message sent by a core network device, even if the authentication data request message carries a synchronisation failure indication, an authentication device queries and obtains a DIF value of a UE according to an identifier of the UE in order to generate a resynchronisation sequence, so that the resynchronisation sequence is not equal to (or approximately equal to) a self-stored maximum sequence number sequence reported by the UE, preventing repeated authentication failure in the prior art caused by the resynchronisation sequence being equal to (or approximately equal to) the maximum sequence number sequence stored by the UE, and ensuring successful authentication for the core network device when an authentication vector including the resynchronisation sequence is used to perform authentication, thereby solving the problem in the prior art caused after repeated authentication failure that the UE is not able to initiate a service in a normal manner until restarted.

Description

Authentication method, related device and system in a wireless communication network. Technical field
The present invention relates to the field of communications technologies, and in particular to an authentication method, related device and system in a wireless communication network.
Background
Authentication is part of mobile network security management and is used to provide confidentiality and data integrity for the mobile network. In current mobile communication networks, only a valid user equipment (UE) is entitled to service, and verifying whether a UE is valid is done through an authentication procedure. A UE triggers the authentication procedure when it sends a registration request, a service request or a handover request to the network. In a second generation (2G) network, authentication is a one-way process: the network verifies the legitimacy of the UE. In a third generation (3G) or Long Term Evolution (LTE) network, in addition to the network verifying the legitimacy of the UE, the UE also verifies the legitimacy of the network, that is, it performs network authentication.
Note that authentication is performed per domain: the packet switched (PS) domain and the circuit switched (CS) domain run separate authentication procedures. PS domain authentication is initiated by the Mobility Management Entity (MME) or the General Packet Radio Service (GPRS) Serving GPRS Support Node (SGSN), and CS domain authentication is initiated by the Mobile Switching Center (MSC); the UE must perform network authentication for the PS domain and for the CS domain separately. Taking 3G authentication as an example, the MSC/SGSN obtains authentication vectors from the home location register (HLR) or the authentication center (AUC) and sends the UE an authentication request message carrying an authentication vector. Based on the authentication request message, the UE first checks whether the network is legitimate; if it is, the UE then checks whether it is synchronized with the network. If it is synchronized, the UE has successfully authenticated the network and returns a response message, from which the MSC/SGSN verifies the legitimacy of the UE. If synchronization fails, the UE replies to the MSC/SGSN with an authentication failure message carrying a cause value, and the MSC/SGSN sends the UE another authentication request message.
In the prior art, when the MSC/SGSN/MME obtains authentication vectors from the HLR/AUC, it usually requests several at a time to save network overhead and reduce the load on the HLR/AUC. Moreover, since the Universal Mobile Telecommunications System Subscriber Identity Module (USIM) of most UEs does not support per-domain synchronization checking, the UE's synchronization checking for the PS domain and the CS domain is not fully separated. Once a PS domain authentication is inserted before a CS domain authentication while the MSC that initiates the CS domain authentication still holds unused authentication vectors, the UE's network authentication of the CS domain may fail; likewise, once a CS domain authentication is inserted before a PS domain authentication while the MME/SGSN that initiates the PS domain authentication still holds unused authentication vectors, the UE's network authentication of the PS domain may fail.
In addition, if the MSC/SGSN/MME receives an authentication failure message from the UE twice in succession, it terminates the authentication procedure and sends the UE an authentication reject message. Once the UE receives an authentication reject message it cannot initiate services normally until it is restarted, which seriously affects the user.
Summary of the invention
In view of the above problems in the prior art, embodiments of the present invention provide an authentication method, related device and system in a wireless communication network, which can solve the prior-art problem that the user equipment cannot initiate services normally until it is restarted after two consecutive authentication failures.
In a first aspect, an embodiment of the present invention provides an authentication method in a wireless communication network, including: an authentication device receives an authentication data request message sent by a core network device, where the authentication data request message includes an identity of a user equipment and a synchronization failure indication;
the authentication device obtains the difference (DIF) value of the user equipment according to the identity of the user equipment, and generates a resynchronization sequence according to the DIF value of the user equipment;
the authentication device generates an authentication vector according to the resynchronization sequence;
the authentication device sends the authentication vector to the core network device.
With reference to the first aspect, in a first possible implementation, the authentication device obtaining the DIF value of the user equipment according to the identity of the user equipment and generating the resynchronization sequence according to the DIF value of the user equipment includes:
the authentication device queries a database according to the identity of the user equipment to obtain the DIF value of the user equipment; and the authentication device generates the resynchronization sequence according to the DIF value of the user equipment and the value of the current global counter.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation, the authentication data request message further includes information about the sequence with the maximum sequence number stored by the user equipment.
With reference to the first aspect or the first or second possible implementation of the first aspect, in a third possible implementation, the identity of the user equipment is the international mobile subscriber identity (IMSI) of the user equipment.
In a second aspect, an embodiment of the present invention provides an authentication method in a wireless communication network, including: a core network device sends an authentication data request message to an authentication device, where the authentication data request message includes an identity of a user equipment and a synchronization failure indication;
the core network device receives an authentication vector returned by the authentication device, where the authentication vector is generated by the authentication device according to a resynchronization sequence, and the resynchronization sequence is generated by the authentication device according to the DIF value of the user equipment obtained according to the identity of the user equipment;
the core network device sends an authentication request message to the user equipment, where the authentication request message includes the random number and the authentication token from the authentication vector.
With reference to the second aspect, in a first possible implementation, before the core network device sends the authentication data request message to the authentication device, the method further includes:
the core network device receives an authentication failure message sent by the user equipment, where the authentication failure message includes a cause value, and the cause value is synchronization failure.
In a third aspect, an embodiment of the present invention provides an authentication device, including:
a receiving unit, configured to receive an authentication data request message sent by a core network device, where the authentication data request message includes an identity of a user equipment and a synchronization failure indication;
a processing unit, configured to determine the DIF value of the user equipment according to the identity of the user equipment, determine a resynchronization sequence according to the DIF value of the user equipment, and generate an authentication vector according to the resynchronization sequence;
a sending unit, configured to send the authentication vector to the core network device.
With reference to the third aspect, in a first possible implementation, the processing unit is specifically configured to query a database according to the identity of the user equipment to obtain the DIF value of the user equipment, and to generate the resynchronization sequence according to the DIF value of the user equipment and the value of the current global counter.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation, the authentication data request message further includes information about the sequence with the maximum sequence number stored by the user equipment.
In a fourth aspect, an embodiment of the present invention provides a core network device, including:
a sending unit, configured to send an authentication data request message to an authentication device, where the authentication data request message includes an identity of a user equipment and a synchronization failure indication;
an obtaining unit, configured to receive an authentication vector returned by the authentication device, where the authentication vector is generated by the authentication device according to a resynchronization sequence, and the resynchronization sequence is generated by the authentication device according to the DIF value of the user equipment obtained according to the identity of the user equipment;
the sending unit is further configured to send an authentication request message to the user equipment, where the authentication request message includes the random number and the authentication token from the authentication vector.
With reference to the fourth aspect, in a first possible implementation, the core network device further includes:
a receiving unit, configured to receive, before the sending unit sends the authentication data request message to the authentication device, an authentication failure message sent by the user equipment, where the authentication failure message includes a cause value, and the cause value is synchronization failure.
In a fifth aspect, an embodiment of the present invention provides an authentication system, including the authentication device of the third aspect or any possible implementation of the third aspect, and the core network device of the fourth aspect or any possible implementation of the fourth aspect.
With reference to the fifth aspect, in a first possible implementation, the system further includes a user equipment;
the user equipment is configured to receive an authentication request message sent by the core network device and to perform authentication using the random number and the authentication token from the authentication vector included in the authentication request message.
第六方面,本发明实施例提供了一种鉴权设备,包括处理器、存储器、总线和通信接口;In a sixth aspect, an embodiment of the present invention provides an authentication device, including a processor, a memory, a bus, and a communication interface.
The memory is configured to store computer-executable instructions, and the processor is connected to the memory through the bus; when the authentication device runs, the processor executes the computer-executable instructions stored in the memory, so that the authentication device performs the authentication method in a wireless communication network according to the first aspect or any possible implementation manner of the first aspect.
In a seventh aspect, an embodiment of the present invention provides a core network device, where the core network device includes a processor, a memory, a bus, and a communication interface;
the memory is configured to store computer-executable instructions, and the processor is connected to the memory through the bus; when the core network device runs, the processor executes the computer-executable instructions stored in the memory, so that the core network device performs the authentication method in a wireless communication network according to the second aspect or the first possible implementation manner of the second aspect.
In an eighth aspect, an embodiment of the present invention provides a computer-readable medium, which includes computer-executable instructions; when a processor of a computer executes the computer-executable instructions, the computer performs the authentication method in a wireless communication network according to the first aspect or any possible implementation manner of the first aspect.
In a ninth aspect, an embodiment of the present invention provides a computer-readable medium, which includes computer-executable instructions; when a processor of a computer executes the computer-executable instructions, the computer performs the authentication method in a wireless communication network according to the second aspect or the first possible implementation manner of the second aspect.
In the present invention, the DIF value of a user equipment is expressed as the difference between the value of the sequence generated for the user equipment and the value of the global counter. An embodiment of the present invention provides an authentication method in a wireless communication network: after receiving an authentication data request message sent by the core network device, the authentication device, even if the authentication data request message carries a synchronization failure indication, queries the DIF value of the UE according to the identity of the UE and uses it to generate the resynchronization sequence, so that the resynchronization sequence is not equal (or approximately equal) to the sequence of the largest sequence number stored by the UE and reported by it. This avoids the repeated authentication failure of the prior art caused by a resynchronization sequence equal (or approximately equal) to the sequence of the largest sequence number stored by the UE, ensures that authentication by the core network device succeeds when it uses the authentication vector containing this resynchronization sequence, and thereby solves the prior-art problem that, after the repeated authentication failure, the UE cannot initiate services normally until it is restarted.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the accompanying drawings required for describing the embodiments are briefly introduced below. Evidently, the drawings in the following description show only some embodiments of the present invention, and a person skilled in the art may derive other drawings from these drawings without creative effort.
FIG. 1 shows an authentication method in a wireless communication network according to an embodiment of the present invention;
FIG. 2 shows another authentication method in a wireless communication network according to an embodiment of the present invention;
FIG. 3 shows another authentication method in a wireless communication network according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an authentication device according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a core network device according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of an authentication system according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an authentication device in a wireless communication network according to an embodiment of the present invention.
Detailed description
The embodiments of the present invention provide an authentication method in a wireless communication network and a related apparatus and system, which can solve the prior-art problem that, after two consecutive authentication failures, the user equipment cannot initiate services normally until it is restarted.
To describe the embodiments of the present invention more clearly, some background knowledge related to the embodiments is introduced first.
Generally, in the network authentication procedure the UE needs to verify whether it is synchronized with the network; if it is not, the authentication procedure fails. To detect whether it is synchronized with the network, the UE needs to obtain the sequence number (SQN) from the authentication vector sent by the core network device (MME/MSC/SGSN) and check whether this sequence number satisfies a series of check conditions, one of which is verifying that the sequence (SEQ) contained in the sequence number satisfies SEQ_MS - SEQ < L, where L is usually set by the operator, L may be 32, and SEQ_MS is the sequence of the largest sequence number currently stored by the UE itself. If the SQN satisfies all the check conditions, the synchronization verification succeeds, and if SEQ > SEQ_MS the SEQ_MS stored in the UE is updated to SEQ. The SQN obtained from the authentication vector is in fact generated by the authentication device (HLR/AUC) and included in the authentication vector.
The SQN generated by the authentication device is usually represented in binary and consists of two parts, SEQ and IND. In the time-based SQN generation mechanism, the authentication device keeps in its own database a difference (DIF) value for each user equipment; the DIF value differs from one user equipment to another, and it represents the difference between the SEQ value generated for that user equipment and the value of the global counter (GLC). Hence the SEQ generated for the same UE depends only on the value of the global counter GLC. Generally, after the authentication device receives an authentication data request message that does not carry a synchronization failure indication, it queries the UE's DIF value from its own database, obtains the current value of the global counter GLC, and then generates SEQ as SEQ = GLC + DIF. That is, the difference between two SEQs generated by the authentication device for the same UE depends only on the value of the global counter GLC, and the value of the global counter GLC is usually taken from a point in time (a timestamp); for example, if the global counter GLC increases by 1 every 0.1 seconds, the difference between the SEQs generated for the same UE within 5 seconds is 1 * (5 s / 0.1 s) = 50.
The inventors have found through analysis that, in the prior art, because the UE does not fully separate synchronization checking for the PS domain from that for the CS domain, once a PS domain authentication is inserted before a CS domain authentication and the MSC initiating that CS domain authentication holds an unused authentication vector, the UE's network authentication for the CS domain may fail; likewise, once a CS domain authentication is inserted before a PS domain authentication and the MME/SGSN initiating that PS domain authentication holds an unused authentication vector, the UE's network authentication for the PS domain may fail. For example, consider the scenario in which a PS domain network authentication is inserted between two CS domain network authentications of the UE. Before the core network device initiates the first CS domain authentication, the MSC may have obtained several authentication vectors AV_C11 and AV_C12 from the authentication device, so after the first CS domain authentication the unused authentication vector AV_C12 is still stored in the MSC. Later, because of a change of the UE's radio access type or for other reasons, a PS domain authentication and a second CS domain authentication may have to be initiated for the UE, and the PS domain authentication may take place before the second CS domain authentication. If the PS domain authentication succeeds, the sequence SEQ_MS of the largest sequence number stored in the UE may be updated to the SEQ_P obtained from the authentication vector AV_P of the PS domain authentication. When the second CS domain authentication is performed, the MSC initiates the authentication procedure with the unused authentication vector AV_C12 it has stored, so the SEQ obtained by the UE equals the SEQ_C12 obtained from AV_C12, and SEQ_MS - SEQ = SEQ_P - SEQ_C12; that is, the value of SEQ_MS - SEQ depends on the time difference between the generation of AV_P (SEQ_P) and AV_C12 (SEQ_C12). However, because in the second CS domain authentication the core network device uses the unused authentication vector AV_C12 that it obtained during the first CS domain network authentication and stored, if the authentication device generated AV_P and AV_C12 at widely separated times, SEQ_MS - SEQ is not less than L, the check condition cannot be satisfied, synchronization fails, and consequently authentication fails.
In addition, in the prior art, when authentication fails because of a synchronization failure, the core network device usually receives from the UE an authentication failure message carrying a cause value, the cause value being synchronization failure, and the core network device triggers the resynchronization procedure by sending to the authentication device an authentication data request message carrying a synchronization failure indication; this authentication data request message carrying the synchronization failure indication also contains information on the sequence SEQ_MS1 of the largest sequence number stored in the UE at the time of the synchronization failure. Unlike the procedure followed on receiving an authentication data request message without a synchronization failure indication, in which the authentication device generates the sequence SEQ from the DIF value of the UE obtained according to the UE's identity, in the resynchronization procedure the authentication device first needs to obtain SEQ_MS1, reset the UE's DIF value to SEQ_MS1 - GLC1, and then generate the resynchronization sequence SEQ_sy from the reset DIF value and the current value of the global counter GLC, so that SEQ_sy = SEQ_MS1 - GLC1 + GLC2, where GLC1 is the time at which SEQ_MS1 was received and GLC2 is the time at which the resynchronization sequence is generated; then, according to a preset algorithm, it includes the information of the resynchronization sequence SEQ_sy in an authentication vector and sends it to the core network device for re-authentication. However, because GLC1 and GLC2 usually differ very little, the resynchronization sequence SEQ_sy is almost equal to SEQ_MS1. Now, if a PS domain authentication is inserted before the core network device initiates CS domain authentication again with the authentication vector containing this resynchronization sequence SEQ_sy, then when the UE performs network authentication for the CS domain again, the synchronization parameter SEQ_MS2 of the largest sequence number stored in the UE may already have been updated to the SEQ_P2 obtained from the authentication vector AV_P2 of the PS domain authentication, while the SEQ at this point equals the resynchronization sequence SEQ_sy, so SEQ_MS2 - SEQ = SEQ_P2 - SEQ_sy ≈ SEQ_P2 - SEQ_MS1. SEQ_P2 and SEQ_MS1 may often differ greatly, with SEQ_P2 larger than SEQ_MS1, so that SEQ_MS2 - SEQ_sy < L cannot hold and re-authentication fails. Similarly, if a CS domain authentication is inserted before the core network device initiates PS domain authentication again with the authentication vector containing the resynchronization sequence, the prior-art method may likewise cause re-authentication to fail; the authentication procedure is then aborted, and the UE cannot initiate services normally until it is restarted.
To solve the above problem, an embodiment of the present invention provides an authentication method in a wireless communication network that makes the core network device (MSC/SGSN/MME) obtain a new authentication vector (authorization vector, AV) from the authentication device before every authentication request it initiates to the UE, and authenticate with the newly obtained authentication vector even if it still holds unused authentication vectors. This guarantees that, in every CS domain or PS domain network authentication, the SEQ contained in the authentication vector was newly generated by the authentication device, so synchronization succeeds even when a PS domain network authentication is inserted before a CS domain network authentication or a CS domain network authentication is inserted before a PS domain network authentication; this solves the prior-art problem of authentication failure caused by synchronization failure and avoids the UE being detached from the network as a possible consequence of authentication failure.
An embodiment of the present invention further provides an authentication method in a wireless communication network in which, when the core network device triggers the resynchronization procedure because of a synchronization failure, the authentication device does not generate the resynchronization sequence SEQ_sy from the sequence SEQ_MS of the largest sequence number stored in the UE; instead, just as when it receives an authentication data request message without a synchronization failure indication, it obtains the UE's DIF value directly according to the UE's identity and generates the resynchronization sequence SEQ_sy from the UE's DIF value and the current value of the global counter GLC (that is, the time at which the resynchronization SEQ is generated), so that the resynchronization sequence SEQ_sy is not equal (or approximately equal) to SEQ_MS1. This ensures that authentication succeeds when the core network device authenticates with the authentication vector containing this resynchronization sequence SEQ_sy, and thereby avoids the problem that, after a repeated authentication failure, the UE cannot initiate services normally until it is restarted.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Note that in the embodiments of the present invention the core network device may be an MSC, an SGSN, or an MME, and the authentication device may be an HLR, a Home Subscriber Server (HSS), an AUC, or a Home Environment (HE).
An embodiment of the present invention provides an authentication method in a wireless communication network. As shown in FIG. 1, the method may include:
S101: The authentication device receives an authentication data request message (authentication data request) sent by the core network device, the authentication data request message containing the identity of the UE and a synchronization failure indication (synchronisation failure indication).
The identity of the UE may be the International Mobile Subscriber Identity (IMSI) of the UE; the synchronization failure indication is used to indicate that synchronization has failed, and an authentication data request message containing the synchronization failure indication usually triggers the resynchronization procedure.
In addition, the authentication data request may also contain information on the sequence SEQ_MS1 of the largest sequence number stored by the user equipment, from which SEQ_MS1 can be determined. Because the sequence of the largest sequence number stored by the user equipment may be updated after a successful authentication, the information on SEQ_MS1 contained in the authentication data request is, specifically, the information on the sequence SEQ_MS1 of the largest sequence number stored by the UE after its last successful authentication, that is, the information on the sequence of the largest sequence number stored in the UE when the current authentication failed.
S102: The authentication device obtains the DIF value of the UE according to the identity of the UE and determines the resynchronization sequence SEQ_sy according to the DIF value of the UE.
The database of the authentication device stores a corresponding DIF value for each user equipment; the DIF value of a user equipment represents the difference between the SEQ value generated for the user equipment and the value of the global counter (GLC). The authentication device can therefore query the database according to the identity of the UE, obtain the DIF value of the UE stored in the database, and generate the resynchronization sequence SEQ_sy from the DIF value of the UE and the current value of the global counter GLC (that is, the time at which the resynchronization sequence SEQ_sy is generated). The database is usually configured in the authentication device.
Unlike the prior art, in which on receiving an authentication data request message carrying a synchronization failure indication the UE's DIF value is reset to SEQ_MS1 - GLC1 (GLC1 being the value of the global counter GLC when SEQ_MS1 was received), which makes the resynchronization sequence SEQ_sy almost equal to SEQ_MS1, here the authentication device, just as when it receives an authentication data request message without a synchronization failure indication, obtains the UE's DIF value directly according to the UE's identity and generates the resynchronization sequence SEQ_sy from the UE's DIF value and the current value of the global counter GLC. This avoids the prior-art repeated authentication failure caused by the resynchronization sequence SEQ_sy being equal (or approximately equal) to SEQ_MS1, solves the problem that after the repeated authentication failure the UE cannot initiate services normally until it is restarted, and avoids affecting the UE's services.
S103: The authentication device generates an authentication vector according to the resynchronization sequence SEQ_sy.
The authentication device may first include the resynchronization sequence SEQ_sy in a sequence number SQN by means of a preset algorithm, and then use the SQN together with an anonymity key (AK) obtained from a random number (RAND) to generate an authentication token (AUTN); the authentication vector contains the authentication token and the random number.
Specifically, the authentication device may obtain the anonymity key AK from the random number, and include the SQN, the anonymity key AK, and other necessary parameters in the authentication token; the finally generated authentication vector contains the authentication token and the random number. Subsequently, the UE or another device can obtain the anonymity key AK from the random number contained in the authentication vector and use the anonymity key AK to recover from the authentication token the sequence number containing the resynchronization sequence; that is, the authentication token and the random number can be used to determine the SQN containing the resynchronization sequence SEQ_sy.
In addition, the authentication vector may further include an expected response (XRES), an integrity key (IK), and a cipher key (CK).
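The following added example (not code from the patent or from any operator's equipment) shows the token handling of steps S103 and S203 in working form: the authentication device conceals the SQN with the anonymity key AK derived from RAND and binds it with a message authentication code, and the UE side re-derives AK from RAND, unmasks the SQN, and accepts it only when the code verifies. The token layout (SQN xor AK) || AMF || MAC, the use of HMAC-SHA256 in place of the operator-specific f1/f5 functions, the 48-bit SQN split as a 43-bit SEQ and a 5-bit IND, and the fixed test key and RAND are all assumptions of this example; the patent only says a preset algorithm is used.

```python
"""Constructed example: packing a sequence number into an authentication
token (AUTN) and recovering it on the UE side.  Illustrative code, not the
patent's or any operator's implementation.  Assumptions: AUTN is laid out
as (SQN xor AK) || AMF || MAC; AK and MAC come from HMAC-SHA256 standing in
for the operator's f5/f1 functions; SQN is 48 bits split as 43-bit SEQ and
5-bit IND; K_TEST and RAND_TEST are fixed constructed values."""
import hashlib
import hmac
from typing import Optional, Tuple

SQN_LEN = 6           # 48-bit SQN
AK_LEN = 6            # AK masks the SQN, so it has the same length
MAC_LEN = 8           # 64-bit message authentication code
IND_BITS = 5          # low 5 bits of SQN carry IND, the remaining 43 carry SEQ
AMF = b"\x00\x00"     # authentication management field (assumed constant here)


def pack_sqn(seq: int, ind: int) -> bytes:
    """SQN = SEQ || IND as a 48-bit big-endian value."""
    if not 0 <= ind < (1 << IND_BITS):
        raise ValueError("IND out of range")
    if not 0 <= seq < (1 << (8 * SQN_LEN - IND_BITS)):
        raise ValueError("SEQ out of range")
    return ((seq << IND_BITS) | ind).to_bytes(SQN_LEN, "big")


def unpack_sqn(sqn: bytes) -> Tuple[int, int]:
    value = int.from_bytes(sqn, "big")
    return value >> IND_BITS, value & ((1 << IND_BITS) - 1)


def f5_ak(k: bytes, rand: bytes) -> bytes:
    """Anonymity key derived from RAND (stand-in for f5)."""
    return hmac.new(k, b"f5" + rand, hashlib.sha256).digest()[:AK_LEN]


def f1_mac(k: bytes, rand: bytes, sqn: bytes, amf: bytes) -> bytes:
    """Network authentication code over RAND, SQN and AMF (stand-in for f1)."""
    return hmac.new(k, b"f1" + rand + sqn + amf, hashlib.sha256).digest()[:MAC_LEN]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_autn(k: bytes, rand: bytes, seq: int, ind: int) -> bytes:
    """Authentication-device side: conceal SQN with AK and bind it with a MAC."""
    sqn = pack_sqn(seq, ind)
    ak = f5_ak(k, rand)
    return xor_bytes(sqn, ak) + AMF + f1_mac(k, rand, sqn, AMF)


def recover_sqn(k: bytes, rand: bytes, autn: bytes) -> Optional[Tuple[int, int]]:
    """UE side: re-derive AK from RAND, unmask SQN, and accept it only if the
    MAC verifies.  Returns (SEQ, IND), or None when the token is not genuine."""
    if len(autn) != SQN_LEN + len(AMF) + MAC_LEN:
        return None
    conc = autn[:SQN_LEN]
    amf = autn[SQN_LEN:SQN_LEN + len(AMF)]
    mac = autn[SQN_LEN + len(AMF):]
    sqn = xor_bytes(conc, f5_ak(k, rand))
    if not hmac.compare_digest(mac, f1_mac(k, rand, sqn, amf)):
        return None
    return unpack_sqn(sqn)


# Constructed test vector: fixed key and RAND so the run is reproducible.
K_TEST = bytes(range(16))
RAND_TEST = bytes.fromhex("0123456789abcdef0123456789abcdef")


def demo() -> Optional[Tuple[int, int]]:
    """Build a token carrying SEQ = 70, IND = 3 and recover it as the UE would."""
    autn = build_autn(K_TEST, RAND_TEST, seq=70, ind=3)
    return recover_sqn(K_TEST, RAND_TEST, autn)


if __name__ == "__main__":
    print(demo())
```

Only the SEQ recovered through a verified MAC is fed into the synchronization check of the next step; a token whose masked SQN field has been altered, or one presented with a different RAND, yields no SQN at all rather than a wrong one.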
S104: The authentication device sends the authentication vector to the core network device, so that the core network device initiates the authentication procedure with the authentication vector.
The authentication device may send the authentication vector to the core network device in an authentication data response message; in that case the authentication data response message contains the authentication vector.
An embodiment of the present invention further provides an authentication method in a wireless communication network. As shown in FIG. 2, the method includes:
S201: The core network device sends an authentication data request message to the authentication device, the authentication data request message containing the identity of the UE and a synchronization failure indication.
The authentication failure message may also contain information on the sequence SEQ_MS1 of the largest sequence number stored by the user equipment, from which SEQ_MS1 can be determined. Because the sequence of the largest sequence number stored by the user equipment may be updated after a successful authentication, the information on SEQ_MS1 contained in the authentication data request is, specifically, the information on the sequence SEQ_MS1 of the largest sequence number stored by the UE after its last successful authentication, that is, the information on the sequence of the largest sequence number stored in the UE when the current authentication failed. Correspondingly, the authentication data request message may also contain the information on SEQ_MS1.
S202: The core network device receives the authentication vector returned by the authentication device, where the authentication vector is generated by the authentication device according to the resynchronization sequence SEQ_sy, and the resynchronization sequence SEQ_sy is generated by the authentication device according to the DIF value of the user equipment obtained according to the identity of the user equipment.
S203: The core network device sends an authentication request message (authentication request) to the UE, the authentication request message containing the random number and the authentication token from the authentication vector.
The core network device can initiate the authentication procedure with the random number and the authentication token from the authentication vector; subsequently the UE can obtain the anonymity key AK from the random number, use the anonymity key AK to recover from the authentication token the sequence number SQN containing the resynchronization sequence SEQ_sy, and obtain the resynchronization sequence SEQ_sy from the sequence number SQN for synchronization verification.
Because the resynchronization sequence SEQ_sy is determined by the authentication device from the DIF value of the UE obtained according to the UE's identity, and is independent of SEQ_MS1, the prior-art repeated authentication failure caused by the resynchronization sequence SEQ_sy being equal (or approximately equal) to SEQ_MS1 is avoided; this solves the problem that after the repeated authentication failure the UE cannot initiate services normally until it is restarted, and avoids affecting the UE's services.
Optionally, step S200 may be included before S201:
S200: The core network device receives an authentication failure message (authentication failure) sent by the UE, the authentication failure message containing a cause value (cause), the cause value being synchronization failure (synchronisation failure). The core network device may then, according to the authentication failure message, send an authentication data request message to the authentication device, the authentication data request message containing the identity of the UE and a synchronization failure indication.
本发明实施例提供了一种无线网络通信网络中的鉴权方法,如图3所示,所述方法包括:An embodiment of the present invention provides an authentication method in a wireless network communication network. As shown in FIG. 3, the method includes:
S301:UE向MSC返回鉴权失败消息,所述鉴权失败消息携带原因值和所述UE在上一次成功鉴权后存储的最大序列号的序列SEQMS1的信息,所述原因值为同步失败。S301: The UE returns an authentication failure message to the MSC, where the authentication failure message carries the cause value and the information of the sequence SEQ MS1 of the maximum sequence number stored by the UE after the last successful authentication, where the cause value is a synchronization failure. .
在所述MSC根据所述鉴权失败消息,发起重同步流程之前,3G网络的SGSN可能需要向HLR/HE/AUC获取鉴权向量以发起PS域鉴权,因而可以执行步骤S302。Before the MSC initiates the resynchronization procedure according to the authentication failure message, the SGSN of the 3G network may need to obtain an authentication vector from the HLR/HE/AUC to initiate PS domain authentication, and thus step S302 may be performed.
S302:SGSN向所述HLR/HE/AUC发送第一鉴权数据请求消息,所述第一鉴权数据请求消息携带所述UE的IMSI。S302: The SGSN sends a first authentication data request message to the HLR/HE/AUC, where the first authentication data request message carries an IMSI of the UE.
所述第一鉴权数据请求消息也即PS鉴权数据请求消息。The first authentication data request message is also a PS authentication data request message.
S303:所述HLR/HE/AUC向所述SGSN返回第一鉴权数据响应消息,第一鉴权数据响应消息包含鉴权向量AVpsS303: The HLR/HE/AUC returns a first authentication data response message to the SGSN, where the first authentication data response message includes an authentication vector AV ps .
所述HLR/HE/AUC可以首先根据所述UE的IMSI,得到所述UE的DIF值DIF,再生成序列SEQps,其中SEQps=DIF+GLCT1,GLCT1为生成SEQps时全局计数器GLC的值,然后将SEQps包含在序列号SQNps中,并将SQNps和利用随机数RANDps获得的匿名密钥AKps包含在鉴权令牌AUTNps中,最后生成鉴权向量AVps,所述AVps包含所述RANDps和所述AUTNpsThe HLR/HE/AUC may first obtain the DIF value DIF of the UE according to the IMSI of the UE, and generate a sequence SEQ ps , where SEQ ps = DIF + GLC T1 , and GLC T1 is a global counter GLC when generating SEQ ps value, then the number contained in the sequence SEQ ps SQN ps, and the SQN ps and the anonymity key AK ps using the random number RAND ps contained in the obtained authentication token AUTN ps, and finally generated authentication vector AV ps, The AV ps includes the RAND ps and the AUTN ps .
具体来说,假设SEQMS1=5,全局计数器GLC的值可以为每0.1秒加1,在生成SEQMS14.5秒后,HLR/HE/AUC接收到来自SGSN的第一鉴权数据请求消息,则生成的SEQps=50。Specifically, assuming SEQ MS1 = 5, the value of the global counter GLC may be incremented by one every 0.1 seconds, and after the SEQ MS1 is generated 4.5 seconds, the HLR/HE/AUC receives the first authentication data request message from the SGSN, then The generated SEQ ps = 50.
S304: The MSC sends a second authentication data request message to the HLR/HE/AUC. The second authentication data request message contains the UE's IMSI, a synchronisation failure indication and information on SEQ_MS1.
S305: The HLR/HE/AUC obtains the UE's DIF value from the UE's IMSI, determines the resynchronisation sequence SEQ_sy from that DIF value, and generates the authentication vector AV_sy from SEQ_sy; AV_sy contains the random number RAND_sy and the authentication token AUTN_sy.
Specifically, the resynchronisation sequence may be SEQ_sy = DIF + GLC_T2, where GLC_T2 is the value of the global counter GLC at the moment SEQ_sy is generated. For example, if the HLR/HE/AUC receives the second authentication data request message from the MSC 2 seconds after SEQ_ps was generated, the generated SEQ_sy = 70.
S306: The HLR/HE/AUC returns a second authentication data response message to the MSC; the second authentication data response message contains AV_sy.
S307: The SGSN sends a first authentication request message to the UE; the first authentication request message contains RAND_ps and AUTN_ps (carrying SEQ_ps) from AV_ps.
S308: If authentication succeeds and SEQ_ps is greater than SEQ_MS1, the UE updates the stored sequence of its largest sequence number to SEQ_ps.
Steps S307-S308 may also be performed before step S304; the embodiments of the present invention do not limit this.
S309: The UE returns a first authentication response message to the SGSN.
S310: The MSC sends a second authentication request message to the UE; the second authentication request message contains RAND_sy and AUTN_sy (carrying SEQ_sy) from AV_sy.
S311: If authentication succeeds and SEQ_sy is greater than SEQ_ps, the UE updates the stored sequence of its largest sequence number to SEQ_sy.
After receiving the second authentication request message, the UE derives AK_sy from RAND_sy, uses AK_sy and the associated algorithm to recover from AUTN_sy the sequence number SQN_sy that contains SEQ_sy, extracts SEQ_sy, and compares SEQ_sy with the stored sequence of its largest sequence number.
Because the UE's stored largest sequence has by now been updated to SEQ_ps, SEQ_MS - SEQ = SEQ_ps - SEQ_sy = GLC_T1 - GLC_T2. The global counter value GLC_T2 at which SEQ_sy was generated is necessarily later than the value GLC_T1 at which SEQ_ps was generated, so SEQ_MS - SEQ = SEQ_ps - SEQ_sy = GLC_T1 - GLC_T2 < 0 < L (in the example, 45 - 65 = -20). This guarantees that the UE synchronises successfully with the network and therefore that authentication succeeds, avoiding the situation in which a repeated authentication failure leaves the UE unable to initiate services until it is restarted.
Under the prior-art procedure, by contrast, the generated SEQ_sy is equal or approximately equal to SEQ_MS1. Since the UE's stored largest sequence is SEQ_ps, which is greater than SEQ_MS1, SEQ_MS - SEQ = SEQ_ps - SEQ_sy ≈ SEQ_ps - SEQ_MS1. If the HLR/HE/AUC received the first authentication data request message from the SGSN 4.5 seconds after SEQ_MS1 was generated, this difference is 50 - 5 = 45 > L (with L = 32), so the synchronisation check fails again and the UE cannot initiate services until it is restarted.
S312: The UE returns a second authentication response message to the MSC.
In this embodiment, after receiving an authentication data request message carrying a synchronisation failure indication, the authentication device can obtain the UE's DIF value directly from the UE's IMSI, generate the resynchronisation sequence SEQ_sy from it, generate an authentication vector from SEQ_sy and send that vector to the core network device. Even if a PS-domain (or CS-domain) authentication is inserted before the core network device uses SEQ_sy for CS-domain (or PS-domain) authentication, authentication still succeeds; the repeated authentication failure caused by the prior-art procedure, which makes the generated SEQ_sy almost equal (or approximately equal) to SEQ_MS1, is avoided.
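The PS/CS interleaving of steps S303 to S312 above, replayed in a small Python model. This is an added example and not code from the patent. It models only the two USIM checks the description states (accept while SEQ_MS - SEQ < L; record a larger SEQ as the new maximum after success) and leaves out the IND array and the wrap-around limit of 3GPP TS 33.102 Annex C. L = 32, one GLC step per 0.1 s, SEQ_MS1 = 5 and the 4.5 s and 2 s delays are the page's own figures; the IMSI is a constructed test value. The `rule` argument selects the prior-art DIF reset (which yields SEQ_sy ≈ SEQ_MS1) or the rule of this patent (SEQ_sy = DIF + GLC_T2), and `interleave_ps=False` shows that the prior art only fails when the PS-domain authentication is inserted between the resynchronisation request and the CS-domain authentication.

```python
"""Time-based SQN management for AKA: a model of the HLR/HE/AuC global
counter GLC and per-subscriber DIF value, used to replay the PS/CS
scenario of steps S303-S312 under two resynchronisation rules.
Added example, not the patent's code.  Simplifications and assumptions:
only the two USIM checks the page states are modelled (accept when
SEQ_MS - SEQ < L, record SEQ as the new SEQ_MS when SEQ > SEQ_MS); the
IND array and wrap-around limit of 3GPP TS 33.102 Annex C are omitted;
L = 32, one GLC step per 0.1 s and the 4.5 s / 2 s timing are the page's
figures; the IMSI is a constructed test value."""

from dataclasses import dataclass, field

L_AGE_LIMIT = 32  # the page's illustrative age limit L


@dataclass
class AuC:
    """Home environment (HLR/HE/AuC): one global counter GLC, one DIF per IMSI."""
    glc: int = 0
    dif: dict = field(default_factory=dict)

    def tick(self, steps: int) -> None:
        """Advance GLC (the page assumes one step per 0.1 s)."""
        self.glc += steps

    def fresh_seq(self, imsi: str) -> int:
        """Ordinary AV generation: SEQ = DIF + GLC."""
        return self.dif[imsi] + self.glc

    def resync_prior_art(self, imsi: str, seq_ms: int) -> int:
        """Prior art: on a sync-failure indication reset DIF := SEQ_MS - GLC,
        so the resynchronisation sequence comes out equal to SEQ_MS."""
        self.dif[imsi] = seq_ms - self.glc
        return self.fresh_seq(imsi)

    def resync_patent(self, imsi: str, seq_ms: int) -> int:
        """This patent: look DIF up by IMSI and add the current GLC; the
        SEQ_MS carried in the request does not feed the new sequence."""
        del seq_ms  # received, deliberately unused
        return self.fresh_seq(imsi)


@dataclass
class UE:
    """USIM side: SEQ_MS is the largest sequence accepted so far."""
    seq_ms: int

    def verify(self, seq: int) -> bool:
        """Synchronisation check as the page states it: reject sequences that
        are L or more behind SEQ_MS; on success record a larger SEQ."""
        if self.seq_ms - seq >= L_AGE_LIMIT:
            return False
        if seq > self.seq_ms:
            self.seq_ms = seq
        return True


def run_scenario(rule: str, interleave_ps: bool = True) -> dict:
    """Replay the page's timeline under rule 'prior_art' or 'patent'.
    SEQ_MS1 = 5; the SGSN's AV request arrives 4.5 s later (GLC_T1 = 45);
    the MSC's resynchronisation request arrives 2 s after that (GLC_T2 = 65)."""
    imsi = "001010123456789"          # constructed test IMSI
    auc = AuC()
    auc.dif[imsi] = 5                 # chosen so that SEQ_MS1 = 5 at GLC = 0
    ue = UE(seq_ms=5)
    seq_ms1 = ue.seq_ms               # value the UE reported on sync failure

    auc.tick(45)
    seq_ps = auc.fresh_seq(imsi)      # S303: AV for the PS domain (SEQ_ps)
    auc.tick(20)
    seq_sy = getattr(auc, "resync_" + rule)(imsi, seq_ms1)  # S305: SEQ_sy

    ps_ok = ue.verify(seq_ps) if interleave_ps else None     # S307-S308
    cs_ok = ue.verify(seq_sy)                                # S310-S311
    return {"seq_ps": seq_ps, "seq_sy": seq_sy, "ps_ok": ps_ok,
            "cs_ok": cs_ok, "ue_seq_ms": ue.seq_ms}


if __name__ == "__main__":
    for rule in ("prior_art", "patent"):
        print(rule, run_scenario(rule))
```

With the interleaved PS authentication the prior-art rule produces SEQ_sy = 5 against a stored SEQ_MS of 50 and the CS check fails; the patent's rule produces SEQ_sy = 70 and both checks pass. Without the interleaving both rules pass, which is why the defect only shows up in the two-domain sequence the page describes.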
Corresponding to the method embodiment above, an embodiment of the present invention provides an authentication device 40, shown in FIG. 4. The authentication device 40 may be an HLR, an AUC or an HE, and comprises a receiving unit 401, a processing unit 402 and a sending unit 403.
The receiving unit 401 is configured to receive an authentication data request message sent by a core network device; the authentication data request message contains the UE's identity and a synchronisation failure indication, where the UE's identity may be the UE's IMSI.
The processing unit 402 is configured to determine the UE's DIF value from the UE's identity, determine the resynchronisation sequence SEQ_sy from that DIF value, and generate an authentication vector from SEQ_sy. Specifically, the processing unit 402 may query a database with the UE's identity to obtain the UE's DIF value, and generate SEQ_sy from the UE's DIF value and the current value of the global counter GLC. The processing unit 402 may further use a preset algorithm to embed SEQ_sy in a sequence number, and generate an authentication token from that sequence number and the anonymity key AK obtained from a random number; the authentication vector contains the authentication token and the random number.
The sending unit 403 is configured to send the authentication vector to the core network device.
Optionally, the authentication data request may also contain information on the sequence SEQ_MS1 of the largest sequence number stored by the user equipment, from which SEQ_MS1 can be determined. Since the user equipment's stored largest sequence can be updated after each successful authentication, the SEQ_MS1 information in the authentication data request is, specifically, the sequence of the largest sequence number stored by the UE after its last successful authentication, i.e. the largest sequence stored in the UE at the time the current authentication failed.
In the prior art, on receiving a data authentication request message carrying a synchronisation failure indication, the UE's DIF value is reset to SEQ_MS1 - GLC1 (GLC1 being the value of the global counter GLC when SEQ_MS1 is received), which makes the resynchronisation sequence SEQ_sy almost equal to SEQ_MS1. In this embodiment, by contrast, after the receiving unit 401 receives a data authentication request message carrying a synchronisation failure indication, the processing unit 402 obtains the UE's DIF value from the UE's identity and generates SEQ_sy from that DIF value and the current value of the global counter GLC. This avoids the repeated authentication failure that the prior art causes by making SEQ_sy equal (or approximately equal) to SEQ_MS1, resolves the problem of the UE being unable to initiate services until restarted after a repeated authentication failure, and so avoids affecting the UE's services.
Corresponding to the method embodiment above, an embodiment of the present invention provides a core network device 50, shown in FIG. 5. The core network device 50 may be an MME, an MSC or an SGSN, and comprises a sending unit 501 and an obtaining unit 502.
The sending unit 501 is configured to send an authentication data request message to the authentication device; the authentication data request message contains the UE's identity and a synchronisation failure indication, and the UE's identity may be the UE's IMSI. The authentication failure message may also contain information on the sequence SEQ_MS1 of the largest sequence number stored by the user equipment, from which SEQ_MS1 can be determined. Since the user equipment's stored largest sequence can be updated after each successful authentication, the SEQ_MS1 information in the authentication data request is, specifically, the sequence of the largest sequence number stored by the UE after its last successful authentication, i.e. the largest sequence stored in the UE at the time the current authentication failed. Correspondingly, the authentication data request message may also contain the SEQ_MS1 information.
The obtaining unit 502 is configured to receive the authentication vector returned by the authentication device; the authentication vector is generated by the authentication device from the resynchronisation sequence SEQ_sy, and SEQ_sy is generated by the authentication device from the user equipment's DIF value, obtained from the user equipment's identity.
The sending unit 501 is further configured to send an authentication request message to the UE; the authentication request message contains the random number and the authentication token from the authentication vector. The UE can then derive the anonymity key AK from the random number, use AK to recover from the authentication token the sequence number SQN that contains SEQ_sy, extract SEQ_sy from SQN and perform the synchronisation check. Because SEQ_sy is determined by the authentication device from the UE's DIF value, obtained from the UE's identity, and is independent of SEQ_MS1, the repeated authentication failure that the prior art causes by making SEQ_sy equal (or approximately equal) to SEQ_MS1 is avoided, the problem of the UE being unable to initiate services until restarted is resolved, and the UE's services are not affected.
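The packing of SEQ_sy into a sequence number, the concealment of that sequence number with the anonymity key AK and the UE-side recovery described for processing unit 402 and for the UE above, as an added Python example that is not the patent's own code. The field layout follows 3GPP TS 33.102 (SQN = SEQ || IND on 48 bits; AUTN = (SQN xor AK) || AMF || MAC). The MILENAGE functions f1 (MAC) and f5 (AK) are replaced by HMAC-SHA256 stand-ins keyed with K, an assumption that makes the values non-interoperable with a real USIM; K, RAND and the SEQ and IND values are constructed for the example.

```python
"""AUTN construction on the authentication device and recovery of SEQ on
the UE.  Added example, not the patent's code.  Layout follows 3GPP
TS 33.102: SQN = SEQ (43 bits) || IND (5 bits); AUTN = (SQN xor AK) ||
AMF || MAC with AK 48 bits, AMF 16 bits, MAC 64 bits.  Assumption: f1 and
f5 are HMAC-SHA256 stand-ins keyed with K (real USIMs use MILENAGE);
K, RAND and the SEQ/IND values below are constructed."""

import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SEQ_BITS, IND_BITS = 43, 5
SQN_LEN, AMF_LEN, MAC_LEN = 6, 2, 8   # bytes


def f5_ak(k: bytes, rand: bytes) -> bytes:
    """Stand-in for f5: anonymity key AK derived from K and RAND."""
    return hmac.new(k, b"f5" + rand, hashlib.sha256).digest()[:SQN_LEN]


def f1_mac(k: bytes, rand: bytes, sqn: bytes, amf: bytes) -> bytes:
    """Stand-in for f1: network MAC over RAND, SQN and AMF."""
    return hmac.new(k, b"f1" + rand + sqn + amf, hashlib.sha256).digest()[:MAC_LEN]


def pack_sqn(seq: int, ind: int) -> bytes:
    """Embed a sequence such as SEQ_sy and the array index IND in a 48-bit SQN."""
    if not 0 <= seq < (1 << SEQ_BITS) or not 0 <= ind < (1 << IND_BITS):
        raise ValueError("SEQ or IND out of range")
    return ((seq << IND_BITS) | ind).to_bytes(SQN_LEN, "big")


def unpack_sqn(sqn: bytes) -> Tuple[int, int]:
    """Inverse of pack_sqn: (SEQ, IND)."""
    value = int.from_bytes(sqn, "big")
    return value >> IND_BITS, value & ((1 << IND_BITS) - 1)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_av(k: bytes, seq: int, ind: int, amf: bytes = b"\x80\x00",
             rand: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Authentication device side (processing unit 402): returns (RAND, AUTN).
    SQN is masked with AK so the sequence number never travels in clear."""
    if rand is None:
        rand = secrets.token_bytes(16)
    sqn = pack_sqn(seq, ind)
    conc = xor_bytes(sqn, f5_ak(k, rand))
    return rand, conc + amf + f1_mac(k, rand, sqn, amf)


def recover_seq(k: bytes, rand: bytes, autn: bytes) -> Optional[Tuple[int, int]]:
    """UE side: derive AK from RAND, unmask SQN, check the MAC and return
    (SEQ, IND).  Returns None on MAC failure, which the USIM reports
    before any synchronisation check is made."""
    if len(autn) != SQN_LEN + AMF_LEN + MAC_LEN:
        raise ValueError("AUTN must be 16 bytes")
    conc = autn[:SQN_LEN]
    amf = autn[SQN_LEN:SQN_LEN + AMF_LEN]
    mac = autn[SQN_LEN + AMF_LEN:]
    sqn = xor_bytes(conc, f5_ak(k, rand))
    if not hmac.compare_digest(mac, f1_mac(k, rand, sqn, amf)):
        return None
    return unpack_sqn(sqn)


if __name__ == "__main__":
    K = bytes(range(16))                                   # constructed key
    RAND = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    rand, autn = build_av(K, seq=70, ind=3, rand=RAND)     # SEQ_sy = 70
    print("AUTN:", autn.hex())
    print("recovered (SEQ, IND):", recover_seq(K, rand, autn))
```

The recovered SEQ is what the UE compares against its stored maximum; the masking with AK is why SEQ_sy cannot be read off the air interface, and the MAC check is why a forged AUTN is rejected before the sequence comparison is reached.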
Optionally, the core network device further comprises a receiving unit 503, configured to receive an authentication failure message sent by the UE; the authentication failure message contains a cause value, and the cause value is synchronisation failure. The sending unit is then specifically configured to send, in response to the authentication failure message, an authentication data request message to the authentication device; the authentication data request message contains the UE's identity and a synchronisation failure indication.
As shown in FIG. 6, an embodiment of the present invention further provides an authentication system 60 comprising the authentication device 40 and the core network device 50. For the actions performed by the authentication device 40 and the core network device 50 and the interaction between them, refer to the description of the method embodiments corresponding to FIG. 1 to FIG. 3, or to the description of the device embodiments corresponding to FIG. 4 and FIG. 5; they are not repeated here.
Optionally, the authentication system may further comprise a user equipment 601.
The user equipment 601 may be configured to receive the authentication request message sent by the core network device 50 and to authenticate using the random number and the authentication token from the authentication vector contained in the authentication request message.
Optionally, the user equipment 601 may further be configured to send an authentication failure message to the core network device 50; the authentication failure message contains a cause value, and the cause value is synchronisation failure.
As shown in FIG. 7, an embodiment of the present invention further provides an authentication apparatus in a wireless communication system. The authentication apparatus 700 may comprise:
a processor 701, a memory 702, a bus 704 and a communication interface 705. The processor 701, the memory 702 and the communication interface 705 are connected by the bus 704 and communicate with one another over it.
The processor 701 may be a single-core or multi-core central processing unit, an application-specific integrated circuit, or one or more integrated circuits configured to implement embodiments of the present invention.
The memory 702 may be high-speed RAM or non-volatile memory, for example at least one disk memory.
The memory 702 is used to store computer-executable instructions 703. Specifically, the computer-executable instructions 703 may include program code.
When the authentication apparatus runs, the processor 701 executes the computer-executable instructions 703 and can carry out the authentication method in a wireless communication system described in any of the method embodiments corresponding to FIG. 1 to FIG. 3. When carrying out the method of the embodiment corresponding to FIG. 1 or FIG. 3, the authentication apparatus may be the authentication device; when carrying out the method of the embodiment corresponding to FIG. 2 or FIG. 3, the authentication apparatus may be the core network device.
An embodiment of the present invention further provides a computer-readable medium comprising computer-executable instructions which, when executed by a processor of a computer, cause the computer to carry out the authentication method in a wireless communication network described with reference to FIG. 1 or FIG. 3.
An embodiment of the present invention further provides a computer-readable medium comprising computer-executable instructions which, when executed by a processor of a computer, cause the computer to carry out the authentication method in a wireless communication network described with reference to FIG. 2 or FIG. 3.
The LTE network referred to in the present invention includes LTE-A networks and LTE releases that may appear subsequently. The terms first, second, third, fourth, fifth and so on in the embodiments of the present invention serve only to distinguish different indications, messages or other objects and do not denote an order.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above in general terms of their function. Whether these functions are performed in hardware or in software depends on the specific application and design constraints of the technical solution. A skilled person may implement the described functions in different ways for each particular application, but such implementations should not be regarded as going beyond the scope of the present invention.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may be found in the corresponding processes of the method embodiments above and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in practice; several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual need to achieve the purpose of the embodiments of the present invention.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, may exist physically as separate units, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or of a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, the part of it that contributes to the prior art, or all or part of the technical solution may be embodied as a software product stored in a storage medium and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any modification or substitution that a person familiar with the technical field could readily conceive within the technical scope disclosed by the present invention falls within the scope of protection of the present invention. The scope of protection of the present invention should therefore be determined by the scope of the claims.

Claims (17)

  1. An authentication method in a wireless communication network, characterised in that the method comprises:
    an authentication device receiving an authentication data request message sent by a core network device, the authentication data request message containing an identity of a user equipment and a synchronisation failure indication;
    the authentication device obtaining a difference (DIF) value of the user equipment from the identity of the user equipment, and generating a resynchronisation sequence from the DIF value of the user equipment;
    the authentication device generating an authentication vector from the resynchronisation sequence;
    the authentication device sending the authentication vector to the core network device.
  2. The method according to claim 1, characterised in that the authentication device obtaining the difference value of the user equipment from the identity of the user equipment and generating the resynchronisation sequence from the difference value of the user equipment comprises:
    the authentication device querying a database with the identity of the user equipment to obtain the DIF value of the user equipment;
    the authentication device generating the resynchronisation sequence from the DIF value of the user equipment and the value of a current global counter.
  3. The method according to claim 1 or 2, characterised in that the authentication device generating the authentication vector from the resynchronisation sequence comprises:
    the authentication device embedding the resynchronisation sequence in a sequence number using a preset algorithm;
    the authentication device generating an authentication token from the sequence number and an anonymity key AK obtained from a random number, the authentication vector containing the authentication token and the random number.
  4. The method according to any one of claims 1 to 3, characterised in that the authentication data request message further contains information on a sequence of a largest sequence number stored by the user equipment.
  5. The method according to any one of claims 1 to 4, characterised in that the identity of the user equipment is an International Mobile Subscriber Identity (IMSI) of the user equipment.
  6. An authentication method in a wireless communication network, characterised in that the method comprises:
    a core network device sending an authentication data request message to an authentication device, the authentication data request message containing an identity of a user equipment and a synchronisation failure indication;
    the core network device receiving an authentication vector returned by the authentication device, the authentication vector being generated by the authentication device from a resynchronisation sequence, and the resynchronisation sequence being generated by the authentication device from a DIF value of the user equipment obtained from the identity of the user equipment;
    the core network device sending an authentication request message to the user equipment, the authentication request message containing a random number and an authentication token from the authentication vector.
  7. An authentication device, characterised in that it comprises:
    a receiving unit, configured to receive an authentication data request message sent by a core network device, the authentication data request message containing an identity of a user equipment and a synchronisation failure indication;
    a processing unit, configured to determine a DIF value of the user equipment from the identity of the user equipment, determine a resynchronisation sequence from the difference (DIF) value of the user equipment, and generate an authentication vector from the resynchronisation sequence;
    a sending unit, configured to send the authentication vector to the core network device.
  8. The authentication device according to claim 7, characterised in that the processing unit is specifically configured to query a database with the identity of the user equipment to obtain the DIF value of the user equipment, and to generate the resynchronisation sequence from the DIF value of the user equipment and the value of a current global counter.
  9. The authentication device according to claim 7 or 8, characterised in that the processing unit is specifically configured to embed the resynchronisation sequence in a sequence number using a preset algorithm, and to generate an authentication token from the sequence number and an anonymity key AK obtained from a random number, the authentication vector containing the authentication token and the random number.
  10. The authentication device according to any one of claims 7 to 9, characterised in that the authentication data request message further contains information on a sequence of a largest sequence number stored by the user equipment.
  11. A core network device, characterised in that it comprises:
    a sending unit, configured to send an authentication data request message to an authentication device, the authentication data request message containing an identity of a user equipment and a synchronisation failure indication;
    an obtaining unit, configured to receive an authentication vector returned by the authentication device, the authentication vector being generated by the authentication device from a resynchronisation sequence, and the resynchronisation sequence being generated by the authentication device from a DIF value of the user equipment obtained from the identity of the user equipment;
    the sending unit being further configured to send an authentication request message to the user equipment, the authentication request message containing a random number and an authentication token from the authentication vector.
  12. An authentication system, characterised in that it comprises the authentication device according to any one of claims 7 to 10 and the core network device according to claim 11.
  13. The system according to claim 12, characterised in that it further comprises a user equipment;
    the user equipment being configured to send an authentication failure message to the core network device, the authentication failure message containing a cause value and the cause value being synchronisation failure, and to receive the authentication request message sent by the core network device and authenticate using the random number and the authentication token from the authentication vector contained in the authentication request message.
  14. An authentication device, characterised in that it comprises a processor, a memory, a bus and a communication interface;
    the memory being configured to store computer-executable instructions, the processor being connected to the memory via the bus, and, when the authentication device runs, the processor executing the computer-executable instructions stored in the memory so that the authentication device performs the authentication method in a wireless communication network according to any one of claims 1 to 5.
  15. A core network device, characterised in that it comprises a processor, a memory, a bus and a communication interface;
    the memory being configured to store computer-executable instructions, the processor being connected to the memory via the bus, and, when the core network device runs, the processor executing the computer-executable instructions stored in the memory so that the core network device performs the authentication method in a wireless communication network according to claim 6.
  16. A computer-readable medium, characterised in that it comprises computer-executable instructions which, when executed by a processor of a computer, cause the computer to perform the authentication method in a wireless communication network according to any one of claims 1 to 5.
  17. A computer-readable medium, characterised in that it comprises computer-executable instructions which, when executed by a processor of a computer, cause the computer to perform the authentication method in a wireless communication network according to claim 6.
PCT/CN2014/092793 2014-12-02 2014-12-02 Authentication method within wireless communication network, related apparatus and system WO2016086356A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201480083607.9A CN107113610A (en) 2014-12-02 2014-12-02 Method for authenticating, relevant apparatus and system in a kind of cordless communication network
PCT/CN2014/092793 WO2016086356A1 (en) 2014-12-02 2014-12-02 Authentication method within wireless communication network, related apparatus and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2014/092793 WO2016086356A1 (en) 2014-12-02 2014-12-02 Authentication method within wireless communication network, related apparatus and system

Publications (1)

Publication Number Publication Date
WO2016086356A1 true WO2016086356A1 (en) 2016-06-09

Family

ID=56090805

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/092793 WO2016086356A1 (en) 2014-12-02 2014-12-02 Authentication method within wireless communication network, related apparatus and system

Country Status (2)

Country Link
CN (1) CN107113610A (en)
WO (1) WO2016086356A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112867001A (en) * 2019-11-26 2021-05-28 维沃移动通信有限公司 Authentication method, terminal equipment and network equipment
CN112867001B (en) * 2019-11-26 2022-07-15 维沃移动通信有限公司 Authentication method, terminal equipment and network equipment

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111465007B (en) * 2019-01-18 2022-10-11 华为技术有限公司 Authentication method, device and system
CN112469043B (en) * 2019-09-09 2022-10-28 华为技术有限公司 Authentication method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101030854A (en) * 2006-03-02 2007-09-05 华为技术有限公司 Method and apparatus for inter-verifying network between multi-medium sub-systems
CN101123778A (en) * 2007-09-29 2008-02-13 大唐微电子技术有限公司 Network access authentication method and its USIM card
CN101466096A (en) * 2007-12-17 2009-06-24 大唐移动通信设备有限公司 Method and system for triggering synchronous failure of authentication process
CN101998395A (en) * 2009-08-27 2011-03-30 华为技术有限公司 Authentication vector acquisition method, home server and network system
CN103596176A (en) * 2013-10-18 2014-02-19 北京北方烽火科技有限公司 Authentication method and device of small-scale core network based on evolved packet system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101163326A (en) * 2006-10-12 2008-04-16 华为技术有限公司 Method, system and mobile terminal of preventing playback attack
CN102638794B (en) * 2007-03-22 2016-03-30 华为技术有限公司 Authentication and cryptographic key negotiation method, authentication method, system and equipment

Also Published As

Publication number Publication date
CN107113610A (en) 2017-08-29

Similar Documents

Publication Publication Date Title
CN109587688B (en) Security in inter-system mobility
CN106465106B (en) Method and system for providing security from a radio access network
US9654284B2 (en) Group based bootstrapping in machine type communication
US9189632B2 (en) Method for protecting security of data, network entity and communication terminal
US20200162913A1 (en) Terminal authenticating method, apparatus, and system
US11159940B2 (en) Method for mutual authentication between user equipment and a communication network
CN107005842B (en) Authentication method, related device and system in wireless communication network
CN112105021B (en) Authentication method, device and system
US11070376B2 (en) Systems and methods for user-based authentication
WO2018205148A1 (en) Data packet checking method and device
WO2020216338A1 (en) Parameter sending method and apparatus
US20230086032A1 (en) Key management method, device, and system
KR20150135032A (en) System and method for updating secret key using physical unclonable function
WO2015144042A1 (en) Method and device for network authentication certification
CN111831974A (en) Interface protection method and device, electronic equipment and storage medium
WO2016086356A1 (en) Authentication method within wireless communication network, related apparatus and system
JP6581221B2 (en) Method for replacing at least one authentication parameter for authenticating a security element and corresponding security element
CN111405016A (en) User information acquisition method and related equipment
WO2020147856A1 (en) Authentication processing method and device, storage medium, and electronic device
US20210258295A1 (en) Device and Method for Mediating Configuration of Authentication Information
WO2019192275A1 (en) Authentication method and network element
WO2018126791A1 (en) Authentication method and device, and computer storage medium
CN111132167B (en) Method for 5G user terminal to access 5G network, user terminal equipment and medium
CN112400335B (en) Method and computing device for performing data integrity protection
CN106304061B (en) User authentication method under fault weakening state

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 14907533; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 14907533; Country of ref document: EP; Kind code of ref document: A1