CN101677440A - Method, system and safe gateway of access point authentication - Google Patents

Method, system and safe gateway of access point authentication Download PDF

Info

Publication number
CN101677440A
CN101677440A CN200810161209A CN200810161209A CN101677440A CN 101677440 A CN101677440 A CN 101677440A CN 200810161209 A CN200810161209 A CN 200810161209A CN 200810161209 A CN200810161209 A CN 200810161209A CN 101677440 A CN101677440 A CN 101677440A
Authority
CN
China
Prior art keywords
access point
authentication
security gateway
described access
auth
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN200810161209A
Other languages
Chinese (zh)
Inventor
陈璟
刘晓寒
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN200810161209A priority Critical patent/CN101677440A/en
Publication of CN101677440A publication Critical patent/CN101677440A/en
Pending legal-status Critical Current

Links

Images

Abstract

The embodiment of the invention discloses a method, a system and a safe gateway of access point authentication, relating to the field of communication technology, which can effectively reduce menace that counterfeit access points pass the network authentication, and can ensure that legitimate access points pass the authentication to access network when the access points need to be authenticated for several times. The method provided by the embodiment of the invention comprises that the safe gateway acquires authentication types of access points and judges whether multi-time authentication processes of access points are initiated or not according to the required authentication types of the access points. Through the safe gateway actively judges whether multi-time authentication processes ofthe access points are initiated or not, the embodiment of the invention can effectively reduce that the counterfeit access points pass the network authentication, and simultaneously ensure that the legitimate access points pass the access network authentication.

Description

A kind of method of access point authentication, system and security gateway
Technical field
The present invention relates to communication technique field, particularly relate to a kind of method, system and security gateway of access point authentication.
Background technology
Home eNodeB (Home NodeB, HNB) be a kind of access point (Access Point, AP) equipment, it is a kind of femto cell of family expenses, the mobile subscriber can arrange this base station in hot spot coverage such as family, office spaces, by Internet or other IP network accessing mobile communication networks, obtain radio communication service.The introducing of Home eNodeB on the one hand, has solved the resource bottleneck problem of eating dishes without rice or wine in the wireless data service, makes the user can enjoy the network service of two-forty, high bandwidth; On the other hand, Home eNodeB inserts by Internet, has saved the transmission cost of mobile operator, has improved mobile network's capacity; And Home eNodeB is mainly used in hot spot regions such as family, office space, and the covering of backwoodsman blind spot, has improved mobile network's covering, has optimized the quality of network.
The auth type that on the 3GPP standard Home eNodeB is carried out has following several at present:
1) device authentication;
2) device authentication+independently side of having (HP, Hosting Party) authentication;
3) Bang Ding device authentication+HP authentication.
Wherein, device authentication can be realized by certificate (CERT) authentication to Home eNodeB, also can pass through EAP-AKA (Extensible Authentication Protocol-Authentication and KeyAgreement, Extensible Authentication Protocol-Authentication and Key Agreement) protocol authentication realizes; Can realize by certificate or EAP-AKA protocol authentication equally the HP authentication.For the Home eNodeB that will carry out the HP of device authentication+independently authentication, device authentication can adopt certificate to realize, the HP authentication can adopt the EAP-AKA agreement to realize.
After family's base station authentication success, Home eNodeB just can be used as a legal access point (AP) equipment access network.
In the prior art, at first, Home eNodeB HNB is to security gateway (Security Gateway, SeGW) send IKE (Internet Key Exchange, the Internet Key Exchange) initial exchange request message, security gateway returns IKE initial exchange response message to Home eNodeB, because security gateway need authenticate Home eNodeB based on the certificate of Home eNodeB, therefore in response message, comprise the certificate that CERTREQ asks Home eNodeB, and, can repeatedly authenticate (behind device authentication, carrying out the HP authentication) to Home eNodeB by its support of field MULTIPLE_AUTH_SUPPORTED indication Home eNodeB RFC4379 standard.
After IKE initial exchange flow process, Home eNodeB is to security gateway transmitting apparatus authentication request message, carry the device identification HNB ID of Home eNodeB in the request message, Home eNodeB certificate HNB CERT, authentication AUTH parameter, and,, in message, also need to carry configuration load CP (CFG_REQUEST) if the remote ip address of Home eNodeB needs dynamic-configuration by the certificate that CERTREQ asks security gateway; It supports the RFC4379 standard to Home eNodeB by field MULTIPLE_AUTH_SUPPORTED indication security gateway, can repeatedly authenticate, and it wishes to initiate next authentication by field ANOTHER_AUTH_FOLLOWS indication security gateway.
Security gateway is verified Home eNodeB certificate and the AUTH parameter in this message, and to Home eNodeB Returning equipment authentication response message, if the device authentication success, security gateway is gateway certificate SeGW CERT safe to carry in response message.
Home eNodeB to the security gateway certification authentication after, authenticate to the security gateway request next one: send the HP authentication request message to security gateway, in described HP authentication request message, carry the side's of having module (Hosting Party Module of Home eNodeB, HPM) address HPM ID begins independently HP identifying procedure.
In realizing process of the present invention, the inventor finds to exist at least in the prior art such problem:
In IKE initial exchange flow process, security gateway does not authenticate the identity of Home eNodeB, may exist the situation of the Home eNodeB of personation this moment, if the Home eNodeB of personation is in security gateway transmitting apparatus authentication request message, it wishes to initiate next authentication not send ANOTHER_AUTH_FOLLOWS field request security gateway to security gateway, this moment, security gateway was behind the Home eNodeB certificate of having verified personation, further authentication with finishing Home eNodeB can increase the threat of the Home eNodeB of personation by network authentication like this; And, also have such situation: legal Home eNodeB need carry out the HP authentication, but in security gateway transmitting apparatus authentication request message, do not carrying the ANOTHER_AUTH_FOLLOWS field, after legal Home eNodeB has passed through device authentication, might be no longer initiatively to the next authentication of security gateway request, no longer proceed the HP authentication, so just can't guarantee that legal Home eNodeB is by the authentication access network.
Summary of the invention
In view of this, be necessary to propose a kind of method, system and security gateway of access point authentication, can effectively reduce of the threat of the access point of personation by network authentication; When needs repeatedly authenticate access point, can guarantee that legal access point is by the authentication access network simultaneously.
For achieving the above object, the embodiment of the invention is achieved by the following technical solution:
On the one hand, provide a kind of method of access point authentication, comprising:
Security gateway obtains the auth type of access point;
Security gateway judges whether to initiate the repeatedly identifying procedure of described access point according to the auth type of the described access point that obtains.
On the other hand, provide a kind of security gateway, comprising:
The auth type acquiring unit is used to obtain the auth type of access point;
Judging unit is used for the auth type of the described access point that obtains according to the auth type acquiring unit, judges whether to initiate the repeatedly identifying procedure of described access point.
Again on the one hand, provide a kind of system of access point authentication, comprising:
Access point is used for to security gateway transmitting apparatus authentication request message;
Security gateway is used to receive the device authentication request message of access point, according to described device authentication request message access point is carried out device authentication; Obtain the auth type of described access point, and, judge whether to initiate the repeatedly identifying procedure of described access point according to the auth type of the described access point that obtains.
By above technical scheme as can be known, security gateway is by obtaining the auth type of access point, after the device authentication success of security gateway to access point, auth type according to the described access point that obtains, judge whether to initiate the repeatedly identifying procedure of described access point by security gateway, the access point that can avoid on the one hand palming off increases the threat of the access point of personation by network authentication by not sending the indication that repeatedly authenticates to security gateway, thereby can effectively reduce the threat of the access point of personation by network authentication; Can avoid on the other hand at legal access point by behind the device authentication, no longer initiatively to the next authentication of security gateway request, by initiatively initiating next identifying procedure by security gateway, thereby when legal access point need repeatedly authenticate, can guarantee that legal access point is by the authentication access network.
Description of drawings
The flow chart of the method for the access point authentication that Fig. 1 provides for the embodiment of the invention;
The identifying procedure figure that Fig. 2 provides for the embodiment of the invention one;
The identifying procedure figure that Fig. 3 provides for the embodiment of the invention two;
The identifying procedure figure that Fig. 4 provides for the embodiment of the invention three;
The identifying procedure figure that Fig. 5 provides for the embodiment of the invention four;
The structural representation of the security gateway that Fig. 6 provides for the embodiment of the invention;
The composition schematic diagram of the system of the access point authentication that Fig. 7 provides for the embodiment of the invention.
Embodiment
Below in conjunction with accompanying drawing the technical scheme that the embodiment of the invention provides is described in further detail.
Referring to Fig. 1, the method for a kind of access point authentication that Fig. 1 provides for the embodiment of the invention comprises:
Step 101, security gateway are obtained the auth type of access point.
The auth type of access point is divided into two big classes: single authentication and repeatedly authentication.For example, single authentication can be: the device authentication of device authentication, binding+HP authentication; Repeatedly authentication can be: device authentication+independently HP authentication.In these three kinds of auth types, device authentication is essential, and (sign a contract with operator and to hold the people of access point, be called Host Party on the 3GPP standard, authentication HP) is optional to the side of having.Authentication to HP comprises two kinds: a kind of is to bind together with device authentication to access point to finish; A kind of is independently HP authentication.
Auth type can represent that for example, 00 indication equipment authenticates with two binary number, 01 indication equipment authentication+independently HP authentication, and the device authentication+HP of 11 expression bindings authenticates.Can certainly represent auth type with other forms.
Whether access point is supported repeatedly authenticates, and can represent with one binary number, and for example, 0 expression only need be carried out device authentication, and 1 expression also needs to carry out the HP authentication except that carrying out device authentication.Can certainly represent whether access point supports many authentications with other forms.
Security gateway can obtain the auth type of access point by the following method:
One of method is obtained from the certificate of access point, and the certificate of described access point comprises the property value of expression access point authentication type.This certificate may be that operator or manufacturer sign and issue to access point, increases a property value by operator or manufacturer in certificate, and this property value is used to identify the auth type of access point.
Two of method is obtained from the device identification of access point, and the device identification of described access point is carried out different names according to auth type.Security gateway can obtain the auth type of access point according to the device identification of its access point that receives, thereby whether decision needs access point is carried out the authentication of HP.
Three of method is obtained from the network side server of preserving described access point authentication type, and the device identification of described network side server and described access point has corresponding relation.Can to be index with the device identification of access point obtain from the network side server of the auth type of preserving access point security gateway, the server of this network side can be a security gateway itself, AAA Server (AAA server, Authentication, Authorization and Accountiong Server), HSS (home subscriber server, Home Subscriber Server), perhaps server of an auth type of independently preserving access point etc.
Need to prove, it is more flexible that security gateway obtains the time ratio of auth type of access point, can be before access point be carried out device authentication, from the certificate of access point, in the device identification of access point or from the network side server of preserving described access point authentication type, obtain; Can carry out from the certificate of access point, obtaining in the device authentication process to access point; Also can after device authentication success, obtain the auth type of access point again to access point.
Step 102, security gateway judge whether to initiate the repeatedly identifying procedure of described access point according to the auth type of the described access point that obtains.
This step can have multiple implementation:
One of implementation, security gateway receives the device authentication request message of access point, device identification, certificate and the AUTH parameter of carrying described access point in the described request message;
If the auth type of the described access point that security gateway obtains is device authentication+independently HP authentication, then after security gateway is to described access point apparatus authentication success, security gateway is to the response message of described access point Returning equipment authentication success, and in described response message, carry EAP message (EAPRequest/Identity), initiate the HP authentication of described access point by security gateway.
Two of implementation, security gateway receives the device authentication request message of access point, device identification, certificate, AUTH parameter and the MULTIPLE_AUTH_SUPPORTED field of carrying described access point in the described request message;
If the auth type of the described access point that security gateway obtains is device authentication+independently HP authentication, then after security gateway is to described access point apparatus authentication success, security gateway is to the response message of described access point Returning equipment authentication success, and in described response message, carry the ANOTHER_AUTH_FOLLOWS field, ask described access point to initiate the HP authentication.
Three of implementation, security gateway receives the device authentication request message of access point, device identification, certificate, AUTH parameter and MULTIPLE_AUTH_SUPPORTED field and the ANOTHER_AUTH_FOLLOWS field of carrying described access point in the described request message;
Whether described security gateway receives described ANOTHER_AUTH_FOLLOWS field according to it from described device authentication request message, compare with the auth type of the described access point that obtains, and decides its next step behavior according to comparison result:
If the auth type of the described access point that security gateway obtains is device authentication+independently HP authentication, and from described device authentication request message, receive described ANOTHER_AUTH_FOLLOWS field, then after security gateway is to described access point apparatus authentication success, security gateway is to the response message of described access point Returning equipment authentication success, by the authentication of described access point initiation to HP; Perhaps security gateway is to the response message of described access point Returning equipment authentication success, and carries EAP message (EAP Request/Identity) in described response message, asks described access point to initiate the HP authentication;
If the auth type of the described access point that security gateway obtains is device authentication+independently HP authentication, but from described device authentication request message, do not receive described ANOTHER_AUTH_FOLLOWS field, then security gateway finishes the identifying procedure of described access point directly to the message of described access point Returning equipment authentification failure; Perhaps security gateway carried out the device authentication success to described access point after, security gateway finished the identifying procedure of described access point to the message of described access point Returning equipment authentification failure; Perhaps after security gateway is to described access point apparatus authentication success, security gateway is to the response message of described access point Returning equipment authentication success, and carries EAP Request/Identity in described response message, asks described access point to initiate the HP authentication.
Four of implementation, security gateway receives the device authentication request message of access point, carries device identification, certificate, the AUTH parameter of described access point in the described request message, and carry the identify label HPM ID of the side of the having HP of described access point in CP;
Whether described security gateway receives described HPM ID according to it from described device authentication request message, compare with the auth type of the described access point that obtains, and decides its next step behavior according to comparison result:
If the auth type of the described access point that security gateway obtains is device authentication+independently HP authentication, and from described device authentication request message, receive described HPM ID, then after security gateway is to described access point apparatus authentication success, security gateway sends the HP authentication request message to AAA Server, in described message, carry described HPM ID, directly carry out the HP identifying procedure of described access point;
If the auth type of the described access point that security gateway obtains is device authentication+independently HP authentication, but from described device authentication request message, do not receive described HPM ID, then security gateway finishes the identifying procedure of described access point directly to the message of described access point Returning equipment authentification failure; Perhaps security gateway carried out the device authentication success to described access point after, security gateway finished the identifying procedure of described access point to the message of described access point Returning equipment authentification failure; Perhaps after security gateway is to described access point apparatus authentication success, security gateway is to the response message of described access point Returning equipment authentication success, and in described response message, carry EAP message (EAP Request/Identity), ask described access point to initiate the HP authentication.
The method of the access point authentication that the embodiment of the invention provides, by obtaining the auth type of access point, after the device authentication success of security gateway to access point, auth type according to the described access point that obtains, judge whether to initiate the next identifying procedure of described access point by security gateway, the access point that can avoid on the one hand palming off increases the threat of the access point of personation by network authentication by not sending the indication that repeatedly authenticates to security gateway, thereby can effectively reduce the threat of the access point of personation by network authentication; Can avoid on the other hand at legal access point by behind the device authentication, no longer initiatively to the next authentication of security gateway request, by initiatively initiating next identifying procedure by security gateway, thereby when legal access point need repeatedly authenticate, can guarantee that legal access point is by the authentication access network.
Need to prove, one of ordinary skill in the art will appreciate that all or part of flow process that realizes in the foregoing description method, be to instruct relevant hardware to finish by computer program, this program can be stored in the computer read/write memory medium, when this program is carried out, can comprise flow process as the embodiment of above-mentioned each side method.Wherein, this storage medium can be magnetic disc, CD, read-only storage memory body (Read-OnlyMemory, ROM) or at random store memory body (Random Access Memory, RAM) etc.
Be example Home eNodeB is carried out the HP of device authentication+independently authentication below, the method for the access point authentication that the embodiment of the invention is provided elaborates.
Embodiment one
Referring to Fig. 2, Fig. 2 is the identifying procedure figure of the embodiment of the invention one:
Step 201, Home eNodeB sends IKE initial exchange request message to security gateway.
Step 202, security gateway returns IKE initial exchange request responding message to Home eNodeB.
Because security gateway need authenticate Home eNodeB based on the certificate of Home eNodeB, therefore in response message, carry the certificate that CERTREQ asks Home eNodeB.
Step 203, Home eNodeB is to security gateway transmitting apparatus authentication request message.
In request message, carry the device identification HNB ID of Home eNodeB, Home eNodeB certificate HNBCERT, AUTH parameter, the CERTREQ of request security gateway certificate, if the remote ip address of Home eNodeB needs dynamic-configuration, in request message, also carry configuration load CP (CFG_REQUEST).
Step 204, security gateway are obtained the auth type of Home eNodeB.
The mode that security gateway obtains the auth type of Home eNodeB comprises: 1) obtain from the certificate of Home eNodeB; 2) from the network side server of preserving the Home eNodeB auth type, obtain; 3) the device identification judgement according to Home eNodeB itself obtains.
Step 205, security gateway carries out device authentication to Home eNodeB.
Security gateway carries out device authentication by the certificate and the AUTH parameter of checking Home eNodeB to Home eNodeB.
Need to prove, security gateway obtains the auth type of Home eNodeB can be before Home eNodeB carries out the device authentication step, among or carry out afterwards.If the device authentication success, security gateway will judge whether to initiate the next identifying procedure of Home eNodeB according to the auth type that obtains.
Step 206, security gateway is to the response message of Home eNodeB Returning equipment authentication request.
The certificate SeGWGERT and the AUTH parameter of the identify label SeGW ID of gateway safe to carry, security gateway in response message, if security gateway is wished the next authentication of Home eNodeB initiation, in response message, also carry EAP message (EAP Request/Identity), the request Home eNodeB sends the identify label HPM ID of its side of having, thereby initiates the HP authentication.
Step 207, Home eNodeB is verified security gateway.
Home eNodeB is verified security gateway by the certificate SeGW GERT and the AUTH parameter of authenticating security gateway.When the authentication security gateway need be come in the family base station based on the certificate of security gateway, Home eNodeB need detect the AUTH parameter.
Step 208, Home eNodeB sends the HP authentication request message to security gateway.
After Home eNodeB passed through security gateway checking, Home eNodeB sent independently HP authentication request message to security gateway, carries the identify label HPM ID of the side of having of Home eNodeB in the described request message.Not carrying the AUTH parameter in the request message and be for what indicate its initiation to security gateway is the EAP-AKA identifying procedure.
Step 209, security gateway sends the EAP authentication request message to aaa server.
In described request message, carry empty EAP property value to (AVP), only be carried at the identify label HPM ID of the side of having of the Home eNodeB that receives in the previous step in the request message.
Step 210, aaa server obtains user profile and Ciphering Key on HSS (Home Subscriber Sever, home subscriber server) or HLR (Home Location Register, attaching position register).
Step 211, aaa server is initiated the EAP authentication challenge to security gateway.
In described EAP authentication challenge, carry EAP-Request/AKA-Challenge message.
Step 212, security gateway is transmitted the EAP authentication challenge to Home eNodeB.
In this EAP authentication challenge, carried the authentication challenge EAP-Request/AKA-Challenge message that aaa server is initiated to security gateway.
Step 213, Home eNodeB sends the response of EAP authentication challenge to security gateway.
In this EAP authentication challenge response message, carry EAP Response/AKA-Challenge.
Step 214, security gateway is transmitted the response of EAP authentication challenge to aaa server.
Step 215, aaa server returns EAP authentication success message to security gateway.
Carry key material (key material) in described EAP authentication success message, described key material is included in the master key (MSK) that generates in the authentication.
Step 216, security gateway use MSK to generate the AUTH parameter.
In order to authenticate IKE initial exchange request message, security gateway uses MSK to generate the AUTH parameter.
Step 217, security gateway returns EAP authentication success message to Home eNodeB.
So far, the HP authentication of Home eNodeB is finished.
Step 218, Home eNodeB use the MSK of self to generate the AUTH parameter.
Step 219, Home eNodeB sends AUTH parameter checking request message to security gateway.
Home eNodeB sends to security gateway with the AUTH parameter that self generates.
Step 220, security gateway checking AUTH parameter.
In this step, security gateway uses the correctness of the AUTH parameter that the AUTH parameter checking that self generates receives from Home eNodeB.
Step 221, security gateway returns AUTH parameter authentication response information to Home eNodeB.
After the AUTH parameter is proved to be successful, security gateway returns AUTH parameter authentication response information to Home eNodeB, in described response message remote I P, security association and remaining IKE parameter of Home eNodeB request are issued Home eNodeB together, so far entire I KE consults to finish.
The embodiment of the invention one is a replacement scheme of prior art, at Home eNodeB in security gateway transmitting apparatus authentication request message, it supports the RFC4379 standard not carry field MULTIPLE_AUTH_SUPPORTED indication security gateway, and it wishes to initiate repeatedly authentication also not carry field ANOTHER_AUTH_FOLLOWS indication security gateway.Determine whether initiating the HP authentication by security gateway according to the Home eNodeB type of obtaining, after the device authentication success of security gateway to Home eNodeB, whether the auth type decision that the security gateway basis is obtained is to the next authentication of Home eNodeB request.
Embodiment two
Referring to Fig. 3, Fig. 3 is the identifying procedure figure of the embodiment of the invention two:
Step 301, Home eNodeB sends IKE initial exchange request message to security gateway.
Step 302, security gateway returns IKE initial exchange request responding message to Home eNodeB.
Because security gateway need authenticate Home eNodeB based on the certificate of Home eNodeB, therefore in response message, carry the certificate that CERTREQ asks Home eNodeB; It supports the RFC4379 standard to security gateway by MULTIPLE_AUTH_SUPPORTED field indication Home eNodeB in response message.
Step 303, Home eNodeB is to security gateway transmitting apparatus authentication request message.
In request message, carry the device identification HNB ID of Home eNodeB, Home eNodeB certificate HNBCERT, AUTH parameter, the CERTREQ of request security gateway certificate, if the remote ip address of Home eNodeB needs dynamic-configuration, in request message, also carry configuration load CP (CFG_REQUEST); It supports the RFC4379 standard to Home eNodeB by MULTIPLE_AUTH_SUPPORTED field indication security gateway.
Step 304, security gateway are obtained the auth type of Home eNodeB.
The mode that security gateway obtains the auth type of Home eNodeB comprises: 1) obtain from the certificate of Home eNodeB; 2) from the network side server of preserving the Home eNodeB auth type, obtain; 3) the device identification judgement according to Home eNodeB itself obtains.
Step 305, security gateway carries out device authentication to Home eNodeB.
Security gateway carries out device authentication by the certificate and the AUTH parameter of checking Home eNodeB to Home eNodeB.
Need to prove, security gateway obtains the auth type of Home eNodeB can be before Home eNodeB carries out the device authentication step, among or carry out afterwards.If the device authentication success, security gateway will judge whether to initiate the next identifying procedure of Home eNodeB also according to the auth type that obtains.
Step 306, security gateway is to the response message of Home eNodeB Returning equipment authentication request.
The certificate SeGWGERT and the AUTH parameter of the identify label SeGW ID of gateway safe to carry, security gateway in response message, if security gateway is wished the next authentication of Home eNodeB initiation, in response message, also carry the ANOTHER_AUTH_FOLLOWS field, the request Home eNodeB sends the identify label HPM ID of its side of having, thereby initiates the HP authentication.
Step 307, Home eNodeB is verified security gateway.
Home eNodeB is verified security gateway by the certificate SeGW GERT and the AUTH parameter of authenticating security gateway.When the authentication security gateway need be come in the family base station based on the certificate of security gateway, Home eNodeB need detect the AUTH parameter.
Step 308, Home eNodeB sends the HP authentication request message to security gateway.
After Home eNodeB passed through security gateway checking, Home eNodeB sent independently HP authentication request message to security gateway, carries the identify label HPM ID of the side of having of Home eNodeB in the described request message.Not carrying the AUTH parameter in the request message and be for what indicate its initiation to security gateway is the EAP-AKA identifying procedure.
Security gateway and Home eNodeB are finished the EAP-AKA verification process with the step 209~step 221 among the embodiment one by aaa server and HSS/HLR, do not repeat them here.
The embodiment of the invention two is improvement projects of prior art, it wishes to initiate next authentication not carry ANOTHER_AUTH_FOLLOWS field indication security gateway in the device authentication request of Home eNodeB, is judged whether to initiate the next one authentication of Home eNodeB according to the auth type that obtains by security gateway.After the device authentication success of security gateway to Home eNodeB, whether security gateway passes through field ANOTHER_AUTH_FOLLOWS to the next authentication of Home eNodeB request according to the auth type decision of obtaining.
Embodiment three
Referring to Fig. 4, Fig. 4 is the identifying procedure figure of the embodiment of the invention three:
Step 401, Home eNodeB sends IKE initial exchange request message to security gateway.
Step 402, security gateway returns IKE initial exchange request responding message to Home eNodeB.
Because security gateway need authenticate Home eNodeB based on the certificate of Home eNodeB, therefore in response message, carry the certificate that CERTREQ asks Home eNodeB; It supports the RFC4379 standard to security gateway by MULTIPLE_AUTH_SUPPORTED field indication Home eNodeB in response message.
Step 403, Home eNodeB is to security gateway transmitting apparatus authentication request message.
In request message, carry the device identification HNB ID of Home eNodeB, Home eNodeB certificate HNBCERT, AUTH parameter, the CERTREQ of request security gateway certificate, if the remote ip address of Home eNodeB needs dynamic-configuration, in request message, also carry configuration load CP (CFG_REQUEST); It supports the RFC4379 standard to Home eNodeB by MULTIPLE_AUTH_SUPPORTED field indication security gateway, and it wishes to initiate next authentication by ANOTHER_AUTH_FOLLOWS field indication security gateway.
Step 404, security gateway are obtained the auth type of Home eNodeB.
The mode that security gateway obtains the auth type of Home eNodeB comprises: 1) obtain from the certificate of Home eNodeB; 2) from the network side server of preserving the Home eNodeB auth type, obtain; 3) the device identification judgement according to Home eNodeB itself obtains.
Step 405, security gateway carries out device authentication to Home eNodeB.
Security gateway carries out device authentication by the certificate and the AUTH parameter of checking Home eNodeB to Home eNodeB.
Need to prove that the auth type that security gateway obtains Home eNodeB can carry out before Home eNodeB carries out the device authentication step.In this case, whether the auth type that the indication that security gateway at first repeatedly authenticates according to the carrying out of carrying in the device authentication request message (field ANOTHER_AUTH_FOLLOWS) and security gateway obtain is consistent judges, if inconsistent, then security gateway may no longer carry out device authentication and direct response message to Home eNodeB Returning equipment authentification failure to Home eNodeB; Perhaps, after to the household base station device authentication success, security gateway judges whether to initiate the next identifying procedure of Home eNodeB according to the auth type that obtains at security gateway.Certainly, security gateway obtains the auth type of Home eNodeB also can be among Home eNodeB carries out device authentication or carry out afterwards, in both cases, at security gateway after to the household base station device authentication success, to judge whether to initiate the next identifying procedure of Home eNodeB according to the auth type that obtains.
Step 406, security gateway receive ANOTHER_AUTH_FOLLOWS field with whether in the slave unit authentication request message with the auth type that obtains compares, and decides its next step behavior according to comparison result:
If the auth type that security gateway obtains is device authentication+independently HP authentication, and receive the ANOTHER_AUTH_FOLLOWS field in the slave unit authentication request message, then security gateway is to the response message of Home eNodeB Returning equipment authentication success, by the authentication of Home eNodeB initiation to HP; Remaining flow process is same as prior art fully.
Perhaps, if the auth type that security gateway obtains is device authentication+independently HP authentication, and receive the ANOTHER_AUTH_FOLLOWS field in the slave unit authentication request message, then security gateway is to the response message of Home eNodeB Returning equipment authentication success, and in described response message, carry EAPRequest/Identity message, the request Home eNodeB is initiated the HP authentication, and the step 206~step 221 among all the other flow processs such as the embodiment one does not repeat them here;
If the auth type that security gateway obtains is device authentication+independently HP authentication, but do not receive the ANOTHER_AUTH_FOLLOWS field in the slave unit authentication request message, then security gateway finishes the identifying procedure of Home eNodeB to the response message of Home eNodeB Returning equipment authentification failure; The Home eNodeB that such operation can be avoided palming off increases the threat of the Home eNodeB of personation by network authentication by not sending the next indication that authenticates to security gateway, thereby can effectively reduce the threat of the Home eNodeB of personation by network authentication.
Perhaps, if the auth type that security gateway obtains is device authentication+independently HP authentication, but do not receive the ANOTHER_AUTH_FOLLOWS field in the slave unit authentication request message, then security gateway is to the response message of Home eNodeB Returning equipment authentication success, and in described response message, carrying the EAPRequest/Identity field, the request Home eNodeB is initiated the HP authentication; Such operation can be avoided at legal Home eNodeB by behind the device authentication, no longer initiatively can't guarantee that to the next authentication of security gateway request legal Home eNodeB is by the authentication access network, by initiatively initiating next identifying procedure by security gateway, thereby when legal Home eNodeB need carry out the HP of device authentication+independently authentication, can guarantee that legal Home eNodeB is by the authentication access network.
The embodiment of the invention three also is an improvement project of prior art, after the device authentication success of security gateway to Home eNodeB, whether security gateway receives the ANOTHER_AUTH_FOLLOWS field in the slave unit authentication request with the auth type that obtains and its compares, and determines whether initiating the next identifying procedure of Home eNodeB according to comparison result.
Embodiment four
Referring to Fig. 5, Fig. 5 is the identifying procedure figure of the embodiment of the invention four:
Step 501, Home eNodeB sends IKE initial exchange request message to security gateway.
Step 502, security gateway returns IKE initial exchange request responding message to Home eNodeB.
Because security gateway need authenticate Home eNodeB based on the certificate of Home eNodeB, therefore in response message, carry the certificate that CERTREQ asks Home eNodeB.
Step 503, Home eNodeB is to security gateway transmitting apparatus authentication request message.
In request message, carry the device identification HNB ID of Home eNodeB, Home eNodeB certificate HNBCERT, AUTH parameter, the CERTREQ of request security gateway certificate, if the remote ip address of Home eNodeB needs dynamic-configuration, in request message, also carry configuration load CP (CFG_REQUEST); If the Home eNodeB support authenticates more, identify label HPM ID that also will the side of having HP is carried in the CP load.
Step 504, security gateway are obtained the auth type of Home eNodeB.
The mode that security gateway obtains the auth type of Home eNodeB comprises: 1) obtain from the certificate of Home eNodeB; 2) from the network side server of preserving the Home eNodeB auth type, obtain; 3) the device identification judgement according to Home eNodeB itself obtains.
Step 505, security gateway carries out device authentication to Home eNodeB.
Security gateway carries out device authentication by the certificate and the AUTH parameter of checking Home eNodeB to Home eNodeB.
Need to prove that the auth type that security gateway obtains Home eNodeB can carry out before Home eNodeB carries out the device authentication step.In this case, whether security gateway has at first carried HPM ID according to the device authentication request message, if do not carry, then security gateway may no longer carry out device authentication and directly to Home eNodeB return authentication failure to Home eNodeB; Perhaps, after security gateway is to the household base station device authentication success, security gateway will judge whether to initiate the next identifying procedure of Home eNodeB according to the auth type that obtains.Certainly, security gateway obtains the auth type of Home eNodeB also can be among Home eNodeB carries out device authentication or carry out afterwards, in both cases, at security gateway after to the household base station device authentication success, to judge whether to initiate the next identifying procedure of Home eNodeB according to the auth type that obtains.
Step 506, security gateway receive HPM ID with whether in the slave unit authentication request message with the auth type that obtains compares, and decides its next step behavior according to comparison result:
If the auth type that security gateway obtains is device authentication+independently HP authentication, and receive HPM ID in the slave unit authentication request message, then security gateway sends the HP authentication request message to AAA Server, in described message, carry this HPM ID, directly carry out the HP identifying procedure of described access point, promptly continue the flow process of step 507.
If the auth type that security gateway obtains is device authentication+independently HP authentication, but does not receive HPM ID in the slave unit authentication request message, then security gateway finishes the identifying procedure of Home eNodeB to the response message of Home eNodeB Returning equipment authentification failure; The Home eNodeB that such operation can be avoided palming off increases the threat of the Home eNodeB of personation by network authentication by not sending the next indication that authenticates to security gateway, thereby can effectively reduce the threat of the Home eNodeB of personation by network authentication.
Perhaps, if the auth type that security gateway obtains is device authentication+independently HP authentication, but do not receive HPM ID in the slave unit authentication request message, then security gateway is to the response message of Home eNodeB Returning equipment authentication success, and in described response message, carrying EAP Request/Identity message, the request Home eNodeB is initiated the HP authentication; Such operation can be avoided at legal Home eNodeB by behind the device authentication, no longer initiatively can't guarantee that to the next authentication of security gateway request legal Home eNodeB is by the authentication access network, by initiatively initiating next identifying procedure by security gateway, thereby when legal Home eNodeB need carry out the HP of device authentication+independently authentication, can guarantee that legal Home eNodeB is by the authentication access network.
Step 507, security gateway sends the EAP authentication request message to aaa server.
In described request message, carry empty EAP property value to (AVP), only be carried at the identify label HPM ID of the side of having of the Home eNodeB that receives in the step 503 in the request message.
Step 508, aaa server obtains user profile and Ciphering Key on HSS (Home Subscriber Sever, home subscriber server) or HLR (Home Location Register, attaching position register).
Step 509, aaa server is initiated the EAP authentication challenge to security gateway.
In described EAP authentication challenge, carry EAP-Request/AKA-Challenge message.
Step 510, security gateway is transmitted the EAP authentication challenge to Home eNodeB.
In this EAP authentication challenge, carried the authentication challenge EAP-Request/AKA-Challenge message that aaa server is initiated to security gateway, and the certificate SeGW GERT and the AUTH parameter of the identify label SeGW ID of security gateway, security gateway.
Step 511, Home eNodeB are verified security gateway.
Home eNodeB is verified security gateway by the certificate SeGW GERT and the AUTH parameter of authenticating security gateway.When the authentication security gateway need be come in the family base station based on the certificate of security gateway, Home eNodeB need detect the AUTH parameter.
Step 512~step 520 is same as the step 213~step 221 among the embodiment one successively, does not repeat them here.
The embodiment of the invention four is replacement schemes of prior art, if the Home eNodeB support authenticates more, then at Home eNodeB in the device authentication request message that security gateway sends, the identify label HPMID of HP is carried in the CP load.Security gateway is after the device authentication success to Home eNodeB, whether security gateway receives HPM ID in the slave unit authentication request according to the auth type that obtains and its compares, and determines whether initiating the next identifying procedure of Home eNodeB according to comparison result.
Need to prove that the method for the access point authentication that provides in the embodiment of the invention is equally applicable to the situation of device authentication+HP authentication that access point only carries out device authentication or bind.In above embodiment, if the auth type of the access point that security gateway obtains (Home eNodeB) is the device authentication that only carries out device authentication or bind+HP authentication, security gateway (step 205, step 305 among the above embodiment) after obtaining the auth type step of Home eNodeB then, directly, finish authentication to Home eNodeB to the response message of Home eNodeB Returning equipment authentication request.
Perhaps, if the auth type of the access point that security gateway obtains (Home eNodeB) is the device authentication that only carries out device authentication or bind+HP authentication, and do not receive the indication (ANOTHER_AUTH_FOLLOWS field or HMP ID) of further authentication in the slave unit authentication, (the step 406 among the above embodiment security gateway receives with whether the auth type that obtains the step that next step authentication indication compares in the slave unit authentication request message after then, step 506), directly, finish authentication to Home eNodeB to the response message of Home eNodeB Returning equipment authentication request.
Perhaps, if the auth type of the access point that security gateway obtains (Home eNodeB) is the device authentication that only carries out device authentication or bind+HP authentication, but receive the indication (ANOTHER_AUTH_FOLLOWS field or HMP ID) of further authentication in the slave unit authentication, (the step 406 among the above embodiment security gateway receives with whether the auth type that obtains the step that next step authentication indication compares in the slave unit authentication request message after then, step 506), security gateway determines whether that according to operator or some regulations of itself needs carry out device authentication to access point (Home eNodeB), still take other behavior.
The embodiment of the invention also provides a kind of security gateway, and referring to Fig. 6, the structural representation of the security gateway that Fig. 6 provides for the embodiment of the invention comprises:
Auth type acquiring unit 601 is used to obtain the auth type of described access point;
Judging unit 602 is used for the auth type of the described access point that obtains according to auth type acquiring unit 601, judges whether to initiate the repeatedly identifying procedure of described access point.
Described auth type acquiring unit 601 comprises:
Acquisition module one is used for obtaining from the certificate of described access point, and the certificate of described access point comprises the property value of expression access point authentication type;
Acquisition module two is used for obtaining from the device identification of described access point, and the device identification of described access point is carried out different names according to auth type;
Acquisition module three is used for obtaining from the network side server of preserving described access point authentication type, and the device identification of described network side server and described access point has corresponding relation.
The security gateway that the embodiment of the invention provides also comprises:
Ask receiving element 603, be used to receive the device authentication request message of access point;
Device authentication unit 604 is used for according to described device authentication request message access point being carried out device authentication;
Response transmitting element 605 is used for sending described device authentication request responding message according to described judging unit 602 to access point.
Wherein, request receiving element 603 can have multiple reception request message mode, comprising:
Ask receiver module one, be used to receive the device authentication request message of access point, carry the device identification, certificate and the AUTH parameter that comprise described access point in the described request message;
Ask receiver module two, be used to receive the device authentication request message of access point, carry the device identification, certificate, AUTH parameter and the MULTIPLE_AUTH_SUPPORTED field that comprise described access point in the described request message;
Request receiver module three, be used to receive the device authentication request message of access point, carry device identification, certificate, AUTH parameter and the MULTIPLE_AUTH_SUPPORTED field and the ANOTHER_AUTH_FOLLOWS field that comprise described access point in the described request message;
Request receiver module four, be used to receive the device authentication request message of access point, carry the device identification, certificate, the AUTH parameter that comprise described access point in the described request message, and in configuration load CP, carry the identify label HPM ID of the side of the having HP of described access point.
In a kind of optimization embodiment, described judging unit 602 also is used for whether receiving the indication that repeatedly authenticates from described device authentication request message according to it, compare with the auth type of the described access point that obtains, judge whether to initiate the repeatedly identifying procedure of described access point.
Correspondingly, response transmitting element 605 also has multiple response send mode, comprising:
Response sending module one is used for the response message to described access point transmitting apparatus authentication success, and carries EAP message in described response message, is initiated the HP authentication of described access point by security gateway;
Response sending module two is used for the response message to described access point transmitting apparatus authentication success, and carries the ANOTHER_AUTH_FOLLOWS field in described response message, asks described access point to initiate the HP authentication;
Response sending module three is used for the response message to described access point transmitting apparatus authentication success, by the authentication of described access point initiation to HP;
Response sending module four is used for the response message to described access point transmitting apparatus authentification failure, finishes the identifying procedure of described access point.
Described security gateway also comprises:
HP authentication request unit 606 is used for carrying described HPM ID according to sending the HP authentication request message to AAA server AAA Server in described message, directly carries out the HP identifying procedure of described access point.
For example, request receiver module one receives the device authentication request message of access point, if the auth type that auth type acquiring unit 601 gets access to is the HP of device authentication+independently authentication, judging unit 602 or send described device authentication request responding message then by response sending module one or by response sending module three-dimensional access point.
For another example, request receiver module two receives the device authentication request message of access point, if the auth type that auth type acquiring unit 601 gets access to is device authentication+independently HP authentication, then judging unit 602 can send described device authentication request responding message to access point by response sending module two.
For another example, request receiver module three receives the device authentication request message of access point, if the auth type that auth type acquiring unit 601 gets access to is device authentication+independently HP authentication, but do not receive described ANOTHER_AUTH_FOLLOWS field in the slave unit authentication request message, then judging unit 602 finishes the identifying procedure of access point by the response message of response sending module four-way access point transmitting apparatus authentification failure; The Home eNodeB that such operation can be avoided palming off increases the threat of the Home eNodeB of personation by network authentication by not sending the next indication that authenticates to security gateway, thereby can effectively reduce the threat of the Home eNodeB of personation by network authentication.
Perhaps, judging unit 602 passes through the response message of response sending module one to access point transmitting apparatus authentication success, and carries EAP Request/Identity field in described response message, asks described access point to initiate the HP authentication; Such operation can be avoided at legal Home eNodeB by behind the device authentication, no longer initiatively can't guarantee that to the next authentication of security gateway request legal Home eNodeB is by the authentication access network, by initiatively initiating next identifying procedure by security gateway, thereby when legal Home eNodeB need carry out the HP of device authentication+independently authentication, can guarantee that legal Home eNodeB is by the authentication access network.
For another example, request receiver module four receives the device authentication request message of access point, if the auth type that auth type acquiring unit 601 gets access to is device authentication+independently HP authentication, and receive described HPM ID in the slave unit authentication request message, then judging unit 602 sends the HP authentication request message by HP authentication request unit 606 to AAA Server, directly carries out the HP identifying procedure of access point.
The security gateway that the embodiment of the invention provides, obtain the auth type of access point by auth type acquiring unit 601, by the auth type of judging unit 602 according to the access point that obtains, judge whether to initiate the repeatedly identifying procedure of described access point, the access point that can avoid on the one hand palming off increases the threat of the access point of personation by network authentication by not sending the indication that repeatedly authenticates to security gateway, thereby can effectively reduce the threat of the access point of personation by network authentication; Can avoid on the other hand at legal access point by behind the device authentication, no longer initiatively to the next authentication of security gateway request, by initiatively initiating next identifying procedure by security gateway, thereby when legal access point need carry out the HP of device authentication+independently authentication, can guarantee that legal access point is by the authentication access network.
The embodiment of the invention also provides a kind of system of access point authentication, and referring to Fig. 7, the composition schematic diagram of the system of the access point authentication that Fig. 7 provides for the embodiment of the invention comprises:
Access point 710 is used for to security gateway 720 transmitting apparatus authentication request message;
Security gateway 720 is used to receive the device authentication request message of access point 710, according to described device authentication request message access point is carried out device authentication; Obtain the auth type of described access point, and, judge whether to initiate the repeatedly identifying procedure of described access point according to the auth type of the described access point that obtains.
Described security gateway 720 also is used for whether receiving the repeatedly indication of authentication from described device authentication request message according to it, compares with the auth type of the described access point that obtains, and judges whether to initiate the next identifying procedure of described access point.
For example, access point carries ANOTHER_AUTH_FOLLOWS field or HPM ID in the device authentication request message that security gateway sends, be used to indicate its hope of security gateway repeatedly to authenticate, then the auth type of the security gateway 720 described access point that will obtain is compared with the indication that whether receives repeatedly authentication from described device authentication request message, judges whether to initiate the next identifying procedure of described access point according to the result of comparison.
According to the judged result of security gateway, security gateway sends described device authentication request responding message to described access point, and described response message comprises following arbitrary situation:
To the response message of described access point transmitting apparatus authentication success, and in described response message, carry EAP Request/Identity message, ask described access point to initiate the HP authentication;
Or, to the response message of described access point transmitting apparatus authentication success, and in described response message, carry the ANOTHER_AUTH_FOLLOWS field, ask described access point to initiate the HP authentication;
Or, to the response message of described access point transmitting apparatus authentication success, by the authentication of described access point initiation to HP;
Or, to the response message of described access point transmitting apparatus authentification failure, finish the identifying procedure of described access point.
Described security gateway also is used for sending the HP authentication request message to AAA server AAA Server, carries described HPM ID in described message, directly carries out the HP identifying procedure of described access point.
For example, if the auth type that security gateway obtains is device authentication+independently HP authentication, and receive the ANOTHER_AUTH_FOLLOWS field in the slave unit authentication request message, then security gateway is to the response message of Home eNodeB Returning equipment authentication success, and in described response message, carrying the EAPRequest/Identity field, the request Home eNodeB is initiated the HP authentication.
For another example, if the auth type that security gateway obtains is device authentication+independently HP authentication, and receive HPM ID in the slave unit authentication request message, then security gateway sends the HP authentication request message to AAA Server, in described message, carry this HPM ID, directly carry out the HP identifying procedure of described access point.
For another example, if the auth type that security gateway obtains is device authentication+independently HP authentication, but do not receive the ANOTHER_AUTH_FOLLOWS field in the slave unit authentication request message, then security gateway finishes the identifying procedure of described access point directly to described access point return authentication failure; Perhaps security gateway carried out the device authentication success to described access point after, security gateway finished the identifying procedure of Home eNodeB to the response message of Home eNodeB Returning equipment authentification failure; The Home eNodeB that such operation can be avoided palming off increases the threat of the Home eNodeB of personation by network authentication by not sending the indication that repeatedly authenticates to security gateway, thereby can effectively reduce the threat of the Home eNodeB of personation by network authentication.
For another example, if the auth type that security gateway obtains is device authentication+independently HP authentication, but do not receive the ANOTHER_AUTH_FOLLOWS field in the slave unit authentication request message, then security gateway is to the response message of Home eNodeB Returning equipment authentication success, and in described response message, carrying the EAPRequest/Identity field, the request Home eNodeB is initiated the HP authentication; Such operation can be avoided at legal Home eNodeB by behind the device authentication, no longer initiatively can't guarantee that to the next authentication of security gateway request legal Home eNodeB is by the authentication access network, by initiatively initiating next identifying procedure by security gateway, thereby when legal Home eNodeB need carry out the HP of device authentication+independently authentication, can guarantee that legal Home eNodeB is by the authentication access network.
In the system that the embodiment of the invention provides, access point is a Home eNodeB.
The system that the embodiment of the invention provides, obtain the auth type of described access point by security gateway, after device authentication success to access point, auth type according to the access point that obtains, judge whether to initiate the repeatedly identifying procedure of described access point by security gateway, the access point that can avoid on the one hand palming off increases the threat of the access point of personation by network authentication by not sending the indication that repeatedly authenticates to security gateway, thereby can effectively reduce the threat of the access point of personation by network authentication; Can avoid on the other hand at legal access point by behind the device authentication, no longer initiatively to the next authentication of security gateway request, by initiatively initiating next identifying procedure by security gateway, thereby when legal access point need carry out the HP of device authentication+independently authentication, can guarantee that legal access point is by the authentication access network.
More than method, system and the security gateway of the access point authentication that the embodiment of the invention provided is described in detail, the present invention mainly is the auth type that obtains access point by security gateway, auth type according to the described access point that obtains, judge whether to initiate the next identifying procedure of described access point by security gateway, reduce of the threat of the access point of personation by network authentication, when needs repeatedly authenticate access point, guarantee that legal access point is by the authentication access network simultaneously.The explanation of embodiment just is used for helping to understand method of the present invention and thought thereof; Anyly be familiar with those skilled in the art in the technical scope that the present invention discloses, can expect easily changing or replacing, all should be encompassed within protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion by described protection range with claim.

Claims (20)

1, a kind of method of access point authentication is characterized in that, comprising:
Security gateway obtains the auth type of access point;
Security gateway judges whether to initiate the repeatedly identifying procedure of described access point according to the auth type of the described access point that obtains.
2, method according to claim 1 is characterized in that, the method that described security gateway obtains the auth type of access point comprises:
Obtain from the certificate of described access point, the certificate of described access point comprises the property value of expression access point authentication type;
Perhaps, obtain from the device identification of described access point, the device identification of described access point is carried out different names according to auth type;
Perhaps, obtain from the network side server of preserving described access point authentication type, the device identification of described network side server and described access point has corresponding relation.
3, method according to claim 1 is characterized in that, described security gateway obtains the step of the auth type of access point:
Can carry out obtaining before the device authentication to described access point at security gateway;
Perhaps described access point is carried out obtaining in the device authentication process at security gateway;
Perhaps carrying out the device authentication success to described access point after, obtains security gateway.
4, method according to claim 1 is characterized in that, the auth type step that described security gateway obtains access point also comprises before:
Security gateway receives the device authentication request message of described access point, carries the device identification, certificate and the parameters for authentication AUTH that comprise described access point in the described request message;
Described security gateway is according to the auth type of the described access point that obtains, and the step that judges whether to initiate the repeatedly identifying procedure of described access point comprises:
If the auth type of the access point that security gateway obtains is the device authentication+independently side of having HP authentication, then security gateway carries out the device authentication success to described access point after, response message to described access point Returning equipment authentication success, and in described response message, carry Extensible Authentication Protocol EAP message, initiate the side of the having HP authentication of described access point by security gateway.
5, method according to claim 1 is characterized in that, the auth type step that described security gateway obtains access point also comprises before:
Security gateway receives the device authentication request message of described access point, carry in the described request message device identification that comprises described access point, certificate, parameters for authentication AUTH and and the MULTIPLE_AUTH_SUPPORTED field;
Described security gateway is according to the auth type of the described access point that obtains, and the step that judges whether to initiate the repeatedly identifying procedure of described access point comprises:
If the auth type of the access point that security gateway obtains is the device authentication+independently side of having HP authentication, then security gateway carries out the device authentication success to described access point after, response message to described access point Returning equipment authentication success, and in described response message, carry the ANOTHER_AUTH_FOLLOWS field, ask described access point to initiate the side of having HP authentication.
6, method according to claim 1 is characterized in that, the auth type step that described security gateway obtains access point also comprises before:
Security gateway receives the device authentication request message of described access point, carries device identification, certificate, parameters for authentication AUTH and the MULTIPLE_AUTH_SUPPORTED field, the ANOTHER_AUTH_FOLLOWS field that comprise described access point in the described request message;
Described security gateway is according to the auth type of the described access point that obtains, and the step that judges whether to initiate the repeatedly identifying procedure of described access point comprises:
Whether described security gateway receives described ANOTHER_AUTH_FOLLOWS field according to it from described device authentication request message, compare with the auth type of the described access point that obtains, judge whether to initiate the side of the having HP identifying procedure of described access point.
7, method according to claim 6 is characterized in that,
Whether described security gateway receives described ANOTHER_AUTH_FOLLOWS field according to it from described device authentication request message, compare with the auth type of the described access point that obtains, judge whether to initiate the step of the side of the having HP identifying procedure of described access point, further comprise:
If the auth type of the described access point that security gateway obtains is device authentication+independently HP authentication, and from described device authentication request message, receive described ANOTHER_AUTH_FOLLOWS field, then security gateway carries out the device authentication success to described access point after, security gateway is initiated the HP authentication to the response message of described access point Returning equipment authentication success by described access point; Perhaps security gateway carries out the device authentication success to described access point after, security gateway is to the response message of described access point Returning equipment authentication success, and in described response message, carry Extensible Authentication Protocol EAP message, ask described access point to initiate the HP authentication;
If the auth type of the described access point that security gateway obtains is device authentication+independently HP authentication, but from described device authentication request message, do not receive described ANOTHER_AUTH_FOLLOWS field, then security gateway finishes the identifying procedure of described access point directly to the message of described access point Returning equipment authentification failure; Perhaps security gateway carried out the device authentication success to described access point after, security gateway finished the identifying procedure of described access point to the message of described access point Returning equipment authentification failure; Perhaps security gateway carries out the device authentication success to described access point after, security gateway is to the response message of described access point Returning equipment authentication success, and in described response message, carry Extensible Authentication Protocol EAP message, ask described access point to initiate the HP authentication.
8, method according to claim 1 is characterized in that, the auth type step that described security gateway obtains access point also comprises before:
Security gateway receives the device authentication request message of access point, carries the device identification, certificate and the parameters for authentication AUTH that comprise described access point in the described request message, and carries the identify label HPM ID of the side of the having HP of described access point in configuration load CP;
Described security gateway is according to the auth type of the described access point that obtains, and the step that judges whether to initiate the repeatedly identifying procedure of described access point comprises:
Whether described security gateway receives described HPM ID according to it from described device authentication request message, compare with the auth type of the described access point that obtains, and judges whether to initiate the HP identifying procedure of described access point.
9, method according to claim 8, it is characterized in that, whether described security gateway receives described HPM ID according to it from described device authentication request message, compare with the auth type of the described access point that obtains, judge whether to initiate the step of the HP identifying procedure of described access point, further comprise:
If the auth type of the described access point that security gateway obtains is device authentication+independently HP authentication, and from described device authentication request message, receive described HPM ID, then security gateway carries out the device authentication success to described access point after, security gateway sends the HP authentication request message to AAA server AAA Server, in described message, carry described HPM ID, directly carry out the HP identifying procedure of described access point;
If the auth type of the described access point that security gateway obtains is device authentication+independently HP authentication, but from described device authentication request message, do not receive described HPM ID, then security gateway finishes the identifying procedure of described access point directly to the message of described access point Returning equipment authentification failure; Perhaps security gateway carried out the device authentication success to described access point after, security gateway finished the identifying procedure of described access point to the response message of described access point Returning equipment authentification failure; Perhaps security gateway carries out the device authentication success to described access point after, security gateway is to the response message of described access point Returning equipment authentication success, and in described response message, carry Extensible Authentication Protocol EAP message, ask described access point to initiate the HP authentication.
10, a kind of security gateway is characterized in that, comprising:
The auth type acquiring unit is used to obtain the auth type of access point;
Judging unit is used for the auth type of the described access point that obtains according to the auth type acquiring unit, judges whether to initiate the repeatedly identifying procedure of described access point.
11, security gateway according to claim 10 is characterized in that, described auth type acquiring unit comprises:
Acquisition module one is used for obtaining from the certificate of described access point, and the certificate of described access point comprises the property value of expression access point authentication type;
Acquisition module two is used for obtaining from the device identification of described access point, and the device identification of described access point is carried out different names according to auth type;
Acquisition module three is used for obtaining from the network side server of preserving described access point authentication type, and the device identification of described network side server and described access point has corresponding relation.
12, security gateway according to claim 10 is characterized in that, also comprises:
Ask receiving element, be used to receive the device authentication request message of access point;
The device authentication unit is used for according to described device authentication request message access point being carried out device authentication;
The response transmitting element is used for sending described device authentication request responding message according to described judging unit to access point.
13, security gateway according to claim 12 is characterized in that, the described request receiving element comprises:
Ask receiver module one, be used to receive the device authentication request message of access point, carry the device identification, certificate and the parameters for authentication AUTH that comprise described access point in the described request message;
Ask receiver module two, be used to receive the device authentication request message of access point, carry the device identification, certificate, parameters for authentication AUTH and the MULTIPLE_AUTH_SUPPORTED field that comprise described access point in the described request message;
Request receiver module three, be used to receive the device authentication request message of access point, carry device identification, certificate, parameters for authentication AUTH and the MULTIPLE_AUTH_SUPPORTED field, the ANOTHER_AUTH_FOLLOWS field that comprise described access point in the described request message;
Request receiver module four, be used to receive the device authentication request message of access point, carry the device identification, certificate, the parameters for authentication AUTH that comprise described access point in the described request message, and in configuration load CP, carry the identify label HPM ID of the side of the having HP of described access point.
14, security gateway according to claim 13 is characterized in that,
Described judging unit also is used for whether receiving the indication that repeatedly authenticates from described device authentication request message according to it, compares with the auth type of the described access point that obtains, and judges whether to initiate the side of the having HP identifying procedure of described access point.
15, security gateway according to claim 12 is characterized in that, described response transmitting element comprises:
Response sending module one is used for the response message to described access point transmitting apparatus authentication success, and carries Extensible Authentication Protocol EAP message in described response message, is initiated the side of the having HP authentication of described access point by security gateway;
Response sending module two is used for the response message to described access point transmitting apparatus authentication success, and carries the ANOTHER_AUTH_FOLLOWS field in described response message, asks described access point to initiate the side of having HP authentication;
Response sending module three is used for the response message to described access point transmitting apparatus authentication success, initiates the side of having HP authentication by described access point;
Response sending module four is used for the response message to described access point transmitting apparatus authentification failure, finishes the identifying procedure of described access point.
16, security gateway according to claim 12 is characterized in that, also comprises:
HP authentication request unit is used for sending the HP authentication request message to AAA server AAA Server, carries described HPM ID in described message, directly carries out the side of the having HP identifying procedure of described access point.
17, a kind of system of access point authentication is characterized in that, comprising:
Access point is used for to security gateway transmitting apparatus authentication request message;
Security gateway is used to receive the device authentication request message of access point, according to described device authentication request message access point is carried out device authentication; Obtain the auth type of described access point, and, judge whether to initiate the repeatedly identifying procedure of described access point according to the auth type of the described access point that obtains.
18, system according to claim 17 is characterized in that,
Described security gateway also is used for whether receiving the indication that repeatedly authenticates from described device authentication request message according to it, compares with the auth type of the described access point that obtains, and judges whether to initiate the next identifying procedure of described access point.
19, according to claim 17 or 18 described systems, it is characterized in that,
Described security gateway also is used for sending described device authentication request responding message to described access point, and described response message comprises following arbitrary situation:
To the response message of described access point transmitting apparatus authentication success, and in described response message, carry Extensible Authentication Protocol EAP message, ask described access point to initiate the side of having HP authentication;
Or, to the response message of described access point transmitting apparatus authentication success, and in described response message, carry the ANOTHER_AUTH_FOLLOWS field, ask described access point to initiate the side of having HP authentication;
Or, to the response message of described access point transmitting apparatus authentication success, by the authentication of described access point initiation to the side of having HP;
Or, to the response message of described access point transmitting apparatus authentification failure, finish the identifying procedure of described access point;
Perhaps, described security gateway also is used for sending the side of having HP authentication request message to AAA server AAA Server, carries described HPM ID in described message, directly carries out the HP identifying procedure of described access point.
20, system according to claim 17 is characterized in that, described access point is a Home eNodeB.
CN200810161209A 2008-09-18 2008-09-18 Method, system and safe gateway of access point authentication Pending CN101677440A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810161209A CN101677440A (en) 2008-09-18 2008-09-18 Method, system and safe gateway of access point authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200810161209A CN101677440A (en) 2008-09-18 2008-09-18 Method, system and safe gateway of access point authentication

Publications (1)

Publication Number Publication Date
CN101677440A true CN101677440A (en) 2010-03-24

Family

ID=42029807

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810161209A Pending CN101677440A (en) 2008-09-18 2008-09-18 Method, system and safe gateway of access point authentication

Country Status (1)

Country Link
CN (1) CN101677440A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101827344A (en) * 2010-04-19 2010-09-08 中兴通讯股份有限公司 Method and device for processing emergency call
CN102845087A (en) * 2010-04-13 2012-12-26 阿尔卡特朗讯 A wireless telecommunications network, and a method of authenticating a message
CN105141585A (en) * 2015-07-31 2015-12-09 深信服网络科技(深圳)有限公司 Authentication method and device
CN106254378A (en) * 2016-09-09 2016-12-21 宇龙计算机通信科技(深圳)有限公司 The method of controlling security of a kind of short-range communication NFC mobile terminal and system
CN106817697A (en) * 2015-12-02 2017-06-09 中国电信股份有限公司 A kind of methods, devices and systems for device authentication
RU2633111C1 (en) * 2012-12-07 2017-10-11 Грегори Х. ЛИКЛЕЙ One-range content delivery network, method and control device
WO2018010396A1 (en) * 2016-07-11 2018-01-18 上海掌门科技有限公司 Method and device for realizing wireless access point connection authentication
WO2021185240A1 (en) * 2020-03-18 2021-09-23 华为技术有限公司 Internet key exchange protocol authentication method using certificate, and communication device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1486013A (en) * 2002-09-23 2004-03-31 华为技术有限公司 Method for network access user authentication
CN1848994A (en) * 2005-04-11 2006-10-18 华为技术有限公司 Method for realizing right discrimination of microwave cut-in global interoperating system
CN101009919A (en) * 2006-01-24 2007-08-01 华为技术有限公司 Authentication method based on the end-to-end communication of the mobile network
WO2008077794A1 (en) * 2006-12-22 2008-07-03 Nokia Corporation Authentication type selection

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1486013A (en) * 2002-09-23 2004-03-31 华为技术有限公司 Method for network access user authentication
CN1848994A (en) * 2005-04-11 2006-10-18 华为技术有限公司 Method for realizing right discrimination of microwave cut-in global interoperating system
CN101009919A (en) * 2006-01-24 2007-08-01 华为技术有限公司 Authentication method based on the end-to-end communication of the mobile network
WO2008077794A1 (en) * 2006-12-22 2008-07-03 Nokia Corporation Authentication type selection

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
HUAWEI: "《3GPP TSG SA WG3 Security — S3#ad hoc S3-080966》", 16 September 2008 *
NETWORK WORKING GROUP: "《RFC4379》", 30 November 2006 *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102845087A (en) * 2010-04-13 2012-12-26 阿尔卡特朗讯 A wireless telecommunications network, and a method of authenticating a message
US9473934B2 (en) 2010-04-13 2016-10-18 Alcatel Lucent Wireless telecommunications network, and a method of authenticating a message
CN101827344A (en) * 2010-04-19 2010-09-08 中兴通讯股份有限公司 Method and device for processing emergency call
CN101827344B (en) * 2010-04-19 2016-02-24 中兴通讯股份有限公司 A kind of processing method of urgent call and device
RU2633111C1 (en) * 2012-12-07 2017-10-11 Грегори Х. ЛИКЛЕЙ One-range content delivery network, method and control device
CN105141585B (en) * 2015-07-31 2019-04-02 深信服网络科技(深圳)有限公司 The method and device of certification
CN105141585A (en) * 2015-07-31 2015-12-09 深信服网络科技(深圳)有限公司 Authentication method and device
CN106817697A (en) * 2015-12-02 2017-06-09 中国电信股份有限公司 A kind of methods, devices and systems for device authentication
CN106817697B (en) * 2015-12-02 2019-06-07 中国电信股份有限公司 A kind of methods, devices and systems for equipment certification
WO2018010396A1 (en) * 2016-07-11 2018-01-18 上海掌门科技有限公司 Method and device for realizing wireless access point connection authentication
US10743183B2 (en) 2016-07-11 2020-08-11 Shanghai Zhangxian Network Technology Co., Ltd. Method and device for realizing wireless access point connection authentication
CN106254378A (en) * 2016-09-09 2016-12-21 宇龙计算机通信科技(深圳)有限公司 The method of controlling security of a kind of short-range communication NFC mobile terminal and system
CN106254378B (en) * 2016-09-09 2020-02-07 宇龙计算机通信科技(深圳)有限公司 Safety control method and system for Near Field Communication (NFC) mobile terminal
WO2021185240A1 (en) * 2020-03-18 2021-09-23 华为技术有限公司 Internet key exchange protocol authentication method using certificate, and communication device

Similar Documents

Publication Publication Date Title
CN101677440A (en) Method, system and safe gateway of access point authentication
CN105119939B (en) The cut-in method and device, providing method and device and system of wireless network
CN102843682B (en) Access point authorizing method, device and system
CA2736172C (en) Secure negotiation of authentication capabilities
CN101442402B (en) Method, system and apparatus for authenticating access point equipment
US20070180499A1 (en) Authenticating clients to wireless access networks
US20090100262A1 (en) Apparatus and method for detecting duplication of portable subscriber station in portable internet system
CN108848112A (en) Cut-in method, equipment and the system of user equipment (UE)
CN107026813B (en) Access authentication method and system of WiFi network and portal server
CN105072613A (en) Wireless network system and wireless network access method
CN101986598B (en) Authentication method, server and system
WO2007102702A2 (en) Fast re-authentication method in umts
CN106559785B (en) Authentication method, device and system, access device and terminal
CN101990211A (en) Method, device and system for network access
CN105763517A (en) Router security access and control method and system
Bauer et al. Mitigating evil twin attacks in 802.11
KR101718096B1 (en) Method and system for authenticating in wireless communication system
CN101616414A (en) Method, system and server that terminal is authenticated
CN101867912A (en) Authentication method of access network and terminal
Lamers et al. Securing home Wi-Fi with WPA3 personal
CN107707560B (en) Authentication method, system, network access equipment and Portal server
US9532218B2 (en) Implementing a security association during the attachment of a terminal to an access network
CN102752298A (en) Secure communication method, terminal, server and system
CN106412904B (en) Method and system for preventing counterfeit user authentication authority
CN102685742A (en) WLAN (Wireless Local Area Network ) access authentication method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20100324