CN101822083A - Authentication method, trusted environment unit and home nodeb - Google Patents


Info

Publication number
CN101822083A
Authority
CN
China
Legal status
Granted
Application number
CN200980000110A
Other languages
Chinese (zh)
Other versions
CN101822083B (en)
Inventor
王绍斌
张宁
丁小燕
李茜
Current Assignee
Ma Zhenyu
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN2009800001105A (CN101822083B)
Publication of CN101822083A
Application granted
Publication of CN101822083B
Legal status: Expired - Fee Related

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities

Abstract

An embodiment of the present invention discloses an authentication method, a trusted environment (TrE) unit and a home base station. The method comprises the following steps: performing device identity authentication on an HNB; performing identity authentication on a TrE set on the HNB; authenticating the identity binding relationship between the HNB and the TrE; performing non-identity authentication on the HNB; and obtaining and storing the non-identity authentication data of the HNB in the TrE. The embodiment makes full use of the characteristics of the TrE: the non-identity authentication data of the HNB obtained at the first authentication is stored in the TrE, so that when the HNB is restarted the relevant non-identity authentication is executed by the TrE, thereby alleviating the burden of authenticating the HNB on the network side.

Description

Authentication method, trusted environment unit and Home NodeB
This application claims priority to Chinese patent application No. 200810175958.9, entitled "Identity authentication method, trusted environment unit and Home NodeB", filed with the Patent Office of the People's Republic of China on November 3, 2008, the entire contents of which are incorporated herein by reference.
Technical field
Embodiments of the present invention relate to the field of wireless communication technology, and in particular to an authentication method based on the trusted environment of a Home NodeB, a trusted environment unit and a Home NodeB.
Background technology
A Home NodeB (HNB), also known as a femtocell base station, was proposed relative to the macro base stations used by third-generation (3G) cellular mobile communication systems. The transmission power of an HNB is only +15 dB, and its indoor coverage range is 50 meters. Its function is similar to that of a Wireless Fidelity (WiFi) wireless access point (AP): it lets users connect to the home broadband network over Ethernet. Mobile operators develop the HNB, first, to improve indoor coverage and raise indoor broadband access speed so as to meet users' demand for various multimedia services; second, to relieve the pressure on macro base stations, which then serve mainly outdoor users; and in addition, to cope with pressure from cellular carriers and MVNOs.
The Hosting Party Module (HPM) is a physical entity separate from the HNB device; it contains the identity credential used to prove and authenticate the hosting party (the user) to the mobile network operator. The hosting party is analogous to a mobile phone subscriber, and the module is analogous to the Subscriber Identity Module (SIM) card. The HPM is supplied to the user by the mobile network operator. The HPM can be removed from the HNB, that is, the HPM need not be changed when the HNB is changed. The HPM gives the HNB a user-based identity without affecting the HNB manufacturer. The most important significance of the HPM is to separate the HNB equipment manufacturer from the HNB service provider and to effectively authenticate the user applying for service.
The Trusted Environment (TrE) is a logically or physically independent entity deployed on the HNB. It refers specifically to a secure storage environment on the HNB that stores sensitive data of the HNB, such as the credential representing the HNB device identity.
In the course of implementing the present invention, the inventors found that the prior art has at least the following problem:
In the prior art, each restart of the HNB requires the complete authentication process with the core network to be repeated, which undoubtedly adds to the burden of the network-side servers.
Content of the invention
Embodiments of the present invention provide an authentication method, a trusted environment unit and a Home NodeB, so as to reduce the burden on the network side of authenticating the HNB.
An embodiment of the present invention provides an authentication method based on the trusted environment of a Home NodeB, including:
performing device identity authentication on an HNB;
performing identity authentication on a TrE set on the HNB;
authenticating the identity binding relationship between the HNB and the TrE;
performing non-identity authentication on the HNB;
obtaining and storing the non-identity authentication data of the HNB in the TrE.
An embodiment of the present invention provides another authentication method based on the trusted environment of a Home NodeB, including:
performing device identity authentication on an HNB;
performing identity authentication on a TrE;
authenticating the identity binding relationship between the HNB and the TrE;
performing non-identity authentication on the HNB by the TrE.
An embodiment of the present invention provides a further authentication method based on the trusted environment of a Home NodeB, including:
a TrE receiving a UE identity authentication request sent by a user equipment (UE);
performing identity authentication on the UE by the TrE.
An embodiment of the present invention provides a trusted environment unit, including:
an authentication data storage module, for storing the non-identity authentication data of an HNB;
an authentication module, for performing non-identity authentication of the HNB according to the non-identity authentication data of the HNB stored by the authentication data storage module.
An embodiment of the present invention further provides a Home NodeB, including a TrE unit, the TrE unit being provided with:
an authentication data storage module, for storing the non-identity authentication data of the HNB;
an authentication module, for performing non-identity authentication of the HNB according to the non-identity authentication data of the HNB stored by the authentication data storage module.
By providing an authentication method, a trusted environment unit and a Home NodeB, the embodiments of the present invention make full use of the characteristics of the TrE: the non-identity authentication data obtained at the first authentication of the HNB is stored in the TrE, so that when the HNB restarts the relevant non-identity authentication can be performed by the TrE, thereby relieving the burden on the network side of authenticating the HNB.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the first embodiment of the authentication method based on the trusted environment of a Home NodeB according to the present invention;
Fig. 2 is a signalling flow chart of the second embodiment of the authentication method based on the trusted environment of a Home NodeB according to the present invention;
Fig. 3 is a signalling flow chart of the third embodiment of the authentication method based on the trusted environment of a Home NodeB according to the present invention;
Fig. 4 is a signalling flow chart of the fourth embodiment of the authentication method based on the trusted environment of a Home NodeB according to the present invention;
Fig. 5 is a signalling flow chart of the fifth embodiment of the authentication method based on the trusted environment of a Home NodeB according to the present invention;
Fig. 6 is a flow chart of the sixth embodiment of the authentication method based on the trusted environment of a Home NodeB according to the present invention;
Fig. 7 is a signalling flow chart of the seventh embodiment of the authentication method based on the trusted environment of a Home NodeB according to the present invention;
Fig. 8 is a signalling flow chart of the eighth embodiment of the authentication method based on the trusted environment of a Home NodeB according to the present invention;
Fig. 9 is a signalling flow chart of the ninth embodiment of the authentication method based on the trusted environment of a Home NodeB according to the present invention.
Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
To make the purpose, technical solution and advantages of the embodiments of the present invention clearer: the network type in the following embodiments may be a Global System for Mobile Communication (GSM) network, a Code Division Multiple Access (CDMA) network, a Wideband CDMA (WCDMA) network, a Worldwide Interoperability for Microwave Access (Wimax) network, a Time Division-Synchronous CDMA (TD-SCDMA) network or a Long Term Evolution (LTE) network, etc. The type of radio access device may be a Home NodeB, a pico cell (Pico), a UMTS AP (Universal Mobile Telecommunications System AP), a Wimax femto (Femto) base station or a Wimax macro base station, etc. The user equipment type in the following embodiments may be a mobile terminal such as a mobile phone, a notebook computer or a Personal Digital Assistant (PDA).
Because the HNB is deployed in the user's home, on the one hand it belongs to user equipment; on the other hand it belongs to the operator's equipment and, like a macro base station, completes the access function for users. This dual role makes the operator's security requirements on the HNB very high. Therefore, after the Home NodeB powers up and establishes a physical connection with the operator, the operator needs to perform the relevant authentication on the HNB. In the prior art, non-identity authentication of the HNB is based on a non-trusted environment whose secure storage capability is relatively low; it does not make full use of the TrE function and to some extent reduces the application space of the TrE. Moreover, because the TrE has independent identity information, and this identity information can be associated with the HNB and the HPM, once the HNB is loaded with a TrE the network side's authentication of the HNB involves authenticating the TrE and authenticating the association between the TrE and the HNB. The embodiments of the present invention address how the network side carries out the authentication flow for an HNB configured with a TrE, and how the relevant HNB authentication is localised on the basis of a TrE with a relatively high secure storage capability.
First embodiment
Fig. 1 is a flow chart of the first embodiment of the authentication method based on the trusted environment of a Home NodeB according to the present invention. As shown in Fig. 1, this embodiment describes the authentication flow when the HNB starts for the first time, and includes the following steps:
Step 11: perform device identity authentication on the HNB.
The network side first needs to authenticate the identity of the HNB device itself. Identity authentication of the HNB is mainly based on the authentication of an identity credential. The HNB identity credential has two forms: one is based on a certificate, and the other is based on an Authentication and Key Agreement (AKA) credential. The authentication process mainly consists of the authentication flow exchanged between the HNB and the security gateway and the Authentication, Authorization and Accounting (AAA) server on the network side.
Step 12: perform identity authentication on the TrE set on the HNB.
The authentication of the TrE can likewise use certificate-based authentication; the authentication process mainly consists of the authentication flow exchanged between the security gateway and the AAA server (authentication, authorization and accounting server) on the network side and the TrE on the HNB.
Step 13: authenticate the identity binding relationship between the HNB and the TrE.
The authentication of the binding relationship is mainly completed by the AAA server: the AAA server looks up the binding relationship it stored in advance according to the TrE identity, then compares it with the HNB identity sent by the HNB, so as to verify the binding relationship.
Step 14: perform non-identity authentication on the HNB. The non-identity authentication of the HNB may include identity authentication of the HPM on the HNB, location authentication of the HNB, and identity authentication of the UE.
Step 15: obtain and store the non-identity authentication data of the HNB in the TrE. Corresponding to the above types of non-identity authentication, the non-identity authentication data may include HPM authentication data, HNB location authentication data and UE authentication data.
After the non-identity authentication succeeds, part of the authentication data maintained by the network side (mainly the authentication data related to non-identity authentication) is downloaded into the local TrE of the HNB. When the HNB restarts or re-authenticates, the non-identity authentication process can be carried out in the local TrE of the HNB. This makes full use of the TrE function, and the restart or re-authentication process no longer needs the participation of the core network, reducing the burden on the network side.
Second embodiment
Fig. 2 is a signalling flow chart of the second embodiment of the authentication method based on the trusted environment of a Home NodeB according to the present invention. As shown in Fig. 2, this embodiment describes the authentication flow when the HNB starts for the first time, and specifically includes the following steps:
Step 101: an IKE_SA_INIT (IKE authentication initialization) connection is established between the HNB and the Security Gateway (SGW).
Step 102: the HNB sends an IKE-AUTH-REQ (IKE authentication request) to the SGW, carrying the identities of the HNB and the TrE. It should be noted that the HNB identity credential has two forms, one based on a certificate and the other based on an AKA credential; this embodiment describes the AKA credential case. If certificate-based authentication is used, a certificate verification process needs to be carried out between the HNB and the SGW.
Step 103: the SGW verifies the identity of the TrE. Certificate-based authentication is used for the TrE.
Step 104: the SGW sends an Authentication Request/Identity (authentication request) to the AAA server, carrying the identities of the HNB and the TrE.
Step 105: the AAA server performs identity authentication of the HNB. The specific authentication process may be similar to the following: the AAA server initiates an AKA (Authentication and Key Agreement) authentication challenge request, obtains an AV (authentication vector), runs the AKA algorithm and receives the HNB's authentication challenge response, thereby achieving mutual authentication between the HNB and the network side.
Step 106: the AAA server authenticates the binding relationship between the HNB and the TrE. The specific binding relationship authentication process may be similar to the following: the AAA server obtains the binding relationship between the HNB and the TrE from the relevant database network element (such as the Home Location Register (HLR)); according to the TrE identity transmitted by the HNB, the AAA server looks up the binding relationship it stored in advance and compares it with the received HNB identity, thereby verifying the binding relationship.
Step 107: the AAA server sends a response indicating successful TrE identity authentication and successful binding relationship authentication (Authentication Response/success) to the SGW.
Step 108: the SGW notifies the HNB of the successful authentication via an IKE-AUTH-RES (IKE authentication response) message.
Step 109: upon receiving the authentication success message, the HNB triggers platform integrity authentication of the HNB.
Step 110: platform integrity authentication of the HNB is carried out between the HNB and the integrity authentication server. Integrity authentication requires the network side to store the reference metrics of HNB integrity; this data may be stored, for example, by adding a storage function to an existing network element such as the HLR, or on a newly added network element. After integrity authentication ends, a corresponding secure channel is established between the HNB and the SGW.
Step 111: the HNB and the network side carry out the subsequent related non-identity authentication, such as location authentication of the HNB, HPM authentication and UE identity authentication. At the same time, the AAA server needs to obtain the related data for non-identity authentication from the authentication database.
Step 112: after the non-identity authentication succeeds, part of the authentication data maintained by the AAA server (mainly the data used for non-identity authentication) is downloaded into the local TrE of the HNB. Thus, when the HNB restarts or re-authenticates, the authentication process is carried out in the local TrE of the HNB.
It should be noted that in this embodiment and the following embodiments, the network side's authentication of the HNB is illustrated with network elements such as the AAA server and the SGW, but the HNB authentication process in the embodiments of the present invention is not limited to these network elements, as those skilled in the art will appreciate. In this embodiment, after the HNB starts for the first time, it interacts with the SGW and the AAA server on the network side to complete HNB device identity authentication, TrE identity authentication, authentication of the binding relationship between the two, and platform integrity authentication, and then carries out the related non-identity authentication. After the non-identity authentication succeeds, part of the authentication data maintained by the network side (mainly the authentication data related to non-identity authentication) is downloaded into the local TrE of the HNB. When the HNB restarts or re-authenticates, the non-identity authentication process can be carried out in the local TrE of the HNB. This makes full use of the TrE function, and the restart or re-authentication process no longer needs to interact with network-side servers such as the SGW and the AAA server, reducing the burden on the network side.
Third embodiment
Fig. 3 is a signalling flow chart of the third embodiment of the authentication method based on the trusted environment of a Home NodeB according to the present invention. As shown in Fig. 3, this embodiment focuses on the network side's HPM authentication process when the HNB starts for the first time, and is a further detailed description of step 111 to step 112 in the second embodiment above.
HPM authentication refers to the mobile network operator's authentication of the HNB user. There are generally two scenarios:
Scenario A: the HPM is bound to the HNB device.
In this scenario, completing HNB device authentication also completes HPM authentication. No extra authentication step is needed; EAP-AKA (Extensible Authentication Protocol - Authentication and Key Agreement) and certificate authentication can serve as HPM authentication. This scheme applies to scenarios in which the HPM is immovable.
Scenario B: the HPM and the HNB device are separate. Two solutions currently exist for this authentication scenario:
B1: certificate-based HNB device authentication and EAP-AKA-based HPM authentication.
In this scheme, device authentication is first carried out between the HNB and the SGW using their respective certificates, and EAP-AKA-based HPM authentication is carried out afterwards.
B2: binding of the HPM ID and the HNB device ID.
The HNB is a device with an embedded HPM, and each device has an EI (equipment identifier) representing its identity. The HNB-EI is set in the HNB by the manufacturer at the factory. The HLR on the network side can store a record of the HNB-EI corresponding to each HPM-ID; this record represents the binding relationship between the HNB-EI and the HPM-ID. The AAA server can perform binding relationship authentication based on this record.
This embodiment is based on the authentication scenario in which HPM authentication and HNB device authentication are separate; it may not be necessary to authenticate the binding relationship between the HPM and the HNB device. In this embodiment, the HPM authentication process includes the following steps:
Step 1110: the TrE obtains the HPM identity of the HNB; this can be done through the interface between the HNB and the TrE.
Step 1111: the HNB sends an IKE-AUTH-REQ (IKE authentication request) to the SGW, carrying the identities of the HPM and the TrE.
Step 1112: the SGW sends an Authentication Request/Identity (authentication request) to the AAA server, carrying the identities of the HPM and the TrE.
Step 1113: the AAA server obtains multiple AVs (authentication vectors) from the HLR.
Step 1114: the AAA server initiates an EAP Request/AKA (SIM) challenge request (EAP request/AKA challenge) to the SGW.
Step 1115: the SGW forwards the EAP Request/AKA (SIM) challenge request to the HNB in an IKE-AUTH-RES (IKE authentication response) message.
Step 1116: the HNB returns an EAP Response/AKA (SIM) challenge (EAP response/AKA challenge) to the SGW in an IKE-AUTH-REQ (IKE authentication request) message.
Step 1117: the SGW returns the EAP Response/AKA (SIM) challenge to the AAA server.
In step 1114 to step 1117, the EAP-AKA authentication flow is executed between the AAA server and the HNB, thereby completing the authentication of the HPM.
Step 1118: the AAA server verifies the binding relationship between the HPM and the TrE: based on the HPM identity, the AAA server looks up the pre-stored binding relationship and verifies the TrE identity.
Step 1119: the AAA server sends an Authentication Response/EAP-AKA (SIM) success (HPM identity authentication success and binding relationship authentication success response) to the SGW.
Step 1120: the SGW sends the HPM identity authentication success and binding relationship authentication success response to the HNB in an IKE-AUTH-RES message.
Step 1121: the HNB initiates an HNB Boot request (initial start request) to the AHR (AP home registration server).
Step 1122: the AHR requests the HPM authentication vectors from the AAA server with a Retrieving Authentication Data message; multiple authentication vectors may be requested, so as to ensure that every local authentication is fresh.
Step 1123: the AAA server responds to the request and returns the stored unused AVs (the parameters contained in an authentication vector include XRES (expected response), RAND (random number) and AUTN (authentication token)) to the AHR.
Step 1124: the AHR sends an initial start response (Boot response) to the HNB, carrying the HPM authentication data.
Step 1125: the TrE securely stores the HPM authentication data, thereby localising the authentication data.
In this embodiment, after the HNB starts for the first time, it interacts with the SGW and the AAA server on the network side to complete the HPM identity authentication part of non-identity authentication, and after successful authentication the HPM authentication data maintained by the network side is downloaded into the local TrE of the HNB. When the HNB restarts or re-authenticates, the HPM authentication process can be carried out in the local TrE of the HNB without interacting again with network-side servers such as the SGW and the AAA server. This makes full use of the TrE function and reduces the burden on the network side.
Fourth embodiment
Fig. 4 is a signalling flow chart of the fourth embodiment of the authentication method based on the trusted environment of a Home NodeB according to the present invention. As shown in Fig. 4, this embodiment focuses on the network side's HNB location authentication flow when the HNB starts for the first time; it is likewise a further detailed description of step 111 to step 112 in the second embodiment above, and specifically includes the following steps:
Step 2110: the HNB initiates an initial start request (Boot request) to the AHR, carrying the current location information of the HNB.
Step 2111: the AHR performs location authentication.
Step 2112: the AHR sends an initial start response (Boot response) to the HNB, carrying the authenticated location information in encrypted form.
Step 2113: after receiving the location information, the HNB may pass it to the TrE.
Step 2114: the TrE verifies the source of the information; if the verification passes, it takes the location information as the reference location value of the current user (corresponding to the current HPM) and stores it securely.
In this embodiment, after the HNB starts for the first time, it interacts with the SGW and the AAA server on the network side to complete the HNB location authentication part of non-identity authentication, and after successful authentication the HNB location authentication data maintained by the network side is downloaded into the local TrE of the HNB. When the HNB restarts or re-authenticates, the HNB location authentication process can be carried out in the local TrE of the HNB without interacting again with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE function and reduces the burden on the network side.
Fifth embodiment
Fig. 5 is a signalling flow chart of the fifth embodiment of the authentication method based on the trusted environment of a Home NodeB according to the present invention. As shown in Fig. 5, this embodiment focuses on the handling flow when a UE initiates authentication for the first time after the HNB has started; it is likewise a further detailed description of step 111 to step 112 in the second embodiment above, and specifically includes the following steps:
Step 3110: the UE initiates an identity authentication request through the HNB, carrying its identity information; the request is sent to the AAA server.
Step 3111: the AAA server may run the AKA algorithm to perform identity authentication of the UE.
Step 3112: the AAA server sends the encrypted UE authentication data (which may be parameters such as RAND, AUTN and XRES from the AVs stored in the AAA server, and may be multiple sets) to the HNB in the authentication response.
Step 3113: the HNB sends an authentication success response message to the UE.
Step 3114: the HNB sends the encrypted UE authentication data to the TrE.
Step 3115: the TrE decrypts the authentication data and securely stores the UE authentication data.
In this embodiment, after the HNB starts for the first time, the UE and the HNB interact with the SGW and the AAA server on the network side to complete the UE identity authentication part of non-identity authentication, and after successful authentication the UE identity authentication data maintained by the network side is downloaded into the local TrE of the HNB. When the HNB restarts or re-authenticates, or when the UE needs to re-authenticate, the UE authentication process can be carried out in the local TrE of the HNB; only the UE and the HNB need to interact, without interacting again with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE function and reduces the burden on the network side.
Sixth embodiment
Fig. 6 is a flow chart of the sixth embodiment of the authentication method based on the trusted environment of a Home NodeB according to the present invention. As shown in Fig. 6, this embodiment focuses on the authentication flow when the HNB restarts or re-authenticates. Through the first to fifth embodiments above, after the HNB has started for the first time and has been authenticated by the network side, part of the authentication data maintained by the network side (mainly the authentication data related to non-identity authentication) has been downloaded into the local TrE of the HNB. Therefore, when the HNB restarts or re-authenticates, the related non-identity authentication can be carried out directly and locally, without the participation of the network side. This embodiment specifically includes the following steps:
Step 21: perform identity authentication on the HNB;
Step 22: perform identity authentication on the TrE;
Step 23: authenticate the identity binding relationship between the HNB and the TrE;
Step 21 to step 23 may specifically use the flow of step 101 to step 110 in the second embodiment, which is not repeated here.
Step 24: perform non-identity authentication on the HNB by the TrE. The non-identity authentication may include authentication of the HPM, location authentication of the HNB and authentication of the UE.
In this embodiment, the non-identity authentication data obtained in the authentication flow at the first start of the HNB is stored in the TrE. When the HNB restarts or re-authenticates, the related non-identity authentication can be performed based on the non-identity authentication data stored in the local TrE, without interacting again with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE function and reduces the burden on the network side.
7th embodiment
Fig. 7 is the signaling flow chart of the seventh embodiment of the authentication method based on a Home eNodeB dependable environment according to the invention. As shown in Fig. 7, this embodiment focuses on the identity authentication flow for the HPM when the HNB restarts or re-authenticates. The flow described here is a specific example of step 24 in the sixth embodiment; when the HNB starts again it likewise goes through steps 21 to 23 of the sixth embodiment. This embodiment comprises the following steps:
Step 4110: the HPM initiates an identity authentication request to the TrE; this can be done over the interface between the HNB and the TrE.
Step 4111: the TrE looks up an authentication vector (AV) that it has not yet used.
Step 4112: the TrE initiates an authentication challenge request to the HPM and carries the AV in the request (the AV contains the RAND and AUTN parameters).
Step 4113: the HPM calculates RES from the received RAND and AUTN parameters and the key it stores (the response is derived from the key, AUTN and RAND).
Step 4114: the HPM returns an authentication challenge response carrying the RES computed above.
Step 4115: the TrE performs HPM identity authentication. The TrE compares the received RES with the XRES it stores (a parameter downloaded into the TrE once the authentication process at the HNB's initial start-up had completed). If the values match, the TrE has authenticated the HPM successfully and generates an authentication result of success; otherwise it generates an authentication result of failure.
Step 4116: the TrE returns the authentication result to the HPM.
Step 4117: the TrE notifies the AAA server on the network side of the authentication result.
In this embodiment, the HPM identity authentication data acquired during the authentication flow at the HNB's initial start-up is stored in the TrE. When the HNB restarts or re-authenticates, the related HPM identity authentication can be performed on the basis of the HPM identity authentication data stored in the local TrE, with no further interaction with network-side servers such as the SGW, the AAA server and the AHR. Because step 4111 selects an AV that has not been used, each stored AV serves exactly one challenge; once the stored AVs are used up, further HPM authentication again requires the network side. This makes full use of the TrE's functions and reduces the load on the network side.
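The exchange of steps 4110 to 4117, as an added example in Python that is not part of the patent. The patent does not specify how RES and XRES are derived from the key, RAND and AUTN, so the two derivation functions here (f_mac and f_res, HMAC-SHA256 truncated to 8 bytes), the AuthVector layout and all class and method names are assumptions made for the illustration. The example shows both sides of the challenge: the TrE consumes one unused AV per challenge (step 4111) and compares RES with the stored XRES (step 4115), while the HPM checks AUTN under its key before answering. It also exercises what a practitioner would want to confirm: a responder without the key fails, a RES replayed from an earlier run fails because the next challenge uses a fresh AV, and an empty AV store returns None, at which point the TrE has to obtain fresh vectors from the network side.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AuthVector:
    """One authentication vector (AV) as cached in the TrE: RAND, AUTN and expected response XRES."""
    rand: bytes
    autn: bytes
    xres: bytes
    used: bool = False


def f_mac(k: bytes, rand: bytes) -> bytes:
    # Assumed construction (the patent does not specify it): AUTN carries a MAC over RAND
    # under the long-term key K, so the HPM can tell a challenge made by a holder of K
    # from an arbitrary one.
    return hmac.new(k, b"mac|" + rand, hashlib.sha256).digest()[:8]


def f_res(k: bytes, rand: bytes, autn: bytes) -> bytes:
    # Assumed response function, matching step 4113: RES = f(K, RAND, AUTN).
    return hmac.new(k, b"res|" + rand + autn, hashlib.sha256).digest()[:8]


def generate_av(k: bytes, rand: Optional[bytes] = None) -> AuthVector:
    """Models what the network side produces at first start-up and downloads into the TrE.
    The TrE receives RAND, AUTN and XRES only; K itself stays with the HPM and the network."""
    rand = secrets.token_bytes(16) if rand is None else rand
    autn = f_mac(k, rand)
    return AuthVector(rand=rand, autn=autn, xres=f_res(k, rand, autn))


class HPM:
    """Hosting party module holding K; answers challenges (steps 4113 and 4114)."""

    def __init__(self, k: bytes) -> None:
        self._k = k

    def challenge_response(self, rand: bytes, autn: bytes) -> bytes:
        if not hmac.compare_digest(autn, f_mac(self._k, rand)):
            raise ValueError("AUTN check failed: challenge is not bound to K")
        return f_res(self._k, rand, autn)


class ReplayingResponder:
    """A party without K that answers every challenge with a RES captured from an earlier run."""

    def __init__(self, captured_res: bytes) -> None:
        self._res = captured_res

    def challenge_response(self, rand: bytes, autn: bytes) -> bytes:
        return self._res


class TrE:
    """Trusted environment on the HNB: stores AVs and runs HPM authentication locally (steps 4110-4117)."""

    def __init__(self, avs: List[AuthVector]) -> None:
        self.avs = list(avs)
        self.reports: list = []  # results that step 4117 would notify to the AAA server

    def unused_av(self) -> Optional[AuthVector]:
        # Step 4111: pick an AV that has not been used.
        return next((av for av in self.avs if not av.used), None)

    def authenticate_hpm(self, responder) -> Optional[bool]:
        av = self.unused_av()
        if av is None:
            # Local store exhausted: fresh AVs have to come from the network side again.
            self.reports.append(("hpm_auth", "no_unused_av"))
            return None
        av.used = True  # consume the AV before RAND leaves the TrE, so it is never reissued
        try:
            res = responder.challenge_response(av.rand, av.autn)  # steps 4112-4114
            ok = hmac.compare_digest(res, av.xres)                # step 4115
        except ValueError:
            ok = False
        self.reports.append(("hpm_auth", ok))
        return ok


def run_demo() -> tuple:
    """Returns (genuine HPM, HPM with wrong key, replayed RES, store exhausted)."""
    k = bytes(range(16))  # constructed long-term key shared by the HPM and the network side
    tre = TrE([generate_av(k) for _ in range(3)])
    first_av = tre.avs[0]
    genuine = tre.authenticate_hpm(HPM(k))                        # True
    captured = f_res(k, first_av.rand, first_av.autn)             # RES seen on the wire above
    wrong_key = tre.authenticate_hpm(HPM(bytes(16)))              # False: AUTN check fails
    replay = tre.authenticate_hpm(ReplayingResponder(captured))   # False: fresh RAND, new XRES
    exhausted = tre.authenticate_hpm(HPM(k))                      # None: all three AVs consumed
    return genuine, wrong_key, replay, exhausted


if __name__ == "__main__":
    print(run_demo())
```

The TrE only ever holds RAND, AUTN and XRES, never K, which is why the AV store is sensitive but not equivalent to the hosting party's key. Marking an AV as used before the challenge leaves the TrE is deliberate: an AV whose exchange fails is discarded rather than retried, so a RAND is never issued twice.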
8th embodiment
Fig. 8 is the signaling flow chart of the eighth embodiment of the authentication method based on a Home eNodeB dependable environment according to the invention. As shown in Fig. 8, this embodiment focuses on the location authentication flow for the HNB when the HNB restarts or re-authenticates. The flow described here is likewise a specific example of step 24 in the sixth embodiment, and when the HNB restarts or re-authenticates it likewise goes through steps 21 to 23 of the sixth embodiment. This embodiment comprises the following steps:
Step 5110: the HNB sends a location authentication request to the TrE, carrying the HNB's current location information.
Step 5111: the TrE performs location authentication. The TrE compares the current location information with the location information stored in the TrE; if they match it generates a location authentication result of success, otherwise a location authentication result of failure.
Step 5112: the TrE notifies the HNB of the location authentication result.
Step 5113: the TrE notifies the AHR on the network side of the location authentication result.
In this embodiment, the HNB location authentication data acquired during the authentication flow at the HNB's initial start-up is stored in the TrE. When the HNB restarts or re-authenticates, the related HNB location authentication can be performed on the basis of the HNB location authentication data stored in the local TrE, with no further interaction with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE's functions and reduces the load on the network side.
9th embodiment
Fig. 9 is the signaling flow chart of the ninth embodiment of the authentication method based on a Home eNodeB dependable environment according to the invention. As shown in Fig. 9, this embodiment focuses on the authentication flow when a UE is authenticated again after it has first passed identity authentication with the network side. After the HNB's initial start-up, if a certain UE has already completed identity authentication with the network side, the UE authentication data related to that UE has been stored in the local TrE, so when the HNB receives a further identity authentication request from the same UE, the authentication can be completed directly by the TrE. Such a repeated UE authentication can take place after the HNB's initial start-up or when the HNB restarts or re-authenticates. The authentication flow of this embodiment is as follows:
Step 6110: the TrE receives the UE identity authentication request sent by the UE, which carries the UE's identity.
Step 6111: the TrE compares the UE identity carried in the UE identity authentication request with the UE identity stored in the TrE; if they match it generates a UE identity authentication result of success, otherwise a UE identity authentication result of failure.
Step 6112: the TrE notifies the UE of the UE identity authentication result.
Step 6113: the TrE notifies the AAA server on the network side of the UE identity authentication result.
In this embodiment, the UE identity authentication data acquired during the authentication flow at the HNB's initial start-up is stored in the TrE. When the HNB restarts or re-authenticates, the related UE identity authentication can be performed on the basis of the UE identity authentication data stored in the local TrE, with no further interaction with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE's functions and reduces the load on the network side.
Tenth embodiment
This embodiment is an embodiment of the TrE unit. The TrE unit includes an authentication data storage module and an authentication module. The authentication data storage module is used to store the non-identity authentication data of the HNB; the authentication module is used to perform the non-identity authentication of the HNB according to the non-identity authentication data of the HNB stored by the authentication data storage module.
The authentication data storage module can include an HPM authentication data storage module and/or a UE authentication data storage module and/or an HNB location authentication data storage module. The authentication module includes an HPM authentication module and/or an HNB location authentication module and/or a UE authentication module. When the HPM authentication module performs identity authentication of the HPM, it needs to call the data stored in the HPM authentication data storage module; in the same way, the HNB location authentication module corresponds to the HNB location authentication data storage module, and the UE authentication module to the UE authentication data storage module.
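The eighth, ninth and tenth embodiments together describe a TrE unit whose storage modules are filled during the first, network-side authentication and consulted locally afterwards. The following Python is an added example that is not part of the patent: the NetworkSide stand-in for the SGW, AAA server and AHR, its method names, the record formats, the location strings and the UE identifiers are all constructed for the illustration, and the choice to forward a UE the TrE has never seen to the AAA server (rather than fail it locally) is this example's reading of the fifth and ninth embodiments. The example shows the store-or-forward decision for the location and UE modules and counts network round trips, so the reduction in network-side load the patent claims is visible, along with the failure results that steps 5113 and 6113 report.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


class NetworkSide:
    """Stand-in for the SGW, AAA server and AHR (constructed for this example, not the
    patent's interfaces). Counts round trips so the effect of the local TrE store is visible."""

    def __init__(self, ahr_locations: Dict[str, str], aaa_subscribers: Iterable[str]) -> None:
        self.ahr_locations = dict(ahr_locations)      # HNB id -> location the operator authorised
        self.aaa_subscribers = set(aaa_subscribers)   # UE identities the AAA server accepts
        self.round_trips = 0

    def initial_start(self, hnb_id: str, current_location: str) -> Optional[str]:
        """Claim 5: the AHR checks the location carried in the initial start request and
        returns the authenticated location, or None on failure."""
        self.round_trips += 1
        if self.ahr_locations.get(hnb_id) == current_location:
            return current_location
        return None

    def authenticate_ue(self, ue_id: str) -> Optional[dict]:
        """Claim 7: the AAA server authenticates the UE and returns its UE authentication data."""
        self.round_trips += 1
        return {"ue_id": ue_id} if ue_id in self.aaa_subscribers else None


@dataclass
class TrEUnit:
    """The TrE unit of the tenth embodiment: storage modules plus the authentication
    modules that consult them, with a network fallback when nothing is stored yet."""
    hnb_id: str
    network: NetworkSide
    location_store: Optional[str] = None                       # HNB location authentication data module
    ue_store: Set[str] = field(default_factory=set)            # UE authentication data module
    notifications: List[tuple] = field(default_factory=list)   # what steps 5113 / 6113 would send

    def location_auth(self, current_location: str) -> bool:
        if self.location_store is None:
            # Initial start-up: the AHR performs the check and the authenticated
            # location is stored in the TrE (fifth and eighth embodiments).
            verified = self.network.initial_start(self.hnb_id, current_location)
            if verified is None:
                return False
            self.location_store = verified
            return True
        # Restart or re-authentication: compare locally, report the result to the AHR.
        ok = current_location == self.location_store
        self.notifications.append(("AHR", "location", ok))
        return ok

    def ue_auth(self, ue_id: str) -> bool:
        if ue_id in self.ue_store:
            # Ninth embodiment: identity already stored, authenticate locally, notify the AAA server.
            self.notifications.append(("AAA", "ue", True))
            return True
        # Not yet in the TrE: forward to the AAA server and keep its data on success only.
        data = self.network.authenticate_ue(ue_id)
        if data is None:
            self.notifications.append(("AAA", "ue", False))
            return False
        self.ue_store.add(data["ue_id"])
        return True


def run_scenario() -> dict:
    """Initial start-up, then a restart: only the first contact per datum reaches the network."""
    net = NetworkSide({"hnb-1": "cell:3101"}, ["imsi-460001234567890"])   # constructed records
    tre = TrEUnit("hnb-1", net)
    results = {
        "start_location": tre.location_auth("cell:3101"),   # network, round trip 1
        "ue_first": tre.ue_auth("imsi-460001234567890"),      # network, round trip 2
        "ue_again": tre.ue_auth("imsi-460001234567890"),      # local
        "trips_before_restart": net.round_trips,             # 2
    }
    # The HNB restarts (after steps 21 to 23 of the sixth embodiment); the TrE store survives.
    results["restart_location"] = tre.location_auth("cell:3101")   # local, True
    results["moved_location"] = tre.location_auth("cell:9999")     # local, False, reported to AHR
    results["ue_unknown"] = tre.ue_auth("imsi-460009999999999")    # network, round trip 3, False
    results["trips_total"] = net.round_trips                        # 3
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Two properties of the design stand out when it is written down this way. The TrE store is only ever populated from a successful network-side result, so a failed first contact leaves nothing behind to be accepted later. And the location check after a restart compares whatever the HNB itself puts into the request of step 5110 with the stored value, so its strength is bounded by the integrity of the location source the HNB feeds into the TrE.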
11st embodiment
An embodiment of the invention further provides a Home eNodeB, which includes a TrE unit as described in the tenth embodiment; it is not described again here.
It can be seen from the above embodiments that the embodiments of the invention make full use of the characteristics of the TrE: the TrE stores the non-identity authentication data obtained after the HNB's first authentication, and when the HNB restarts, the related non-identity authentication can be performed by the TrE. This relieves the network side of the burden of authenticating the HNB, and there is also no need to bind the device identity and the user identity using HPM-ID and HNB-ID, which avoids the burden on the operator of additionally setting up a database.
It should be noted that non-identity authentication in the embodiments of the invention refers to the authentications related to the HNB other than HNB device identity authentication and TrE identity authentication, such as HNB location authentication, HPM authentication and authentication of UEs accessing the HNB.
The units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of the examples have been described above generally in terms of their functions. Whether these functions are performed in hardware or in software depends on the particular application and the design constraints of the technical solution; such an implementation should not be regarded as going beyond the scope of the invention.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein can be implemented in hardware, in a software module executed by a processor, or in a combination of the two. A software module can be placed in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (19)

1. An authentication method based on a Home eNodeB dependable environment, characterized by comprising:
performing device identity authentication on the Home eNodeB;
performing identity authentication on the dependable environment arranged on the Home eNodeB;
authenticating the identity-binding relationship between the Home eNodeB and the dependable environment;
performing non-identity authentication on the Home eNodeB, and acquiring and storing the non-identity authentication data of the Home eNodeB in the dependable environment.
2. The authentication method based on a Home eNodeB dependable environment according to claim 1, characterized in that performing non-identity authentication on the Home eNodeB and acquiring and storing the non-identity authentication data of the Home eNodeB in the dependable environment specifically comprises: performing identity authentication on the user identity module (HPM) on the Home eNodeB, and acquiring and storing the authentication data of the user identity module in the dependable environment.
3. The authentication method based on a Home eNodeB dependable environment according to claim 2, characterized in that performing identity authentication on the user identity module on the Home eNodeB and acquiring and storing the authentication data of the user identity module in the dependable environment specifically comprises:
obtaining the identity of the user identity module through the dependable environment;
sending a user identity module identity authentication request to the authentication, authorization and accounting (AAA) server, the request carrying the identities of the user identity module and of the dependable environment;
performing, by the AAA server, identity authentication of the user identity module and authentication of the binding relationship between the user identity module and the dependable environment;
obtaining the user identity module authentication data from the AP home register (AHR) server and storing it in the dependable environment.
4. The authentication method based on a Home eNodeB dependable environment according to claim 1, characterized in that performing non-identity authentication on the Home eNodeB and acquiring and storing the non-identity authentication data of the Home eNodeB in the dependable environment specifically comprises: performing location authentication on the Home eNodeB, and acquiring and storing the location authentication data of the Home eNodeB in the dependable environment.
5. The authentication method based on a Home eNodeB dependable environment according to claim 4, characterized in that performing location authentication on the Home eNodeB and acquiring and storing the location authentication data of the Home eNodeB in the dependable environment specifically comprises:
initiating an initial start request to the AHR server, the initial start request carrying the current location information of the Home eNodeB;
performing, by the AHR server, location authentication of the Home eNodeB;
receiving the initial start response returned by the AHR server, the initial start response carrying the authenticated location information;
storing the authenticated location information in the dependable environment.
6. The authentication method based on a Home eNodeB dependable environment according to claim 1, characterized in that performing non-identity authentication on the Home eNodeB and acquiring and storing the non-identity authentication data of the Home eNodeB in the dependable environment specifically comprises: performing identity authentication on a UE, and acquiring and storing the authentication data of the UE in the dependable environment.
7. The authentication method based on a Home eNodeB dependable environment according to claim 6, characterized in that performing identity authentication on the UE and acquiring and storing the authentication data of the UE in the dependable environment specifically comprises:
receiving a UE authentication request initiated by the UE and forwarding it to the AAA server, the UE authentication request carrying identification information of the UE;
performing, by the AAA server, identity authentication of the UE;
receiving the UE authentication data returned by the AAA server;
storing the UE authentication data in the dependable environment.
8. The authentication method based on a Home eNodeB dependable environment according to claim 1, characterized in that, after authenticating the identity-binding relationship between the Home eNodeB and the dependable environment, the method further comprises: authenticating the platform integrity of the Home eNodeB.
9. An authentication method based on a Home eNodeB dependable environment, characterized by comprising:
performing device identity authentication on the Home eNodeB;
performing identity authentication on the dependable environment;
authenticating the identity-binding relationship between the Home eNodeB and the dependable environment;
performing non-identity authentication on the Home eNodeB through the dependable environment.
10. The authentication method based on a Home eNodeB dependable environment according to claim 9, characterized in that performing non-identity authentication on the Home eNodeB through the dependable environment specifically comprises: performing identity authentication on the user identity module on the Home eNodeB through the dependable environment.
11. The authentication method based on a Home eNodeB dependable environment according to claim 10, characterized in that performing identity authentication on the user identity module on the Home eNodeB through the dependable environment specifically comprises:
the user identity module initiates an authentication request to the dependable environment;
the dependable environment initiates an authentication challenge request to the user identity module, the request carrying the RAND and AUTN parameters;
the user identity module calculates RES according to the key it stores;
the user identity module initiates an authentication challenge response, the response carrying the RES parameter;
the dependable environment judges whether the RES is consistent with the value of XRES and, if so, generates a user identity module identity authentication result of success, otherwise a user identity module identity authentication result of failure;
the dependable environment returns the user identity module identity authentication result to the user identity module;
the dependable environment notifies the AAA server of the user identity module identity authentication result.
12. The authentication method based on a Home eNodeB dependable environment according to claim 9, characterized in that performing non-identity authentication on the Home eNodeB through the dependable environment specifically comprises: performing location authentication on the Home eNodeB through the dependable environment.
13. The authentication method based on a Home eNodeB dependable environment according to claim 12, characterized in that performing location authentication on the Home eNodeB through the dependable environment specifically comprises:
the Home eNodeB sends a location authentication request to the dependable environment, the location authentication request carrying the current location information of the Home eNodeB;
the dependable environment compares the current location information with the location information stored in the dependable environment and, if they are consistent, generates a location authentication result of success, otherwise a location authentication result of failure;
the dependable environment notifies the AHR server of the location authentication result.
14. The authentication method based on a Home eNodeB dependable environment according to claim 9, characterized in that performing non-identity authentication on the Home eNodeB through the dependable environment specifically comprises:
performing identity authentication on a UE through the dependable environment.
15. An authentication method based on a Home eNodeB dependable environment, characterized by comprising:
the dependable environment receives a UE identity authentication request sent by a UE;
identity authentication is performed on the UE through the dependable environment.
16. The authentication method based on a Home eNodeB dependable environment according to claim 15, characterized in that the UE identity authentication request carries the identity of the UE, and performing identity authentication on the UE through the dependable environment specifically comprises:
the dependable environment compares the UE identity carried in the UE identity authentication request with the UE identity stored in the dependable environment and, if they are consistent, generates a UE identity authentication result of success, otherwise a UE identity authentication result of failure;
the dependable environment notifies the AAA server of the UE identity authentication result.
17. A dependable environment unit, characterized by comprising:
an authentication data storage module, for storing the non-identity authentication data of a Home eNodeB;
an authentication module, for performing the non-identity authentication of the Home eNodeB according to the non-identity authentication data of the Home eNodeB stored by the authentication data storage module.
18. The dependable environment unit according to claim 17, characterized in that the authentication data storage module comprises: a user identity module authentication data storage module and/or a UE authentication data storage module and/or a Home eNodeB location authentication data storage module.
19. The dependable environment unit according to claim 17, characterized in that the authentication module comprises: a user identity module authentication module and/or a Home eNodeB location authentication module and/or a UE authentication module.
20. A Home eNodeB, characterized by comprising a dependable environment unit, in which are provided:
an authentication data storage module, for storing the non-identity authentication data of the Home eNodeB;
an authentication module, for performing the non-identity authentication of the Home eNodeB according to the non-identity authentication data of the Home eNodeB stored by the authentication data storage module.
CN2009800001105A 2008-11-03 2009-06-03 Authentication method, trusted environment unit and home nodeb Expired - Fee Related CN101822083B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009800001105A CN101822083B (en) 2008-11-03 2009-06-03 Authentication method, trusted environment unit and home nodeb

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN200810175958.9 2008-11-03
CN200810175958A CN101827361B (en) 2008-11-03 2008-11-03 Identity authentication method, dependable environment unit and femtocell
CN2009800001105A CN101822083B (en) 2008-11-03 2009-06-03 Authentication method, trusted environment unit and home nodeb
PCT/CN2009/072108 WO2010060296A1 (en) 2008-11-03 2009-06-03 Authentication method, trusted environment unit and home nodeb

Publications (2)

Publication Number Publication Date
CN101822083A true CN101822083A (en) 2010-09-01
CN101822083B CN101822083B (en) 2012-10-17

Family

ID=42225224

Family Applications (2)

Application Number Title Priority Date Filing Date
CN200810175958A Active CN101827361B (en) 2008-11-03 2008-11-03 Identity authentication method, dependable environment unit and femtocell
CN2009800001105A Expired - Fee Related CN101822083B (en) 2008-11-03 2009-06-03 Authentication method, trusted environment unit and home nodeb

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN200810175958A Active CN101827361B (en) 2008-11-03 2008-11-03 Identity authentication method, dependable environment unit and femtocell

Country Status (2)

Country Link
CN (2) CN101827361B (en)
WO (1) WO2010060296A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111865592A (en) * 2020-09-21 2020-10-30 四川科锐得电力通信技术有限公司 Internet of things equipment fast access method and device, Internet of things platform and storage medium

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019017835A1 (en) * 2017-07-20 2019-01-24 华为国际有限公司 Network authentication method and related device and system
WO2019196792A1 (en) 2018-04-12 2019-10-17 Oppo广东移动通信有限公司 Security control method and apparatus for application program, and mobile terminal and computer-readable storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100770928B1 (en) * 2005-07-02 2007-10-26 삼성전자주식회사 Authentication system and method thereofin a communication system
CN1933657B (en) * 2005-09-15 2010-10-06 华为技术有限公司 Method for resisting attack from pretended legal mobile station in RSA authentication process
MY147557A (en) * 2007-04-30 2012-12-31 Interdigital Tech Corp A home (e)node-b with new functionality

Also Published As

Publication number Publication date
WO2010060296A1 (en) 2010-06-03
CN101827361A (en) 2010-09-08
CN101827361B (en) 2012-10-17
CN101822083B (en) 2012-10-17

Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20170804
Address after: 510640 Tianhe District, Guangdong Province, No. five road, public education building, unit 371-1, unit 2401
Patentee after: Guangdong Gaohang Intellectual Property Operation Co., Ltd.
Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Shenzhen, Guangdong
Patentee before: Huawei Technologies Co., Ltd.
CB03 Change of inventor or designer information
Inventor after: Ma Zhenyu
Inventors before: Wang Shaobin, Zhang Ning, Ding Xiaoyan, Li Qian
TR01 Transfer of patent right
Effective date of registration: 20170907
Address after: 056000 No. 23 South Ling Road, Fuxing District, Handan, Hebei
Patentee after: Ma Zhenyu
Address before: 510640 Tianhe District, Guangdong Province, No. five road, public education building, unit 371-1, unit 2401
Patentee before: Guangdong Gaohang Intellectual Property Operation Co., Ltd.
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20121017
Termination date: 20180603