CN101822083B - Authentication method, trusted environment unit and home nodeb - Google Patents


Info

Publication number
CN101822083B
Authority
CN
China
Prior art keywords
authentication
home enodeb
dependable environment
hnb
dependable
Prior art date
Legal status
Expired - Fee Related
Application number
CN2009800001105A
Other languages
Chinese (zh)
Other versions
CN101822083A (en)
Inventor
王绍斌
张宁
丁小燕
李茜
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN2009800001105A
Publication of CN101822083A
Application granted
Publication of CN101822083B
Legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Abstract

An embodiment of the present invention discloses an authentication method, a trusted environment unit and a home base station. The method comprises the following steps: performing device identity authentication on an HNB; performing identity authentication on a TrE arranged on the HNB; authenticating the identity binding relationship between the HNB and the TrE; performing non-identity authentication on the HNB; and obtaining the non-identity authentication data of the HNB and storing it in the TrE. The embodiment makes full use of the characteristics of the TrE: the non-identity authentication data of the HNB obtained at the first authentication is stored in the TrE, so that when the HNB is restarted the relevant non-identity authentication is performed by the TrE, thereby alleviating the burden on the network side of authenticating the HNB.

Description

Authentication method, trusted environment unit and home NodeB
This application claims priority to Chinese Patent Application No. 200810175958.9, filed with the Patent Office of the People's Republic of China on November 3, 2008 and entitled "Identity authentication method, trusted environment unit and home NodeB", the entire contents of which are incorporated herein by reference.
Technical field
The embodiments of the present invention relate to the field of wireless communication technology, and in particular to an authentication method based on a home NodeB trusted environment, a trusted environment unit and a home NodeB.
Background
A home NodeB (Home NodeB, hereinafter HNB), also called a picocell, is proposed relative to the macro base stations used in third-generation (3G) cellular mobile communication systems. The transmitting power of an HNB is only +15 dB, and its indoor coverage is about 50 meters. Its role is similar to that of a wireless access point (Access Point, hereinafter AP) using wireless fidelity (WiFi) technology, allowing users to connect to the home broadband network through Ethernet. Mobile operators develop HNBs first to improve indoor coverage and indoor broadband access speed and so satisfy users' demand for various multimedia services; second to relieve pressure on macro base stations, so that macro base stations mainly serve outdoor users; and additionally to cope with the pressure from cellular carriers and MVNOs.
A Hosting Party Module (hereinafter HPM) is a physical entity, separate from the physical equipment of the HNB, which holds the credential used to prove and authenticate to the mobile network operator the identity of the user (hereinafter the hosting party). The hosting party is analogous to a mobile phone subscriber, and the module is analogous to a Subscriber Identity Module (SIM) card. The HPM is provided to the user by the mobile network operator. The HPM can be removed from the HNB, that is, the HPM and the HNB can be changed independently of each other. The HPM allows the HNB to carry a user-based identity without affecting the HNB manufacturer. The most important significance of the HPM is that, when the device manufacturer of the HNB is separate from the HNB service provider, it allows the user applying for service to be authenticated effectively.
A Trusted Environment (hereinafter TrE) is a logically or physically independent entity deployed on the HNB. It refers in particular to a secure storage environment on the HNB, used to store certain sensitive data of the HNB, such as the credential representing the identity of the HNB device.
In the course of implementing the embodiments of the present invention, the inventors found that the prior art has at least the following problem:
In the prior art, every restart of the HNB requires a complete and repeated authentication process with the core network, which undoubtedly increases the burden on network-side servers.
Summary of the invention
The embodiments of the present invention provide an authentication method, a trusted environment unit and a home NodeB, so as to reduce the burden of HNB authentication on the network side.
An embodiment of the present invention provides an authentication method based on a home NodeB trusted environment, comprising:
performing device identity authentication on an HNB;
performing identity authentication on a TrE arranged on the HNB;
authenticating the identity binding relationship between the HNB and the TrE;
performing non-identity authentication on the HNB; and
obtaining the non-identity authentication data of the HNB and storing it in the TrE.
An embodiment of the present invention provides another authentication method based on a home NodeB trusted environment, comprising:
performing device identity authentication on an HNB;
performing identity authentication on a TrE;
authenticating the identity binding relationship between the HNB and the TrE; and
performing non-identity authentication on the HNB through the TrE.
An embodiment of the present invention provides a further authentication method based on a home NodeB trusted environment, comprising:
a TrE receiving a UE identity authentication request sent by user equipment (User Equipment, hereinafter UE); and
performing identity authentication on the UE through the TrE.
An embodiment of the present invention provides a trusted environment unit, comprising:
an authentication data storage module, configured to store the non-identity authentication data of an HNB; and
an authentication module, configured to perform non-identity authentication on the HNB according to the non-identity authentication data of the HNB stored in the authentication data storage module.
An embodiment of the present invention also provides a home NodeB comprising a TrE unit, the TrE unit being provided with:
an authentication data storage module, configured to store the non-identity authentication data of the HNB; and
an authentication module, configured to perform non-identity authentication on the HNB according to the non-identity authentication data of the HNB stored in the authentication data storage module.
By providing an authentication method, a trusted environment unit and a home NodeB, the embodiments of the present invention make full use of the characteristics of the TrE: the non-identity authentication data obtained after the first authentication of the HNB is stored in the TrE, so that when the HNB restarts the relevant non-identity authentication can be performed through the TrE, thereby alleviating the burden of HNB authentication on the network side.
Description of drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a first embodiment of the authentication method based on a home NodeB trusted environment according to the present invention;
Fig. 2 is a signaling flow chart of a second embodiment of the authentication method based on a home NodeB trusted environment according to the present invention;
Fig. 3 is a signaling flow chart of a third embodiment of the authentication method based on a home NodeB trusted environment according to the present invention;
Fig. 4 is a signaling flow chart of a fourth embodiment of the authentication method based on a home NodeB trusted environment according to the present invention;
Fig. 5 is a signaling flow chart of a fifth embodiment of the authentication method based on a home NodeB trusted environment according to the present invention;
Fig. 6 is a flow chart of a sixth embodiment of the authentication method based on a home NodeB trusted environment according to the present invention;
Fig. 7 is a signaling flow chart of a seventh embodiment of the authentication method based on a home NodeB trusted environment according to the present invention;
Fig. 8 is a signaling flow chart of an eighth embodiment of the authentication method based on a home NodeB trusted environment according to the present invention;
Fig. 9 is a signaling flow chart of a ninth embodiment of the authentication method based on a home NodeB trusted environment according to the present invention.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the network type in the following embodiments may be a Global System for Mobile Communication (hereinafter GSM) network, a Code Division Multiple Access (hereinafter CDMA) network, a Wideband CDMA (hereinafter WCDMA) network, a Worldwide Interoperability for Microwave Access (hereinafter WiMAX) network, a Time Division-Synchronous CDMA (hereinafter TD-SCDMA) network or a Long Term Evolution (hereinafter LTE) network, etc. The type of radio access device may be a home NodeB, a picocell (Pico), a UMTS AP (Universal Mobile Telecommunications System AP, hereinafter UMTS AP), a WiMAX femto base station or a WiMAX macro base station, etc. The user device type in the following embodiments may be a mobile terminal such as a mobile phone, a notebook computer or a Personal Digital Assistant (hereinafter PDA).
Because an HNB is on the one hand a user device deployed in the user's home, and on the other hand an operator device that, like a macro base station, provides access to users, this dual role leads the operator to place very high security requirements on the HNB. Therefore, after the home NodeB powers up and establishes a physical connection with the operator, the operator needs to perform the relevant authentication on the HNB. In the prior art, the non-identity authentication of the HNB is based on a non-trusted environment with low secure storage capability; the function of the TrE is not fully used, which to some extent reduces the application space of the TrE. Moreover, the TrE possesses its own independent identity information, which can be associated with the HNB and the HPM. Once the HNB is equipped with a TrE, the network side's authentication of the HNB will involve authentication of the TrE and authentication of the association between the TrE and the HNB. The embodiments of the present invention concern how the network side implements the authentication flow for an HNB equipped with a TrE, and how the HNB-related authentication is localized on the basis of a TrE with higher secure storage performance.
First embodiment
Fig. 1 is a flow chart of a first embodiment of the authentication method based on a home NodeB trusted environment according to the present invention. As shown in Fig. 1, this embodiment describes the authentication flow of the HNB at initial start-up, comprising the following steps:
Step 11: perform device identity authentication on the HNB.
The network side first needs to authenticate the identity of the HNB device itself. The identity authentication of the HNB is mainly based on an identity credential, which has two forms: one based on a certificate, the other based on an Authentication and Key Agreement (hereinafter AKA) credential. The authentication process mainly consists of the authentication flow exchanged between the security gateway and the Authentication, Authorization and Accounting (hereinafter AAA) server on the network side and the HNB.
Step 12: perform identity authentication on the TrE arranged on the HNB.
The TrE may likewise be authenticated in a certificate-based mode; the authentication process mainly consists of the authentication flow exchanged between the security gateway and the AAA server on the network side and the TrE on the HNB.
Step 13: authenticate the identity binding relationship between the HNB and the TrE.
The binding relationship is authenticated mainly by the AAA server: it looks up its previously stored binding relationship according to the identity identifier of the TrE, and compares it with the HNB identity identifier sent by the HNB, thereby verifying the binding relationship.
Step 14: perform non-identity authentication on the HNB. The non-identity authentication of the HNB may include: authentication of the HPM on the HNB, location authentication of the HNB, and authentication of UEs.
Step 15: obtain the non-identity authentication data of the HNB and store it in the TrE. Corresponding to the above types of non-identity authentication, the non-identity authentication data may include: HPM authentication data, HNB location authentication data and UE authentication data.
After the non-identity authentication succeeds, part of the authentication data maintained by the network side (mainly the authentication data relevant to the non-identity authentication) is downloaded into the local TrE of the HNB. When the HNB restarts or re-authenticates, the non-identity authentication process can then be carried out in the local TrE of the HNB. This gives full play to the function of the TrE, and the restart or re-authentication process no longer requires the participation of the core network, reducing the burden on the network side.
Second embodiment
Fig. 2 is a signaling flow chart of a second embodiment of the authentication method based on a home NodeB trusted environment according to the present invention. As shown in Fig. 2, this embodiment describes in detail the authentication flow of the HNB at initial start-up, comprising the following steps:
Step 101: the HNB and the security gateway (Secure Gateway, hereinafter SGW) establish an IKE_SA_INIT (IKE initialization) connection.
Step 102: the HNB sends an IKE_AUTH_REQ (IKE authentication request) to the SGW, carrying the identity identifiers of the HNB and the TrE. It should be noted that the identity credential of the HNB has two forms, one certificate-based and the other AKA-credential-based; this embodiment describes the AKA-credential case. If a certificate-based authentication mechanism is adopted, a certificate verification procedure needs to be carried out between the HNB and the SGW.
Step 103: the SGW verifies the identity of the TrE. The TrE is authenticated in a certificate-based mode.
Step 104: the SGW sends an Authentication Request/Identity request to the AAA server, carrying the identity identifiers of the HNB and the TrE.
Step 105: the AAA server performs HNB authentication. The specific process may be similar to the following: the AAA server initiates an AKA authentication challenge request, obtains an authentication vector (AV), runs the AKA algorithm, and accepts the authentication challenge response of the HNB, thereby achieving mutual authentication between the HNB and the network side.
Step 106: the AAA server authenticates the binding relationship between the HNB and the TrE. The specific process may be similar to the following: the AAA server obtains the binding relationship between the HNB and the TrE from a relevant database network element (such as the Home Location Register, hereinafter HLR), looks up its previously stored binding relationship according to the TrE identity identifier forwarded by the HNB, and compares it with the received HNB identity identifier, thereby verifying the binding relationship.
Step 107: the AAA server sends a TrE authentication success and binding relationship authentication success response (Authentication Response/success) to the SGW.
Step 108: the SGW notifies the HNB of authentication success through an IKE_AUTH_RES (IKE authentication response) message.
Step 109: after receiving the authentication success message, the HNB triggers platform integrity authentication of the HNB.
Step 110: platform integrity authentication of the HNB is carried out between the HNB and the integrity authentication server. Integrity authentication requires the network side to store a reference metric of HNB integrity; this storage may, for example, be a storage function newly added to an existing network element such as the HLR, or it may reside on a newly added network element. After integrity authentication finishes, a corresponding secure channel can be established between the HNB and the SGW.
Step 111: the HNB and the network side carry out the subsequent relevant non-identity authentication, such as HNB location authentication, HPM authentication and UE authentication. At the same time, the AAA server needs to obtain from the authentication database the relevant data used for the non-identity authentication.
Step 112: after the non-identity authentication succeeds, part of the authentication data maintained by the AAA server (mainly the data used for non-identity authentication) is downloaded into the local TrE of the HNB. In this way, when the HNB restarts or re-authenticates, the authentication process is carried out in the local TrE of the HNB.
It should be noted that in this embodiment and the following embodiments, the network-side authentication process is described in terms of network elements such as the AAA server and the SGW, but the authentication of the HNB in the embodiments of the present invention is not limited to these network elements; those skilled in the art will understand that other network elements similar to those named may also be used to carry out the corresponding authentication process.
In this embodiment, after the HNB starts for the first time, it interacts with the SGW and the AAA server on the network side to complete the device identity authentication of the HNB, the TrE authentication, the authentication of the binding relationship between the two, and the platform integrity authentication; it then performs the relevant non-identity authentication, and after the non-identity authentication succeeds, part of the authentication data maintained by the network side (mainly the authentication data relevant to the non-identity authentication) is downloaded into the local TrE of the HNB. When the HNB restarts or re-authenticates, the non-identity authentication process can be carried out in the local TrE of the HNB, giving full play to the function of the TrE; the restart or re-authentication process no longer requires interaction with network-side servers such as the SGW and the AAA server, reducing the burden on the network side.
The 3rd embodiment
Fig. 3 is a signaling flow chart of a third embodiment of the authentication method based on a home NodeB trusted environment according to the present invention. As shown in Fig. 3, this embodiment focuses on the network side's authentication of the HPM at initial start-up of the HNB, further detailing steps 111 to 112 of the second embodiment above.
HPM authentication refers to the mobile network operator's authentication of the user of the HNB. There are usually two scenarios:
Scenario A: the HPM is bound to the HNB device.
In this scenario, completing HNB device authentication also completes HPM authentication. No extra authentication step is needed; EAP-AKA (Extensible Authentication Protocol - Authentication and Key Agreement) and certificate authentication can serve as the HPM authentication. This scheme applies to scenarios in which the HPM does not change.
Scenario B: the HPM and the HNB device are separate. There are currently two solutions for this scenario:
B1: certificate-based HNB device authentication together with EAP-AKA-based HPM authentication.
This scheme first uses certificates between the HNB and the SGW to perform device authentication on its own, and then performs EAP-AKA HPM authentication.
B2: binding of the HPM ID to the HNB device ID.
The HNB is a device with an embedded HPM, and each device has an equipment identifier (EI) representing its own identity. The HNB-EI is set in the HNB by the manufacturer at the factory. The HLR on the network side can store an HNB-EI record corresponding to each HPM-ID, the record representing the binding relationship between the HNB-EI and the HPM-ID. The AAA server can authenticate the binding relationship on the basis of this record.
In the scenario of this embodiment, where HPM authentication and HNB device authentication are separate, the binding relationship between the HPM and the HNB device need not be authenticated. In this embodiment, the HPM authentication process comprises the following steps:
Step 1110: the TrE obtains the identity identifier of the HPM of the HNB; this can be done through the interface between the HNB and the TrE.
Step 1111: the HNB sends an IKE_AUTH_REQ (IKE authentication request) to the SGW, carrying the identity identifiers of the HPM and the TrE.
Step 1112: the SGW sends an Authentication Request/Identity request to the AAA server, carrying the identity identifiers of the HPM and the TrE.
Step 1113: the AAA server obtains multiple authentication vectors (AVs) from the HLR.
Step 1114: the AAA server initiates an EAP Request/AKA (SIM) challenge request to the SGW.
Step 1115: the SGW sends the EAP Request/AKA (SIM) challenge request to the HNB in an IKE_AUTH_RES (IKE authentication response) message.
Step 1116: the HNB returns an EAP Response/AKA (SIM) challenge to the SGW in an IKE_AUTH_REQ (IKE authentication request) message.
Step 1117: the SGW returns the EAP Response/AKA (SIM) challenge to the AAA server.
In steps 1114 to 1117, the EAP-AKA authentication flow is carried out between the AAA server and the HNB, thereby completing the authentication of the HPM.
Step 1118: the AAA server verifies the binding relationship between the HPM and the TrE. The AAA server looks up the previously stored binding relationship on the basis of the identity identifier of the HPM and verifies the identity identifier of the TrE against it.
Step 1119: the AAA server sends Authentication Response/EAP-AKA (SIM) success (the HPM authentication success and binding relationship authentication success response) to the SGW.
Step 1120: the SGW sends the HPM authentication success and binding relationship authentication success response to the HNB in an IKE_AUTH_RES message.
Step 1121: the HNB initiates a Boot request (initial start request) to the AHR (AP home registration server).
Step 1122: the AHR requests the authentication vectors of the HPM from the AAA server through a retrieving authentication data message; multiple vectors may be requested, so as to ensure that each local authentication is fresh.
Step 1123: the AAA server responds to the request, returning to the AHR the unused AVs it has stored (each AV comprising the parameters XRES (expected response), RAND (random number) and AUTN (authentication token)).
Step 1124: the AHR sends a Boot response (initial start response) to the HNB, carrying the HPM authentication data.
Step 1125: the TrE securely stores the HPM authentication data, thereby localizing the authentication data.
In this embodiment, after the HNB starts for the first time, it interacts with the SGW and the AAA server on the network side to complete the HPM authentication within the non-identity authentication, and after the authentication succeeds, part of the HPM authentication data maintained by the network side is downloaded into the local TrE of the HNB. When the HNB restarts or re-authenticates, the HPM authentication process can be carried out in the local TrE of the HNB without further interaction with network-side servers such as the SGW and the AAA server, giving full play to the function of the TrE and reducing the burden on the network side.
The 4th embodiment
Fig. 4 is a signaling flow chart of a fourth embodiment of the authentication method based on a home NodeB trusted environment according to the present invention. As shown in Fig. 4, this embodiment focuses on the network side's flow of location authentication of the HNB at initial start-up, again further detailing steps 111 to 112 of the second embodiment above. It comprises the following steps:
Step 2110: the HNB initiates a Boot request (initial start request) to the AHR, carrying the current location information of the HNB.
Step 2111: the AHR performs location authentication.
Step 2112: the AHR sends a Boot response (initial start response) to the HNB, carrying the encrypted, authenticated location information.
Step 2113: after receiving this location information, the HNB can send it to the TrE.
Step 2114: the TrE verifies the source of the information; if the verification passes, it takes this location information as the reference value for the location information of the current user (corresponding to the current HPM) and stores it securely.
In this embodiment, after the HNB starts for the first time, it interacts with the SGW and the AAA server on the network side to complete the HNB location authentication within the non-identity authentication, and after the authentication succeeds, part of the HNB location authentication data maintained by the network side is downloaded into the local TrE of the HNB. When the HNB restarts or re-authenticates, the HNB location authentication process can be carried out in the local TrE of the HNB without further interaction with network-side servers such as the SGW, the AAA server and the AHR, giving full play to the function of the TrE and reducing the burden on the network side.
The 5th embodiment
Fig. 5 is a signaling flow chart of a fifth embodiment of the authentication method based on a home NodeB trusted environment according to the present invention. As shown in Fig. 5, this embodiment focuses on the processing flow when a UE initiates authentication for the first time after the initial start-up of the HNB, again further detailing steps 111 to 112 of the second embodiment above. It comprises the following steps:
Step 3110: the UE initiates an identity authentication request through the HNB, carrying its identity information; the request is sent to the AAA server.
Step 3111: the AAA server can run the AKA algorithm to authenticate the UE.
Step 3112: the AAA server sends the encrypted UE authentication data (which may be parameters such as RAND, AUTN and XRES from the AVs stored in the AAA server, and may be multiple sets) to the HNB in the authentication response.
Step 3113: the HNB sends an authentication success response message to the UE.
Step 3114: the HNB sends the encrypted UE authentication data to the TrE.
Step 3115: the TrE decrypts this authentication data and securely stores the UE authentication data.
In this embodiment, after the HNB starts for the first time, the UE and the HNB interact with the SGW and the AAA server on the network side to complete the UE authentication within the non-identity authentication, and after the authentication succeeds, part of the UE identity authentication data maintained by the network side is downloaded into the local TrE of the HNB. When the HNB restarts or re-authenticates, or when the UE needs to authenticate again, the UE authentication process can be carried out in the local TrE of the HNB; only interaction between the UE and the HNB is needed, with no further interaction with network-side servers such as the SGW, the AAA server and the AHR, giving full play to the function of the TrE and reducing the burden on the network side.
The 6th embodiment
Fig. 6 is a flow chart of a sixth embodiment of the authentication method based on a home NodeB trusted environment according to the present invention. As shown in Fig. 6, this embodiment focuses on the authentication flow when the HNB restarts or re-authenticates. As can be seen from the first to fifth embodiments above, after the initial start-up of the HNB and after it has passed the network side's authentication, part of the authentication data maintained by the network side (mainly the authentication data relevant to the non-identity authentication) is downloaded into the local TrE of the HNB. Thus, when the HNB restarts or re-authenticates, the relevant non-identity authentication can be performed directly and locally, without the participation of the network side. This embodiment comprises the following steps:
Step 21: perform identity authentication on the HNB;
Step 22: perform identity authentication on the TrE;
Step 23: authenticate the identity binding relationship between the HNB and the TrE.
Steps 21 to 23 may specifically follow the flow of steps 101 to 110 of the second embodiment, which is not repeated here.
Step 24: perform non-identity authentication on the HNB through the TrE. The non-identity authentication may include: authentication of the HPM, location authentication of the HNB and authentication of UEs.
In this embodiment, the non-identity authentication data obtained during the authentication flow at the initial start-up of the HNB has been stored in the TrE. When the HNB restarts or re-authenticates, the relevant non-identity authentication can be performed on the basis of the non-identity authentication data stored in the local TrE, without further interaction with network-side servers such as the SGW, the AAA server and the AHR, giving full play to the function of the TrE and reducing the burden on the network side.
The 7th embodiment
Fig. 7 is a signaling flow chart of the seventh embodiment of the authentication method based on the Home NodeB trusted environment according to the present invention. As shown in Fig. 7, this embodiment focuses on the HPM identity authentication procedure when the HNB restarts or is re-authenticated. The procedure described here is a concrete example of step 24 in the sixth embodiment; when the HNB starts again, steps 21 to 23 of the sixth embodiment are likewise performed. This embodiment comprises the following steps:
Step 4110: the HPM initiates an identity authentication request to the TrE; this can be done through the interface between the HNB and the TrE.
Step 4111: the TrE looks up an unused authentication vector (AV) that it holds.
Step 4112: the TrE initiates an authentication challenge request to the HPM, carrying an AV (the AV includes the RAND and AUTN parameters).
Step 4113: the HPM calculates the response RES from the received RAND and AUTN parameters and its stored key (RES is the response computed from the key together with RAND and AUTN).
Step 4114: the HPM returns an authentication challenge response carrying the above RES.
Step 4115: the TrE performs HPM authentication. The TrE compares the received RES with the XRES it stores (a parameter downloaded into the TrE after the authentication procedure completed at the HNB's initial start-up); if they are consistent, the TrE authenticates the HPM successfully and generates an authentication-success result; otherwise it generates an authentication-failure result.
Step 4116: the TrE returns the authentication result to the HPM.
Step 4117: the TrE notifies the network-side AAA server of the authentication result.
In this embodiment, the HPM identity authentication data obtained during the authentication procedure at the HNB's initial start-up is stored in the TrE. When the HNB restarts or is re-authenticated, HPM authentication can be performed based on the HPM identity authentication data stored in the local TrE, without further interaction with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the load on the network side.
The 8th embodiment
Fig. 8 is a signaling flow chart of the eighth embodiment of the authentication method based on the Home NodeB trusted environment according to the present invention. As shown in Fig. 8, this embodiment focuses on the HNB location authentication procedure when the HNB restarts or is re-authenticated. The procedure described here is likewise a concrete example of step 24 in the sixth embodiment; when the HNB restarts or is re-authenticated, steps 21 to 23 of the sixth embodiment are likewise performed. This embodiment comprises the following steps:
Step 5110: the HNB sends a location authentication request to the TrE, carrying the current location information of the HNB.
Step 5111: the TrE performs location authentication. The TrE compares the current location information with the location information stored in the TrE; if they are consistent, it generates a location authentication result of authentication success, otherwise it generates a location authentication result of authentication failure.
Step 5112: the TrE notifies the HNB of the location authentication result.
Step 5113: the TrE notifies the network-side AHR of the location authentication result.
In this embodiment, the HNB location authentication data obtained during the authentication procedure at the HNB's initial start-up is stored in the TrE. When the HNB restarts or is re-authenticated, HNB location authentication can be performed based on the HNB location authentication data stored in the local TrE, without further interaction with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the load on the network side.
The 9th embodiment
Fig. 9 is a signaling flow chart of the ninth embodiment of the authentication method based on the Home NodeB trusted environment according to the present invention. As shown in Fig. 9, this embodiment focuses on the authentication procedure when a UE that has already passed network-side authentication once is authenticated again. After the HNB's initial start-up, if a UE has completed authentication with the network side, the UE authentication data relevant to that UE has been stored in the local TrE, so when the HNB receives another identity authentication request from the same UE it can complete the authentication directly through the TrE. The UE's re-authentication may take place after the HNB's initial start-up, or when the HNB restarts or is re-authenticated. The authentication procedure of this embodiment is as follows:
Step 6110: the TrE receives a UE identity authentication request sent by the UE, carrying the identity identifier of the UE.
Step 6111: the TrE compares the UE identity identifier carried in the UE identity authentication request with the UE identity identifier stored in the TrE; if they are consistent, it generates a UE identity authentication result of authentication success, otherwise it generates a UE identity authentication result of authentication failure.
Step 6112: the TrE notifies the UE of the UE identity authentication result.
Step 6113: the TrE notifies the network-side AAA server of the UE identity authentication result.
In this embodiment, the UE identity authentication data obtained by the HNB during the authentication procedure at its initial start-up is stored in the TrE. When the HNB restarts or is re-authenticated, UE authentication can be performed based on the UE identity authentication data stored in the local TrE, without further interaction with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the load on the network side.
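The three local checks the TrE performs in the seventh, eighth and ninth embodiments (HPM challenge-response against a stored AV, HNB location comparison, UE identity comparison), as an added Python illustration that is not code from the patent. The `TrE`, `HPM` and `AuthVector` names, the HMAC-based stand-in for the HPM's key-derived response function, and the constructed AVs and sample values are all assumptions; the patent only states that RES is computed from the key, RAND and AUTN and compared with the stored XRES.

```python
"""Offline verification inside a Home NodeB trusted environment (TrE).

Added illustration, not code from the patent. The TrE never holds the HPM key: it
only holds AVs (RAND, AUTN, XRES) downloaded at initial start-up, the authenticated
location, and the identities of UEs that the network side already authenticated.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthVector:
    """One AV as stored in the TrE: challenge (RAND, AUTN) plus expected response XRES."""
    rand: bytes
    autn: bytes
    xres: bytes


def compute_res(key: bytes, rand: bytes, autn: bytes) -> bytes:
    """Stand-in (assumption) for the HPM's response function: HMAC over RAND||AUTN."""
    return hmac.new(key, rand + autn, hashlib.sha256).digest()[:8]


def provision_avs(key: bytes, count: int) -> list[AuthVector]:
    """Constructed stand-in for the AV sets the network side hands down at start-up.

    XRES is precomputed by the key holder, so the TrE can verify without the key."""
    avs = []
    for _ in range(count):
        rand, autn = secrets.token_bytes(16), secrets.token_bytes(16)
        avs.append(AuthVector(rand, autn, compute_res(key, rand, autn)))
    return avs


class HPM:
    """Hosting party module: holds the long-term key and answers challenges (step 4113)."""
    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, rand: bytes, autn: bytes) -> bytes:
        return compute_res(self._key, rand, autn)


class TrE:
    """Trusted environment holding the downloaded non-identity authentication data."""
    def __init__(self, hpm_avs, hnb_location: str, ue_ids) -> None:
        self._avs = list(hpm_avs)            # unused AVs, each consumed by one challenge
        self._pending: AuthVector | None = None
        self._location = hnb_location        # authenticated location stored at start-up
        self._ue_ids = set(ue_ids)           # UEs authenticated by the network side
        # results the TrE reports to the network side (steps 4117, 5113, 6113)
        self.network_notifications: list[tuple[str, str, bool]] = []

    def issue_hpm_challenge(self) -> tuple[bytes, bytes]:
        """Steps 4111/4112: pick an unused AV and hand RAND, AUTN to the HPM."""
        if self._pending is not None:
            raise RuntimeError("a challenge is already outstanding")
        if not self._avs:
            raise LookupError("no unused AV left; network-side re-authentication needed")
        self._pending = self._avs.pop(0)
        return self._pending.rand, self._pending.autn

    def verify_hpm_response(self, res: bytes) -> bool:
        """Step 4115: constant-time compare of RES with the stored XRES; AV is spent."""
        if self._pending is None:
            raise RuntimeError("no outstanding challenge")
        av, self._pending = self._pending, None
        ok = hmac.compare_digest(res, av.xres)
        self.network_notifications.append(("AAA", "HPM", ok))
        return ok

    def authenticate_location(self, current_location: str) -> bool:
        """Step 5111: compare reported location with the stored authenticated one."""
        ok = hmac.compare_digest(current_location.encode(), self._location.encode())
        self.network_notifications.append(("AHR", "HNB-location", ok))
        return ok

    def authenticate_ue(self, ue_id: str) -> bool:
        """Step 6111: the UE identity must be one stored at initial authentication."""
        ok = ue_id in self._ue_ids
        self.network_notifications.append(("AAA", "UE", ok))
        return ok

    def unused_avs(self) -> int:
        return len(self._avs)
```

Because each AV is spent on use, a TrE that runs out of AVs has to fall back to the network-side procedure, which is the boundary between the local re-authentication of these embodiments and the initial start-up flow.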
The tenth embodiment
This embodiment is an embodiment of a TrE unit. The TrE unit comprises an authentication data storage module and an authentication module. The authentication data storage module stores the non-identity authentication data of the HNB; the authentication module performs non-identity authentication of the HNB according to the non-identity authentication data of the HNB stored in the authentication data storage module.
The authentication data storage module may comprise: an HPM authentication data storage module and/or a UE authentication data storage module and/or an HNB location authentication data storage module. The authentication module comprises: an HPM authentication module and/or an HNB location authentication module and/or a UE authentication module. When the HPM authentication module performs HPM authentication, it calls the data stored in the HPM authentication data storage module; likewise, the HNB location authentication module corresponds to the HNB location authentication data storage module, and the UE authentication module corresponds to the UE authentication data storage module.
The 11th embodiment
The embodiment of the invention also provides a Home NodeB, which comprises the TrE unit of the tenth embodiment and is not described again here.
It can be seen from the above embodiments that the embodiments of the invention make full use of the characteristics of the TrE: the non-identity authentication data obtained after the first HNB authentication is stored in the TrE, so that when the HNB restarts the relevant non-identity authentication can be performed through the TrE. This relieves the network side of the burden of HNB authentication, removes the need to bind device identity and user identity by means of HPM-ID and HNB-ID, and spares the operator the extra burden of setting up a database.
It should be noted that non-identity authentication in the embodiments of the invention means authentication related to the HNB other than the device identity authentication of the HNB and the TrE identity authentication, such as HNB location authentication, HPM authentication, and authentication of UEs accessing the HNB.
The units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are performed in hardware or software depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementation should not be regarded as going beyond the scope of the invention.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein may be implemented in hardware, in software modules executed by a processor, or in a combination of the two. Software modules may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (18)

1. An authentication method based on a Home NodeB trusted environment, characterized in that it comprises:
performing device identity authentication of the Home NodeB;
performing identity authentication of the trusted environment arranged on the Home NodeB;
performing authentication of the identity binding relationship between the Home NodeB and the trusted environment;
performing non-identity authentication of the Home NodeB, the non-identity authentication being authentication related to the Home NodeB other than the device identity authentication of the Home NodeB and the trusted environment identity authentication;
obtaining the non-identity authentication data of the Home NodeB and storing it in the trusted environment.
2. The authentication method based on a Home NodeB trusted environment according to claim 1, characterized in that performing non-identity authentication of the Home NodeB, and obtaining the non-identity authentication data of the Home NodeB and storing it in the trusted environment, specifically comprises: performing identity authentication of the user identity module (HPM) on the Home NodeB, and obtaining the authentication data of the user identity module and storing it in the trusted environment.
3. The authentication method based on a Home NodeB trusted environment according to claim 2, characterized in that performing identity authentication of the user identity module on the Home NodeB, and obtaining the authentication data of the user identity module and storing it in the trusted environment, specifically comprises:
obtaining the identity identifier of the user identity module through the trusted environment;
sending a user identity module identity authentication request to the authentication, authorization and accounting (AAA) server, the request carrying the identity identifiers of the user identity module and of the trusted environment;
performing, through the AAA server, identity authentication of the user identity module and authentication of the binding relationship between the user identity module and the trusted environment;
obtaining the user identity module authentication data from the AP home register (AHR) and storing it in the trusted environment.
4. The authentication method based on a Home NodeB trusted environment according to claim 1, characterized in that performing non-identity authentication of the Home NodeB, and obtaining the non-identity authentication data of the Home NodeB and storing it in the trusted environment, specifically comprises: performing location authentication of the Home NodeB, and obtaining the location authentication data of the Home NodeB and storing it in the trusted environment.
5. The authentication method based on a Home NodeB trusted environment according to claim 4, characterized in that performing location authentication of the Home NodeB, and obtaining the location authentication data of the Home NodeB and storing it in the trusted environment, specifically comprises:
initiating an initial start request to the AP home register (AHR), the initial start request carrying the current location information of the Home NodeB;
performing location authentication of the Home NodeB through the AHR;
receiving the initial start response returned by the AHR, the initial start response carrying the authenticated location information;
storing the authenticated location information in the trusted environment.
6. The authentication method based on a Home NodeB trusted environment according to claim 1, characterized in that performing non-identity authentication of the Home NodeB, and obtaining the non-identity authentication data of the Home NodeB and storing it in the trusted environment, specifically comprises: performing identity authentication of a UE, and obtaining the authentication data of the UE and storing it in the trusted environment.
7. The authentication method based on a Home NodeB trusted environment according to claim 6, characterized in that performing identity authentication of the UE, and obtaining the authentication data of the UE and storing it in the trusted environment, specifically comprises:
receiving a UE authentication request initiated by the UE and forwarding it to the authentication, authorization and accounting (AAA) server, the UE authentication request carrying the identity information of the UE;
performing identity authentication of the UE through the AAA server;
receiving the UE authentication data returned by the AAA server;
storing the UE authentication data in the trusted environment.
8. The authentication method based on a Home NodeB trusted environment according to claim 1, characterized in that, after performing authentication of the identity binding relationship between the Home NodeB and the trusted environment, the method further comprises: performing authentication of the platform integrity of the Home NodeB.
9. An authentication method based on a trusted environment of a Home NodeB, characterized in that the trusted environment stores the non-identity authentication data of the Home NodeB, the method comprising:
performing device identity authentication of the Home NodeB;
performing identity authentication of the trusted environment;
performing authentication of the identity binding relationship between the Home NodeB and the trusted environment;
performing, through the trusted environment and according to the stored non-identity authentication data of the Home NodeB, non-identity authentication of the Home NodeB, the non-identity authentication being authentication related to the Home NodeB other than the device identity authentication of the Home NodeB and the trusted environment identity authentication.
10. The authentication method based on a Home NodeB trusted environment according to claim 9, characterized in that performing non-identity authentication of the Home NodeB through the trusted environment specifically comprises:
performing identity authentication of the user identity module on the Home NodeB through the trusted environment.
11. The authentication method based on a Home NodeB trusted environment according to claim 10, characterized in that performing identity authentication of the user identity module on the Home NodeB through the trusted environment specifically comprises:
the user identity module initiates an identity authentication request to the trusted environment;
the trusted environment initiates an authentication challenge request to the user identity module, the authentication challenge request carrying a random number RAND and an authentication token AUTN parameter;
the user identity module calculates a response RES from the received RAND and AUTN parameters and its stored key;
the user identity module initiates an authentication challenge response, the response carrying the response RES;
the trusted environment judges whether the value of the response RES is consistent with the expected response XRES; if consistent, it generates a user identity module identity authentication result of authentication success, otherwise it generates a user identity module identity authentication result of authentication failure;
the trusted environment returns the user identity module identity authentication result to the user identity module;
the trusted environment notifies the authentication, authorization and accounting (AAA) server of the user identity module identity authentication result.
12. The authentication method based on a Home NodeB trusted environment according to claim 9, characterized in that performing non-identity authentication of the Home NodeB through the trusted environment specifically comprises: performing location authentication of the Home NodeB through the trusted environment.
13. The authentication method based on a Home NodeB trusted environment according to claim 12, characterized in that performing location authentication of the Home NodeB through the trusted environment specifically comprises:
the Home NodeB sends a location authentication request to the trusted environment, the location authentication request carrying the current location information of the Home NodeB;
the trusted environment compares the current location information with the location information stored in the trusted environment; if consistent, it generates a location authentication result of authentication success, otherwise it generates a location authentication result of authentication failure;
the trusted environment notifies the AP home register (AHR) of the location authentication result.
14. The authentication method based on a Home NodeB trusted environment according to claim 9, characterized in that performing non-identity authentication of the Home NodeB through the trusted environment specifically comprises:
performing identity authentication of a UE through the trusted environment.
15. A trusted environment unit, characterized in that the trusted environment unit is arranged on a Home NodeB and comprises:
an authentication data storage module, for storing the non-identity authentication data of the Home NodeB, the non-identity authentication data being the non-identity authentication data obtained after the network side performs non-identity authentication of the Home NodeB following the Home NodeB's first start-up;
an authentication module, for performing, when the Home NodeB restarts or is re-authenticated, non-identity authentication of the Home NodeB according to the non-identity authentication data of the Home NodeB stored in the authentication data storage module, the non-identity authentication being authentication related to the Home NodeB other than the device identity authentication of the Home NodeB and the trusted environment identity authentication.
16. The trusted environment unit according to claim 15, characterized in that the authentication data storage module comprises: a user identity module authentication data storage module and/or a UE authentication data storage module and/or a Home NodeB location authentication data storage module.
17. The trusted environment unit according to claim 15, characterized in that the authentication module comprises: a user identity module authentication module and/or a Home NodeB location authentication module and/or a UE authentication module.
18. A Home NodeB, characterized in that it comprises a trusted environment unit, the trusted environment unit being provided with:
an authentication data storage module, for storing the non-identity authentication data of the Home NodeB, the non-identity authentication data being the non-identity authentication data obtained after the network side performs non-identity authentication of the Home NodeB following the Home NodeB's first start-up;
an authentication module, for performing, when the Home NodeB restarts or is re-authenticated, non-identity authentication of the Home NodeB according to the non-identity authentication data of the Home NodeB stored in the authentication data storage module, the non-identity authentication being authentication related to the Home NodeB other than the device identity authentication of the Home NodeB and the trusted environment identity authentication.
CN2009800001105A 2008-11-03 2009-06-03 Authentication method, trusted environment unit and home nodeb Expired - Fee Related CN101822083B (en)
