CN102056154B - IKE (Internet Key Exchange) authentication method and system, IKE response equipment and IKE initiating equipment - Google Patents

Info

Publication number: CN102056154B
Authority: CN (China)
Prior art keywords: authentication, exempt, ike, equipment, response
Legal status: Active
Application number: CN200910207794.8A
Other languages: Chinese (zh)
Other versions: CN102056154A
Inventors: 蔡安宁, 高晓峰, 武二华
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd
Priority to: CN200910207794.8A
Publications: CN102056154A; CN102056154B (application granted)

Landscapes

  • Mobile Radio Communication Systems (AREA)
Abstract

The invention discloses an IKE (Internet Key Exchange) authentication method and system, an IKE response device and an IKE initiating device. The method comprises: receiving a first authentication request sent by the IKE initiating device, the first authentication request carrying access information; obtaining an authentication-exempt condition and, when the access information meets the authentication-exempt condition, determining that the IKE initiating device is an authentication-exempt device; and returning a first authentication response to the authentication-exempt device, the first authentication response carrying authentication success information. Embodiments of the invention simplify the authentication flow, reduce access delay and lighten the load on the devices.

Description

IKE authentication method and system, IKE response device and IKE initiating device
Technical field
The present invention relates to mobile communication technology, and in particular to an Internet Key Exchange (IKE) authentication method and system, an IKE response device and an IKE initiating device.
Background technology
A wireless local area network (WLAN), acting as the radio access network of a user equipment (UE), lets the UE interwork with the core network so that the UE can access the core network. During access, the UE first attaches to the WLAN and then accesses the core network. In the prior art the UE must be authenticated by an Authentication, Authorization and Accounting (AAA) server both when it attaches to the WLAN and when it accesses the core network; usually both authentications are performed by the same AAA server. To set up a secure tunnel, the authentication procedure for core-network access by a WLAN UE can use IKE, with the WLAN UE acting as the IKE initiator and a Packet Data Gateway (PDG) or Packet Data Interworking Function (PDIF) acting as the IKE responder.
The prior art has at least the following problem: an authentication procedure that uses IKE, for example the authentication procedure for core-network access by a WLAN UE, is complex, which leads to long access delay and high demands on device performance.
Summary of the invention
Embodiments of the present invention provide an IKE authentication method and system, an IKE response device and an IKE initiating device, to solve the prior-art problems of long access delay and high demands on device performance.
Embodiments of the present invention provide an Internet Key Exchange (IKE) authentication method, comprising:
receiving a first authentication request sent by an IKE initiating device, the first authentication request carrying access information;
obtaining an authentication-exempt condition and, when the access information meets the authentication-exempt condition, determining that the IKE initiating device is an authentication-exempt device;
returning a first authentication response to the authentication-exempt device, the first authentication response carrying authentication success information.
Embodiments of the present invention provide an IKE authentication method, comprising:
sending a first authentication request to an IKE response device, the first authentication request carrying access information;
receiving a first authentication response returned by the IKE response device, the first authentication response carrying authentication success information, the IKE response device having sent the first authentication response because the access information meets the authentication-exempt condition obtained by the IKE response device.
Embodiments of the present invention provide an IKE response device, comprising:
a first receiving module for receiving a first authentication request sent by an IKE initiating device, the first authentication request carrying access information;
a determining module for obtaining an authentication-exempt condition and, when the access information meets the authentication-exempt condition, determining that the IKE initiating device is an authentication-exempt device;
a first sending module for returning a first authentication response to the authentication-exempt device, the first authentication response carrying authentication success information.
Embodiments of the present invention provide an IKE initiating device, comprising:
a third sending module for sending a first authentication request to an IKE response device, the first authentication request carrying access information;
a third receiving module for receiving a first authentication response returned by the IKE response device, the first authentication response carrying authentication success information, the IKE response device having sent the first authentication response because the access information meets the authentication-exempt condition obtained by the IKE response device.
Embodiments of the present invention provide an IKE authentication system, comprising:
an IKE initiating device for sending a first authentication request to an IKE response device, the first authentication request carrying access information;
an IKE response device for obtaining an authentication-exempt condition, determining, when the access information meets the authentication-exempt condition, that the IKE initiating device is an authentication-exempt device, and returning a first authentication response to the authentication-exempt device, the first authentication response carrying authentication success information.
As the above technical solution shows, by obtaining an authentication-exempt condition, embodiments of the present invention allow an IKE initiating device that meets the condition to skip authentication, which reduces access delay and lightens the load on the authenticating device.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the method of the first embodiment of the invention;
Fig. 2 is a schematic flow chart of the method of the second embodiment of the invention;
Fig. 3 is a schematic flow chart of the method of the third embodiment of the invention;
Fig. 4 is a schematic flow chart of the method of the fourth embodiment of the invention;
Fig. 5 is a schematic flow chart of the method of the fifth embodiment of the invention;
Fig. 6 is a schematic flow chart of the method of the sixth embodiment of the invention;
Fig. 7 is a schematic flow chart of the method of the seventh embodiment of the invention;
Fig. 8 is a schematic structural diagram of the IKE response device of the eighth embodiment of the invention;
Fig. 9 is a schematic structural diagram of the IKE response device of the ninth embodiment of the invention;
Fig. 10 is a schematic structural diagram of the IKE response device of the tenth embodiment of the invention;
Fig. 11 is a schematic structural diagram of the IKE response device of the eleventh embodiment of the invention;
Fig. 12 is a schematic flow chart of the method of the twelfth embodiment of the invention;
Fig. 13 is a schematic structural diagram of the IKE initiating device of the thirteenth embodiment of the invention;
Fig. 14 is a schematic structural diagram of the IKE authentication system of the fourteenth embodiment of the invention.
Detailed description of the embodiments
Fig. 1 is a schematic flow chart of the method of the first embodiment of the invention, comprising:
Step 11: the IKE response device receives a first authentication request sent by the IKE initiating device, the first authentication request carrying access information;
Embodiments of the invention are described using IKEv2 as an example. In an IKEv2 procedure, the device that initiates authentication is the IKE initiating device and the device that responds to authentication is the IKE response device. The following embodiments take a WLAN UE as the IKE initiating device and a gateway device (for example a PDG or PDIF) as the IKE response device. It will be understood that the embodiments can also be applied to other devices that use IKEv2.
To access the core network, a UE first attaches to the WLAN and then accesses the core network. In the prior art the UE must authenticate to an AAA server both for the WLAN attachment and for the core-network access. A UE that has been authenticated by the AAA server during WLAN attachment is called a WLAN UE. In the prior art the WLAN UE must then also be authenticated by the AAA server, via the gateway device, for core-network access; that authentication involves many flows and steps and increases the load on the AAA server. To address the relatively complex authentication procedure for core-network access by a WLAN UE, embodiments of the invention improve that procedure by introducing an authentication-exempt mechanism, while the UE's WLAN attachment still uses the existing technique. It will be understood that the embodiments are not limited to the authentication procedure for core-network access by a WLAN UE and can be applied to other scenarios that use the IKE protocol.
Taking a third-generation (3G) mobile communication system as the example core network, there are 3GPP and 3GPP2: 3GPP covers the Wideband Code Division Multiple Access (WCDMA) and Time Division Synchronous Code Division Multiple Access (TD-SCDMA) standards, and 3GPP2 covers the Code Division Multiple Access (CDMA) 2000 standard. The corresponding gateway device is the PDG under 3GPP and the PDIF under 3GPP2.
The access information comprises at least one of: the user identifier (user ID) of the WLAN UE; the identifier of the access point the WLAN UE wishes to access, i.e. the Access Point Name (APN); and the domain identifier to which the WLAN UE belongs, expressed as a realm or domain. The access information may also comprise other identification information, for example a Network Access Identifier (NAI) or an International Mobile Subscriber Identity (IMSI).
Step 12: the IKE response device obtains an authentication-exempt condition and, when the access information meets the authentication-exempt condition, determines that the IKE initiating device is an authentication-exempt device;
The authentication-exempt condition may be an authentication-exempt set, for example at least one of: a set of exempt user IDs, a set of exempt APNs, a set of exempt realms, or a set of exempt domains.
When at least one item of the access information belongs to the corresponding exempt set, the WLAN UE is an authentication-exempt user equipment. For example, when the access information contains a user ID and that user ID belongs to the set of exempt user IDs, the WLAN UE is an authentication-exempt user equipment; or when the access information contains an APN and that APN belongs to the set of exempt APNs, the WLAN UE is an authentication-exempt user equipment; or when the access information contains a realm and that realm belongs to the set of exempt realms, the WLAN UE is an authentication-exempt user equipment; or when the access information contains a domain and that domain belongs to the set of exempt domains, the WLAN UE is an authentication-exempt user equipment.
Alternatively, the authentication-exempt condition may be an authentication-exempt policy. For example, an external device stores subscription information for each user ID, and that subscription information includes the user's authentication-exempt policy. When the gateway device receives a user ID, it obtains the corresponding authentication-exempt policy according to that user ID. The policy may be complete exemption or conditional exemption. Under complete exemption, the user ID is not authenticated. Under conditional exemption, a condition is set for the user ID, for example a condition that the remaining access information under that user ID (such as the APN and/or realm and/or domain) must satisfy; when the condition is met, the WLAN UE is exempted from authentication. For example, under conditional exemption a set of exempt APNs can be configured for the user ID. Then, when the policy obtained according to the user ID in the access information contains a set of exempt APNs and the APN in the access information belongs to that set, the WLAN UE is an authentication-exempt user equipment. It will be understood that the remaining access information (realm or domain) can be configured in the same way as the APN above. Further, a condition that two or more parameters of the access information must satisfy can be configured for the user ID, for example a policy containing both a set of exempt APNs and a set of exempt realms, or other combinations. The external device may be an AAA server, a Policy and Charging Rules Function (PCRF), a Home Location Register (HLR), a Home Subscriber Server (HSS), etc. The above describes the authentication-exempt condition; those skilled in the art will appreciate that the ways of configuring it are not limited to those described. The embodiments focus on the fact that an authentication-exempt condition is configured; how it is configured in detail can be combined according to actual needs.
The authentication-exempt condition may be configured in the IKE response device or outside it, in an external device. "Obtaining" in the embodiments therefore includes both obtaining from the device itself and obtaining from an external device.
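The following is an added example, not code from the patent or from Huawei, that implements the two forms of authentication-exempt condition described in step 12 as a gateway would evaluate them: the set-based condition (the Fig. 4 embodiment) and the per-user-ID policy with complete or conditional exemption (the Fig. 5 and Fig. 6 embodiments). The key names `user_id`, `apn` and `realm`, the class and function names, and all sample values are constructed for illustration; the patent does not define them. Where the patent says the remaining access information "and/or" conditions must be satisfied, the example assumes every configured condition must hold.

```python
"""Authentication-exempt check performed by an IKE responder (gateway) in
step 12: a set-based condition (Fig. 4) or a per-user policy (Fig. 5/6).
Added example; names and sample values are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Access information the gateway extracts from the first IKE_AUTH request.
# Key names used here are an assumption: "user_id", "apn", "realm".
AccessInfo = Dict[str, str]


@dataclass(frozen=True)
class ExemptSets:
    """Pre-configured authentication-exempt sets (kept in the gateway itself
    or in an external device such as an AAA server, PCRF, HLR or HSS)."""
    user_ids: FrozenSet[str] = frozenset()
    apns: FrozenSet[str] = frozenset()
    realms: FrozenSet[str] = frozenset()   # realm/domain identifiers


def exempt_by_sets(info: AccessInfo, sets: ExemptSets) -> bool:
    """Set-based condition: exempt when at least one item of the access
    information belongs to its exempt set. Checks the APN, then the
    realm/domain, then the user ID, the order given for the Fig. 4 embodiment.
    A missing item (None) is never a member of a set."""
    if info.get("apn") in sets.apns:
        return True
    if info.get("realm") in sets.realms:
        return True
    return info.get("user_id") in sets.user_ids


@dataclass(frozen=True)
class ExemptPolicy:
    """Per-user-ID policy taken from the subscription information."""
    complete: bool                          # complete exemption: never authenticate
    apns: FrozenSet[str] = frozenset()      # conditional: APN must be in this set
    realms: FrozenSet[str] = frozenset()    # conditional: realm must be in this set


# Subscription store keyed by user ID; stands in for the external device.
SubscriptionStore = Dict[str, ExemptPolicy]


def exempt_by_policy(info: AccessInfo, store: SubscriptionStore) -> bool:
    """Policy-based condition. Complete exemption passes unconditionally;
    conditional exemption passes only when every configured condition on the
    remaining access information holds (assumed reading of the patent's
    'and/or'). A user ID with no stored policy, or a conditional policy that
    configures no condition at all, is not exempt and goes through AAA."""
    policy: Optional[ExemptPolicy] = store.get(info.get("user_id", ""))
    if policy is None:
        return False
    if policy.complete:
        return True
    conditions: List[bool] = []
    if policy.apns:
        conditions.append(info.get("apn") in policy.apns)
    if policy.realms:
        conditions.append(info.get("realm") in policy.realms)
    return bool(conditions) and all(conditions)


def decide(info: AccessInfo, sets: Optional[ExemptSets] = None,
           store: Optional[SubscriptionStore] = None) -> str:
    """Gateway decision for one first authentication request:
    'exempt' -> return authentication success directly (step 13),
    'aaa'    -> forward to the AAA server for the existing authentication."""
    if sets is not None and exempt_by_sets(info, sets):
        return "exempt"
    if store is not None and exempt_by_policy(info, store):
        return "exempt"
    return "aaa"


# Constructed sample configuration (not from the patent).
SAMPLE_SETS = ExemptSets(apns=frozenset({"internet.example"}),
                         realms=frozenset({"exempt.example"}),
                         user_ids=frozenset({"user-a@example.net"}))
SAMPLE_STORE: SubscriptionStore = {
    "user-a@example.net": ExemptPolicy(complete=True),
    "user-d@example.net": ExemptPolicy(complete=False,
                                       apns=frozenset({"internet.example"}),
                                       realms=frozenset({"exempt.example"})),
}

if __name__ == "__main__":
    for req in ({"user_id": "user-b@example.net", "apn": "internet.example"},
                {"user_id": "user-c@example.net", "apn": "ims.example"},
                {"user_id": "user-d@example.net", "apn": "internet.example",
                 "realm": "exempt.example"}):
        print(req["user_id"], "->", decide(req, SAMPLE_SETS, SAMPLE_STORE))
```

The set check and the policy check are kept as separate functions because the patent allows the gateway to use either or both; `decide` tries the set first and then the policy, and anything that matches neither goes through the existing AAA authentication unchanged.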
Step 13: when the IKE response device determines that the IKE initiating device is an authentication-exempt device, the IKE response device returns a first authentication response to the authentication-exempt device (the IKE initiating device), the first authentication response carrying authentication success information.
That is, taking the procedure for core-network access by a WLAN UE as an example, an authentication-exempt user equipment need not be authenticated by the AAA server again; authentication success information is returned to it directly.
By obtaining an authentication-exempt condition, the present embodiment allows an exempt IKE initiating device to skip authentication, which reduces authentication delay and lightens the load on the authenticating device.
Embodiments of the invention take the IKEv2 protocol as an example, so the IKEv2 protocol is first described briefly:
The IKEv2 protocol is designed to set up a secure tunnel between two devices. Its functions include establishing a signaling-plane secure tunnel, performing mutual authentication, negotiating the data-plane tunnel parameters (IPsec protocol, algorithms, keys, etc.) and establishing the tunnel between the two endpoints to protect the data transmitted between them. The authentication modes comprise public-key signature, shared key and the Extensible Authentication Protocol (EAP). The initiator chooses one of them and, in the third IKEv2 message, initiates an authentication request to the responder; when the third message carries no AUTH parameter, this indicates that EAP authentication will be used.
The procedure defined by the IKEv2 standard is as follows. Messages 1 and 2 negotiate the IKE security association (SA) parameters (tunnel setup parameters), establishing the tunnel used for IKE signaling. The messages starting from message 3 are used for the authentication procedure: if message 3 carries no Authentication (AUTH) payload, the initiator wishes to use the EAP authentication procedure, and that procedure continues until the responder returns an EAP message carrying authentication success or authentication failure. After the EAP authentication procedure ends, the initiator can send the responder a message that authenticates messages 1 and 2, and the responder delivers to the initiator the tunnel setup parameters used to establish the secure tunnel between the initiator and the responder.
Embodiments of the invention determine, according to the third message of the IKEv2 protocol, whether the corresponding IKE initiating device is an authentication-exempt device, and take the authentication procedure for core-network access by a WLAN UE as the example.
Further, an implementation of the embodiments may also configure whether messages 1 and 2 of the IKEv2 protocol need to be authenticated. When messages 1 and 2 need not be authenticated, the IKE responder can return the tunnel setup parameters at the same time as it authenticates the IKE initiator according to message 3; when messages 1 and 2 must be authenticated, the IKE initiator, after receiving the result of the IKE responder's authentication of the initiator according to message 3, then initiates the authentication procedure for messages 1 and 2 towards the IKE responder. In the following embodiments, Fig. 2 takes the case where messages 1 and 2 need not be authenticated as the example, and Fig. 3 takes the case where messages 1 and 2 must be authenticated as the example.
Fig. 2 is a schematic flow chart of the method of the second embodiment of the invention, comprising:
Steps 21-22: the WLAN UE (initiator) and the PDG/PDIF (responder) exchange messages that negotiate the tunnel setup parameters; these are messages 1 and 2 of the IKEv2 standard;
Messages 1 and 2 are the messages denoted IKE_SA_INIT in the IKEv2 protocol. The parameters carried in message 1 comprise HDR, SAi1, KEi and Ni; the parameters carried in message 2 comprise HDR, SAr1, KEr and Nr.
This step is a standard step of the IKEv2 standard and can be implemented with the existing technique; the meaning of the parameters carried in messages 1 and 2 is given in the IKEv2 standard. Likewise, in the following steps and embodiments, parameters whose meaning is not specified otherwise are as defined in the IKEv2 standard.
Step 23: the WLAN UE sends the first authentication request IKE_AUTH to the PDG/PDIF, the parameters carried comprising HDR, SK{IDi, SAi2, [CP,] TSi};
In this embodiment the first authentication request IKE_AUTH carries no AUTH parameter, which under the IKEv2 protocol indicates that EAP authentication will be used.
Step 24: the PDG/PDIF judges whether the WLAN UE passes the authentication-exempt check; if so, step 25 is performed, otherwise step 26;
The PDG/PDIF can perform the authentication-exempt check according to a configured authentication-exempt set and/or authentication-exempt policy, as detailed in the later embodiments. The set and/or policy can be kept in the PDG/PDIF itself or in an external device, the external device including but not limited to an AAA server, PCRF, HLR or HSS.
Step 25: when the PDG/PDIF is pre-configured not to authenticate messages 1 and 2, the PDG/PDIF sends the WLAN UE a first authentication response (IKE_AUTH) carrying authentication success information and the tunnel setup parameters. The authentication procedure for core-network access by the WLAN UE then ends;
The tunnel setup parameter information carried in this first authentication response lets the WLAN UE and the PDG/PDIF establish the secure tunnel.
That is, the parameters carried in the IKE_AUTH authentication response at this point comprise at least the authentication success information and the tunnel setup parameter information; the IKE_AUTH authentication response shown in the figure carries HDR, SK{EAP(SUCCESS), [IDr], SAr2, [CP,] TSr}. SK{EAP(SUCCESS)} represents the authentication success information, IDr is the responder ID, and SAr2 and TSr represent the tunnel setup parameters.
Step 26: the PDG/PDIF sends an authentication request to the AAA server and performs the existing authentication processing;
A WLAN UE that does not pass the authentication-exempt check is still processed according to the original standard protocol flow, which remains compatible with the standard IKEv2 protocol.
By performing the authentication-exempt check, this embodiment lets an exempt WLAN UE access the core network without being authenticated by the AAA server, which simplifies the authentication flow, reduces authentication delay and lightens the load on the AAA server. By configuring that messages 1 and 2 are not authenticated, this embodiment further simplifies the flow and improves performance.
Fig. 3 is a schematic flow chart of the method of the third embodiment of the invention. Unlike the second embodiment, the responder of this embodiment is not configured to skip the authentication of messages 1 and 2. Referring to Fig. 3, the embodiment comprises:
Steps 31-33: identical to steps 21-23 and not repeated here;
Step 34: the PDG/PDIF judges whether the WLAN UE passes the authentication-exempt check; if so, step 35 is performed, otherwise step 36;
The PDG/PDIF can perform the authentication-exempt check according to a configured authentication-exempt set and/or authentication-exempt policy, which can be kept in the PDG/PDIF itself or in an external device, the external device including but not limited to an AAA server, PCRF, HLR or HSS. See the later embodiments for details.
Step 35: when the PDG/PDIF is pre-configured to authenticate messages 1 and 2, the PDG/PDIF sends the WLAN UE a first authentication response (IKE_AUTH) carrying authentication success information. In this case the authentication response need not carry the tunnel setup parameter information, so the parameters carried in the IKE_AUTH authentication response comprise the authentication success information: the IKE_AUTH authentication response shown in the figure carries HDR, SK{EAP(SUCCESS), [IDr]}, where SK{EAP(SUCCESS)} represents the authentication success information and IDr is the responder ID.
Step 36: the PDG/PDIF sends an authentication request to the AAA server and performs the existing authentication processing;
A WLAN UE that does not pass the authentication-exempt check is still processed according to the original standard protocol flow, which remains compatible with the standard IKEv2 protocol.
Step 37: the WLAN UE sends the PDG/PDIF a second authentication request IKE_AUTH for messages 1 and 2, the parameters carried comprising HDR, SK{AUTH};
Step 38: the PDG/PDIF returns a second authentication response IKE_AUTH to the WLAN UE, the parameters carried comprising HDR, SK{AUTH, SAr2, [CP,] TSr}. The authentication procedure for core-network access by the WLAN UE then ends;
To distinguish them from the authentication of the WLAN UE described above, the authentication request and authentication response involved in authenticating the WLAN UE are called the first authentication request and first authentication response in the embodiments of the invention, and the authentication request and authentication response involved in authenticating messages 1 and 2 are called the second authentication request and second authentication response.
Steps 37-38 are compatible with the existing authentication flow for messages 1 and 2 and can be implemented with the existing technique.
By performing the authentication-exempt check, this embodiment lets an exempt WLAN UE access the core network without being authenticated by the AAA server, which simplifies the authentication flow, reduces authentication delay and lightens the load on the AAA server. By authenticating messages 1 and 2, this embodiment remains compatible with the prior art.
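The responder-side behaviour of the two embodiments above, written out as an added example that is not code from the patent or from Huawei: a small state machine for the PDG/PDIF that takes the first IKE_AUTH request (step 23/33), applies the result of the authentication-exempt check, and either answers with success plus tunnel parameters in one response (Fig. 2, step 25), answers with success only and waits for the second IKE_AUTH carrying AUTH (Fig. 3, steps 35, 37-38), or hands a non-exempt initiator to the existing AAA flow (steps 26/36). Messages are modelled as lists of payload names; the class, state and function names are constructed for illustration, and the exemption decision is passed in as a boolean rather than recomputed here.

```python
"""Responder-side handling of the IKE_AUTH exchange for an exempt initiator,
following Fig. 2 (messages 1 and 2 not authenticated) and Fig. 3 (messages
1 and 2 authenticated). Added example; names are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IkeMessage:
    exchange: str          # "IKE_AUTH" for every message modelled here
    payloads: List[str]    # payload names; everything but HDR sits inside SK{...}


class Responder:
    """State of the PDG/PDIF for one IKE SA, after IKE_SA_INIT (messages 1, 2)."""

    def __init__(self, authenticate_sa_init: bool, exempt: bool):
        self.authenticate_sa_init = authenticate_sa_init  # pre-configured flag
        self.exempt = exempt           # outcome of the authentication-exempt check
        self.state = "WAIT_AUTH"       # waiting for the first IKE_AUTH request
        self.forwarded_to_aaa = False  # set when the existing AAA flow is taken

    def handle(self, msg: IkeMessage) -> Optional[IkeMessage]:
        """Process one IKE_AUTH request and return the response to send, or
        None when the request leaves this example's flow (standard handling)."""
        if msg.exchange != "IKE_AUTH":
            raise ValueError("only IKE_AUTH is modelled here")
        if self.state == "WAIT_AUTH":
            return self._first_auth(msg)
        if self.state == "WAIT_SA_INIT_AUTH":
            return self._second_auth(msg)
        raise RuntimeError("no IKE_AUTH expected in state " + self.state)

    def _first_auth(self, msg: IkeMessage) -> Optional[IkeMessage]:
        if "AUTH" in msg.payloads:
            # Initiator chose signature or shared-key authentication, not EAP;
            # the exemption mechanism does not apply (standard IKEv2 handling).
            self.state = "STANDARD"
            return None
        if not self.exempt:
            # Step 26 / 36: not exempt, existing authentication via the AAA server.
            self.forwarded_to_aaa = True
            self.state = "AAA"
            return None
        if self.authenticate_sa_init:
            # Step 35: success only; tunnel parameters wait for the AUTH exchange.
            self.state = "WAIT_SA_INIT_AUTH"
            return IkeMessage("IKE_AUTH", ["HDR", "EAP(SUCCESS)", "IDr"])
        # Step 25: success and tunnel setup parameters in a single response.
        self.state = "ESTABLISHED"
        return IkeMessage("IKE_AUTH", ["HDR", "EAP(SUCCESS)", "IDr", "SAr2", "TSr"])

    def _second_auth(self, msg: IkeMessage) -> IkeMessage:
        # Steps 37-38: the second IKE_AUTH authenticates messages 1 and 2.
        if "AUTH" not in msg.payloads:
            raise ValueError("second IKE_AUTH must carry AUTH")
        self.state = "ESTABLISHED"
        return IkeMessage("IKE_AUTH", ["HDR", "AUTH", "SAr2", "TSr"])


# Constructed requests matching steps 23 (no AUTH payload) and 37.
FIRST_REQUEST = IkeMessage("IKE_AUTH", ["HDR", "IDi", "SAi2", "TSi"])
SECOND_REQUEST = IkeMessage("IKE_AUTH", ["HDR", "AUTH"])


def run_exempt_flow(authenticate_sa_init: bool) -> List[List[str]]:
    """Drive an exempt initiator through the flow and return the payload lists
    of every response the responder sends."""
    resp = Responder(authenticate_sa_init, exempt=True)
    responses = [resp.handle(FIRST_REQUEST)]
    if resp.state == "WAIT_SA_INIT_AUTH":
        responses.append(resp.handle(SECOND_REQUEST))
    return [r.payloads for r in responses if r is not None]


if __name__ == "__main__":
    print("Fig. 2 flow:", run_exempt_flow(False))
    print("Fig. 3 flow:", run_exempt_flow(True))
```

Running the block prints the single combined response for the Fig. 2 configuration and the two-step success-then-AUTH exchange for the Fig. 3 configuration; a non-exempt initiator never receives a response from this code and is marked as forwarded to the AAA server.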
Whether or not messages 1 and 2 are authenticated, the authentication-exempt check can be implemented as in the following embodiments.
Fig. 4 is a schematic flow chart of the method of the fourth embodiment of the invention, comprising:
Steps 41-42: identical to steps 21-22 and not repeated here;
Step 43: the PDG/PDIF obtains a pre-configured authentication-exempt set;
The authentication-exempt set may be pre-configured in the PDG/PDIF itself or in an external device, and the PDG/PDIF obtains it from itself or from the external device. The external device includes but is not limited to an AAA server, PCRF, HLR or HSS.
Step 44: the WLAN UE sends the first authentication request to the PDG/PDIF, the first authentication request carrying access information, the access information being at least one of: user ID, APN or realm/domain;
Step 45: the PDG/PDIF judges whether at least one item of the access information belongs to the authentication-exempt set; if so, step 46 is performed, otherwise step 47;
When at least one item of the access information belongs to the authentication-exempt set, the WLAN UE passes the authentication-exempt check; otherwise it does not. For example, suppose the pre-configured sets are a set of exempt user IDs, a set of exempt APNs and a set of exempt realms/domains, and the access information comprises a user ID, an APN and a realm/domain. The PDG/PDIF can first judge whether the APN carried in the authentication request is in the set of exempt APNs, or whether the realm/domain carried in the authentication request is in the set of exempt realms/domains, and then judge whether the user ID carried in the authentication request is in the set of exempt user IDs. When at least one of these items of access information is in its exempt set, the check passes.
Step 46: the PDG/PDIF returns the first authentication response to the WLAN UE, carrying at least authentication success information;
Step 47: the PDG/PDIF sends an authentication request to the AAA server and performs the existing authentication processing;
A WLAN UE that does not pass the authentication-exempt check is still processed according to the original standard protocol flow, which remains compatible with the standard IKEv2 protocol.
When the PDG/PDIF is pre-configured not to authenticate messages 1 and 2, the first authentication response also carries the tunnel setup parameters; when the PDG/PDIF must authenticate messages 1 and 2, the first authentication response can carry the authentication success information without the tunnel setup parameter information, and the WLAN UE must afterwards initiate the authentication of messages 1 and 2 towards the PDG/PDIF. See the embodiments of Fig. 2 or Fig. 3: steps 46-47 then correspond to steps 25-26 of Fig. 2, or to steps 35-38 of Fig. 3.
By performing the authentication-exempt check, this embodiment lets an exempt WLAN UE access the core network without being authenticated by the AAA server, which simplifies the authentication flow, reduces authentication delay and lightens the load on the devices. Because this embodiment performs the check with a pre-configured authentication-exempt set, the set can be kept in the gateway, which speeds up obtaining the exemption information.
Fig. 5 is a schematic flow chart of the method of the fifth embodiment of the invention, comprising:
Steps 51-52: identical to steps 21-22 and not repeated here;
Step 53: the WLAN UE sends the first authentication request to the PDG/PDIF, the first authentication request carrying a user ID;
Step 54: the PDG/PDIF sends an inquiry request for the user's authentication-exempt policy to an external device (an AAA server in the figure), the inquiry request carrying the user ID. The external device stores subscription information corresponding to the user ID, and that subscription information includes the authentication-exempt policy. The external device includes but is not limited to an AAA server, PCRF, HLR or HSS;
Step 55: the external device returns to the PDG/PDIF the authentication-exempt policy corresponding to the user ID; in this embodiment the policy is complete exemption;
Step 56: when the authentication-exempt policy is complete exemption, the PDG/PDIF returns the first authentication response to the WLAN UE, carrying at least authentication success information;
When the PDG/PDIF is pre-configured not to authenticate messages 1 and 2, the first authentication response also carries the tunnel setup parameter information; when the PDG/PDIF must authenticate messages 1 and 2, the first authentication response can carry the authentication success information without the tunnel setup parameter information, and the WLAN UE must afterwards initiate the authentication of messages 1 and 2 towards the PDG/PDIF. See the embodiments of Fig. 2 or Fig. 3: step 56 then corresponds to step 25 of Fig. 2, or to steps 35 and 37-38 of Fig. 3.
By performing the authentication-exempt check, this embodiment lets an exempt WLAN UE access the core network without being authenticated by the AAA server, which simplifies the authentication flow, reduces authentication delay and lightens the load on the devices. Because this embodiment performs the check with a pre-configured authentication-exempt policy, it facilitates the operator's unified management of users.
Fig. 6 is a flow chart of the method of the sixth embodiment of the invention, comprising:
Steps 61-62: identical to steps 51-52, not repeated here;
Step 63: the WLAN UE sends the first authentication request to the PDG/PDIF; the first authentication request carries the user ID and other access information, for example the APN or the realm/domain;
Step 64: identical to step 54, not repeated here;
Step 65: the external device returns the authentication-exempt policy corresponding to the user ID to the PDG/PDIF; here the policy is conditional authentication exemption;
Step 66: when the authentication-exempt policy is conditional authentication exemption, the PDG/PDIF compares the access information carried in the received first authentication request with the condition in the policy; if the condition is met, go to step 67, otherwise go to step 68;
For example, a conditional authentication-exempt policy may let a WLAN UE pass the authentication-exempt check when it meets the following condition: the APN corresponding to the user ID belongs to a specific APN; or the realm/domain corresponding to the user ID belongs to a specific realm/domain; or the realm/domain corresponding to the user ID belongs to a specific realm/domain and the APN corresponding to the user ID belongs to a specific APN. The specific APN and realm/domain are information pre-configured in the authentication-exempt policy.
Step 67: the PDG/PDIF returns the first authentication response to the WLAN UE, carrying at least the authentication success information;
Step 68: the PDG/PDIF sends an authentication request to the AAA server and performs the existing authentication processing.
If the PDG/PDIF is pre-configured not to authenticate messages 1 and 2, the first authentication response also carries the tunnel setup parameters. If the PDG/PDIF is pre-configured to authenticate messages 1 and 2, the first authentication response can carry the authentication success information without the tunnel setup parameter information, and the WLAN UE then still has to initiate the authentication of messages 1 and 2 towards the PDG/PDIF. See the embodiments of Fig. 2 or Fig. 3: steps 67-68 then correspond to steps 25-26 in Fig. 2, or to steps 35-38 in Fig. 3.
In this embodiment, an authentication-exempt check performed while the WLAN UE accesses the core network allows an authentication-exempt WLAN UE not to be authenticated against the AAA server, which simplifies the authentication flow, reduces authentication delay and lightens the equipment load. This embodiment performs the authentication-exempt check with a pre-configured authentication-exempt policy, which helps the operator manage users in a unified way. By configuring authentication-exempt conditions on the device, this embodiment allows a variety of authentication-exempt rules.
Fig. 7 is a flow chart of the method of the seventh embodiment of the invention, comprising:
Steps 701-704: identical to steps 41-44, not repeated here;
Step 705: the PDG/PDIF judges whether at least one item of the access information belongs to the authentication-exempt set; if so, go to step 709, otherwise go to step 706;
When at least one item of the access information belongs to the authentication-exempt set, the WLAN UE passes the authentication-exempt check; otherwise it does not. For example, the pre-configured authentication-exempt set may consist of an authentication-exempt user ID set, an authentication-exempt APN set and an authentication-exempt realm/domain set, and the access information may comprise the user ID, APN and realm/domain. The PDG/PDIF can first judge whether the APN carried in the authentication request is in the authentication-exempt APN set, or whether the realm/domain carried in the authentication request is in the authentication-exempt realm/domain set, and then judge whether the user ID carried in the authentication request is in the authentication-exempt user ID set. When at least one item of the access information is in the authentication-exempt set, the check passes.
Step 706: identical to step 54, not repeated here;
Step 707: the external device returns the authentication-exempt policy corresponding to the user ID to the PDG/PDIF; the policy may be complete authentication exemption or conditional authentication exemption;
Step 708: the PDG/PDIF judges whether the access information meets the requirement of the authentication-exempt policy; if so, go to step 709, otherwise go to step 710;
The authentication-exempt policy may be complete or conditional, and the judgement is made according to the type of policy; see the embodiments of Fig. 5 or Fig. 6.
Steps 709-710: identical to steps 67-68, not repeated here.
In this embodiment, an authentication-exempt check performed while the WLAN UE accesses the core network allows an authentication-exempt WLAN UE not to be authenticated against the AAA server, which simplifies the authentication flow, reduces authentication delay and lightens the equipment load. This embodiment performs the authentication-exempt check with a combination of a pre-configured authentication-exempt set and an authentication-exempt policy, which can improve the accuracy of the authentication exemption.
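The combined check of Fig. 7 (local set first, then subscriber policy, which also covers the Fig. 4-6 cases) as an added Python illustration that is not code from the patent; the AccessInfo, ExemptSet and ExemptPolicy types, check_exempt, and all sample user IDs, APNs and realms are constructed assumptions, and the query to the external device is modelled as a local lookup function.

```python
"""Authentication-exempt check for an IKE responder (PDG/PDIF), modelled on
the embodiments of Fig. 4-7. Added illustration; all names and sample values
are constructed, not taken from the patent."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional


@dataclass(frozen=True)
class AccessInfo:
    """Access information carried in the first authentication request."""
    user_id: str
    apn: Optional[str] = None
    realm: Optional[str] = None   # realm/domain identifier


@dataclass(frozen=True)
class ExemptSet:
    """Pre-configured authentication-exempt set held by the gateway (Fig. 4)."""
    user_ids: FrozenSet[str] = frozenset()
    apns: FrozenSet[str] = frozenset()
    realms: FrozenSet[str] = frozenset()

    def matches(self, info: AccessInfo) -> bool:
        # Step 705: APN or realm first, then user ID; any single hit passes.
        return (info.apn in self.apns
                or info.realm in self.realms
                or info.user_id in self.user_ids)


@dataclass(frozen=True)
class ExemptPolicy:
    """Per-subscriber policy returned by the external device (AAA, HSS, ...).
    complete=True is complete exemption (Fig. 5); otherwise every configured
    APN/realm condition must hold (Fig. 6)."""
    complete: bool
    apns: Optional[FrozenSet[str]] = None     # None: no APN condition
    realms: Optional[FrozenSet[str]] = None   # None: no realm condition

    def allows(self, info: AccessInfo) -> bool:
        if self.complete:
            return True
        if self.apns is None and self.realms is None:
            return False   # conditional policy with no condition: fail closed
        if self.apns is not None and info.apn not in self.apns:
            return False
        if self.realms is not None and info.realm not in self.realms:
            return False
        return True


@dataclass(frozen=True)
class Decision:
    exempt: bool
    reason: str
    queried_external: bool   # whether steps 706-707 were needed at all


PolicyLookup = Callable[[str], Optional[ExemptPolicy]]


def check_exempt(info: AccessInfo, exempt_set: ExemptSet,
                 lookup: PolicyLookup) -> Decision:
    """Combined check of Fig. 7: local set first, then subscriber policy."""
    if exempt_set.matches(info):                      # step 705 -> 709
        return Decision(True, "exempt-set", False)
    policy = lookup(info.user_id)                     # steps 706-707
    if policy is None:
        return Decision(False, "no-policy", True)     # step 710: normal auth
    if policy.allows(info):                           # step 708
        return Decision(True, "complete-policy" if policy.complete
                        else "conditional-policy", True)
    return Decision(False, "policy-not-met", True)


# Constructed sample configuration (hypothetical values, not from the patent).
SAMPLE_SET = ExemptSet(apns=frozenset({"ims.example"}),
                       realms=frozenset({"trusted.example.net"}))
SAMPLE_SUBSCRIPTIONS = {
    "user-a": ExemptPolicy(complete=True),
    "user-b": ExemptPolicy(complete=False, apns=frozenset({"internet.example"})),
    "user-c": ExemptPolicy(complete=False,
                           apns=frozenset({"internet.example"}),
                           realms=frozenset({"corp.example.net"})),
}


def sample_lookup(user_id: str) -> Optional[ExemptPolicy]:
    """Stand-in for the query to the external device (step 706)."""
    return SAMPLE_SUBSCRIPTIONS.get(user_id)


if __name__ == "__main__":
    for info in (AccessInfo("user-z", apn="ims.example"),
                 AccessInfo("user-a", apn="other.example"),
                 AccessInfo("user-c", apn="internet.example", realm="x.example"),
                 AccessInfo("user-z", apn="other.example")):
        print(info, "->", check_exempt(info, SAMPLE_SET, sample_lookup))
```

A hit in the local set settles the decision without any query to the external device, which is the delay and load saving the embodiments describe; a conditional policy without any usable condition is treated as not met, so the request falls through to the normal authentication path.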
The above embodiments take the IKEv2 authentication process on the PDG/PDIF as an example, EAP as the example authentication method, and the user ID, APN and realm/domain as example authentication-exempt information. It should be understood that the embodiments of the invention are not limited to these and can also be applied to other devices, authentication methods and authentication-exempt information.
By performing an authentication-exempt check, the embodiments of the invention can exempt a UE that meets the authentication-exempt condition from authentication, which reduces the signalling interaction of the authentication process and improves the processing capacity of the equipment; when the condition is not met, compatibility with the normal procedure is preserved. The embodiments only need to carry the authentication success information in the authentication response, which reduces the number of messages exchanged with the AAA server. By reducing the number of exchanged messages, the embodiments reduce the computing requirements on the AAA server, reduce its deployment requirements and lower operating costs. The embodiments remain compatible with existing standard protocols and support standard protocol flows.
Fig. 8 is a structural diagram of the IKE responder device of the eighth embodiment of the invention, comprising a first receiving module 81, a determination module 82 and a first sending module 83. The first receiving module 81 receives the first authentication request sent by the wireless local area network user equipment, the first authentication request carrying access information; the determination module 82 obtains the authentication-exempt condition and, when the access information meets the authentication-exempt condition, determines that the wireless local area network user equipment is an authentication-exempt user equipment; the first sending module 83 returns the first authentication response to the authentication-exempt user equipment, the first authentication response carrying the authentication success information.
For the negotiation process and the authentication-exempt process performed by each module, see the above embodiments; they are not repeated here.
By obtaining the authentication-exempt condition, this embodiment can skip authentication of an authentication-exempt IKE initiator device, which reduces authentication delay and lightens the burden on the authentication device.
Fig. 9 is a structural diagram of the IKE responder device of the ninth embodiment of the invention. Unlike the eighth embodiment, this embodiment further comprises a first negotiation module 94, and the first sending module 83 comprises a first unit 931. The first unit 931, when it is pre-configured that the negotiation messages are not authenticated, returns the first authentication response to the authentication-exempt user equipment, the first authentication response carrying the authentication success information and the tunnel setup parameters; the first negotiation module 94 exchanges messages with the IKE initiator device, the messages being negotiation messages for negotiating the tunnel setup parameters.
For the negotiation process and the authentication-exempt process performed by each module, see the above embodiments; they are not repeated here.
By performing an authentication-exempt check, this embodiment can skip authentication of an authentication-exempt user, which simplifies the authentication flow, reduces authentication delay and lightens the burden on the authentication device. By pre-configuring that messages 1 and 2 are not authenticated, this embodiment further simplifies the flow and improves performance.
Figure 10 is a structural diagram of the IKE responder device of the tenth embodiment of the invention. Unlike the eighth embodiment, this embodiment further comprises a first negotiation module 104, a second receiving module 105 and a second sending module 106, and the first sending module 83 comprises a second unit 1032. The second unit 1032, when it is pre-configured that the negotiation messages are to be authenticated, returns the first authentication response to the authentication-exempt user equipment, the first authentication response carrying the authentication success information; the first negotiation module 104 exchanges messages with the IKE initiator device, the messages being negotiation messages for negotiating the tunnel setup parameters; the second receiving module 105 receives the second authentication request sent by the IKE initiator device for authenticating the negotiation messages; the second sending module 106 sends the second authentication response corresponding to the second authentication request to the IKE initiator device, the second authentication response carrying the tunnel setup parameters.
For the negotiation process and the authentication-exempt process performed by each module, see the above embodiments; they are not repeated here.
By performing an authentication-exempt check, this embodiment can skip authentication of an authentication-exempt user, which simplifies the authentication flow, reduces authentication delay and lightens the authentication burden. By authenticating messages 1 and 2, this embodiment remains compatible with the prior art.
Figure 11 is a structural diagram of the IKE responder device of the eleventh embodiment of the invention. Unlike the eighth embodiment, the determination module 82 of this embodiment comprises a third unit 1121, or a fourth unit 1122, or a fifth unit 1123, or a sixth unit 1124 together with a seventh unit 1125.
The third unit 1121 obtains the pre-configured authentication-exempt set from the device itself or from an external device and, when at least one item of the access information belongs to the authentication-exempt set, determines that the wireless local area network user equipment is an authentication-exempt user equipment. In this case the access information comprises at least one of the following: user ID, APN, domain identifier; and the authentication-exempt set comprises at least one of the following: an authentication-exempt user ID set, an authentication-exempt APN set, an authentication-exempt domain identifier set.
The fourth unit 1122 obtains the authentication-exempt policy corresponding to the user ID from the device itself or from an external device and, when the authentication-exempt policy is complete authentication exemption, determines that the IKE initiator device is an authentication-exempt device. In this case the access information carries the user ID of the IKE initiator device.
The fifth unit 1123 obtains the authentication-exempt policy corresponding to the user ID from the device itself or from an external device and, when the authentication-exempt policy is conditional authentication exemption and the parameter information in the access information meets the condition of the policy, determines that the IKE initiator device is an authentication-exempt device; the condition of the policy states the requirement to be met by at least one of the following items corresponding to the user ID: APN, domain identifier. In this case the access information comprises the user ID of the IKE initiator device and at least one of the following parameter information: APN, domain identifier.
The sixth unit 1124 obtains the pre-configured authentication-exempt set from the device itself or from an external device and, when no item of the access information belongs to the authentication-exempt set, obtains the authentication-exempt policy corresponding to the user ID from the device itself or from an external device; the seventh unit 1125, when the authentication-exempt policy is complete authentication exemption, or when the authentication-exempt policy is conditional authentication exemption and the parameter information carried in the access information meets the condition of the policy, determines that the IKE initiator device is an authentication-exempt device; the condition of the policy states the requirement to be met by at least one of the following items corresponding to the user ID: APN, domain identifier. In this case the access information comprises the user ID of the IKE initiator device and at least one of the following parameter information: APN, domain identifier.
For the negotiation process and the authentication-exempt process performed by each module, see the above embodiments; they are not repeated here.
By performing an authentication-exempt check, this embodiment can skip authentication of an authentication-exempt device, which simplifies the authentication flow, reduces authentication delay and lightens the equipment load. This embodiment performs the authentication-exempt check with a pre-configured authentication-exempt set and/or an authentication-exempt policy, which allows varied forms of the authentication-exempt check.
Figure 12 is a flow chart of the method of the twelfth embodiment of the invention, comprising:
Step 121: the IKE initiator device sends the first authentication request to the IKE responder device, the first authentication request carrying access information;
Further, before step 121, the method may also comprise:
the IKE initiator device exchanges messages with the IKE responder device, the messages being negotiation messages for negotiating the tunnel setup parameters;
Step 122: the IKE initiator device receives the first authentication response returned by the IKE responder device, the first authentication response carrying the authentication success information; the IKE responder device sends the first authentication response when the access information meets the authentication-exempt condition obtained by the IKE responder device;
The IKE responder device can determine whether the access information meets the authentication-exempt condition it has obtained according to the method of the above embodiments, not repeated here;
Specifically, step 122 may comprise:
when it is pre-configured that the negotiation messages are not authenticated, receiving the first authentication response returned by the IKE responder device, the first authentication response carrying the authentication success information and the tunnel setup parameters;
or,
when it is pre-configured that the negotiation messages are to be authenticated, the first authentication response returned to the authentication-exempt device carries the authentication success information; in this case, after step 122 the method also comprises: the IKE initiator device sends to the IKE responder device a second authentication request for authenticating the negotiation messages, and receives the second authentication response corresponding to the second authentication request sent by the IKE responder device, the second authentication response carrying the tunnel setup parameters.
For the negotiation process and the authentication-exempt process, see the above embodiments; they are not repeated here.
By performing an authentication-exempt check, this embodiment can skip authentication of an authentication-exempt IKE initiator device during the IKE authentication process, which simplifies the authentication flow, reduces authentication delay and lightens the burden on the authentication device.
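The two pre-configured modes of step 122 (tunnel setup parameters in the first authentication response, or only in the second authentication response after the negotiation messages are authenticated) as an added simulation of both sides of the exchange; this is not the patent's or any standard's message format, and Responder, initiator_run, the message field names and the auth_of_init placeholder for the proof over the negotiation messages are constructed assumptions. Only a user-ID list stands in for the exemption check itself.

```python
"""Simulated first/second authentication exchange between an IKE initiator
(WLAN UE) and an IKE responder (PDG/PDIF) after the exempt decision, following
the branches of step 122 (Fig. 2 / Fig. 3 flows). Added illustration; messages
are plain dicts with constructed field names."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Message = Dict[str, object]


@dataclass
class Responder:
    """PDG/PDIF side. authenticate_init is the pre-configured flag saying
    whether negotiation messages 1 and 2 must still be authenticated (tenth
    embodiment) or not (ninth embodiment)."""
    authenticate_init: bool
    tunnel_params: Dict[str, str]
    exempt_user_ids: frozenset   # stand-in for the exempt check of Fig. 4-7
    log: List[str] = field(default_factory=list)

    def on_first_auth_request(self, req: Message) -> Message:
        if req["user_id"] not in self.exempt_user_ids:
            self.log.append("forward to AAA")     # normal authentication path
            return {"type": "AUTH_RESP_1", "success": False, "forwarded": True}
        resp: Message = {"type": "AUTH_RESP_1", "success": True}
        if not self.authenticate_init:
            # Ninth embodiment: tunnel parameters released in one round trip.
            resp["tunnel_params"] = dict(self.tunnel_params)
        self.log.append("exempt: first response sent")
        return resp

    def on_second_auth_request(self, req: Message) -> Message:
        # Tenth embodiment: the initiator first authenticates messages 1 and 2;
        # auth_of_init is a placeholder for that proof, not real verification.
        if not self.authenticate_init or req.get("auth_of_init") != "ok":
            return {"type": "AUTH_RESP_2", "success": False}
        return {"type": "AUTH_RESP_2", "success": True,
                "tunnel_params": dict(self.tunnel_params)}


def initiator_run(responder: Responder, user_id: str,
                  init_auth_value: str = "ok"
                  ) -> Tuple[Optional[Dict[str, str]], int]:
    """Initiator side of the twelfth embodiment. Returns the tunnel parameters
    obtained (None if none) and the number of authentication round trips."""
    resp1 = responder.on_first_auth_request(
        {"type": "AUTH_REQ_1", "user_id": user_id})
    if not resp1["success"]:
        return None, 1                          # not exempt: normal auth follows
    if "tunnel_params" in resp1:
        return resp1["tunnel_params"], 1        # step 122, first branch
    resp2 = responder.on_second_auth_request(   # step 122, second branch
        {"type": "AUTH_REQ_2", "auth_of_init": init_auth_value})
    return (resp2["tunnel_params"] if resp2["success"] else None), 2


if __name__ == "__main__":
    for flag in (False, True):
        r = Responder(authenticate_init=flag, tunnel_params={"ip": "10.0.0.2"},
                      exempt_user_ids=frozenset({"ue-1"}))
        print("authenticate_init =", flag, "->", initiator_run(r, "ue-1"))
```

The responder never releases tunnel parameters in the second response unless it was configured to authenticate the negotiation messages and the proof is accepted, so the single-round-trip saving of the ninth embodiment is available only where the operator has explicitly chosen it.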
Figure 13 is a structural diagram of the IKE initiator device of the thirteenth embodiment of the invention, comprising a third sending module 131 and a third receiving module 132. The third sending module 131 sends the first authentication request to the IKE responder device, the first authentication request carrying access information; the third receiving module 132 receives the first authentication response returned by the IKE responder device, the first authentication response carrying the authentication success information, where the IKE responder device sends the first authentication response when the access information meets the authentication-exempt condition obtained by the IKE responder device.
Further, this embodiment may also comprise a second negotiation module 133, which exchanges messages with the IKE responder device, the messages being negotiation messages for negotiating the tunnel setup parameters.
In this case the third receiving module 132 may comprise an eighth unit 1321, which, when it is pre-configured that the negotiation messages are not authenticated, receives the first authentication response returned by the IKE responder device, the first authentication response carrying the authentication success information and the tunnel setup parameters;
or the third receiving module may comprise a ninth unit 1322 for the case where it is pre-configured that the negotiation messages are to be authenticated and the first authentication response returned to the authentication-exempt device carries the authentication success information; in this case the embodiment also comprises a fourth sending module 134 and a fourth receiving module 135: the fourth sending module 134 sends to the IKE responder device a second authentication request for authenticating the negotiation messages, and the fourth receiving module 135 receives the second authentication response corresponding to the second authentication request sent by the IKE responder device, the second authentication response carrying the tunnel setup parameters.
For the negotiation process and the authentication-exempt process performed by each module, see the above embodiments; they are not repeated here.
By performing an authentication-exempt check, this embodiment can skip authentication of an authentication-exempt IKE initiator device during the IKE authentication process, which simplifies the authentication flow, reduces authentication delay and lightens the burden on the authentication device.
Figure 14 is a structural diagram of the IKE authentication system of the fourteenth embodiment of the invention, comprising an IKE initiator device 141 and an IKE responder device 142. The IKE initiator device 141 sends the first authentication request to the IKE responder device, the first authentication request carrying access information; the IKE responder device 142 obtains the authentication-exempt condition, determines, when the access information meets the authentication-exempt condition, that the IKE initiator device is an authentication-exempt device, and returns the first authentication response to the authentication-exempt device, the first authentication response carrying the authentication success information.
Specifically, the IKE initiator device in this embodiment may be the IKE initiator device shown in Figure 13, and the IKE responder device may be the IKE responder device shown in any of Fig. 8-11.
For the negotiation process and the authentication-exempt process performed by each module, see the above embodiments; they are not repeated here.
By performing an authentication-exempt check, this embodiment can skip authentication of an authentication-exempt IKE initiator device during the IKE authentication process, which simplifies the authentication flow, reduces authentication delay and lightens the burden on the authentication device.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be carried out by hardware under the control of program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are intended only to illustrate, not to limit, the technical solution of the invention. Although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the invention may still be modified or equivalently replaced, and such modifications or equivalent replacements do not cause the modified technical solution to depart from the spirit and scope of the technical solution of the invention.

Claims (27)

1. An Internet Key Exchange (IKE) authentication method, characterized in that it comprises:
receiving a first authentication request sent by an IKE initiator device, the first authentication request carrying access information;
obtaining an authentication-exempt condition and, when the access information meets the authentication-exempt condition, determining that the IKE initiator device is an authentication-exempt device;
returning a first authentication response to the authentication-exempt device, the first authentication response carrying authentication success information;
wherein, before the receiving of the first authentication request sent by the IKE initiator device, the method further comprises: exchanging messages with the IKE initiator device, the messages being negotiation messages for negotiating tunnel setup parameters;
and the returning of the first authentication response to the authentication-exempt device, the first authentication response carrying authentication success information, comprises: when it is pre-configured that the negotiation messages are not authenticated, returning the first authentication response to the authentication-exempt device, the first authentication response carrying the authentication success information and the tunnel setup parameters.
2. The method according to claim 1, characterized in that the obtaining of the authentication-exempt condition and, when the access information meets the authentication-exempt condition, determining that the IKE initiator device is an authentication-exempt device comprises:
obtaining a pre-configured authentication-exempt set from the device itself or from an external device and, when at least one item of the access information belongs to the authentication-exempt set, determining that the IKE initiator device is an authentication-exempt device.
3. The method according to claim 2, characterized in that
the access information comprises at least one of the following: a user ID, an APN or a domain identifier;
the authentication-exempt set comprises at least one of the following: an authentication-exempt user ID set, an authentication-exempt APN set or an authentication-exempt domain identifier set.
4. The method according to claim 1, characterized in that
the access information comprises the user ID of the IKE initiator device;
the obtaining of the authentication-exempt condition and, when the access information meets the authentication-exempt condition, determining that the IKE initiator device is an authentication-exempt device comprises:
obtaining the authentication-exempt policy corresponding to the user ID from the device itself or from an external device;
when the authentication-exempt policy corresponding to the user ID is complete authentication exemption, determining that the IKE initiator device is an authentication-exempt device.
5. The method according to claim 1, characterized in that
the access information comprises the user ID of the IKE initiator device and at least one of the following parameter information: an APN or a domain identifier;
the obtaining of the authentication-exempt condition and, when the access information meets the authentication-exempt condition, determining that the IKE initiator device is an authentication-exempt device comprises:
obtaining the authentication-exempt policy corresponding to the user ID from the device itself or from an external device;
when the authentication-exempt policy corresponding to the user ID is conditional authentication exemption and the parameter information comprised in the access information meets the condition of the authentication-exempt policy, determining that the IKE initiator device is an authentication-exempt device, the condition of the authentication-exempt policy stating the requirement to be met by at least one of the following items corresponding to the user ID: the APN or the domain identifier.
6. The method according to claim 1, characterized in that
the access information comprises the user ID of the IKE initiator device and at least one of the following parameter information: an APN or a domain identifier;
the obtaining of the authentication-exempt condition and, when the access information meets the authentication-exempt condition, determining that the IKE initiator device is an authentication-exempt device comprises:
obtaining a pre-configured authentication-exempt set from the device itself or from an external device and, when no item of the access information belongs to the authentication-exempt set, obtaining the authentication-exempt policy corresponding to the user ID from the device itself or from an external device;
when the authentication-exempt policy corresponding to the user ID is complete authentication exemption, or when the authentication-exempt policy corresponding to the user ID is conditional authentication exemption and the parameter information comprised in the access information meets the condition of the authentication-exempt policy, determining that the IKE initiator device is an authentication-exempt device, the condition of the authentication-exempt policy stating the requirement to be met by at least one of the following items corresponding to the user ID: the APN or the domain identifier.
7. An Internet Key Exchange (IKE) authentication method, characterized in that it comprises:
receiving a first authentication request sent by an IKE initiator device, the first authentication request carrying access information;
obtaining an authentication-exempt condition and, when the access information meets the authentication-exempt condition, determining that the IKE initiator device is an authentication-exempt device;
returning a first authentication response to the authentication-exempt device, the first authentication response carrying authentication success information;
wherein, before the receiving of the first authentication request sent by the IKE initiator device, the method further comprises: exchanging messages with the IKE initiator device, the messages being negotiation messages for negotiating tunnel setup parameters;
the returning of the first authentication response to the authentication-exempt device, the first authentication response carrying authentication success information, comprises: when it is pre-configured that the negotiation messages are to be authenticated, returning the first authentication response to the authentication-exempt device, the first authentication response carrying the authentication success information;
and, after the returning of the first authentication response to the authentication-exempt device, the method further comprises:
receiving a second authentication request sent by the IKE initiator device for authenticating the negotiation messages;
sending a second authentication response corresponding to the second authentication request to the IKE initiator device, the second authentication response carrying the tunnel setup parameters.
8. The method according to claim 7, characterized in that the obtaining of an authentication-exempt condition and, when the access information satisfies the authentication-exempt condition, determining that the IKE initiating device is an authentication-exempt device comprises:
obtaining a preset authentication-exempt set from the device itself or from an external device and, when at least one item of the access information belongs to the authentication-exempt set, determining that the IKE initiating device is an authentication-exempt device.
9. The method according to claim 8, characterized in that
the access information comprises at least one of the following: a user ID, an APN or a domain identifier;
the authentication-exempt set comprises at least one of the following: a set of authentication-exempt user IDs, a set of authentication-exempt APNs or a set of authentication-exempt domain identifiers.
10. The method according to claim 7, characterized in that
the access information comprises a user ID of the IKE initiating device;
the obtaining of an authentication-exempt condition and, when the access information satisfies the authentication-exempt condition, determining that the IKE initiating device is an authentication-exempt device comprises:
obtaining, from the device itself or from an external device, the authentication-exempt policy corresponding to the user ID;
when the authentication-exempt policy corresponding to the user ID is complete authentication-exempt, determining that the IKE initiating device is an authentication-exempt device.
11. The method according to claim 7, characterized in that
the access information comprises a user ID of the IKE initiating device and further comprises at least one of the following parameter information: an APN or a domain identifier;
the obtaining of an authentication-exempt condition and, when the access information satisfies the authentication-exempt condition, determining that the IKE initiating device is an authentication-exempt device comprises:
obtaining, from the device itself or from an external device, the authentication-exempt policy corresponding to the user ID;
when the authentication-exempt policy corresponding to the user ID is conditional authentication-exempt and the parameter information comprised in the access information satisfies the condition of the authentication-exempt policy, determining that the IKE initiating device is an authentication-exempt device, wherein the condition of the authentication-exempt policy indicates at least one of the following, corresponding to the user ID, that needs to be satisfied: an APN or a domain identifier.
12. The method according to claim 7, characterized in that
the access information comprises a user ID of the IKE initiating device and further comprises at least one of the following parameter information: an APN or a domain identifier;
the obtaining of an authentication-exempt condition and, when the access information satisfies the authentication-exempt condition, determining that the IKE initiating device is an authentication-exempt device comprises:
obtaining a preset authentication-exempt set from the device itself or from an external device and, when no item of the access information belongs to the authentication-exempt set, obtaining, from the device itself or from an external device, the authentication-exempt policy corresponding to the user ID;
when the authentication-exempt policy corresponding to the user ID is complete authentication-exempt, or when the authentication-exempt policy corresponding to the user ID is conditional authentication-exempt and the parameter information comprised in the access information satisfies the condition of the authentication-exempt policy, determining that the IKE initiating device is an authentication-exempt device, wherein the condition of the authentication-exempt policy indicates at least one of the following, corresponding to the user ID, that needs to be satisfied: an APN or a domain identifier.
13. An Internet Key Exchange (IKE) authentication method, characterized in that it comprises:
sending a first authentication request to an IKE response device, the first authentication request carrying access information;
receiving a first authentication response returned by the IKE response device, the first authentication response carrying authentication success information, the first authentication response being sent by the IKE response device when the access information satisfies an authentication-exempt condition obtained by the IKE response device;
wherein, before the sending of the first authentication request to the IKE response device, the method further comprises: exchanging messages with the IKE response device, the messages being negotiation messages for negotiating tunnel establishment parameters;
the receiving of the first authentication response returned by the IKE response device, the first authentication response carrying authentication success information, comprises:
when it is preset that the negotiation messages are authenticated, receiving the first authentication response returned by the IKE response device, the first authentication response carrying authentication success information and the tunnel establishment parameters.
14. An Internet Key Exchange (IKE) authentication method, characterized in that it comprises:
sending a first authentication request to an IKE response device, the first authentication request carrying access information;
receiving a first authentication response returned by the IKE response device, the first authentication response carrying authentication success information, the first authentication response being sent by the IKE response device when the access information satisfies an authentication-exempt condition obtained by the IKE response device;
wherein, before the sending of the first authentication request to the IKE response device, the method further comprises: exchanging messages with the IKE response device, the messages being negotiation messages for negotiating tunnel establishment parameters;
the receiving of the first authentication response returned by the IKE response device, the first authentication response carrying authentication success information, comprises: when it is preset that the negotiation messages need to be authenticated, receiving the first authentication response returned by the IKE response device, the first authentication response carrying authentication success information;
after the receiving of the first authentication response returned by the IKE response device, the method further comprises:
sending to the IKE response device a second authentication request for authenticating the negotiation messages;
receiving a second authentication response sent by the IKE response device corresponding to the second authentication request, the second authentication response carrying the tunnel establishment parameters.
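The exemption decision of claims 8 to 12 and the two response flows of claims 7, 13 and 14, as an added Python example; it is not part of the patent and not code from any Huawei implementation. It models the responder's preset exempt sets and per-user policies as in-memory data (the `ExemptStore`), takes the carried access information as the initiator asserts it, and rests on two assumptions the claims leave open: a conditional policy is treated as met only when every APN or domain condition it states matches the carried parameters, and the second authentication request is modelled as an HMAC-SHA256 over a constructed stand-in for the negotiation transcript under a pre-shared key. The non-exempt branch (ordinary authentication follows), all class and function names, the sample identifiers and the tunnel parameters are likewise constructed for the example.

```python
"""Authentication-exempt decision and the two authentication flows of claims 7-14 (added example)."""
import hashlib, hmac
from dataclasses import dataclass, field
from typing import Optional

FULL, CONDITIONAL = "complete", "conditional"  # the two policy kinds of claims 10 and 11

@dataclass(frozen=True)
class AccessInfo:  # access information carried in the first authentication request (claim 9)
    user_id: Optional[str] = None
    apn: Optional[str] = None
    domain: Optional[str] = None

@dataclass(frozen=True)
class ExemptPolicy:  # per-user policy (claims 10/11); for CONDITIONAL, apns/domains are the conditions
    kind: str
    apns: frozenset = frozenset()
    domains: frozenset = frozenset()

@dataclass
class ExemptStore:  # preset exempt sets and policies, held locally or fetched from an external device
    user_ids: frozenset = frozenset()
    apns: frozenset = frozenset()
    domains: frozenset = frozenset()
    policies: dict = field(default_factory=dict)

def in_exempt_set(info: AccessInfo, store: ExemptStore) -> bool:
    """Claim 8: exempt when at least one carried identifier belongs to a preset exempt set."""
    pairs = ((info.user_id, store.user_ids), (info.apn, store.apns), (info.domain, store.domains))
    return any(value is not None and value in members for value, members in pairs)

def policy_exempt(info: AccessInfo, store: ExemptStore) -> bool:
    """Claims 10/11: policy bound to the carried user ID. ASSUMPTION: a conditional policy is met
    only when every condition it states (APN and/or domain) matches the carried parameters."""
    policy = store.policies.get(info.user_id) if info.user_id is not None else None
    if policy is None:
        return False
    if policy.kind == FULL:
        return True
    return (bool(policy.apns or policy.domains)  # a conditional policy stating no condition is not met
            and (not policy.apns or info.apn in policy.apns)
            and (not policy.domains or info.domain in policy.domains))

def is_exempt(info: AccessInfo, store: ExemptStore) -> bool:
    """Claim 12: consult the preset sets first; only when nothing matches fall back to the policy."""
    return in_exempt_set(info, store) or policy_exempt(info, store)

def negotiation_mac(psk: bytes, transcript: bytes) -> bytes:
    """ASSUMPTION: the second request authenticates the negotiation messages with HMAC-SHA256 over
    their transcript under a pre-shared key; the page does not specify the mechanism."""
    return hmac.new(psk, transcript, hashlib.sha256).digest()

@dataclass
class Responder:
    store: ExemptStore
    psk: bytes
    transcript: bytes             # negotiation messages exchanged before the first request
    negotiation_needs_auth: bool  # preset switch: True selects the two-round variant (claims 7/14)
    tunnel_params: dict = field(default_factory=lambda: {"spi": "0x1a2b3c4d", "cipher": "aes-cbc-128"})

    def first_auth(self, info: AccessInfo) -> dict:
        if not is_exempt(info, self.store):  # non-exempt: ordinary authentication follows (assumption)
            return {"msg": "AUTH_RESP_1", "result": "AUTH_REQUIRED"}
        resp = {"msg": "AUTH_RESP_1", "result": "SUCCESS"}
        if not self.negotiation_needs_auth:
            resp["tunnel"] = self.tunnel_params  # claims 13/15: parameters already in the first response
        return resp

    def second_auth(self, mac: bytes) -> dict:
        if not hmac.compare_digest(mac, negotiation_mac(self.psk, self.transcript)):
            return {"msg": "AUTH_RESP_2", "result": "AUTH_FAILED"}
        return {"msg": "AUTH_RESP_2", "result": "SUCCESS", "tunnel": self.tunnel_params}

def initiator_flow(info: AccessInfo, responder: Responder, psk: bytes, transcript: bytes):
    """Claims 13/14 from the initiator's side: returns (message trace, tunnel parameters or None)."""
    trace = [{"msg": "AUTH_REQ_1", "access_info": info}, responder.first_auth(info)]
    r1 = trace[-1]
    if r1["result"] != "SUCCESS":
        return trace, None
    if "tunnel" in r1:
        return trace, r1["tunnel"]            # claim 13: finished after one round
    mac = negotiation_mac(psk, transcript)    # claim 14: second round authenticates the negotiation
    trace.append({"msg": "AUTH_REQ_2", "mac": mac.hex()})
    trace.append(responder.second_auth(mac))
    return trace, trace[-1].get("tunnel")

# Constructed sample configuration and transcript (not from the patent).
STORE = ExemptStore(apns=frozenset({"ims.example"}), policies={
    "alice@example.org": ExemptPolicy(FULL),
    "bob@example.org": ExemptPolicy(CONDITIONAL, domains=frozenset({"corp.example"}))})
PSK, TRANSCRIPT = b"constructed-demo-psk", b"IKE_SA_INIT:SAi1|KEi|Ni||SAr1|KEr|Nr"

if __name__ == "__main__":
    for needs_auth in (False, True):
        responder = Responder(STORE, PSK, TRANSCRIPT, negotiation_needs_auth=needs_auth)
        print(needs_auth, initiator_flow(AccessInfo("bob@example.org", domain="corp.example"), responder, PSK, TRANSCRIPT))
```

With `negotiation_needs_auth=False` the exchange completes after one round and the tunnel parameters travel in the first response (claim 13); with `True` the first response carries only the success indication and the parameters arrive in the second response once the negotiation transcript verifies (claim 14). Because the decision is keyed on identifiers the initiator itself supplies in the first request, an entry in an exempt set or a complete-exempt policy grants access to whoever can present that identifier on the access in question; the transcript check in the two-round variant binds the negotiation messages, not the identity.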
15. An Internet Key Exchange (IKE) response device, characterized in that it comprises:
a first receiving module, configured to receive a first authentication request sent by an IKE initiating device, the first authentication request carrying access information;
a determining module, configured to obtain an authentication-exempt condition and, when the access information satisfies the authentication-exempt condition, determine that the IKE initiating device is an authentication-exempt device;
a first sending module, configured to return a first authentication response to the authentication-exempt device, the first authentication response carrying authentication success information;
the IKE response device further comprises: a first negotiation module, configured to exchange messages with the IKE initiating device, the messages being negotiation messages for negotiating tunnel establishment parameters;
the first sending module comprises a first unit, the first unit being configured, when it is preset that the negotiation messages are authenticated, to return the first authentication response to the authentication-exempt user equipment, the first authentication response carrying authentication success information and the tunnel establishment parameters.
16. The device according to claim 15, characterized in that
the determining module comprises a third unit, the third unit being configured to obtain a preset authentication-exempt set from the device itself or from an external device and, when at least one item of the access information belongs to the authentication-exempt set, determine that the IKE initiating device is an authentication-exempt device.
17. The device according to claim 15, characterized in that
the access information carries a user ID of the IKE initiating device;
the determining module comprises a fourth unit, the fourth unit being configured to obtain, from the device itself or from an external device, the authentication-exempt policy corresponding to the user ID and, when the authentication-exempt policy corresponding to the user ID is complete authentication-exempt, determine that the IKE initiating device is an authentication-exempt device.
18. The device according to claim 15, characterized in that
the access information comprises a user ID of the IKE initiating device and further comprises at least one of the following parameter information: an APN or a domain identifier;
the determining module comprises a fifth unit, the fifth unit being configured to obtain, from the device itself or from an external device, the authentication-exempt policy corresponding to the user ID and, when the authentication-exempt policy corresponding to the user ID is conditional authentication-exempt and the parameter information comprised in the access information satisfies the condition of the authentication-exempt policy, determine that the IKE initiating device is an authentication-exempt device, wherein the condition of the authentication-exempt policy indicates at least one of the following, corresponding to the user ID, that needs to be satisfied: an APN or a domain identifier.
19. The device according to claim 15, characterized in that
the access information comprises a user ID of the IKE initiating device and further comprises at least one of the following parameter information: an APN or a domain identifier;
the determining module comprises a sixth unit and a seventh unit;
the sixth unit is configured to obtain a preset authentication-exempt set from the device itself or from an external device and, when no item of the access information belongs to the authentication-exempt set, obtain, from the device itself or from an external device, the authentication-exempt policy corresponding to the user ID;
the seventh unit is configured, when the authentication-exempt policy corresponding to the user ID is complete authentication-exempt, or when the authentication-exempt policy corresponding to the user ID is conditional authentication-exempt and the parameter information carried in the access information satisfies the condition of the authentication-exempt policy, to determine that the IKE initiating device is an authentication-exempt device, wherein the condition of the authentication-exempt policy indicates at least one of the following, corresponding to the user ID, that needs to be satisfied: an APN or a domain identifier.
20. An Internet Key Exchange (IKE) response device, characterized in that it comprises:
a first receiving module, configured to receive a first authentication request sent by an IKE initiating device, the first authentication request carrying access information;
a determining module, configured to obtain an authentication-exempt condition and, when the access information satisfies the authentication-exempt condition, determine that the IKE initiating device is an authentication-exempt device;
a first sending module, configured to return a first authentication response to the authentication-exempt device, the first authentication response carrying authentication success information;
the IKE response device further comprises: a first negotiation module, configured to exchange messages with the IKE initiating device, the messages being negotiation messages for negotiating tunnel establishment parameters;
the first sending module comprises a second unit, the second unit being configured, when it is preset that the negotiation messages need to be authenticated, to return the first authentication response to the authentication-exempt user equipment, the first authentication response carrying authentication success information;
the IKE response device further comprises: a second receiving module, configured to receive a second authentication request sent by the IKE initiating device for authenticating the negotiation messages;
a second sending module, configured to send to the IKE initiating device a second authentication response corresponding to the second authentication request, the second authentication response carrying the tunnel establishment parameters.
21. The device according to claim 20, characterized in that
the determining module comprises a third unit, the third unit being configured to obtain a preset authentication-exempt set from the device itself or from an external device and, when at least one item of the access information belongs to the authentication-exempt set, determine that the IKE initiating device is an authentication-exempt device.
22. The device according to claim 20, characterized in that
the access information carries a user ID of the IKE initiating device;
the determining module comprises a fourth unit, the fourth unit being configured to obtain, from the device itself or from an external device, the authentication-exempt policy corresponding to the user ID and, when the authentication-exempt policy corresponding to the user ID is complete authentication-exempt, determine that the IKE initiating device is an authentication-exempt device.
23. The device according to claim 20, characterized in that
the access information comprises a user ID of the IKE initiating device and further comprises at least one of the following parameter information: an APN or a domain identifier;
the determining module comprises a fifth unit, the fifth unit being configured to obtain, from the device itself or from an external device, the authentication-exempt policy corresponding to the user ID and, when the authentication-exempt policy corresponding to the user ID is conditional authentication-exempt and the parameter information comprised in the access information satisfies the condition of the authentication-exempt policy, determine that the IKE initiating device is an authentication-exempt device, wherein the condition of the authentication-exempt policy indicates at least one of the following, corresponding to the user ID, that needs to be satisfied: an APN or a domain identifier.
24. The device according to claim 20, characterized in that
the access information comprises a user ID of the IKE initiating device and further comprises at least one of the following parameter information: an APN or a domain identifier;
the determining module comprises a sixth unit and a seventh unit;
the sixth unit is configured to obtain a preset authentication-exempt set from the device itself or from an external device and, when no item of the access information belongs to the authentication-exempt set, obtain, from the device itself or from an external device, the authentication-exempt policy corresponding to the user ID;
the seventh unit is configured, when the authentication-exempt policy corresponding to the user ID is complete authentication-exempt, or when the authentication-exempt policy corresponding to the user ID is conditional authentication-exempt and the parameter information carried in the access information satisfies the condition of the authentication-exempt policy, to determine that the IKE initiating device is an authentication-exempt device, wherein the condition of the authentication-exempt policy indicates at least one of the following, corresponding to the user ID, that needs to be satisfied: an APN or a domain identifier.
25. An Internet Key Exchange (IKE) initiating device, characterized in that it comprises:
a third sending module, configured to send a first authentication request to an IKE response device, the first authentication request carrying access information;
a third receiving module, configured to receive a first authentication response returned by the IKE response device, the first authentication response carrying authentication success information, the first authentication response being sent by the IKE response device when the access information satisfies an authentication-exempt condition obtained by the IKE response device;
the IKE initiating device further comprises: a second negotiation module, configured to exchange messages with the IKE response device, the messages being negotiation messages for negotiating tunnel establishment parameters;
the third receiving module comprises an eighth unit, the eighth unit being configured, when it is preset that the negotiation messages are authenticated, to receive the first authentication response returned by the IKE response device, the first authentication response carrying authentication success information and the tunnel establishment parameters.
26. An Internet Key Exchange (IKE) initiating device, characterized in that it comprises:
a third sending module, configured to send a first authentication request to an IKE response device, the first authentication request carrying access information;
a third receiving module, configured to receive a first authentication response returned by the IKE response device, the first authentication response carrying authentication success information, the first authentication response being sent by the IKE response device when the access information satisfies an authentication-exempt condition obtained by the IKE response device;
the IKE initiating device further comprises: a second negotiation module, configured to exchange messages with the IKE response device, the messages being negotiation messages for negotiating tunnel establishment parameters;
the third receiving module comprises a ninth unit, the ninth unit being configured, when it is preset that the negotiation messages need to be authenticated, to receive the first authentication response returned by the IKE response device, the first authentication response carrying authentication success information;
the IKE initiating device further comprises:
a fourth sending module, configured to send to the IKE response device a second authentication request for authenticating the negotiation messages;
a fourth receiving module, configured to receive a second authentication response sent by the IKE response device corresponding to the second authentication request, the second authentication response carrying the tunnel establishment parameters.
27. An Internet Key Exchange (IKE) authentication system, characterized in that it comprises:
an IKE initiating device according to any one of claims 25 to 26, and
an IKE response device according to any one of claims 15 to 24.
Application CN200910207794.8A (priority date 2009-10-30, filing date 2009-10-30): IKE (Internet Key Exchange) authentication method and system, IKE response equipment and IKE initiating equipment. Granted as CN102056154B (en); legal status: Active.


Publications (2)
CN102056154A (application), published 2011-05-11
CN102056154B (granted patent), published 2014-05-07

Family ID: 43959970


Families citing this family (4)
(* cited by examiner, † cited by third party)
CN102857900B * (priority 2011-06-27, published 2017-05-24, 中兴通讯股份有限公司): Access method of access equipment to IMS (IP multimedia subsystem) network and AGCF (access gateway control function) and S-CSCF (serving-call session control function)
CN103002429B * (priority 2011-09-13, published 2017-04-26, 中兴通讯股份有限公司): Method and system for processing UE (user equipment) capability
CN102791016B * (priority 2012-07-04, published 2014-12-10, 大唐移动通信设备有限公司): Access processing method and device
CN106060006B * (priority 2016-05-09, published 2021-06-25, 新华三技术有限公司): Access method and device

Citations (2)
(* cited by examiner, † cited by third party)
CN101198015A * (priority 2007-12-27, published 2008-06-11, 上海全景数字技术有限公司): Digital television authentication system and encryption method thereof
CN101351019A * (priority 2007-07-20, published 2009-01-21, 华为技术有限公司): Access gateway, terminal as well as method and system for establishing data connection




Legal events
C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
C14: Grant of patent or utility model
GR01: Patent grant