CN102238484B - Group-based authentication method and system in a machine-to-machine communication system - Google Patents


Info

Publication number: CN102238484B
Authority: CN (China)
Prior art keywords: mtc device, group, authentication, auc, security management
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201010153947.8A
Other languages: Chinese (zh)
Other versions: CN102238484A
Inventors: 田甜, 朱允文, 韦银星, 高峰
Current Assignee: ZTE Corp (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: ZTE Corp
Application filed by ZTE Corp
Priority to CN201010153947.8A
Priority to PCT/CN2011/071068 (WO2011131052A1)
Publication of CN102238484A
Application granted
Publication of CN102238484B
Legal status: Active

Classifications

    • H Electricity
        • H04 Electric communication technique
            • H04L Transmission of digital information, e.g. telegraphic communication
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
                        • H04L 63/065 Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
                    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                        • H04L 63/104 Grouping of entities
            • H04W Wireless communication networks
                • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
                    • H04W 4/06 Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services
                    • H04W 4/70 Services for machine-to-machine communication [M2M] or machine type communication [MTC]
                • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W 12/06 Authentication
                        • H04W 12/069 Authentication using certificates or pre-shared keys
                • H04W 28/00 Network traffic management; Network resource management
                    • H04W 28/16 Central resource management; Negotiation of resources or communication parameters, e.g. negotiating bandwidth or QoS [Quality of Service]
                        • H04W 28/18 Negotiating wireless communication parameters
                • H04W 92/00 Interfaces specially adapted for wireless communication networks
                    • H04W 92/16 Interfaces between hierarchically similar devices
                        • H04W 92/18 Interfaces between hierarchically similar devices between terminal devices


Abstract

The invention discloses a group-based authentication method in a machine-to-machine communication system, comprising: an authentication centre (AuC) generates group authentication parameters according to the group subscription information of an MTC device and sends the group authentication parameters to an access security management entity (ASME); the ASME generates, from the group authentication parameters, the authentication parameters for each MTC device and authenticates the MTC devices in that group. The invention also discloses a group-based authentication system in a machine-to-machine communication system, comprising MTC devices, an ASME and an AuC; the AuC generates group authentication parameters according to the group subscription information of a machine type communication (MTC) device and sends them to the ASME; the ASME generates, from the group authentication parameters, the authentication parameters for each MTC device and authenticates the MTC devices in that group. The invention substantially improves the efficiency of authenticating MTC devices.

Description

Group-based authentication method and system in a machine-to-machine communication system
Technical field
The present invention relates to authentication techniques in a machine-to-machine (M2M, Machine-to-Machine) communication system, and in particular to a group-based authentication method and system in an M2M communication system.
Background technology
In existing second-generation (2G) and third-generation (3G) mobile networks, only a user holding a valid International Mobile Subscriber Identity (IMSI) is entitled to be served.
Authentication is the process of verifying that the IMSI is valid. It is part of mobile-network security management and is used to provide confidentiality and data integrity in the mobile network. The Authentication and Key Agreement (AKA) procedure of the Universal Mobile Telecommunications System (UMTS) is outlined below; in the Evolved Packet System (EPS), EPS-AKA does not differ from UMTS-AKA in essence. The procedure comprises the following steps:
(1) Generating authentication quintuplets: the terminal sends an access request, which reaches the Home Location Register (HLR)/Authentication Centre (AuC). On receiving the authentication data request, the HLR/AuC generates the corresponding authentication vectors, each consisting of five elements: a random number RAND, an expected response XRES, a cipher key CK, an integrity key IK and an authentication token AUTN.
(2) The authentication quintuplets are sent to the requesting VLR/SGSN.
(3) The VLR/SGSN selects one of the quintuplets it obtained and sends RAND(i) and AUTN(i) to the user.
(4) The Universal Subscriber Identity Module (USIM) checks whether AUTN(i) is acceptable, for example whether AUTN(i) carries a valid authentication token.
(5) After receiving the authentication request, the terminal first computes the expected message authentication code XMAC and compares it with the message authentication code MAC contained in the authentication token AUTN; if they differ, it sends an authentication reject message to the SGSN/VLR and abandons the procedure. The mobile station (MS) also verifies that the received sequence number SQN lies within the valid range; if it does not, the MS sends a synchronisation failure message to the SGSN/VLR and abandons the procedure.
(6) Once the above checks pass, the terminal produces the response RES(i) and sends it to the VLR/SGSN, which compares RES(i) with XRES(i). At the same time the USIM computes CK and IK for ciphering and integrity protection over the air interface.
However, existing mobile networks are all optimised for human-to-human communication and are not optimal for machine-to-machine, machine-to-human or human-to-machine applications.
With the continuing development and maturation of M2M technology and the diversification of M2M uses, the number of M2M terminals will grow explosively; it is estimated that the number of M2M terminals will exceed the number of handheld terminals by two orders of magnitude. If every M2M terminal authenticates with the network and transmits data independently, so that the subscriber database/authentication centre (HSS or HLR/AuC) must generate an authentication vector for every accessing machine type communication (MTC) device and send it to the access security management entity, the load on the existing network will be very large and the quality of service and user experience of M2M services will suffer.
When many MTC devices are deployed as an MTC device group belonging to the same MTC user, or when all MTC devices in the same area are placed in one group, the cost of authenticating every MTC device in the group individually is high and usually unnecessary. Without group optimisation each MTC device must be authenticated separately, which increases the signalling load the system needs for authentication and may even cause network congestion.
The network authentication techniques of the current 3rd Generation Partnership Project (3GPP) will therefore struggle to serve the ever larger number of MTC devices. An optimised authentication mechanism for MTC devices is needed that significantly reduces the amount of signalling required and, in particular, relieves the pressure on the core network.
Summary of the invention
In view of this, the main object of the present invention is to provide a group-based authentication method and system in an M2M communication system that improves the efficiency of MTC device authentication, significantly reduces the amount of signalling in the existing network and at the same time relieves the authentication load on the existing network.
To achieve the above object, the technical solution of the present invention is as follows:
A group-based authentication method in an M2M communication system: the AuC generates group authentication parameters according to the group subscription information of an MTC device and sends the group authentication parameters to an access security management entity (ASME);
the ASME generates, from the group authentication parameters, the authentication parameters for each MTC device and authenticates the MTC devices in that group.
Preferably, before the AuC generates the group authentication parameters from the group subscription information of the MTC device:
the AuC is pre-configured with the group root key of the group to which the MTC device belongs and with the root key of the MTC device.
Preferably, the AuC looks up the subscription information of the MTC device according to the MTC device identifier carried in the received authentication request message; if the MTC device has a group subscription, the AuC generates the corresponding group authentication vector from the group root key and the group identifier of the group to which the MTC device belongs;
the AuC generates the hash value of the MTC device root key from the MTC device root key and a hash algorithm.
Preferably, the group authentication parameters comprise: the group authentication vector, the hash value of the MTC device root key, the subscribed group to which the MTC device belongs and the group membership information.
Preferably, after receiving an MTC device attach request or service request, the ASME queries, according to the MTC device identifier carried in the request message, whether the subscribed group to which the MTC device belongs and the group authentication parameters of that group already exist; if they do not, it sends an authentication request for the MTC device to the AuC; if they do, the ASME authenticates the MTC device directly.
Preferably, the ASME authenticates the MTC device as follows:
the ASME generates a random number and, from the group authentication vector, the hash value of the MTC device root key and the random number it generated, derives an authentication vector for the MTC device, with which it authenticates the MTC device.
A group-based authentication system in an M2M communication system comprises MTC devices, an ASME and an AuC; the AuC is configured to generate group authentication parameters according to the group subscription information of a machine type communication (MTC) device and to send the group authentication parameters to the ASME;
the ASME is configured to generate, from the group authentication parameters, the authentication parameters for each MTC device and to authenticate the MTC devices in that group.
Preferably, the AuC is configured to be pre-configured with the group root key of the group to which the MTC device belongs and with the root key of the MTC device; to look up the subscription information of the MTC device according to the MTC device identifier carried in the received authentication request message and, if the MTC device has a group subscription, to generate the corresponding group authentication vector from the group root key and the group identifier of the group to which the MTC device belongs; and to generate the hash value of the MTC device root key from the MTC device root key and a hash algorithm.
Preferably, the group authentication parameters comprise: the group authentication vector, the hash value of the MTC device root key, the subscribed group to which the MTC device belongs and the group membership information.
Preferably, the ASME is configured, after receiving an MTC device attach request or service request, to query, according to the MTC device identifier carried in the request message, whether the subscribed group to which the MTC device belongs and the group authentication parameters of that group already exist; if they do not, to send an authentication request for the MTC device to the AuC; if they do, to authenticate the MTC device;
the ASME is configured to generate a random number and, from the group authentication vector, the hash value of the MTC device root key and the random number, to derive an authentication vector for the MTC device, with which it authenticates the MTC device.
In the present invention, MTC devices sharing the same group subscription information are placed in one group. When an MTC device in the group authenticates for the first time, that is, when the ASME holds no valid group authentication parameters, the ASME sends an authentication request to the AuC, the AuC returns the corresponding authentication vector to the ASME, and the ASME completes the authentication of the MTC device. When the ASME already holds the corresponding group authentication parameters and another MTC device in the group authenticates, the ASME uses the corresponding authentication vector to authenticate that device directly, without involving the AuC again for each MTC device. This clearly improves the efficiency of MTC device authentication, shares the load the AuC carries for MTC device authentication, saves processing resources on the network side and improves the service processing efficiency of the core network.
Brief description of the drawings
Fig. 1 is the authentication procedure for the first MTC device of a group of MTC devices to access a UMTS network;
Fig. 2 is the authentication procedure for a subsequent MTC device of a group of MTC devices in a UMTS network;
Fig. 3 is the key hierarchy of LTE/SAE;
Fig. 4 is the authentication procedure for the first MTC device of a group sharing the same subscription information in an EPS network;
Fig. 5 is the authentication procedure for a subsequent MTC device of a group of MTC devices in an EPS network;
Fig. 6 is a schematic diagram of the structure of the group-based authentication system in an M2M communication system according to the present invention.
Embodiments
The basic idea of the present invention is: MTC devices sharing the same group subscription information are placed in one group. When an MTC device in the group authenticates for the first time, that is, when the ASME holds no valid group authentication parameters, the ASME sends an authentication request to the AuC, the AuC returns the corresponding authentication vector to the ASME, and the ASME completes the authentication of the MTC device. When the ASME already holds the corresponding group authentication parameters and another MTC device in the group authenticates, the ASME uses the corresponding authentication vector to authenticate that device directly, without involving the AuC again for each MTC device.
To make the object, technical solution and advantages of the present invention clearer, the invention is described in more detail below by way of embodiments and with reference to the accompanying drawings.
Fig. 1 and Fig. 2 show the group authentication procedure for MTC devices in a group sharing the same subscription information in a 3G network, where the ASME network element is the VLR/SGSN and the subscriber database/AuC is the HLR/AuC. Each MTC device subscribed as a member of a group is pre-configured with the group identification information, the group root key Ksg and the MTC device root key Ksi; the subscription centre is pre-configured with the group root key of the MTC devices subscribed as a group, the root key of each MTC device in the group and the subscription information of the group.
Fig. 1 is the authentication procedure for the first MTC device of a group of MTC devices to access a UMTS network. As shown in Fig. 1, the MTC device authentication procedure of this example comprises the following steps:
Step 101: The first MTC device to access, among the group of MTC devices sharing the same subscription information, initiates an access/service attach request; the request message carries the identification information of this first MTC device, which in this example is the IMSI of the MTC device.
Step 102: The VLR/SGSN queries whether it already holds the information of the subscribed group containing this MTC device and the group authentication vector of that group.
Step 103: In this example the device being authenticated is the first MTC device of its group, so no authentication parameters for the group to which it is subscribed exist yet. The VLR/SGSN sends an authentication request to the HLR/AuC carrying the IMSI of the MTC device.
Step 104: The HLR/AuC looks up the subscription information of the MTC device by its identifier; if the device has a group subscription, it generates the corresponding group authentication vector according to the authentication policy. The authentication policy includes the algorithms used to generate the relevant keys, such as the hash algorithm, and the key generation algorithm that produces the authentication vector. Here the group authentication vector consists of five elements: the group random number RANDg, the group authentication token AUTNg, the group cipher key CKg, the group integrity key IKg and the group expected response XRESg. Any existing key generation algorithm and hash algorithm may be used. The authentication vector is generated from the group root key and information related to the group subscription, such as the group identifier; since this is prior art, the way each parameter is generated is not described further here.
Step 105: The HLR/AuC returns an authentication data response to the VLR/SGSN. The message contains the group authentication quintuplet (the group random number RANDg, the group authentication token AUTNg, the group cipher key CKg, the group integrity key IKg and the group expected response XRESg) together with the subscription information of the group, which comprises the group identifier and the IMSIs of all MTC devices in the group. The message sent to the VLR/SGSN also contains the hash value hash(Ksi) of the root key of each MTC device; the HLR/AuC computes the hash value of each MTC device's root key using the configured hash algorithm. In the present invention the hash values of the MTC device root keys are generated centrally by the AuC, mainly to ensure the security of authentication, and this is the preferred approach.
Step 106: The VLR/SGSN stores the group authentication parameters sent by the HLR/AuC, such as the authentication vector and the corresponding hash values, finds the hash(Ksi) corresponding to this MTC device among the parameters (it is located by the MTC device identifier), generates a random number RANDi and computes XRESi from hash(Ksi), RANDi and XRESg.
Step 107: The VLR/SGSN sends a user authentication request to the MTC device; the message contains RANDi, RANDg, AUTNg and a group authentication indicator GAIndicator.
Step 108: The MTC device computes the hash value hash(Ksi) of its own root key Ksi using the same hash algorithm as the HLR/AuC and, from hash(Ksi), RANDi and the group cipher key CKg, group integrity key IKg and group expected response XRESg computed with the existing key algorithm, derives its own cipher key CKi, integrity key IKi and response RESi.
Step 109: The MTC device returns a user authentication response to the VLR/SGSN containing RESi.
Step 110: The VLR/SGSN compares RESi with XRESi; if they match, authentication succeeds, otherwise it fails.
Step 111: The VLR/SGSN generates CKi and IKi from hash(Ksi), RANDi, CKg and IKg and sends them to the Radio Network Controller (RNC) for data encryption.
Step 112: The MTC device uses CKi and IKi for confidentiality and integrity protection of data respectively.
Fig. 2 is the authentication procedure for a subsequent MTC device of a group of MTC devices in a UMTS network. As shown in Fig. 2, the MTC device authentication procedure of this example comprises the following steps:
Step 201: The MTC device initiates an access/service attach request; the request message carries the MTC device identifier (the IMSI in this example).
Step 202: The VLR/SGSN queries whether it already holds the information of the subscribed group containing this MTC device.
Step 203: In this example the VLR/SGSN finds that it already holds the information of the subscribed group of this MTC device and the group authentication vector of that group. The VLR/SGSN generates a random number RANDi and computes XRESi from RANDi, hash(Ksi) and XRESg.
Step 204: The VLR/SGSN sends a user authentication request to the MTC device; the message contains RANDi, RANDg, AUTNg and a group authentication indicator GAIndicator.
Step 205: The MTC device computes the hash value hash(Ksi) of its own Ksi using the same hash algorithm as the HLR/AuC and, from hash(Ksi), RANDi and the group CKg, IKg and RESg computed with the existing algorithm, derives its own CKi, IKi and RESi.
Step 206: The MTC device returns a user authentication response to the VLR/SGSN containing RESi.
Step 207: The VLR/SGSN compares RESi with XRESi; if they match, authentication succeeds.
Step 208: The VLR/SGSN generates CKi and IKi from hash(Ksi), CKg and IKg and sends them to the RNC for data encryption.
Step 209: The MTC device uses CKi and IKi for confidentiality and integrity protection of data.
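The two procedures above, Fig. 1 (first device of a group, one round trip to the HLR/AuC) and Fig. 2 (a later device served from the cached group vector), as an added runnable simulation; this is editor-supplied example code, not the patent's or ZTE's implementation. It assumes HMAC-SHA256 and SHA-256 as stand-ins for the unspecified "existing" key generation and hash algorithms, reduces the message exchange to method calls, and uses constructed identifiers and keys; it also adds a device that holds the group root key Ksg but not the correct Ksi, to show that RESi is bound to hash(Ksi).

```python
# Added simulation of the group-based UMTS AKA flow of Fig. 1 and Fig. 2 (constructed example:
# HMAC-SHA256 / SHA-256 stand in for the patent's unspecified key generation and hash algorithms).
import hashlib
import hmac
import os


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in key derivation: HMAC-SHA256 over the concatenated inputs."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class HlrAuc:
    """HLR/AuC pre-configured with groups: group_id -> {"ksg": bytes, "members": {imsi: ksi}}."""

    def __init__(self, groups: dict):
        self.groups = groups

    def authentication_data_response(self, imsi: str):
        """Steps 104-105: group quintuplet plus membership and hash(Ksi) for every member."""
        for group_id, grp in self.groups.items():
            if imsi in grp["members"]:
                ksg, randg = grp["ksg"], os.urandom(16)
                return {
                    "group_id": group_id,
                    "randg": randg,
                    "autng": kdf(ksg, b"AUTN", randg, group_id.encode()),
                    "ckg": kdf(ksg, b"CK", randg),
                    "ikg": kdf(ksg, b"IK", randg),
                    "xresg": kdf(ksg, b"XRES", randg),
                    "hashes": {m: hashlib.sha256(k).digest() for m, k in grp["members"].items()},
                }
        return None  # no group subscription for this IMSI


class MtcDevice:
    """MTC device pre-configured with its group id, the group root key Ksg and its own Ksi."""

    def __init__(self, imsi: str, group_id: str, ksg: bytes, ksi: bytes):
        self.imsi, self.group_id, self.ksg, self.ksi = imsi, group_id, ksg, ksi
        self.cki = self.iki = None

    def user_authentication_response(self, randi: bytes, randg: bytes, autng: bytes) -> bytes:
        """Step 108: check AUTNg with Ksg, recompute the group keys, bind them to hash(Ksi) and RANDi."""
        if not hmac.compare_digest(autng, kdf(self.ksg, b"AUTN", randg, self.group_id.encode())):
            raise ValueError("AUTNg rejected")
        h = hashlib.sha256(self.ksi).digest()
        self.cki = kdf(h, randi, kdf(self.ksg, b"CK", randg))
        self.iki = kdf(h, randi, kdf(self.ksg, b"IK", randg))
        return kdf(h, randi, kdf(self.ksg, b"XRES", randg))  # RESi


class VlrSgsn:
    """ASME (VLR/SGSN): caches group parameters and authenticates later members itself."""

    def __init__(self, auc: HlrAuc):
        self.auc, self.cache, self.auc_requests = auc, {}, 0

    def _cached_params(self, imsi: str):
        return next((p for p in self.cache.values() if imsi in p["hashes"]), None)

    def authenticate(self, dev: MtcDevice):
        """Steps 102-111 (first device) or 202-208 (later device); returns (ok, CKi, IKi)."""
        params = self._cached_params(dev.imsi)
        if params is None:  # Step 103: nothing cached, one round trip to the HLR/AuC
            self.auc_requests += 1
            params = self.auc.authentication_data_response(dev.imsi)
            if params is None:
                return False, None, None
            self.cache[params["group_id"]] = params
        h, randi = params["hashes"][dev.imsi], os.urandom(16)
        xresi = kdf(h, randi, params["xresg"])  # Step 106 / 203
        try:
            resi = dev.user_authentication_response(randi, params["randg"], params["autng"])
        except ValueError:
            return False, None, None
        if not hmac.compare_digest(resi, xresi):  # Step 110 / 207
            return False, None, None
        return True, kdf(h, randi, params["ckg"]), kdf(h, randi, params["ikg"])  # Step 111 / 208


def run_demo() -> dict:
    ksg, ksi_a, ksi_b = os.urandom(16), os.urandom(16), os.urandom(16)  # constructed keys
    auc = HlrAuc({"group-1": {"ksg": ksg, "members": {"imsi-a": ksi_a, "imsi-b": ksi_b}}})
    asme = VlrSgsn(auc)
    dev_a = MtcDevice("imsi-a", "group-1", ksg, ksi_a)
    dev_b = MtcDevice("imsi-b", "group-1", ksg, ksi_b)
    rogue = MtcDevice("imsi-b", "group-1", ksg, os.urandom(16))  # knows Ksg, not imsi-b's Ksi
    ok_a, cki_a, iki_a = asme.authenticate(dev_a)  # Fig. 1: the only AuC round trip
    ok_b, cki_b, iki_b = asme.authenticate(dev_b)  # Fig. 2: served from the cached group vector
    return {
        "first_ok": ok_a, "second_ok": ok_b, "rogue_ok": asme.authenticate(rogue)[0],
        "auc_requests": asme.auc_requests,
        "keys_match": (cki_a, iki_a, cki_b, iki_b) == (dev_a.cki, dev_a.iki, dev_b.cki, dev_b.iki),
        "keys_differ": cki_a != cki_b,
    }
```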
In Long Term Evolution (LTE)/System Architecture Evolution (SAE), because the eNB sits in a not fully trusted zone, LTE/SAE security comprises two levels: Access Stratum (AS) security and Non-Access Stratum (NAS) security:
1) AS security: security between the UE and the eNB, which mainly performs encryption and integrity protection of AS signalling and encryption of the user plane (UP).
2) NAS security: security between the UE and the MME, which mainly performs encryption and integrity protection of NAS signalling.
Fig. 3 is the key hierarchy of LTE/SAE. As shown in Fig. 3, the key hierarchy of an LTE/SAE network comprises the following keys:
1) Keys shared between the UE and the HSS:
K: the permanent key stored in the USIM of the MTC device and in the AuC; it serves as the group root key.
CK/IK: the key pair generated by the AuC and the USIM during the AKA procedure. Unlike in UMTS, CK/IK do not leave the HSS.
2) Intermediate key shared between the Mobile Equipment (ME) and the ASME:
K_ASME: the key derived by the UE and the HSS from CK/IK, used to derive the lower-layer keys.
3) Keys shared between the UE and the eNB and MME:
K_NASint: derived by the UE and the MME from K_ASME; protects the integrity of NAS traffic between the UE and the MME.
K_NASenc: derived by the UE and the MME from K_ASME; protects the confidentiality of NAS traffic between the UE and the MME.
K_eNB: derived by the UE and the MME from K_ASME; K_eNB is used to derive the AS-layer keys.
K_UPenc: derived by the UE and the eNB from K_eNB and the identifier of the ciphering algorithm; protects the confidentiality of the UP between the UE and the eNB.
K_RRCint: derived by the UE and the eNB from K_eNB and the identifier of the integrity algorithm; protects the integrity of RRC between the UE and the eNB.
K_RRCenc: derived by the UE and the eNB from K_eNB and the identifier of the ciphering algorithm; protects the confidentiality of RRC between the UE and the eNB.
Fig. 4 and Fig. 5 show the authentication procedure for MTC devices in a group sharing the same subscription information in an EPS network, where the ASME network element is the MME and the subscriber database/AuC is the HSS. Each MTC device subscribed as a member of a group is pre-configured with the group identification information, the group root key Ksg and the MTC device root key Ksi; the subscription centre is pre-configured with the group root key of the MTC devices subscribed as a group, the root key of each MTC device in the group and the subscription information of the group.
Fig. 4 is the authentication procedure for the first MTC device of a group sharing the same subscription information in an EPS network. As shown in Fig. 4, the MTC device authentication procedure of this example comprises the following steps:
Step 401: The accessing MTC device initiates an access/service attach request; the request message carries the user identifier (IMSI).
Step 402: The MME queries whether it already holds the information of the subscribed group containing this MTC device and the group authentication vector of that group.
Step 403: In this example the device being authenticated is the first MTC device of its group, so no information on the subscribed group of this MTC device exists yet. The MME sends an authentication request carrying the device identifier, which in this example is the IMSI of the device.
Step 404: The HSS looks up the subscription information of the MTC device by its identifier; if the device has a group subscription, it generates the corresponding group authentication vector according to the authentication policy. In this example the MTC device has a group subscription, so the HSS generates the group authentication vector: from the group root key and the corresponding key generation algorithm it produces an authentication vector containing the group random number RANDg, the group authentication token AUTNg, the group key set identifier KSI_ASMEg, the access network element key K_ASME and the group expected response XRESg.
Step 405: The HSS returns an authentication data response to the MME. The message contains the group random number RANDg, the group authentication token AUTNg, the group key set identifier KSI_ASMEg, the access network element key K_ASME and the group expected response XRESg, together with the subscription information of the group, which comprises the group identifier and the identifiers of all MTC devices in the group. The message sent to the MME also contains the hash value hash(Ksi) of the root key of each MTC device, which the HSS computes from each MTC device's root key using the configured hash algorithm.
Step 406: The MME stores the group authentication parameters, finds the hash(Ksi) corresponding to this MTC device among them, generates a random number RANDi, derives K_ASMEi from hash(Ksi), RANDi and K_ASME, and computes XRESi from hash(Ksi), RANDi and XRESg.
Step 407: The MME sends a user authentication request to the MTC device; the message contains RANDi, RANDg, AUTNg, KSI_ASMEg and a group authentication indicator GAIndicator.
Step 408: The MTC device computes the hash value hash(Ksi) of its own root key Ksi using the same hash algorithm as the HSS and, from hash(Ksi), RANDi and the group response RESg and K_ASME computed with the existing algorithm, derives its own response RESi and key K_ASMEi.
Step 409: The MTC device returns a user authentication response to the MME containing RESi.
Step 410: The MME compares RESi with XRESi; if they match, authentication succeeds, otherwise it fails.
Step 411: The MME derives K_ASMEi from hash(Ksi), RANDi and K_ASME, and from K_ASMEi derives K_NASenci, K_NASinti and K_eNBi. K_NASenci and K_NASinti protect the NAS signalling between the user and the MME; K_eNBi is delivered to the eNB, which derives K_UPenci, K_RRCinti and K_RRCenci from K_eNBi.
Step 412: The MTC device derives K_NASenci, K_NASinti and K_eNBi from K_ASMEi, and uses K_NASenci and K_NASinti for confidentiality and integrity protection of data respectively.
Fig. 5 is the authentication flow chart, in an EPS network, for an MTC device belonging to a group whose group parameters already exist at the MME. As shown in Fig. 5, the MTC device authentication flow of this example comprises the following steps:
Step 501: The MTC device initiates an attach/service association request; the request message contains its user identifier (IMSI).
Step 502: MME queries whether it already holds information on the subscription group that contains this MTC device.
Step 503: In this example, MME finds that the information on the subscription group to which this MTC device belongs, and the authentication vector information of that group, already exist. MME generates a random number RANDi and derives XRESi from RANDi, hash(Ksi) and XRESg.
Step 504: MME sends a subscription authentication request to the MTC device; the message contains RANDi, RANDg, AUTNg, KSI_ASMEg and the group authentication indicator GAIndicator.
Step 505: The MTC device uses the same hash algorithm as HSS to compute the hash value hash(Ksi) of its own Ksi, and computes RESi from this hash value, RANDi and the RESg computed with the existing algorithm.
Step 506: The MTC device returns a subscription authentication response to MME; the response contains RESi.
Step 507: MME compares RESi with XRESi; if they match, authentication succeeds.
Step 508: MME derives K_ASMEi from RANDi, hash(Ksi) and K_ASME, and from K_ASMEi derives K_NASenci, K_NASinti and K_eNBi. K_NASenci and K_NASinti protect the NAS signalling between the user and MME; K_eNBi is delivered to the eNB, and the eNB derives K_UPenci, K_RRCinti and K_RRCenci from K_eNBi.
Step 509: The MTC device derives K_NASenci, K_NASinti, K_UPenci, K_RRCinti and K_RRCenci from K_ASMEi, and these provide confidentiality and integrity protection of the data.
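The following Python simulation of the flows of Figs. 4 and 5 is an added example, not code from the patent or from ZTE. The patent does not specify the key derivation functions, the "existing algorithm" for RESg/K_ASME, or the hash algorithm, so HMAC-SHA256 and SHA-256 stand in for them here; the group root key Kg, the device root keys Ksi, the IMSIs and the assumption that each device also holds Kg are constructed for the example.

```python
import hashlib, hmac, os

def kdf(key, *parts):  # assumed KDF standing in for the patent's unspecified algorithms
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def hash_root_key(ksi):  # hash(Ksi): the hash algorithm configured at both HSS and device
    return hashlib.sha256(ksi).digest()

def group_vector(kg, rand_g):  # group AV (steps 404 / 408) from the group root key Kg
    return {"RANDg": rand_g, "AUTNg": kdf(kg, b"AUTN", rand_g),
            "XRESg": kdf(kg, b"RES", rand_g), "K_ASME": kdf(kg, b"KASME", rand_g)}

def device_values(h_ksi, rand_i, res_g, k_asme):  # per-device (X)RESi, K_ASMEi (steps 406/408/411)
    return kdf(h_ksi, b"RES", rand_i, res_g), kdf(h_ksi, b"KASME", rand_i, k_asme)

class HSS:  # the authentication centre
    def __init__(self, groups):  # group_id -> (Kg, {imsi: Ksi}), pre-configured root keys
        self.groups, self.queries = groups, 0
    def auth_data_response(self, imsi):  # steps 404-405
        self.queries += 1
        for gid, (kg, members) in self.groups.items():
            if imsi in members:  # device has a group subscription: build the group AV
                av = group_vector(kg, os.urandom(16))
                av["group_id"], av["members"] = gid, list(members)
                av["hashes"] = {m: hash_root_key(k) for m, k in members.items()}
                return av
        raise KeyError("no group subscription for " + imsi)

class MTCDevice:
    def __init__(self, imsi, ksi, kg):  # device holds its own Ksi and (assumed) the group root key Kg
        self.imsi, self.ksi, self.kg, self.k_asme_i = imsi, ksi, kg, None
    def auth_response(self, rand_i, rand_g, autn_g):  # step 408
        gv = group_vector(self.kg, rand_g)  # RESg and K_ASME via the "existing algorithm"
        if not hmac.compare_digest(gv["AUTNg"], autn_g):  # AUTNg check, assumed as in AKA
            raise ValueError("AUTNg verification failed")
        res_i, self.k_asme_i = device_values(hash_root_key(self.ksi), rand_i, gv["XRESg"], gv["K_ASME"])
        return res_i  # step 409

class MME:  # the connection security management equipment (ASME)
    def __init__(self, hss):
        self.hss, self.cache = hss, {}  # imsi -> stored group parameters
    def authenticate(self, dev):
        p = self.cache.get(dev.imsi)  # step 502: group parameters already present?
        if p is None:  # Fig. 4 path: request authentication data from HSS
            p = self.hss.auth_data_response(dev.imsi)
            for m in p["members"]:
                self.cache[m] = p  # step 406: keep the group parameters for every member
        rand_i = os.urandom(16)  # steps 406 / 503
        xres_i, k_asme_i = device_values(p["hashes"][dev.imsi], rand_i, p["XRESg"], p["K_ASME"])
        res_i = dev.auth_response(rand_i, p["RANDg"], p["AUTNg"])  # steps 407-409
        if not hmac.compare_digest(res_i, xres_i):  # step 410
            return None
        return k_asme_i  # step 411: root of K_NASenci, K_NASinti, K_eNBi

def demo():  # constructed scenario: two members of one group, then a device with a wrong Ksi
    kg, ks1, ks2 = os.urandom(16), os.urandom(16), os.urandom(16)
    mme = MME(HSS({"grp-1": (kg, {"IMSI-1": ks1, "IMSI-2": ks2})}))
    d1, d2 = MTCDevice("IMSI-1", ks1, kg), MTCDevice("IMSI-2", ks2, kg)
    k1 = mme.authenticate(d1)  # Fig. 4 flow: HSS queried, group parameters stored
    k2 = mme.authenticate(d2)  # Fig. 5 flow: stored group parameters reused, no HSS query
    bad = mme.authenticate(MTCDevice("IMSI-2", os.urandom(16), kg))  # wrong root key Ksi
    return {"hss_queries": mme.hss.queries, "bad_rejected": bad is None, "keys_distinct": k1 != k2,
            "dev1_ok": k1 is not None and k1 == d1.k_asme_i,
            "dev2_ok": k2 is not None and k2 == d2.k_asme_i}
```

Running demo() shows the point of the scheme: one HSS query serves the whole group, each member still ends up with its own K_ASMEi, and a device whose root key does not match the hash held by the MME is rejected at step 410.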
Fig. 6 is a schematic diagram of the composition of the group-based authentication system in the machine-to-machine communication system of the present invention. As shown in Fig. 6, the group-based authentication system in the machine-to-machine communication system of the present invention comprises MTC device 60, connection security management equipment 61 and AUC 62; other network elements also exist in the system, identical to the network structure of the prior art. AUC 62 is configured to generate group authentication parameters according to the group subscription information of the MTC device, and to send the group authentication parameters to the connection security management equipment;
Connection security management equipment 61 is configured to generate, according to the generated group authentication parameters, the authentication parameters for each MTC device, and to authenticate the MTC devices in the group.
Further, AUC 62 is configured to pre-configure the group root key of the group to which the MTC device belongs and the root key of the MTC device; to query the subscription information of the MTC device according to the MTC device identifier carried in the received authentication request message and, if the MTC device has a group subscription, to generate the corresponding group authentication vector from the group root key and the group identifier of the group to which the MTC device belongs; and to generate the hash value of the root key of the MTC device according to the root key of the MTC device and the hash algorithm.
Further, the group authentication parameters comprise: the group authentication vector, the hash value of the MTC device root key, the subscription group to which the MTC device belongs, and the group membership information.
Further, connection security management equipment 61, after receiving an MTC device attach request or service request, queries, according to the MTC device identifier carried in the request message, whether the subscription group to which the MTC device belongs and the group authentication parameters of that subscription group already exist; if not, it initiates an authentication request for the MTC device to AUC; if so, it authenticates the MTC device.
Further, connection security management equipment 61 is configured to generate a random number and, according to the group authentication vector, the hash value of the MTC device root key and the random number, to generate the authentication vector for the MTC device and authenticate the MTC device.
The above ASME is a VLR/SGSN or an MME; the AUC is an HLR/AuC or an HSS.
Those skilled in the art should understand that the group-based authentication system in the machine-to-machine communication system of the present invention is designed to implement the group-based authentication method in the machine-to-machine communication system described above, and that the functions of each network element can be understood with reference to the description of the method above.
The above are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.

Claims (8)

1. A group-based authentication method in a machine-to-machine communication system, characterized in that:
after receiving an MTC device attach request or service request, the connection security management equipment ASME queries, according to the MTC device identifier carried in the request, whether the subscription group to which the MTC device belongs and the group authentication parameters of that subscription group already exist; if not, it initiates an authentication request for the MTC device to the AUC; if so, the connection security management equipment authenticates the MTC device directly; after the authentication request for the MTC device is initiated to the AUC, the method comprises: the AUC generates group authentication parameters according to the group subscription information of the machine type communication MTC device, and sends the group authentication parameters to the connection security management equipment;
the connection security management equipment generates, according to the generated group authentication parameters, the authentication parameters for each MTC device, and authenticates the MTC devices in the group.
2. The method according to claim 1, characterized in that, before the AUC generates the group authentication parameters according to the group subscription information of the machine type communication MTC device:
the AUC pre-configures the group root key of the group to which the MTC device belongs and the root key of the MTC device;
the AUC queries the group subscription information of the MTC device according to the MTC device identifier carried in the received authentication request message and, if the MTC device has a group subscription, the AUC generates the corresponding group authentication vector from the group root key and the group identifier of the group to which the MTC device belongs;
the AUC generates the hash value of the root key of the MTC device according to the root key of the MTC device and the hash algorithm.
3. The method according to claim 2, characterized in that the group authentication parameters comprise: the group authentication vector, the hash value of the MTC device root key, the subscription group to which the MTC device belongs, and the group membership information.
4. The method according to claim 2 or 3, characterized in that the authentication of the MTC device by the connection security management equipment is:
the connection security management equipment generates a random number and, according to the group authentication vector, the hash value of the MTC device root key and the random number generated by the connection security management equipment, generates the authentication vector for the MTC device and authenticates the MTC device.
5. A group-based authentication system in a machine-to-machine communication system, comprising an MTC device, connection security management equipment ASME and an AUC; characterized in that:
the connection security management equipment, after receiving an MTC device attach request or service request, queries, according to the MTC device identifier carried in the request, whether the subscription group to which the MTC device belongs and the group authentication parameters of that subscription group already exist; if not, it initiates an authentication request for the MTC device to the AUC; if so, it authenticates the MTC device;
the AUC is configured, after receiving the authentication request for the MTC device initiated by the connection security management equipment, to generate group authentication parameters according to the group subscription information of the machine type communication MTC device, and to send the group authentication parameters to the connection security management equipment;
the connection security management equipment is further configured to generate, according to the generated group authentication parameters, the authentication parameters for each MTC device, and to authenticate the MTC devices in the group.
6. The authentication system according to claim 5, characterized in that:
the AUC is configured to pre-configure the group root key of the group to which the MTC device belongs and the root key of the MTC device; to query the group subscription information of the MTC device according to the MTC device identifier carried in the received authentication request message and, if the MTC device has a group subscription, to generate the corresponding group authentication vector from the group root key and the group identifier of the group to which the MTC device belongs; and to generate the hash value of the root key of the MTC device according to the root key of the MTC device and the hash algorithm.
7. The authentication system according to claim 6, characterized in that the group authentication parameters comprise: the group authentication vector, the hash value of the MTC device root key, the subscription group to which the MTC device belongs, and the group membership information.
8. The authentication system according to claim 6, characterized in that:
the connection security management equipment is configured to generate a random number and, according to the group authentication vector, the hash value of the MTC device root key and the random number, to generate the authentication vector for the MTC device and authenticate the MTC device.
CN201010153947.8A 2010-04-22 2010-04-22 Based on the authentication method of group and system in the communication system of Machine To Machine Active CN102238484B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201010153947.8A CN102238484B (en) 2010-04-22 2010-04-22 Based on the authentication method of group and system in the communication system of Machine To Machine
PCT/CN2011/071068 WO2011131052A1 (en) 2010-04-22 2011-02-17 Method and system for group-based authentication in machine to machine communication systems

Publications (2)

Publication Number Publication Date
CN102238484A CN102238484A (en) 2011-11-09
CN102238484B true CN102238484B (en) 2016-03-30

Also Published As

Publication number Publication date
CN102238484A (en) 2011-11-09
WO2011131052A1 (en) 2011-10-27
