CN102256234A - Method and equipment for processing user authentication process - Google Patents


Publication number: CN102256234A
Authority: CN (China)
Prior art keywords: algorithm, deriving, tenability, hss, mme
Legal status (as listed by Google Patents, not a legal conclusion): Pending
Application number: CN2010101827920A
Other languages: Chinese (zh)
Inventors: 苏丽芳, 赵国胜, 习建德
Current assignee: China Academy of Telecommunications Technology CATT
Original assignee: China Academy of Telecommunications Technology CATT
Application filed by China Academy of Telecommunications Technology CATT
Priority to CN2010101827920A
Publication of CN102256234A


Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method and equipment for processing a user authentication procedure. The method comprises the following steps: the user equipment carries its derivation-algorithm support capability in an initial non-access stratum message and sends that message to a mobility management entity; the mobility management entity obtains the user equipment's support capability for derivation algorithms from the initial non-access stratum message and forwards it to the home subscriber server when requesting data from the home subscriber server; and the home subscriber server receives the user equipment's support capability for derivation algorithms from the mobility management entity and determines the derivation algorithm to be used by the user equipment according to that capability. With this method and equipment the home subscriber server learns the key-algorithm support capability of the user equipment, so the key derivation algorithm can be selected flexibly, meeting the operator's requirement for flexibility in selecting the key derivation algorithm.

Description

Method and apparatus for processing a user authentication procedure
Technical field
The present invention relates to wireless communication technology, and in particular to a method and apparatus for processing a user authentication procedure.
Background technology
TS 23.401 describes the procedure by which a UE (User Equipment) attaches to the network. The initial NAS (Non-Access Stratum) message carries the UE network capability; section 9.9.3.34.1 of TS 24.301 gives the structure of the UE network capability information element. As can be seen there, the UE network capability comprises the EPS (Evolved Packet System) security algorithm capability, the UMTS (Universal Mobile Telecommunications System) security algorithm capability, the UCS2 (Universal Character Set 2) capability and the 1xSRVCC (1x Single Radio Voice Call Continuity; 1x refers to the CDMA2000 version) capability. This network capability is stored in the MME (Mobility Management Entity).
Figure 9.9.3.34.1: UE network capability information element
[Table image GSA00000138172400021 is not reproduced on this page]
The abbreviations in the table are:
EEA: EPS Encryption Algorithm;
EIA: EPS Integrity Algorithm;
UEA: UMTS Encryption Algorithm;
UCS: Universal Character Set;
UIA: UMTS Integrity Algorithm;
Spare: reserved (spare) bits.
Fig. 1 is a schematic diagram of Distribution of authentication data from HSS to MME. The UE sends an initial NAS message that includes the UE security capabilities. After the MME receives the initial NAS message it decides to run the AKA (Authentication and Key Agreement) procedure. As shown in the figure, the MME first sends an Authentication data Request message to the HSS (Home Subscriber Server) to request authentication data; the HSS derives the keys and each authentication vector according to the key derivation algorithm and returns them to the MME in an Authentication data Response message. The detailed authentication data request procedure is given in section 6.1.2-1 of TS 33.401.
Table 5.2.3.1.1/1 of TS 29.272 gives the contents of the request message as follows:
Table 5.2.3.1.1/1: Authentication Information Request

Information element name | Mapping to Diameter AVP | Cat. | Description
IMSI | User-Name (see IETF RFC 3588 [4]) | M (mandatory) | This information element shall contain the user IMSI, formatted according to 3GPP TS 23.003 [3], clause 2.2.
Supported Features (see 3GPP TS 29.229 [9]) | Supported-Features | O (optional) | If present, this information element shall contain the list of features supported by the origin host.
Requested E-UTRAN Authentication Info (see 7.3.11) | Requested-EUTRAN-Authentication-Info | C (conditional) | This information element shall contain the information related to authentication requests for E-UTRAN.
Requested UTRAN/GERAN Authentication Info (see 7.3.12) | Requested-UTRAN-GERAN-Authentication-Info | C | This information element shall contain the information related to authentication requests for UTRAN or GERAN.
Visited PLMN ID (see 7.3.9) | Visited-PLMN-ID | M | This IE shall contain the MCC and the MNC of the visited PLMN, see 3GPP TS 23.003 [3].
Where:
IMSI: International Mobile Subscriber Identity;
E-UTRAN: Evolved Universal Terrestrial Radio Access Network;
GERAN: GSM EDGE Radio Access Network;
PLMN: Public Land Mobile Network;
MCC: Mobile Country Code;
MNC: Mobile Network Code;
AVP: Attribute Value Pair.
Fig. 2 is a schematic diagram of EPS user authentication (EPS AKA). As shown in the figure, after the MME receives the authentication data from the HSS it initiates the AKA procedure, which achieves mutual authentication between the UE and the network. The detailed authentication procedure is given in section 6.1.1-1 of TS 33.401.
The deficiency of the prior art is that the HSS does not know whether the UE supports an operator-customized key derivation algorithm, so the HSS cannot select the key derivation algorithm flexibly.
Summary of the invention
The technical problem solved by the invention is to provide a method and apparatus for processing a user authentication procedure, in order to solve the problem that in the prior art the HSS cannot determine the derivation algorithm to be used by the UE according to the UE's support capability for derivation algorithms.
An embodiment of the invention provides a method for processing a user authentication procedure, comprising the steps:
the UE determines its support capability for derivation algorithms;
the UE carries its support capability for derivation algorithms in an initial NAS message;
the UE sends the initial NAS message to the MME.
An embodiment of the invention provides a method for processing a user authentication procedure, comprising the steps:
the MME obtains the UE's support capability for derivation algorithms from the initial NAS message sent by the UE;
the MME sends the UE's support capability for derivation algorithms to the HSS in the procedure of requesting data from the HSS.
An embodiment of the invention provides a method for processing a user authentication procedure, comprising the steps:
the HSS receives the UE's support capability for derivation algorithms sent by the MME in the procedure of requesting data from the HSS;
the HSS determines the derivation algorithm to be used by the UE according to the UE's support capability for derivation algorithms and the operator's configuration.
An embodiment of the invention provides a user equipment, comprising:
a capability determination module, for determining the UE's support capability for derivation algorithms;
a parameter carrying module, for carrying the support capability for derivation algorithms in the initial NAS message;
a sending module, for sending the initial NAS message to the MME.
An embodiment of the invention provides a mobility management entity device, comprising:
an acquisition module, for obtaining the UE's support capability for derivation algorithms from the initial NAS message sent by the UE;
a sending module, for sending the UE's support capability for derivation algorithms to the HSS in the procedure of requesting data from the HSS.
An embodiment of the invention provides a home subscriber server, comprising:
a receiving module, for receiving the UE's support capability for derivation algorithms sent by the MME in the procedure of requesting data from the HSS;
an algorithm determination module, for determining the derivation algorithm to be used by the UE according to the UE's support capability for derivation algorithms and the operator's configuration.
The beneficial effects of the invention are as follows:
In the implementation of the invention, the UE carries its support capability for derivation algorithms in the initial NAS message and sends the initial NAS message to the MME; after the MME obtains the UE's support capability for derivation algorithms from the initial NAS message sent by the UE, it sends that capability to the HSS in the procedure of requesting data from the HSS; after the HSS receives the UE's support capability for derivation algorithms sent by the MME in that procedure, it determines the derivation algorithm to be used by the UE according to the UE's support capability and the operator's configuration. Because the UE's indication of its optional derivation-algorithm capability is reported to the HSS through the MME, the HSS learns the UE's key-algorithm support capability and can therefore select the key derivation algorithm flexibly, meeting the operator's requirement for flexibility in selecting the key derivation algorithm.
Description of drawings
Fig. 1 is a schematic diagram of Distribution of authentication data from HE to MME in the background art;
Fig. 2 is a schematic diagram of EPS user authentication (EPS AKA) in the background art;
Fig. 3 is a flow diagram of the UE-side method for processing the user authentication procedure in an embodiment of the invention;
Fig. 4 is a flow diagram of the MME-side method for processing the user authentication procedure in an embodiment of the invention;
Fig. 5 is a flow diagram of the HSS-side method for processing the user authentication procedure in an embodiment of the invention;
Fig. 6 is a flow diagram of the delivery of the UE's support capability for derivation algorithms in an embodiment of the invention;
Fig. 7 is a schematic structural diagram of the user equipment in an embodiment of the invention;
Fig. 8 is a schematic structural diagram of the mobility management entity device in an embodiment of the invention;
Fig. 9 is a schematic structural diagram of the home subscriber server in an embodiment of the invention.
Embodiment
During the implementation of the invention the inventors noticed the following:
The initial NAS message contains the UE network capability, but the UE network capability does not include the UE's support capability for key derivation algorithms, so the MME cannot learn which key derivation algorithms the UE supports.
Further, in the authentication data request procedure initiated by the MME, the Authentication data Request message does not contain the UE's support capability for key derivation algorithms, so the HSS likewise cannot learn the UE's key-algorithm support capability.
In the user authentication procedure the HSS needs to select a key derivation algorithm according to the UE network capability and the operator's configuration, and to derive CK/IK (Cipher Key/Integrity Key) from K (the key) using that algorithm.
Because operators require the use of their own customized key derivation algorithms, flexible selection of the derivation algorithm must be supported. The UE's indication of its support capability for derivation algorithms therefore affects the range of derivation algorithms the HSS can select from: if the UE has indicated to the HSS, via the MME, that it supports the operator-customized derivation algorithm, and the operator's configuration is to use the customized derivation algorithm, the HSS can select the operator-customized derivation algorithm and instruct the UE to use it as well. But in the existing protocol the UE security capability does not include the UE's key derivation algorithm support capability, so the HSS does not know whether the UE supports the operator-customized key derivation algorithm. This prevents the HSS from selecting the key derivation algorithm flexibly, reduces the flexibility of key derivation, and fails to meet the operator's demand.
Based on this, an embodiment of the invention proposes a scheme for indicating the optional capability of the key derivation algorithm. Specific embodiments of the invention are described below with reference to the accompanying drawings.
In the description, the implementations on the UE, MME and HSS sides are described separately, and then their coordinated use is described.
One, implementation on the UE side.
Fig. 3 is a flow diagram of the UE-side method for processing the user authentication procedure. As shown in the figure, it can comprise the following steps:
Step 301, the UE determines its support capability for derivation algorithms;
Step 302, the UE carries its support capability for derivation algorithms in the initial NAS message;
Step 303, the UE sends the initial NAS message to the MME.
In implementation, carrying the UE's support capability for derivation algorithms in the initial NAS message can be done by adding it to the UE network capability IE in the initial NAS message.
Specifically, adding the UE's support capability for derivation algorithms to the UE network capability IE can be done by adding it in a spare bit of the UE network capability IE.
In specific implementation, carrying the UE's support capability for derivation algorithms in the UE network capability can be done as follows:
When the UE initiates the initial NAS message it delivers its UE network capability to the MME; in this procedure, a new item indicating the UE's support capability for derivation algorithms is added to the UE network capability, as shown in the following table:
[Table image GSA00000138172400091 is not reproduced on this page]
As shown in the table above, the UE network capability cell comprises the UE's security capability under EPS, the UE's security capability under UMTS, the UCS2 capability and the 1xSRVCC capability, together with some spare bits (the information bits shown in bold, enlarged font in the table). In implementation these spare bits can be used to carry the UE's indication of its support capability for derivation algorithms, thereby adding the UE's derivation-algorithm support capability to the UE network capability.
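As an added illustration (not code from the patent or from CATT), the following Python encodes and decodes a UE network capability IE laid out in the style of TS 24.301, using one spare bit of octet 7 to carry the derivation-algorithm support indication described above. The octet layout and the choice of spare bit are assumptions made for this example; the page does not specify which spare bit is used. The decoder ignores spare bits it does not know, which is how a legacy MME would treat the new bit.

```python
# Added example: UE network capability IE with a derivation-algorithm capability bit.
# The octet layout follows the TS 24.301 9.9.3.34 style; which spare bit carries
# the new indication is an ASSUMPTION for this example, not taken from the patent.
#
#   octet 2: length of the following contents
#   octet 3: EEA0..EEA7  (bit 8 = EEA0)
#   octet 4: EIA0..EIA7
#   octet 5: UEA0..UEA7
#   octet 6: bit 8 = UCS2, bits 7..1 = UIA1..UIA7
#   octet 7: bit 1 = 1xSRVCC, remaining bits spare
OPERATOR_KDF_BIT = 0x80   # assumed: bit 8 of octet 7 = "operator-customized KDF supported"
SRVCC_BIT = 0x01


def _algo_bits(indexes):
    """Set the bit for each algorithm index i (0..7) at bit position 8-i."""
    octet = 0
    for i in indexes:
        if not 0 <= i <= 7:
            raise ValueError(f"algorithm index out of range: {i}")
        octet |= 0x80 >> i
    return octet


def encode_ue_network_capability(eea, eia, uea=(), uia=(), ucs2=False,
                                 srvcc=False, operator_kdf=False) -> bytes:
    """Build the IE value (length octet + contents); the IEI octet is omitted."""
    if any(not 1 <= i <= 7 for i in uia):
        raise ValueError("UIA indexes are 1..7")
    octet6 = (0x80 if ucs2 else 0) | _algo_bits(uia)
    octet7 = (SRVCC_BIT if srvcc else 0) | (OPERATOR_KDF_BIT if operator_kdf else 0)
    contents = bytes([_algo_bits(eea), _algo_bits(eia), _algo_bits(uea), octet6, octet7])
    return bytes([len(contents)]) + contents


def decode_ue_network_capability(ie: bytes) -> dict:
    """Parse the IE value. Unknown spare bits are ignored, as a legacy receiver would."""
    if not ie:
        raise ValueError("empty IE")
    length = ie[0]
    contents = ie[1:1 + length]
    if length < 4 or len(contents) != length:
        raise ValueError("malformed UE network capability IE")

    def indexes(octet, first=0):
        return {i for i in range(first, 8) if octet & (0x80 >> i)}

    cap = {
        "eea": indexes(contents[0]),
        "eia": indexes(contents[1]),
        "uea": indexes(contents[2]),
        "ucs2": bool(contents[3] & 0x80),
        "uia": indexes(contents[3], first=1),
        "srvcc": False,
        "operator_kdf": False,   # default when octet 7 is absent or the bit is clear
    }
    if length >= 5:
        cap["srvcc"] = bool(contents[4] & SRVCC_BIT)
        cap["operator_kdf"] = bool(contents[4] & OPERATOR_KDF_BIT)
    return cap


if __name__ == "__main__":
    ie = encode_ue_network_capability(eea=(0, 1, 2), eia=(1, 2), uea=(0, 1),
                                      uia=(1,), operator_kdf=True)
    print(ie.hex(), decode_ue_network_capability(ie))
```

The capability bits travel in the initial NAS message, before NAS security is activated. TS 33.401 has the MME replay the received UE security capabilities to the UE inside the integrity-protected NAS Security Mode Command so the UE can detect a modified capability set; a new capability bit only gets that same bidding-down protection if the MME includes it in the replayed value.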
Two, implementation on the MME side.
Fig. 4 is a flow diagram of the MME-side method for processing the user authentication procedure. As shown in the figure, it can comprise the following steps:
Step 401, the MME obtains the UE's support capability for derivation algorithms from the initial NAS message sent by the UE;
Step 402, the MME sends the UE's support capability for derivation algorithms to the HSS in the procedure of requesting data from the HSS.
In implementation, the procedure in which the MME requests data from the HSS can be the authentication data request procedure that the MME initiates towards the HSS after deciding to perform the AKA procedure.
In implementation, the MME adds the UE's support capability for derivation algorithms to the authentication data request message sent to the HSS as follows: after the MME obtains the UE security capability and decides to initiate the AKA procedure, it requests authentication data from the HSS and can include the UE's derivation-algorithm support capability in that request message. Depending on whether the UE's support capability for derivation algorithms is the same under different access types, the MME can report it in one of the following two modes:
Mode 1,
The MME carries the UE's support capability for derivation algorithms in a Supported-Key-Derive-Capability AVP of the Authentication Information Request message and then sends the Authentication Information Request message to the HSS.
In this mode a single, unified UE support capability for derivation algorithms is reported for all access types. Under the different access types, including GERAN, UTRAN and E-UTRAN, the UE's support capability for derivation algorithms may be the same, so in implementation the UE's derivation-algorithm support capability can be added to the Authentication Information Request message. Specifically, this can be as follows:
<Authentication-Information-Request> ::= <Diameter Header: 318, REQ, PXY, 16777251>
<Session-Id>
[Vendor-Specific-Application-Id]
{Auth-Session-State}
{Origin-Host}
{Origin-Realm}
[Destination-Host]
{Destination-Realm}
{User-Name}
*[Supported-Features]
[Requested-EUTRAN-Authentication-Info]
[Requested-UTRAN-GERAN-Authentication-Info]
[Supported-Key-Derive-Capability]
{Visited-PLMN-Id}
*[AVP]
*[Proxy-Info]
*[Route-Record]
The UE's support capability for derivation algorithms can be included in the Supported-Key-Derive-Capability AVP (shown in bold, enlarged font), so that after the HSS receives it, it can flexibly select a derivation algorithm from its local algorithm list according to the capability provided by the UE and the operator's configuration.
Mode 2,
Under E-UTRAN access, the MME carries the UE's support capability for derivation algorithms in the Requested E-UTRAN Authentication Info AVP of the request message and then sends the request message to the HSS;
Under non-E-UTRAN access, the MME carries the UE's support capability for derivation algorithms in the AVP that requests the authentication vectors in the request message and then sends the request message to the HSS.
In this mode the UE's support capability for derivation algorithms is reported separately for each access type. Under the different access types, including GERAN, UTRAN and E-UTRAN, the UE's support capability for key derivation algorithms might differ, so in implementation it can be reported separately for the different access types in the request message. Under E-UTRAN access the UE's derivation-algorithm support capability is added to the Requested E-UTRAN Authentication Info AVP of the request message; for other access types it is added to the AVP that requests the authentication vectors.
Taking the addition to the Requested E-UTRAN Authentication Info AVP as an example, the following content can be added:
Requested-EUTRAN-Authentication-Info ::= <AVP header: 1408 10415>
[Number-Of-Requested-Vectors]
[Immediate-Response-Preferred]
[Re-synchronization-Info]
[UE-Key-Derive-Capability]
*[AVP]
In specific implementation, the UE-Key-Derive-Capability AVP shown in bold, enlarged font can be added to the Requested E-UTRAN Authentication Info AVP; after the HSS receives it, it can select the key derivation algorithm according to this UE capability and the operator's configuration.
The above describes how the MME sends the UE's support capability for derivation algorithms to the HSS; the following describes how the MME obtains that capability.
Because the UE's support capability for derivation algorithms comes from the UE, the MME can implement this correspondingly, with reference to the UE-side implementation, as follows.
In implementation, the MME obtaining the UE's support capability for derivation algorithms from the initial NAS message sent by the UE can be obtaining it from the UE network capability IE in the initial NAS message.
In implementation, obtaining the UE's support capability for derivation algorithms from the UE network capability IE can be obtaining it from a spare bit of the UE network capability IE.
Three, implementation on the HSS side.
Fig. 5 is a flow diagram of the HSS-side method for processing the user authentication procedure. As shown in the figure, it can comprise the following steps:
Step 501, the HSS receives the UE's support capability for derivation algorithms sent by the MME in the procedure of requesting data from the HSS;
Step 502, the HSS determines the derivation algorithm to be used by the UE according to the UE's support capability for derivation algorithms and the operator's configuration.
For the HSS, because the UE's support capability for derivation algorithms comes from the MME, the HSS can implement this correspondingly, with reference to the MME-side implementation, as follows.
In implementation, the procedure in which the MME requests data from the HSS can be the authentication data request procedure that the MME initiates towards the HSS after deciding to perform the AKA procedure.
In implementation, the HSS receiving the UE's support capability for derivation algorithms sent by the MME can comprise:
the HSS receiving the UE's support capability for derivation algorithms from the Supported-Key-Derive-Capability AVP of the Authentication Information Request message.
In implementation, the HSS receiving the UE's support capability for derivation algorithms sent by the MME can comprise:
the HSS receiving the UE's support capability for derivation algorithms from the Requested E-UTRAN Authentication Info AVP of the request message;
or, the HSS receiving the UE's support capability for derivation algorithms from the AVP that requests the authentication vectors in the request message.
In the description above, the implementations on the UE, MME and HSS sides were described separately. To better understand their cooperative implementation, a unified description follows. This does not mean that the three must be implemented together: when the UE, MME and HSS are implemented separately, each still solves the problem on its own side (UE side, MME side or HSS side); it is only that a better technical effect is obtained when the three are combined.
Fig. 6 is a flow diagram of the delivery of the UE's support capability for derivation algorithms. As shown in the figure, reporting the UE's support capability for derivation algorithms in the messages can comprise:
Step 601, the UE sends a UE Initiated NAS message (the UE's initial NAS message) to the MME;
the message carries the UE's support capability for derivation algorithms.
Step 602, the MME sends an Authentication data Request message to the HSS;
the message carries the UE's support capability for derivation algorithms.
Step 603, the HSS selects a key derivation algorithm from its list according to the UE's support capability for derivation algorithms and the operator's configuration.
Step 604, the HSS returns an Authentication data Response to the MME;
the message carries the result of the HSS's derivation-algorithm selection.
Specifically, when the UE initiates the initial NAS message, its support capability for derivation algorithms is passed to the MME in the initial NAS message, and the MME relays the UE's derivation-algorithm support capability to the HSS in the procedure of requesting data from the HSS. After the HSS receives this indication of derivation-algorithm support capability, it selects a key derivation algorithm from the list of optional algorithms according to the UE's security capability and the operator's relevant configuration, and derives the keys according to the chosen criterion. The HSS then passes the result of the derivation-algorithm selection to the MME in the authentication data response. Finally, in the AKA procedure the MME passes the key derivation algorithm selected by the HSS to the UE, and the UE chooses the algorithm designated by the HSS from its own candidate algorithm list and performs the key derivation.
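As an added example (not the patent's or CATT's code), the following Python builds the AVP portion of an Authentication Information Request on the MME side in either of the two modes described above (a top-level Supported-Key-Derive-Capability AVP, or a UE-Key-Derive-Capability AVP nested inside Requested-EUTRAN-Authentication-Info), parses it on the HSS side, and applies the selection rule of step 603: the HSS walks the operator's configured priority list and takes the first algorithm the UE also supports, falling back to the standard algorithm when no capability AVP is present (a legacy MME). The AVP codes for the two new AVPs, the Unsigned32 bitmap encoding, the algorithm names and the IMSI are placeholders constructed for this example; only AVP code 1408 for Requested-EUTRAN-Authentication-Info and vendor id 10415 come from the page.

```python
import struct

# Added example. AVP wire format follows RFC 3588 section 4.1; the codes marked
# PLACEHOLDER are not assigned by the patent or by 3GPP.
AVP_FLAG_VENDOR = 0x80
AVP_FLAG_MANDATORY = 0x40
VENDOR_3GPP = 10415                         # from the page
USER_NAME = 1                               # RFC 3588 User-Name
REQUESTED_EUTRAN_AUTH_INFO = 1408           # from the page
SUPPORTED_KEY_DERIVE_CAPABILITY = 90001     # PLACEHOLDER (mode 1, top-level AVP)
UE_KEY_DERIVE_CAPABILITY = 90002            # PLACEHOLDER (mode 2, inside 1408)

# Constructed bitmap for the capability: names and bit values are assumptions.
KDF_BITS = {"STANDARD": 0x1, "OPERATOR_CUSTOM": 0x2}


def encode_avp(code, data, vendor_id=None, mandatory=True):
    """Serialize one AVP: header, optional Vendor-Id, data padded to 4 octets."""
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    if vendor_id is not None:
        flags |= AVP_FLAG_VENDOR
    header = struct.pack("!I", code) + bytes([flags])
    length = (12 if vendor_id is not None else 8) + len(data)
    header += length.to_bytes(3, "big")
    if vendor_id is not None:
        header += struct.pack("!I", vendor_id)
    return header + data + b"\x00" * ((-len(data)) % 4)


def decode_avps(buf):
    """Parse a sequence of AVPs into (code, vendor_id, flags, data) tuples."""
    avps, off = [], 0
    while off < len(buf):
        if off + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code = struct.unpack_from("!I", buf, off)[0]
        flags = buf[off + 4]
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        vendor, hdr_len = None, 8
        if flags & AVP_FLAG_VENDOR:
            vendor, hdr_len = struct.unpack_from("!I", buf, off + 8)[0], 12
        if length < hdr_len or off + length > len(buf):
            raise ValueError("bad AVP length")
        avps.append((code, vendor, flags, buf[off + hdr_len:off + length]))
        off += length + ((-length) % 4)
    return avps


def mme_build_air_avps(imsi, ue_kdf_caps, mode=1):
    """AVP portion of the Authentication Information Request (Diameter header omitted)."""
    bitmap = 0
    for name in ue_kdf_caps:
        bitmap |= KDF_BITS[name]
    cap_data = struct.pack("!I", bitmap)
    avps = encode_avp(USER_NAME, imsi.encode("ascii"))
    # M-bit cleared so an HSS that predates the AVP ignores it instead of rejecting the request.
    if mode == 1:
        avps += encode_avp(SUPPORTED_KEY_DERIVE_CAPABILITY, cap_data, VENDOR_3GPP, mandatory=False)
    else:
        inner = encode_avp(UE_KEY_DERIVE_CAPABILITY, cap_data, VENDOR_3GPP, mandatory=False)
        avps += encode_avp(REQUESTED_EUTRAN_AUTH_INFO, inner, VENDOR_3GPP)
    return avps


def _find_capability(avps):
    """Return the capability bitmap from either mode, or None when it is absent."""
    for code, vendor, _flags, data in avps:
        if vendor != VENDOR_3GPP:
            continue
        if code in (SUPPORTED_KEY_DERIVE_CAPABILITY, UE_KEY_DERIVE_CAPABILITY):
            if len(data) != 4:
                raise ValueError("capability AVP must be Unsigned32")
            return struct.unpack("!I", data)[0]
        if code == REQUESTED_EUTRAN_AUTH_INFO:          # grouped AVP: search inside it
            found = _find_capability(decode_avps(data))
            if found is not None:
                return found
    return None


def hss_select_kdf(air_avps, operator_priority):
    """Step 603: first algorithm in the operator's priority list that the UE supports."""
    caps = _find_capability(decode_avps(air_avps))
    if caps is None:
        caps = KDF_BITS["STANDARD"]   # no indication: treat the UE as standard-only
    for name in operator_priority:
        if caps & KDF_BITS[name]:
            return name
    raise ValueError("no key derivation algorithm common to UE and operator configuration")


if __name__ == "__main__":
    air = mme_build_air_avps("001010123456789", {"STANDARD", "OPERATOR_CUSTOM"}, mode=2)
    print(hss_select_kdf(air, ["OPERATOR_CUSTOM", "STANDARD"]))
```

Two design points worth noting. The new capability AVPs are sent with the M-bit clear, because RFC 3588 requires a receiver to reject a request carrying an unrecognised AVP whose M-bit is set, which would break interworking with an HSS that has not been upgraded. On the HSS side the capability is untrusted input from the MME, so its length is checked before it is decoded and an absent indication degrades to the standard algorithm rather than to an error.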
Based on the same inventive concept, an embodiment of the invention also provides a UE, an MME and an HSS. Because the principle by which these devices solve the problem is similar to that of the UE-side, MME-side and HSS-side methods for processing the user authentication procedure, the implementation of these devices can refer to the implementation of the methods, and repeated parts are not described again.
Fig. 7 is a schematic structural diagram of the user equipment. As shown in the figure, the UE can comprise:
a capability determination module 701, for determining the UE's support capability for derivation algorithms;
a parameter carrying module 702, for carrying the UE's support capability for derivation algorithms in the initial NAS message;
a sending module 703, for sending the initial NAS message to the MME.
In implementation, the parameter carrying module can further be used to add the UE's support capability for derivation algorithms to the UE network capability IE in the initial NAS message.
In implementation, the parameter carrying module can further be used, when adding the UE's support capability for derivation algorithms to the UE network capability IE, to add it in a spare bit of the UE network capability IE.
Fig. 8 is a schematic structural diagram of the mobility management entity device. As shown in the figure, the MME can comprise:
an acquisition module 801, for obtaining the UE's support capability for derivation algorithms from the initial NAS message sent by the UE;
a sending module 802, for sending the UE's support capability for derivation algorithms to the HSS in the procedure of requesting data from the HSS.
In implementation, the sending module can further be used to send the UE's support capability for derivation algorithms to the HSS in the authentication data request procedure that the MME initiates towards the HSS after deciding to perform the AKA procedure.
In implementation, the sending module can further be used, when sending the UE's support capability for derivation algorithms to the HSS, to carry it in the Supported-Key-Derive-Capability AVP of the Authentication Information Request message and then send the Authentication Information Request message to the HSS.
In implementation, the sending module can further be used, when sending the UE's support capability for derivation algorithms to the HSS, under E-UTRAN access to carry it in the Requested E-UTRAN Authentication Info AVP of the request message and then send the request message to the HSS; and under non-E-UTRAN access to carry it in the AVP that requests the authentication vectors in the request message and then send the request message to the HSS.
In implementation, the acquisition module can further be used to obtain the UE's support capability for derivation algorithms from the UE network capability IE in the initial NAS message.
In implementation, the acquisition module can further be used, when obtaining the UE's support capability for derivation algorithms from the UE network capability IE, to obtain it from a spare bit of the UE network capability IE.
Fig. 9 is a schematic structural diagram of the home subscriber server. As shown in the figure, the HSS can comprise:
a receiving module 901, for receiving the UE's support capability for derivation algorithms sent by the MME in the procedure of requesting data from the HSS;
an algorithm determination module 902, for determining the derivation algorithm to be used by the UE according to the UE's support capability for derivation algorithms and the operator's configuration.
In implementation, the receiving module can further be used to receive the UE's support capability for derivation algorithms sent by the MME in the authentication data request procedure that the MME initiates towards the HSS after deciding to perform the AKA procedure.
In implementation, the receiving module can further be used to receive the UE's support capability for derivation algorithms from the Supported-Key-Derive-Capability AVP of the Authentication Information Request message.
In implementation, the receiving module can further be used to receive the UE's support capability for derivation algorithms from the Requested E-UTRAN Authentication Info AVP of the request message; or to receive it from the AVP that requests the authentication vectors in the request message.
For convenience of description, the parts of the above devices are described as separate modules or units divided by function. Of course, when implementing the invention the functions of the modules or units can be realized in the same one or more pieces of software or hardware.
As can be seen from the above embodiments, the technical solution of the embodiments of the invention proposes reporting the UE's indication of its optional derivation-algorithm capability, which meets the requirement that the key derivation algorithm be selectable and meets the operator's requirement for flexibility in selecting the key derivation algorithm.
Those skilled in the art should understand that embodiments of the invention can be provided as a method, a system or a computer program product. Therefore, the invention can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the invention can take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the invention have been described, those skilled in the art, once they know the basic inventive concept, can make other changes and modifications to these embodiments. Therefore the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these modifications and variations of the invention fall within the scope of the claims of the invention and their equivalent technologies, the invention is also intended to include them.

Claims (26)

1. A method for processing a user authentication procedure, characterized in that it comprises the steps of:
the user equipment (UE) determining the UE's support capability for derivation algorithms;
the UE carrying its support capability for derivation algorithms in an initial non-access stratum (NAS) message; and
the UE sending the initial NAS message to a mobility management entity (MME).
2. The method of claim 1, characterized in that carrying the UE's support capability for derivation algorithms in the initial NAS message comprises adding the UE's support capability for derivation algorithms to the UE network capability information element (UE network capability IE) in the initial NAS message.
3. The method of claim 2, characterized in that adding the UE's support capability for derivation algorithms to the UE network capability IE comprises adding the UE's support capability for derivation algorithms in a reserved position of the UE network capability IE.
4. A method for processing a user authentication procedure, characterized in that it comprises the steps of:
an MME obtaining the UE's support capability for derivation algorithms from the initial NAS message sent by the UE; and
the MME sending the UE's support capability for derivation algorithms to a home subscriber server (HSS) in the course of requesting data from the HSS.
5. The method of claim 4, characterized in that the process in which the MME requests data from the HSS is the process of requesting authentication data that the MME initiates towards the HSS after deciding to perform an authentication and key agreement (AKA) procedure.
6. The method of claim 5, characterized in that sending the UE's support capability for derivation algorithms to the HSS comprises:
the MME carrying the UE's support capability for derivation algorithms in a supported key derivation capability attribute value pair (Supported-Key-Derive-Capability AVP) of an Authentication Information Request message, and then sending the Authentication Information Request message to the HSS.
7. The method of claim 5, characterized in that sending the UE's support capability for derivation algorithms to the HSS comprises:
under an evolved universal terrestrial radio access network (E-UTRAN) access mode, the MME carrying the UE's support capability for derivation algorithms in a Requested E-UTRAN Authentication Info AVP of a request message, and then sending the request message to the HSS; and
under a non-E-UTRAN access mode, the MME carrying the UE's support capability for derivation algorithms in a requested-authentication-vector AVP of a request message, and then sending the request message to the HSS.
8. The method of claim 4, characterized in that the MME obtaining the UE's support capability for derivation algorithms from the initial NAS message sent by the UE comprises obtaining the UE's support capability for derivation algorithms from the UE network capability IE of the initial NAS message.
9. The method of claim 8, characterized in that obtaining the UE's support capability for derivation algorithms from the UE network capability IE comprises obtaining the UE's support capability for derivation algorithms from a reserved position of the UE network capability IE.
10. A method for processing a user authentication procedure, characterized in that it comprises the steps of:
an HSS receiving the UE's support capability for derivation algorithms sent by the MME in the course of requesting data from the HSS; and
the HSS determining the derivation algorithm to be used by the UE according to the UE's support capability for derivation algorithms and the operator's configuration.
11. The method of claim 10, characterized in that the process in which the MME requests data from the HSS is the process of requesting authentication data that the MME initiates towards the HSS after deciding to perform an AKA procedure.
12. The method of claim 10, characterized in that the HSS receiving the UE's support capability for derivation algorithms sent by the MME comprises:
the HSS receiving the UE's support capability for derivation algorithms from the Supported-Key-Derive-Capability AVP of an Authentication Information Request message.
13. The method of claim 10, characterized in that the HSS receiving the UE's support capability for derivation algorithms sent by the MME comprises:
the HSS receiving the UE's support capability for derivation algorithms from the Requested E-UTRAN Authentication Info AVP of a request message;
or, the HSS receiving the UE's support capability for derivation algorithms from the requested-authentication-vector AVP of a request message.
14. A user equipment, characterized in that it comprises:
a capability determination module, configured to determine the UE's support capability for derivation algorithms;
a parameter carrying module, configured to carry the support capability for derivation algorithms in an initial NAS message; and
a sending module, configured to send the initial NAS message to an MME.
15. The user equipment of claim 14, characterized in that the parameter carrying module is further configured to add the UE's support capability for derivation algorithms to the UE network capability IE in the initial NAS message.
16. The user equipment of claim 15, characterized in that the parameter carrying module is further configured, when adding the UE's support capability for derivation algorithms to the UE network capability IE, to add the UE's support capability for derivation algorithms in a reserved position of the UE network capability IE.
17. A mobility management entity device, characterized in that it comprises:
an acquisition module, configured to obtain the UE's support capability for derivation algorithms from the initial NAS message sent by the UE; and
a sending module, configured to send the UE's support capability for derivation algorithms to an HSS in the course of requesting data from the HSS.
18. The device of claim 17, characterized in that the sending module is further configured to send the UE's support capability for derivation algorithms to the HSS in the process of requesting authentication data initiated towards the HSS after the decision to perform an AKA procedure.
19. The device of claim 18, characterized in that the sending module is further configured, when sending the UE's support capability for derivation algorithms to the HSS, to carry the UE's support capability for derivation algorithms in the Supported-Key-Derive-Capability AVP of an Authentication Information Request message and then send the Authentication Information Request message to the HSS.
20. The device of claim 18, characterized in that the sending module is further configured, when sending the UE's support capability for derivation algorithms to the HSS, under an E-UTRAN access mode, to carry the UE's support capability for derivation algorithms in the Requested E-UTRAN Authentication Info AVP of a request message and then send the request message to the HSS; and under a non-E-UTRAN access mode, to carry the UE's support capability for derivation algorithms in the requested-authentication-vector AVP of a request message and then send the request message to the HSS.
21. The device of claim 17, characterized in that the acquisition module is further configured to obtain the UE's support capability for derivation algorithms from the UE network capability IE of the initial NAS message.
22. The device of claim 21, characterized in that the acquisition module is further configured, when obtaining the UE's support capability for derivation algorithms from the UE network capability IE, to obtain the UE's support capability for derivation algorithms from a reserved position of the UE network capability IE.
23. A home subscriber server, characterized in that it comprises:
a receiving module, configured to receive the UE's support capability for derivation algorithms sent by the MME in the course of requesting data from the HSS; and
an algorithm determination module, configured to determine the derivation algorithm to be used by the UE according to the UE's support capability for derivation algorithms and the operator's configuration.
24. The home subscriber server of claim 23, characterized in that the receiving module is further configured to receive the UE's support capability for derivation algorithms sent by the MME in the process of requesting authentication data initiated towards the HSS after the MME decides to perform an AKA procedure.
25. The home subscriber server of claim 23, characterized in that the receiving module is further configured to receive the UE's support capability for derivation algorithms from the Supported-Key-Derive-Capability AVP of an Authentication Information Request message.
26. The home subscriber server of claim 23, characterized in that the receiving module is further configured to receive the UE's support capability for derivation algorithms from the Requested E-UTRAN Authentication Info AVP of a request message; or to receive the UE's support capability for derivation algorithms from the requested-authentication-vector AVP of a request message.
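The three-party procedure of claims 1 to 13 (UE reports its derivation-algorithm capability in the initial NAS message, the MME extracts it and forwards it in an AVP of the Authentication Information Request, the HSS picks an algorithm from that capability and operator configuration), as an added end-to-end illustration. This is not code from the patent or from any 3GPP implementation: the one-octet bitmap appended as the "reserved position" of the UE network capability IE, the bit-to-algorithm mapping and algorithm names, the dict-based model of the Diameter message and the sample IMSI are all constructed assumptions.

```python
"""Illustrative walk-through of the capability negotiation in the claims.

Added example, not code from the patent or any 3GPP implementation. The
spare-octet layout of the UE network capability IE, the bit-to-algorithm
mapping, the algorithm names and the dict-based AVP model are assumptions
made for this illustration only.
"""

# Assumed mapping of bitmap bits to derivation algorithms (placeholder names;
# the claims define no such table).
KDF_BITS = {0: "KDF-A", 1: "KDF-B", 2: "KDF-C"}
CAP_MASK = 0x07  # the three low bits of the assumed reserved octet


def ue_build_net_capability_ie(base_octets: bytes, supported: set) -> bytes:
    """UE side (claims 1-3): append the capability bitmap in a reserved octet.

    `base_octets` stands in for the existing UE network capability IE value;
    the appended octet is the assumed 'reserved position' carrying the bitmap.
    """
    bitmap = 0
    for bit, name in KDF_BITS.items():
        if name in supported:
            bitmap |= 1 << bit
    return bytes(base_octets) + bytes([bitmap & CAP_MASK])


def mme_parse_capability(ie: bytes) -> set:
    """MME side (claims 8-9): read the bitmap back from the reserved octet."""
    bitmap = ie[-1] & CAP_MASK
    return {name for bit, name in KDF_BITS.items() if bitmap & (1 << bit)}


def mme_build_air(imsi: str, supported: set) -> dict:
    """MME side (claims 5-6): carry the capability in the Authentication
    Information Request as a Supported-Key-Derive-Capability AVP.

    A dict models the Diameter message. The AVP name is the one the claims
    use; its AVP code and wire encoding are not given there, so none is assumed.
    """
    return {
        "User-Name": imsi,
        "Supported-Key-Derive-Capability": sorted(supported),
    }


def hss_select_algorithm(air: dict, operator_priority: list):
    """HSS side (claim 10): choose the highest-priority algorithm in the
    operator's configured list that the UE also supports.

    Returns None when UE capability and operator policy share no algorithm,
    so the caller fails closed instead of falling back to something unlisted.
    """
    supported = set(air.get("Supported-Key-Derive-Capability", []))
    for alg in operator_priority:
        if alg in supported:
            return alg
    return None


def run_procedure(ue_supported: set, operator_priority: list,
                  imsi: str = "001010123456789"):
    """End to end: UE -> initial NAS message -> MME -> AIR -> HSS decision.

    The base IE octets, message type and IMSI are constructed sample values.
    """
    ie = ue_build_net_capability_ie(b"\xe0\xe0", ue_supported)
    nas_message = {"message_type": "ATTACH REQUEST", "ue_network_capability": ie}
    parsed = mme_parse_capability(nas_message["ue_network_capability"])
    air = mme_build_air(imsi, parsed)
    return hss_select_algorithm(air, operator_priority)


if __name__ == "__main__":
    # Operator prefers KDF-B, but the UE only offers KDF-A and KDF-C: HSS picks KDF-C.
    print(run_procedure({"KDF-A", "KDF-C"}, ["KDF-B", "KDF-C", "KDF-A"]))
    # No overlap between UE capability and operator policy: HSS returns None.
    print(run_procedure({"KDF-A"}, ["KDF-B"]))
```

The selection step is where the operator's configuration from claim 10 enters: the HSS walks its own priority list and stops at the first entry the UE reported, so the UE's report only ever narrows the choice and never introduces an algorithm the operator has not configured. Returning None for an empty intersection is the added example's fail-closed choice; the claims leave that case to the operator's configuration.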
CN2010101827920A 2010-05-19 2010-05-19 Method and equipment for processing user authentication process Pending CN102256234A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010101827920A CN102256234A (en) 2010-05-19 2010-05-19 Method and equipment for processing user authentication process

Publications (1)

Publication Number Publication Date
CN102256234A true CN102256234A (en) 2011-11-23

Family

ID=44983165

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010101827920A Pending CN102256234A (en) 2010-05-19 2010-05-19 Method and equipment for processing user authentication process

Country Status (1)

Country Link
CN (1) CN102256234A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1889710A (en) * 2005-06-27 2007-01-03 华为技术有限公司 Method for transmitting information utilizing information transmission protocol based on internetwork protocol
CN1893427A (en) * 2005-07-07 2007-01-10 华为技术有限公司 Method for conducting business support ability consultation
CN101420763A (en) * 2007-10-23 2009-04-29 华为技术有限公司 Method, system and apparatus for obtaining actual access capability information of UE
CN101605321A (en) * 2008-06-11 2009-12-16 中兴通讯股份有限公司 A kind of method for distributing frequency band sources
CN101626601A (en) * 2008-07-08 2010-01-13 中兴通讯股份有限公司 Cell capacity information indicating method, base station and wireless network controller
CN101651950A (en) * 2009-09-09 2010-02-17 新邮通信设备有限公司 Business realization method, equipment and system in long-term evolution network
WO2010032845A1 (en) * 2008-09-22 2010-03-25 株式会社エヌ・ティ・ティ・ドコモ Mobile communication method
CN101702818A (en) * 2009-11-02 2010-05-05 上海华为技术有限公司 Method, system and device of algorithm negotiation in radio link control connection re-establishment

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013091543A1 (en) * 2011-12-22 2013-06-27 华为技术有限公司 Security communication method, device and system for low cost terminal
CN103260156A (en) * 2012-02-15 2013-08-21 中国移动通信集团公司 Key stream generating device and method and confidentiality protective device and method
CN103260156B (en) * 2012-02-15 2015-12-02 中国移动通信集团公司 Key stream generating apparatus and method, Confidentiality protection device and method
CN102595369A (en) * 2012-02-29 2012-07-18 大唐移动通信设备有限公司 Transmission method and device of non-access stratum (NAS) algorithm
WO2013127190A1 (en) * 2012-02-29 2013-09-06 大唐移动通信设备有限公司 Nas algorithm transmission method and device
CN102595369B (en) * 2012-02-29 2015-02-25 大唐移动通信设备有限公司 Transmission method and device of non-access stratum (NAS) algorithm
US9220009B2 (en) 2012-02-29 2015-12-22 Datang Mobile Communications Equipment Co., Ltd NAS algorithm transmission method and device
CN104754577A (en) * 2013-12-31 2015-07-01 华为技术有限公司 Authentication algorithm selecting method, device and system
WO2015100975A1 (en) * 2013-12-31 2015-07-09 华为技术有限公司 Method, apparatus and system for selecting authentication algorithm
EP3079392A4 (en) * 2013-12-31 2016-10-12 Huawei Tech Co Ltd Method, apparatus and system for selecting authentication algorithm
CN105376214A (en) * 2014-08-12 2016-03-02 沃达方Ip许可有限公司 Machine-to-machine cellular communication security

Similar Documents

Publication Publication Date Title
US11829774B2 (en) Machine-to-machine bootstrapping
US9538373B2 (en) Method and device for negotiating security capability when terminal moves
CN106851632B (en) A kind of method and device of smart machine access WLAN
CN109889509B (en) Network assisted bootstrapping for machine-to-machine communication
US10034215B2 (en) Offloading method, user equipment, base station, and access point
US11582602B2 (en) Key obtaining method and device, and communications system
CN103609154B (en) A kind of WLAN access authentication method, equipment and system
CN106134231B (en) Key generation method, equipment and system
WO2020029729A1 (en) Communication method and device
US20120297193A1 (en) Mtc device authentication method, mtc gateway, and related device
KR102094216B1 (en) Security supporting method and system for proximity based service device to device discovery and communication in mobile telecommunication system environment
US20100064135A1 (en) Secure Negotiation of Authentication Capabilities
EP2744250B1 (en) Method and apparatus for binding universal integrated circuit card and machine type communication device
CN108683690A (en) Method for authenticating, user equipment, authentication device, authentication server and storage medium
WO2018206636A1 (en) Selection of ip version
CN108616805B (en) Emergency number configuration and acquisition method and device
CN105636017A (en) Data service enablement device and method
EP3135053A1 (en) Data transmission
EP2648437B1 (en) Method, apparatus and system for key generation
CN102256234A (en) Method and equipment for processing user authentication process
US20220303767A1 (en) User Equipment Authentication and Authorization Procedure for Edge Data Network
US20150026787A1 (en) Authentication method, device and system for user equipment
CN113498057A (en) Communication system, method and device
CN106797559B (en) Access authentication method and device
US20240089728A1 (en) Communication method and apparatus

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20111123