CN102378165A - Identity authentication method and system of evolved node B - Google Patents


Info

Publication number
CN102378165A
Authority
CN
China
Prior art keywords
evolved node
authentication
server
enb
information
Prior art date
Legal status
Granted
Application number
CN2010102554475A
Other languages
Chinese (zh)
Other versions
CN102378165B (en)
Inventor
朱永升
杜高鹏
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Application filed by ZTE Corp
Priority to CN201010255447.5A (CN102378165B)
Priority to PCT/CN2011/072464 (WO2012022155A1)
Publication of CN102378165A
Application granted
Publication of CN102378165B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04W12/10 Integrity
    • H04W12/106 Packet or message integrity
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data
    • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/005 Data network PoA devices
    • H04W88/08 Access point devices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses an identity authentication method and an identity authentication system for an evolved Node B. The method comprises the following steps: when the evolved Node B applies to a server for an Internet Protocol address, it transmits identity authentication information to the server; after receiving the identity authentication information, the server authenticates the evolved Node B using that information and, if the evolved Node B passes authentication, allocates an Internet Protocol address to it. By adopting this method, the network complexity caused by handling access and authentication separately can be reduced.

Description

Identity authentication method and system for an evolved Node B
Technical field
The present invention relates to the communications field, and in particular to an identity authentication method and system for an evolved Node B.
Background technology
Wireless communication systems are being deployed and applied ever more widely thanks to their open network architecture, and as they become popular, security problems in these systems are gradually becoming a focus of user concern. With the appearance of application models such as the Home eNodeB, an Evolved Node B (abbreviated eNB) may be located in a physically untrusted area. To prevent an impersonated eNB from accessing the network and threatening the entire wireless communication system and the users' sensitive information, authenticating the legal identity of the eNB, so that only legitimate eNBs can access the operator's network, has become the primary mechanism for guaranteeing the security of the wireless communication system.
To reduce the operator's network operation and maintenance cost, when an eNB physically accesses the operator's network and has completed its power-up initialization, the operator allocates it an Internet Protocol (IP) address and other network information through the Dynamic Host Configuration Protocol (DHCP); the eNB subsequently uses this IP address to communicate with the operator's core network and network management system.
In practice, to manage eNBs, the operator allocates to each eNB, before it accesses the network, a network-wide unique identity (eNB Identity) and a password corresponding to that identity (eNB Password). The eNB Identity is public, whereas the eNB Password must be stored secretly.
In the related art, the authentication of an eNB is normally performed separately from the eNB's access procedure, so the flow is comparatively complicated. Moreover, the related art provides only a unilateral mechanism in which the network authenticates the eNB's identity, so its security is lower.
Summary of the invention
The main purpose of the present invention is to provide an identity authentication scheme for an evolved Node B, in order to solve at least the problem in the related art that authentication of the eNB is normally separated from the eNB's access procedure, which complicates the flow.
To achieve this goal, according to one aspect of the present invention, an identity authentication method for an evolved Node B is provided, comprising: when the evolved Node B applies to a server for an Internet Protocol address, the evolved Node B sends authentication information to the server; after receiving the authentication information, the server authenticates the evolved Node B using that information and, if authentication passes, allocates an Internet Protocol address to the evolved Node B.
Preferably, before the evolved Node B sends the authentication information to the server, the server sends a first random string to the evolved Node B. The evolved Node B sending the authentication information to the server comprises: the evolved Node B uses the evolved Node B password to compute a first function over the first random string, obtaining first data; the evolved Node B sends the authentication information to the server, the authentication information comprising the first data, identification information of the first function, and the evolved Node B identity. The server authenticating the evolved Node B using the authentication information comprises: the server obtains the first function according to the identification information of the first function; the server obtains the evolved Node B password corresponding to the evolved Node B identity; the server uses the obtained evolved Node B password to compute the first function over the locally stored first random string and compares the result with the first data; if they match, authentication passes, otherwise authentication fails.
Preferably, before the server sends the first random string to the evolved Node B, the operator allocates the evolved Node B password and the evolved Node B identity to the evolved Node B.
Preferably, in the case where the operator has not allocated an evolved Node B password and evolved Node B identity to the evolved Node B, the evolved Node B using the evolved Node B password to compute the first function over the first random string comprises: the evolved Node B uses a forged evolved Node B password to compute the first function over the first random string, obtaining the first data; and the evolved Node B identity is a forged evolved Node B identity.
Preferably, after the server authenticates the evolved Node B, the method further comprises: the server sends authentication legitimacy information to the evolved Node B; the evolved Node B authenticates the server according to the authentication legitimacy information.
Preferably, before the server sends the authentication legitimacy information to the evolved Node B, the evolved Node B sends a second random string to the server. The server sending the authentication legitimacy information to the evolved Node B comprises: the server uses the evolved Node B password to compute a second function over the second random string, obtaining second data; the server sends the authentication legitimacy information to the evolved Node B, the authentication legitimacy information comprising the second data and identification information of the second function. The evolved Node B authenticating the server according to the authentication legitimacy information comprises: the evolved Node B obtains the second function according to the identification information of the second function; the evolved Node B uses its evolved Node B password to compute the second function over the locally stored second random string and compares the result with the second data; if they match, authentication passes, otherwise authentication fails.
Preferably, before the evolved Node B sends the second random string to the server, the method further comprises: the operator allocates the evolved Node B password and the evolved Node B identity to the evolved Node B.
Preferably, in the case where the server has not obtained the evolved Node B password allocated by the operator to the evolved Node B, the server using the evolved Node B password to compute the second function over the second random string comprises: the server uses a forged evolved Node B password to compute the second function over the second random string, obtaining the second data.
To achieve this goal, according to another aspect of the present invention, an identity authentication system for an evolved Node B is provided, comprising an evolved Node B and a server, wherein the evolved Node B is configured to send authentication information to the server when applying to the server for an Internet Protocol address, and the server is configured to authenticate the evolved Node B using the authentication information after receiving it and, if authentication passes, to allocate an Internet Protocol address to the evolved Node B.
Preferably, the server is further configured to send authentication legitimacy information to the evolved Node B, and the evolved Node B is further configured to authenticate the server according to the authentication legitimacy information.
By performing bidirectional security authentication of the eNB at the time the operator allocates an IP address to it, the present invention reduces the network complexity caused by handling access and authentication separately. At the same time, because the eNB and the carrier network authenticate each other, the security hole left by unilateral authentication is avoided.
Description of drawings
The accompanying drawings are provided for further understanding of the present invention and form part of the application; the illustrative embodiments and their explanation serve to explain the present invention and do not limit it improperly. In the drawings:
Fig. 1 shows the network architecture used by the embodiment of the invention;
Fig. 2 shows an identity authentication method for an eNB according to the embodiment of the invention;
Fig. 3 is a schematic diagram of the DHCP protocol message interaction according to the embodiment of the invention;
Fig. 4 is a schematic diagram of the method of authenticating a legitimate eNB according to the embodiment of the invention;
Fig. 5 is a schematic diagram of the method of authenticating an illegitimate eNB according to the embodiment of the invention;
Fig. 6 is a schematic diagram of the authentication method when a legitimate eNB accesses an illegitimate network according to the embodiment of the invention;
Fig. 7 is a structural block diagram of the identity authentication system of an eNB according to the embodiment of the invention.
Embodiment
The present invention is described in detail below with reference to the drawings and in combination with the embodiments. Note that, where there is no conflict, the embodiments of the application and the features in them may be combined with each other.
Fig. 1 shows the network architecture used by the embodiment of the invention. As shown, the operator's secure network lies behind a security gateway (Security Gateway, SeGW), and network elements such as the DHCP server, the network management server and the core network are deployed in that secure network.
According to the embodiment of the invention, an identity authentication method for an eNB is provided. Fig. 2 shows this method, which comprises:
Step S202: when the eNB applies to the server for an IP address, the eNB sends authentication information to the server;
Step S204: after receiving the authentication information, the server authenticates the eNB using that information and, if authentication passes, allocates an IP address to the eNB.
By performing security authentication of the eNB at the time the operator allocates its IP address, this embodiment solves the problem in the related art that authentication of the eNB is normally separated from its access procedure and complicates the flow, reducing the network complexity caused by handling access and authentication separately.
Note that the server in this embodiment may be a DHCP server, or a security gateway with an integrated DHCP function.
Preferably, before the eNB sends the authentication information to the server, the server sends a first random string to the eNB. The eNB sending the authentication information comprises: the eNB uses the eNB password to compute a first function over the first random string, obtaining first data; the eNB sends the authentication information to the server, the authentication information comprising the first data, identification information of the first function, and the eNB identity. The server authenticating the eNB comprises: the server obtains the eNB password corresponding to the eNB identity. For local authentication, the operator configures the eNB identity and eNB password of the eNB at the server, and the server obtains the eNB password corresponding to the eNB identity locally. Where a third party participates in authentication, the operator stores the eNB identity and eNB password of the eNB at the third party; the server sends the eNB identity to the third party, and the third party, after determining the eNB password corresponding to that eNB identity, sends that password to the server. The server then uses the obtained eNB password to compute the first function over the locally stored first random string and compares the result with the first data; if they match, authentication passes, otherwise authentication fails. This embodiment completes the network's authentication of the eNB through the eNB Password information, guaranteeing the security of the Long Term Evolution (LTE) access network.
Preferably, before the server sends the first random string to the eNB, the operator allocates the eNB password and eNB identity to the eNB. In this embodiment the server and the eNB share the same eNB password, so authentication by the above method is guaranteed to pass.
Preferably, in the case where the operator has not allocated an eNB password and eNB identity to the eNB, the eNB using the eNB password to compute the first function over the first random string comprises: the eNB uses a forged eNB password to compute the first function over the first random string, obtaining the first data; and the eNB identity is a forged eNB identity, obtained either by stealing the eNB identity of a legitimate eNB and presenting it as its own, or by the eNB directly fabricating an eNB identity. In this embodiment the server and the eNB do not share the same eNB password, the eNB is illegitimate, and authentication of the eNB by the above method cannot pass, so attacks on the network by an impersonated eNB are avoided.
Preferably, after the server authenticates the eNB, the server sends authentication legitimacy information to the eNB, and the eNB authenticates the server according to that information. In this embodiment, during the eNB's access to the network, the eNB's authentication of the legitimacy of the access network and the access network's authentication of the eNB identity are realized synchronously as two-way authentication, avoiding a cumbersome multi-step access authentication flow and the drawback of unilateral authentication; this effectively protects the security of user information, eNB information and the carrier network, and improves the security of the entire wireless communication system.
Preferably, before the server sends the authentication legitimacy information, the eNB sends a second random string to the server. The server sending the authentication legitimacy information to the eNB comprises: the server uses the eNB password to compute a second function over the second random string, obtaining second data; the server sends the authentication legitimacy information to the eNB, the authentication legitimacy information comprising the second data and identification information of the second function. The eNB authenticating the server comprises: the eNB obtains the second function according to its identification information; the eNB uses its own eNB password to compute the second function over the locally stored second random string and compares the result with the second data; if they match, authentication passes, otherwise authentication fails. This embodiment completes the eNB's authentication of the accessed network through the eNB Password information, guaranteeing the security of the LTE access network.
Preferably, before the eNB sends the second random string to the server, the operator allocates the eNB password and eNB identity to the eNB. In this embodiment the server and the eNB share the same eNB password; because the server knows the secret password information the operator allocated to the eNB, the server can be considered legitimate, the information it allocates is therefore also legitimate, and the network the eNB accesses is legitimate, which guarantees that the eNB accesses the network safely.
Preferably, in the case where the server has not obtained the eNB password allocated by the operator to the eNB, the server using the eNB password to compute the second function over the second random string comprises: the server uses a forged eNB password to compute the second function over the second random string, obtaining the second data. In this embodiment the server and the eNB do not share the same eNB password, the server is illegitimate, authentication of the server by the above method cannot pass, and the eNB therefore does not access the illegitimate network, guaranteeing the security of network access.
The implementation of the present invention is described in detail below with reference to specific embodiments and the drawings.
In the embodiment of the invention, when the eNB applies through DHCP for its IP address and other network information, the authentication information can be carried as DHCP extension options, completing two-way authentication of the eNB identity and the server identity. The DHCP extension options used are shown in the following table:
Table 1: DHCP extension options (RANDOM-STRING, KEY-HASH-STRING, HASH-FUNC-ID); the table is an image in the original and is not reproduced here.
Of the extension options described in Table 1, RANDOM-STRING is a random string generated by the eNB or the DHCP server, KEY-HASH-STRING is the result string of a keyed hash function operation, and HASH-FUNC-ID identifies the keyed hash function used for the authentication. Fig. 3 is a schematic diagram of the DHCP protocol message interaction according to the embodiment of the invention; the embodiment performs authentication through the exchange of DHCP protocol messages.
In the scenario shown in Fig. 1, three situations may arise: authentication when a legitimate eNB accesses the network, authentication when an illegitimate eNB accesses the network, and authentication when a legitimate eNB accesses an illegitimate network. These three situations are described below with reference to embodiments.
Embodiment one
After a legitimate eNB accesses the network, the network side authenticates the eNB's identity and allocates it an IP address, while the eNB simultaneously authenticates the network side; after two-way authentication succeeds, the eNB uses the services provided by the carrier network normally. Fig. 4 is a schematic diagram of the method of authenticating a legitimate eNB according to the embodiment of the invention; as shown in Fig. 4, the specific implementation is as follows:
Step S402: when the eNB accesses the network, it first initiates the DHCP process to apply for a legitimate IP address for itself, so that it can communicate with network elements such as the Mobility Management Entity (MME), the S-GW and the Operation Maintenance Center (OMC). The eNB sends a DHCP Discover message to the network.
Step S404: after receiving the DHCP Discover message, the DHCP server in the network randomly generates a string random_string_1 of 32 bytes, encapsulates it in a DHCP Offer message as a RANDOM-STRING extension option, and sends the Offer to the eNB.
Step S406: after receiving the DHCP Offer message, the eNB parses the RANDOM-STRING option and computes hash_string_1 locally, by hashing the received random_string_1 with the eNB Password as key, that is,
hash_string_1 = HASH_FUNC_eNB_Password(random_string_1), where HASH_FUNC is the keyed hash function and eNB Password is its key.
The eNB then constructs a DHCP Request message carrying hash_string_1, the hash function identification (ID), the eNB Identity and a locally generated random string random_string_2, where the hash function ID identifies the keyed hash function required to compute hash_string_1; the eNB sends the constructed DHCP Request message to the DHCP server.
Step S408: after receiving the DHCP Request message, the DHCP server looks up the eNB Password corresponding to the eNB Identity carried in the message and computes hash_string_1 locally by the method of step S406, using the hash algorithm identified by HASH-FUNC-ID. If the computed hash_string_1 matches the one carried in the DHCP Request message, the eNB is legitimate and the DHCP server allocates it an IP address.
The DHCP server then uses the looked-up eNB Password of this eNB to hash the received random_string_2, obtaining hash_string_2, that is,
hash_string_2 = HASH_FUNC_eNB_Password(random_string_2).
Step S410: the DHCP server constructs a DHCP ACK message and sends it to the eNB; the DHCP ACK message contains the eNB's IP address and other network-side information, hash_string_2 and the hash function ID.
Step S412: after receiving the DHCP ACK message, the eNB computes hash_string_2 locally in the manner of step S408; if the computed result matches the value carried in the ACK message, the network side is considered legitimate, and the eNB uses the IP address and other information it requested to communicate with the network.
The DHCP Offer, DHCP Request and DHCP ACK messages use the message authentication option of the DHCP protocol for integrity protection, so that the messages cannot be tampered with in transit.
Embodiment two
When an illegitimate eNB accesses the network, the network side's authentication of the eNB fails; the network side then refuses to allocate an IP address to the eNB, and the eNB cannot use the services provided by the carrier network. Fig. 5 is a schematic diagram of the method of authenticating an illegitimate eNB according to the embodiment of the invention; as shown in Fig. 5, the specific implementation is as follows:
Step S502: when the illegitimate eNB accesses the network, it first initiates the DHCP process to apply for a legitimate IP address for itself, so as to communicate with network elements such as the MME, S-GW and OMC. The illegitimate eNB sends a DHCP Discover message to the network.
Step S504: after receiving the DHCP Discover message, the DHCP server in the network randomly generates a 32-byte string random_string_1, encapsulates it in a DHCP Offer message as a RANDOM-STRING extension option, and sends the Offer to the eNB.
Step S506: after receiving the DHCP Offer message, the illegitimate eNB parses random_string_1; because it does not hold a legitimate eNB Password allocated by the operator, it cannot compute hash_string_1 correctly.
The illegitimate eNB constructs a DHCP Request message carrying a forged hash_string_1, the hash function ID, eNB Identity information and a locally generated random string random_string_2, where the hash function ID identifies the keyed hash function required to compute hash_string_1, and sends the DHCP Request message to the DHCP server.
Step S508: after receiving the DHCP Request message, the DHCP server looks up the eNB Password corresponding to the eNB Identity carried in the message and computes hash_string_1 locally using the hash algorithm identified by HASH-FUNC-ID; its result necessarily differs from the KEY-HASH-STRING carried in the message, and authentication of the eNB fails.
Step S510: the DHCP server responds with a DHCP NAK message and refuses to allocate an IP address or other network-side information to this eNB.
The illegitimate eNB cannot obtain a legitimate IP address or other information from the carrier network, and so cannot use the services it provides. The DHCP Offer, DHCP Request and DHCP ACK messages use the message authentication option of the DHCP protocol for integrity protection, so that the messages cannot be tampered with in transit.
Embodiment three
When a legitimate eNB accesses an illegitimate network, the illegitimate network passes the eNB's authentication by default and allocates it an IP address, so that the legitimate eNB joins the illegitimate network, with the aim of stealing user-sensitive information. Fig. 6 is a schematic diagram of the authentication method when a legitimate eNB accesses an illegitimate network according to the embodiment of the invention; as shown in Fig. 6, the specific implementation is as follows:
Step S602: the operator deploys the eNB, allocating it a unique eNB Identity and a corresponding eNB Password.
Step S604: when the eNB accesses the network, it first initiates the DHCP process to apply for a legitimate IP address for itself, so as to communicate with network elements such as the MME, S-GW and OMC. The eNB sends a DHCP Discover message to the network.
Step S606: after receiving the DHCP Discover message, the illegitimate DHCP server in the network randomly generates a 32-byte string random_string_1, encapsulates it in a DHCP Offer message as an extension option, and sends the Offer to the eNB.
Step S608: after receiving the DHCP Offer message, the eNB parses the RANDOM-STRING option in it and computes hash_string_1 locally, for example in the manner of step S406 of embodiment one.
The eNB constructs a DHCP Request message carrying hash_string_1, HASH-FUNC-ID, eNB Identity information and a locally generated random string random_string_2, and sends the DHCP Request message to the illegitimate DHCP server.
Step S610: after receiving the DHCP Request message, the illegitimate DHCP server, not knowing the eNB Password, cannot authenticate the eNB's identity; it therefore sends a DHCP ACK message to the eNB directly, carrying an illegitimate IP address and network information together with a forged hash_string_2.
Step S612: after receiving the DHCP ACK message, the eNB computes hash_string_2 locally, for example in the manner of step S408 of embodiment one; the computed result necessarily differs from the value carried in the ACK message, so the eNB detects that the network side is illegitimate and refuses to use the IP address and other information it allocated, thereby preventing user-sensitive information from being stolen.
The DHCP Offer, DHCP Request and DHCP ACK messages use the message authentication option of the DHCP protocol for integrity protection, so that the messages cannot be tampered with in transit.
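The Discover/Offer/Request/ACK exchange of embodiments one to three (legitimate eNB, eNB with a forged password, rogue DHCP server), as an added example that is not part of the patent or ZTE's code. It assumes HMAC-SHA256 as the keyed hash, the placeholder option codes 224 to 227 and HASH-FUNC-ID value 1, none of which the patent specifies; the eNB Identity and eNB Password values are constructed, and both sides compare hashes in constant time.

```python
import hashlib
import hmac
import os

# Placeholder DHCP option codes: the patent names the options but gives no numbers.
OPT_RANDOM_STRING, OPT_KEY_HASH_STRING = 224, 225
OPT_HASH_FUNC_ID, OPT_ENB_IDENTITY, OPT_END = 226, 227, 255
# HASH-FUNC-ID -> keyed hash; id 1 = HMAC-SHA256 is assumed, the patent leaves it open.
HASH_FUNCS = {1: lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest()}
# Constructed sample credentials (eNB Identity -> eNB Password); real ones are secret.
SAMPLE_DB = {b"enb-0001": b"constructed-secret"}

def encode_options(opts):
    """Serialise {code: bytes} as DHCP TLV options, terminated by the End option."""
    out = bytearray()
    for code, value in opts.items():
        if len(value) > 255:
            raise ValueError("DHCP option value longer than 255 bytes")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)

def decode_options(buf):
    """Parse TLV options back into {code: bytes}; stops at the End option."""
    opts, i = {}, 0
    while i < len(buf) and buf[i] != OPT_END:
        code, length = buf[i], buf[i + 1]
        opts[code] = bytes(buf[i + 2:i + 2 + length])
        i += 2 + length
    return opts

class ENB:
    """Base station side (steps S402, S406, S412); a forged password models embodiment two."""
    def __init__(self, identity, password):
        self.identity, self.password = identity, password
        self.random_string_2 = None

    def build_request(self, offer):
        """Answer the Offer's RANDOM-STRING with KEY-HASH-STRING = hash_string_1."""
        opts = decode_options(offer)
        hash_string_1 = HASH_FUNCS[1](self.password, opts[OPT_RANDOM_STRING])
        self.random_string_2 = os.urandom(32)  # the eNB's own challenge to the server
        return encode_options({OPT_KEY_HASH_STRING: hash_string_1, OPT_HASH_FUNC_ID: b"\x01",
                               OPT_ENB_IDENTITY: self.identity, OPT_RANDOM_STRING: self.random_string_2})

    def verify_ack(self, ack):
        """Step S412: recompute hash_string_2 and compare in constant time."""
        opts = decode_options(ack)
        func = HASH_FUNCS.get((opts.get(OPT_HASH_FUNC_ID) or b"\x00")[0])
        if func is None:
            return False  # unknown or missing HASH-FUNC-ID: do not trust the ACK
        expected = func(self.password, self.random_string_2)
        return hmac.compare_digest(expected, opts.get(OPT_KEY_HASH_STRING, b""))

class DHCPServer:
    """Server side (steps S404, S408, S410); password_db maps eNB Identity -> eNB Password."""
    def __init__(self, password_db):
        self.password_db = password_db
        self.random_string_1 = None

    def build_offer(self):
        self.random_string_1 = os.urandom(32)  # 32-byte challenge, as in step S404
        return encode_options({OPT_RANDOM_STRING: self.random_string_1})

    def handle_request(self, request):
        """Return ("ACK", options) when hash_string_1 matches, else ("NAK", b"")."""
        opts = decode_options(request)
        password = self.password_db.get(opts.get(OPT_ENB_IDENTITY))
        func = HASH_FUNCS.get((opts.get(OPT_HASH_FUNC_ID) or b"\x00")[0])
        if password is None or func is None:
            return "NAK", b""  # unknown eNB Identity or unsupported hash function
        if not hmac.compare_digest(func(password, self.random_string_1),
                                   opts.get(OPT_KEY_HASH_STRING, b"")):
            return "NAK", b""  # embodiment two: wrong eNB Password, no address allocated
        hash_string_2 = func(password, opts.get(OPT_RANDOM_STRING, b""))
        return "ACK", encode_options({OPT_KEY_HASH_STRING: hash_string_2,
                                      OPT_HASH_FUNC_ID: opts[OPT_HASH_FUNC_ID]})

class RogueDHCPServer(DHCPServer):
    """Embodiment three: has no eNB Password and ACKs anyway with a forged hash_string_2."""
    def handle_request(self, request):
        opts = decode_options(request)
        return "ACK", encode_options({OPT_KEY_HASH_STRING: os.urandom(32),
                                      OPT_HASH_FUNC_ID: opts[OPT_HASH_FUNC_ID]})

def run_exchange(enb, server):
    """Discover/Offer/Request/ACK round trip -> (server_accepted_enb, enb_accepted_server)."""
    offer = server.build_offer()        # Offer carries random_string_1
    request = enb.build_request(offer)  # Request carries hash_string_1, hash ID, random_string_2
    kind, ack = server.handle_request(request)
    if kind != "ACK":
        return False, None  # NAK: no address allocated, the eNB never reaches step S412
    return True, enb.verify_ack(ack)

def demo():
    """The three situations of Fig. 4, 5 and 6 -> ((True, True), (False, None), (True, False))."""
    return (run_exchange(ENB(b"enb-0001", b"constructed-secret"), DHCPServer(SAMPLE_DB)),
            run_exchange(ENB(b"enb-0001", b"forged-password"), DHCPServer(SAMPLE_DB)),
            run_exchange(ENB(b"enb-0001", b"constructed-secret"), RogueDHCPServer({})))
```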
System embodiment
Corresponding to the method embodiments above, the present invention also provides an identity authentication system for an eNB. Fig. 7 is a structural block diagram of the eNB identity authentication system according to an embodiment of the invention. The system comprises an eNB 72 and a server 74. The eNB 72 is configured to send authentication information to the server when applying to the server for an Internet Protocol address; the server 74, coupled to the eNB 72, is configured to authenticate the eNB using the authentication information after receiving it and, if the authentication passes, to allocate an Internet Protocol address to the eNB.
Preferably, the server 74 is further configured to send authentication legitimacy information to the eNB, and the eNB 72 is further configured to authenticate the server according to that authentication legitimacy information.
In summary, the embodiments of the invention perform security authentication of the eNB at the time the operator allocates an IP address to it, which reduces the network complexity caused by handling access and authentication separately. At the same time, the embodiments perform two-way authentication between the eNB and the network, closing the security hole that exists with one-way authentication, optimising the access and authentication flow and improving system security.
Obviously, those skilled in the art will understand that each of the above modules or steps of the present invention may be implemented with a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network formed by a plurality of computing devices. Optionally, they may be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from that given here; or they may be made into individual integrated circuit modules, or a plurality of the modules or steps may be made into a single integrated circuit module. Thus the present invention is not restricted to any specific combination of hardware and software.
The above are merely preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art the invention may have various changes and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (10)

1. An identity authentication method for an evolved Node B, characterised in that it comprises:
the evolved Node B sending authentication information to a server when applying to the server for an Internet Protocol address;
the server, after receiving the authentication information, authenticating the evolved Node B using the authentication information and, if the authentication passes, allocating an Internet Protocol address to the evolved Node B.
2. The method according to claim 1, characterised in that:
before the evolved Node B sends the authentication information to the server, the server sends a first random string to the evolved Node B;
the evolved Node B sending the authentication information to the server comprises:
the evolved Node B computing first data by applying a first function, using an evolved Node B password, to the first random string;
the evolved Node B sending the authentication information to the server, wherein the authentication information comprises: the first data, identification information of the first function, and an evolved Node B identifier;
the server authenticating the evolved Node B using the authentication information comprises:
the server obtaining the first function according to the identification information of the first function;
the server obtaining the evolved Node B password corresponding to the evolved Node B identifier;
the server applying the first function, using the obtained evolved Node B password, to the locally stored first random string, and comparing the result of the computation with the first data; if they match, the authentication passes; otherwise, the authentication fails.
3. The method according to claim 2, characterised in that, before the server sends the first random string to the evolved Node B, the method further comprises:
the operator allocating the evolved Node B password and the evolved Node B identifier to the evolved Node B.
4. The method according to claim 2, characterised in that, where the operator has not allocated an evolved Node B password and an evolved Node B identifier to the evolved Node B,
the evolved Node B computing the first data by applying the first function, using the evolved Node B password, to the first random string comprises: the evolved Node B computing the first data by applying the first function, using a forged evolved Node B password, to the first random string;
and the evolved Node B identifier is a forged evolved Node B identifier.
5. The method according to claim 1, characterised in that, after the server authenticates the evolved Node B, the method further comprises:
the server sending authentication legitimacy information to the evolved Node B;
the evolved Node B authenticating the server according to the authentication legitimacy information.
6. The method according to claim 5, characterised in that:
before the server sends the authentication legitimacy information to the evolved Node B, the evolved Node B sends a second random string to the server;
the server sending the authentication legitimacy information to the evolved Node B comprises:
the server computing second data by applying a second function, using the evolved Node B password, to the second random string;
the server sending the authentication legitimacy information to the evolved Node B, wherein the authentication legitimacy information comprises: the second data and identification information of the second function;
the evolved Node B authenticating the server according to the authentication legitimacy information comprises:
the evolved Node B obtaining the second function according to the identification information of the second function;
the evolved Node B applying the second function, using its own evolved Node B password, to the locally stored second random string, and comparing the result of the computation with the second data; if they match, the authentication passes; otherwise, the authentication fails.
7. The method according to claim 6, characterised in that, before the evolved Node B sends the second random string to the server, the method further comprises:
the operator allocating the evolved Node B password and the evolved Node B identifier to the evolved Node B.
8. The method according to claim 6, characterised in that, where the server does not obtain the evolved Node B password allocated by the operator to the evolved Node B,
the server computing the second data by applying the second function, using the evolved Node B password, to the second random string comprises: the server computing the second data by applying the second function, using a forged evolved Node B password, to the second random string.
9. An identity authentication system for an evolved Node B, characterised in that it comprises: an evolved Node B and a server, wherein:
the evolved Node B is configured to send authentication information to the server when applying to the server for an Internet Protocol address;
the server is configured, after receiving the authentication information, to authenticate the evolved Node B using the authentication information and, if the authentication passes, to allocate an Internet Protocol address to the evolved Node B.
10. The system according to claim 9, characterised in that:
the server is further configured to send authentication legitimacy information to the evolved Node B;
the evolved Node B is further configured to authenticate the server according to the authentication legitimacy information.
CN201010255447.5A 2010-08-16 2010-08-16 Identity authentication method and system of evolved node B Active CN102378165B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201010255447.5A CN102378165B (en) 2010-08-16 2010-08-16 Identity authentication method and system of evolved node B
PCT/CN2011/072464 WO2012022155A1 (en) 2010-08-16 2011-04-06 Identity authentication method and system for evolved node b

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010255447.5A CN102378165B (en) 2010-08-16 2010-08-16 Identity authentication method and system of evolved node B

Publications (2)

Publication Number Publication Date
CN102378165A true CN102378165A (en) 2012-03-14
CN102378165B CN102378165B (en) 2014-06-11

Family

ID=45604734

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010255447.5A Active CN102378165B (en) 2010-08-16 2010-08-16 Identity authentication method and system of evolved node B

Country Status (2)

Country Link
CN (1) CN102378165B (en)
WO (1) WO2012022155A1 (en)

Also Published As

Publication number Publication date
WO2012022155A1 (en) 2012-02-23
CN102378165B (en) 2014-06-11

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant