Data processing method, device and system
Technical Field
The present invention relates to the field of communications, and in particular, to a data processing method, apparatus, and system.
Background
With the deployment of 802.1X, 802.11u and Hotspot 2.0, 3GPP (3rd Generation Partnership Project) operators allow UEs (User Equipment) to access EPC networks over the S2a interface through TWANs (Trusted WLAN Access Networks) that include a TWAG (Trusted WLAN Access Gateway), or a TWAG and a TWAP (Trusted WLAN AAA Proxy, i.e. Trusted WLAN Authentication, Authorization and Accounting Proxy). WLAN stands for Wireless Local Area Network. The EPC (Evolved Packet Core) is the core network of the fourth-generation mobile communication network LTE (Long Term Evolution). The AAA is an Authentication, Authorization and Accounting server; it manages terminals accessing the LTE network and provides authentication, authorization and accounting services.
In the prior art, a new control-plane protocol, WLCP (WLAN Control Protocol), is defined between the UE and the TWAG to provide control-plane management functions. WLCP may have either of two transport modes: UDP (User Datagram Protocol)/IP (Internet Protocol), or Ethernet frames. Currently the standard selects UDP/IP as the transport mode of WLCP.
To secure the WLCP messages transmitted by the WLCP layer, they can be encrypted and integrity protected directly at the WLCP layer. WLCP generally has only two message types, a request message and a response message, and there may be seven messages if the request and response messages are further classified. If the selected algorithm is carried directly in the request message and that request message itself needs integrity protection and ciphering, the UE or the network side cannot see the algorithm.
Another problem is that the AAA or TWAG cannot obtain the WLCP algorithm capabilities of the UE before the WLCP message is exchanged, and therefore cannot select an algorithm based on those capabilities. Negotiating, at the WLCP layer, an algorithm supported by both the UE and the second device is thus a problem that urgently needs to be solved.
Disclosure of Invention
Embodiments of the present invention provide a data processing method, apparatus, and system, which solve the problem of negotiating an algorithm supported by a terminal and an algorithm supported by a second device.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
In a first aspect, a data processing method is provided, including:
receiving an algorithm identifier of an algorithm supported by the terminal and an algorithm identifier of an algorithm supported by the second device in an extensible authentication protocol-authentication and key agreement prime (EAP-AKA') procedure,
or, receiving the algorithm identifier of the algorithm supported by the terminal in the EAP-AKA' procedure,
or, receiving the algorithm identifier of the algorithm supported by the second device in the EAP-AKA' procedure;
selecting a first algorithm according to the algorithm identifier of the algorithm supported by the terminal and the algorithm identifier of the algorithm supported by the second device, wherein the first algorithm is an algorithm supported by the second device and also supported by the terminal;
and sending the algorithm identifier corresponding to the first algorithm.
In combination with the first aspect, in a first implementable manner, the data processing method is applied to a first device, where the first device is an authentication, authorization and accounting server (AAA) or a home subscriber server (HSS), and the method includes:
receiving a first DIAMETER message sent by a second device in the EAP-AKA' procedure, wherein the first DIAMETER message comprises a first extensible authentication protocol payload message and an algorithm identifier of an algorithm supported by the second device, and the first extensible authentication protocol payload message comprises the algorithm identifier of the algorithm supported by the terminal;
the sending of the algorithm identifier corresponding to the first algorithm includes:
sending a second DIAMETER message to the second device, wherein the second DIAMETER message comprises a second extensible authentication protocol payload message and the algorithm identifier corresponding to the first algorithm, and the second extensible authentication protocol payload message comprises the algorithm identifier corresponding to the first algorithm.
With reference to the first implementable manner, in a second implementable manner, the first extensible authentication protocol payload message is an extensible authentication protocol response message (EAP-RSP) or an EAP-AKA'-Challenge message, and the second extensible authentication protocol payload message is an extensible authentication protocol request message (EAP-REQ) or an EAP-AKA'-Notification message.
With reference to the first aspect, in a third implementable manner, the data processing method is applied to a second device, where the second device is a trusted wireless local area network node, and the trusted wireless local area network node includes a trusted wireless local area network access gateway (TWAG), or includes a TWAG and a trusted wireless local area network authentication, authorization and accounting proxy (TWAP), or includes a TWAP, and the method includes:
receiving a first extensible authentication protocol payload message sent by a terminal in the EAP-AKA' procedure, wherein the first extensible authentication protocol payload message comprises an algorithm identifier of an algorithm supported by the terminal;
sending a first DIAMETER message to a first device, the first DIAMETER message comprising the first extensible authentication protocol payload message;
receiving a second DIAMETER message sent by the first device, wherein the second DIAMETER message comprises the algorithm identifier of the algorithm supported by the terminal;
the sending of the algorithm identifier corresponding to the first algorithm includes:
sending a second extensible authentication protocol payload message to the terminal, wherein the second extensible authentication protocol payload message comprises the algorithm identifier corresponding to the first algorithm.
In combination with the third implementable manner, in a fourth implementable manner, before the sending of the second extensible authentication protocol payload message to the terminal, the method further comprises:
sending a third DIAMETER message to the first device, wherein the third DIAMETER message comprises the algorithm identifier corresponding to the first algorithm;
receiving a fourth DIAMETER message sent by the first device, where the fourth DIAMETER message includes the second extensible authentication protocol payload message, and the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
With reference to the first aspect, in a fifth implementable manner, the data processing method is applied to a terminal, and the method includes:
receiving a first extensible authentication protocol payload message sent by a second device in the EAP-AKA' procedure, wherein the first extensible authentication protocol payload message comprises an algorithm identifier of an algorithm supported by the second device;
the sending of the algorithm identifier corresponding to the first algorithm includes:
sending a second extensible authentication protocol payload message to the second device, wherein the second extensible authentication protocol payload message comprises the algorithm identifier corresponding to the first algorithm.
With reference to the fifth implementable manner, in a sixth implementable manner, the first extensible authentication protocol payload message is an extensible authentication protocol request message (EAP-REQ) or an EAP-AKA'-Notification message, and the second extensible authentication protocol payload message is an extensible authentication protocol response message (EAP-RSP) or an EAP-AKA'-Notification message.
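The first aspect leaves two details implicit: how a list of algorithm identifiers is carried inside an EAP payload, and how the selecting side picks "the first algorithm" when both lists are known. The following is an added example, not code from the patent; the attribute type value, the one-byte algorithm identifiers and the rule that the selector's own preference order decides among common algorithms are all constructed assumptions. It also adds the check a practitioner would want on the receiving side: the identifier that comes back must be one the receiver itself advertised, and a list that fails to parse is rejected rather than silently truncated.

```python
"""Encode/parse an algorithm-identifier list and select the first algorithm.

Added example for the negotiation described above.  The attribute type
(ATTR_ALG_LIST) and the identifier values are constructed placeholders, not
3GPP-assigned values; the TLV layout is a simplified stand-in for an EAP
attribute, not the real EAP-AKA' attribute format.
"""
import struct

ATTR_ALG_LIST = 0x80  # hypothetical attribute type carrying the list


def encode_alg_list(alg_ids):
    """Build a TLV: 1-byte type, 1-byte value length, one byte per identifier."""
    if not alg_ids or len(alg_ids) > 255:
        raise ValueError("algorithm list must hold 1..255 identifiers")
    if len(set(alg_ids)) != len(alg_ids):
        raise ValueError("duplicate algorithm identifier in list")
    return struct.pack("!BB", ATTR_ALG_LIST, len(alg_ids)) + bytes(alg_ids)


def decode_alg_list(buf):
    """Parse the TLV back into an ordered list; reject anything malformed."""
    if len(buf) < 2:
        raise ValueError("truncated attribute header")
    attr_type, length = struct.unpack("!BB", buf[:2])
    if attr_type != ATTR_ALG_LIST:
        raise ValueError("unexpected attribute type %#x" % attr_type)
    value = buf[2:2 + length]
    if len(value) != length:          # declared length runs past the buffer
        raise ValueError("attribute length exceeds buffer")
    ids = list(value)
    if len(set(ids)) != len(ids):
        raise ValueError("duplicate algorithm identifier in list")
    return ids


def is_well_formed(buf):
    """Boolean wrapper around decode_alg_list for callers that only gate."""
    try:
        decode_alg_list(buf)
        return True
    except ValueError:
        return False


def select_first_algorithm(terminal_algs, second_device_algs):
    """Return the first algorithm: supported by both sides.

    Assumption: the second device's list is in its preference order and the
    selector honours that order.  Returns None when the lists share nothing,
    so the caller can fail the negotiation instead of guessing.
    """
    common = set(terminal_algs) & set(second_device_algs)
    for alg in second_device_algs:
        if alg in common:
            return alg
    return None


def verify_selected(selected, own_algs):
    """Run by the side that receives the chosen identifier: accept only an
    algorithm that this side actually advertised."""
    return selected is not None and selected in own_algs


if __name__ == "__main__":
    # Constructed sample capabilities: terminal supports 1,2,3; device 3,2.
    wire = encode_alg_list([1, 2, 3])
    chosen = select_first_algorithm(decode_alg_list(wire), [3, 2])
    print("on the wire:", wire.hex(), "chosen:", chosen,
          "accepted by terminal:", verify_selected(chosen, [1, 2, 3]))
```

The selection deliberately returns `None` for disjoint lists; whichever device runs it should treat that as a negotiation failure rather than falling back to an unadvertised algorithm.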
In a second aspect, a data processing method is provided, which is applied to a second device, where the second device is a trusted wireless local area network node, and the trusted wireless local area network node includes a trusted wireless local area network access gateway (TWAG), or includes a TWAG and a trusted wireless local area network authentication, authorization and accounting proxy (TWAP), or includes a TWAP, and the method includes:
receiving a first extensible authentication protocol payload message sent by a terminal, wherein the first extensible authentication protocol payload message comprises an algorithm identifier of an algorithm supported by the terminal, the algorithm identifier of the algorithm supported by the terminal is used by a first device to select a first algorithm, and the first algorithm is an algorithm supported by the second device and also supported by the terminal;
sending a first DIAMETER message to the first device, the first DIAMETER message comprising the first extensible authentication protocol payload message and an algorithm identifier of an algorithm supported by the second device, the algorithm identifier of the algorithm supported by the second device being used by the first device to select the first algorithm;
receiving a second DIAMETER message sent by the first device, wherein the second DIAMETER message comprises a second extensible authentication protocol payload message and the algorithm identifier corresponding to the first algorithm, and the second extensible authentication protocol payload message comprises the algorithm identifier corresponding to the first algorithm;
parsing the second DIAMETER message to obtain the second extensible authentication protocol payload message and the algorithm identifier corresponding to the first algorithm;
and sending the second extensible authentication protocol payload message to the terminal.
In a third aspect, a data processing method is provided, which is applied to a first device, where the first device is an authentication, authorization and accounting server (AAA) or a home subscriber server (HSS), and the method includes:
receiving a first DIAMETER message sent by a second device, wherein the first DIAMETER message comprises a first extensible authentication protocol payload message, the first extensible authentication protocol payload message comprises an algorithm identifier of an algorithm supported by a terminal, the algorithm identifier of the algorithm supported by the terminal is used by the second device to select a first algorithm, and the first algorithm is an algorithm supported by the second device and also supported by the terminal;
parsing the first DIAMETER message to obtain the first extensible authentication protocol payload message, and then parsing the first extensible authentication protocol payload message to obtain the algorithm identifier of the algorithm supported by the terminal;
sending a second DIAMETER message to the second device, the second DIAMETER message including the algorithm identifier of the algorithm supported by the terminal.
With reference to the third aspect, in a first implementable manner, after the sending of the second DIAMETER message to the second device, the method further comprises:
receiving a third DIAMETER message sent by the second device, wherein the third DIAMETER message comprises the algorithm identifier corresponding to the first algorithm;
and sending a fourth DIAMETER message to the second device, wherein the fourth DIAMETER message comprises a second extensible authentication protocol payload message, and the second extensible authentication protocol payload message comprises the algorithm identifier corresponding to the first algorithm.
In a fourth aspect, a data processing method is provided, which is applied to a terminal, and the method includes:
sending a first extensible authentication protocol payload message to a second device, wherein the first extensible authentication protocol payload message comprises an algorithm identifier of an algorithm supported by the terminal, the algorithm identifier of the algorithm supported by the terminal is used by a first device or the second device to select a first algorithm, and the first algorithm is an algorithm supported by the second device and also supported by the terminal;
and receiving a second extensible authentication protocol payload message sent by the second device, wherein the second extensible authentication protocol payload message comprises the algorithm identifier corresponding to the first algorithm.
With reference to the fourth aspect, in a first implementable manner, before the sending of the first extensible authentication protocol payload message to the second device, the method further comprises:
determining whether the terminal supports a multi-connection mode (MCM);
and the sending of the first extensible authentication protocol payload message to the second device comprises:
if the terminal supports the MCM, carrying the algorithm identifier of the algorithm supported by the terminal in the first extensible authentication protocol payload message sent by the terminal to the second device.
In a fifth aspect, a data processing method is provided, which is applied to a second device, where the second device is a trusted wireless local area network node, and the trusted wireless local area network node includes a trusted wireless local area network access gateway (TWAG), or includes a TWAG and a trusted wireless local area network authentication, authorization and accounting proxy (TWAP), or includes a TWAP, and the method includes:
sending a first extensible authentication protocol payload message to a terminal, wherein the first extensible authentication protocol payload message comprises an algorithm identifier of an algorithm supported by the second device, the algorithm identifier of the algorithm supported by the second device is used by the terminal to select a first algorithm, and the first algorithm is an algorithm supported by the second device and also supported by the terminal;
receiving a second extensible authentication protocol payload message sent by the terminal, wherein the second extensible authentication protocol payload message comprises the algorithm identifier corresponding to the first algorithm;
sending a third DIAMETER message to a first device, the third DIAMETER message comprising the second extensible authentication protocol payload message;
receiving a fourth DIAMETER message sent by the first device, wherein the fourth DIAMETER message comprises the algorithm identifier corresponding to the first algorithm.
With reference to the fifth aspect, in a first implementable manner, before the sending of the first extensible authentication protocol payload message to the terminal, the method further comprises:
sending a first DIAMETER message to the first device, the first DIAMETER message including the algorithm identifier of the algorithm supported by the second device;
receiving a second DIAMETER message sent by the first device, wherein the second DIAMETER message comprises the first extensible authentication protocol payload message, and the first extensible authentication protocol payload message comprises the algorithm identifier of the algorithm supported by the second device.
In a sixth aspect, a data processing method is provided, which is applied to a first device, where the first device is an authentication, authorization and accounting server (AAA) or a home subscriber server (HSS), and the method includes:
receiving a third DIAMETER message sent by a second device, wherein the third DIAMETER message comprises a second extensible authentication protocol payload message, and the second extensible authentication protocol payload message comprises an algorithm identifier corresponding to a first algorithm;
and sending a fourth DIAMETER message to the second device, wherein the fourth DIAMETER message comprises the algorithm identifier corresponding to the first algorithm.
With reference to the sixth aspect, in a first implementable manner, before the receiving of the third DIAMETER message sent by the second device, the method further comprises:
receiving a first DIAMETER message sent by the second device, wherein the first DIAMETER message comprises an algorithm identifier of an algorithm supported by the second device, the algorithm identifier of the algorithm supported by the second device is used by a terminal to select the first algorithm, and the first algorithm is an algorithm supported by the second device and also supported by the terminal;
parsing the first DIAMETER message to obtain the algorithm identifier of the algorithm supported by the second device;
sending a second DIAMETER message to the second device, the second DIAMETER message comprising a first extensible authentication protocol payload message, the first extensible authentication protocol payload message comprising the algorithm identifier of the algorithm supported by the second device.
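The first through sixth aspects describe the same negotiation with the selecting role placed on a different node each time: the first device (AAA/HSS), the second device (TWAG/TWAP), or the terminal. The simulation below is an added example, not the patent's own code. It models each of the three flows as a sequence of messages, labelled with the message names used in the text, and returns both the trace and the chosen algorithm. Assumptions: algorithm identifiers are small constructed integers, the selecting node honours its own preference order among the common algorithms (for the first device, the second device's order), the fourth aspect's MCM condition is modelled as a flag, and, beyond what the text states, the side that receives the chosen identifier accepts it only if it advertised that algorithm itself.

```python
"""Simulated negotiation flows: first device, second device or terminal selects.

Added example, not code from the patent.  Message names follow the text;
algorithm identifiers, preference handling and the acceptance check are
constructed assumptions.
"""


def select_first_algorithm(selector_prefs, other_side):
    """First identifier in the selector's preference order that the other
    side also supports; None when the two lists share nothing."""
    for alg in selector_prefs:
        if alg in other_side:
            return alg
    return None


def accepted(chosen, own_algs):
    """Check by the side receiving the chosen identifier: only an algorithm it
    advertised itself is acceptable (guards against a corrupted or
    substituted identifier)."""
    return chosen is not None and chosen in own_algs


def first_device_selects(terminal_algs, second_algs, supports_mcm=True):
    """First aspect: both lists reach the first device, which chooses."""
    trace = []
    if not supports_mcm:  # fourth aspect: only an MCM terminal advertises
        return trace, None
    eap1 = {"msg": "EAP-RSP / EAP-AKA'-Challenge", "terminal_algs": list(terminal_algs)}
    trace.append(("terminal->second", eap1))
    d1 = {"msg": "DIAMETER 1", "eap": eap1, "second_algs": list(second_algs)}
    trace.append(("second->first", d1))
    chosen = select_first_algorithm(d1["second_algs"], d1["eap"]["terminal_algs"])
    eap2 = {"msg": "EAP-REQ / EAP-AKA'-Notification", "first_algorithm": chosen}
    d2 = {"msg": "DIAMETER 2", "eap": eap2, "first_algorithm": chosen}
    trace.append(("first->second", d2))
    trace.append(("second->terminal", d2["eap"]))
    return trace, chosen if accepted(chosen, terminal_algs) else None


def second_device_selects(terminal_algs, second_algs):
    """Second and third aspects: the first device parses the terminal's list
    out of the EAP payload and hands it back; the second device chooses."""
    trace = []
    eap1 = {"msg": "EAP-RSP / EAP-AKA'-Challenge", "terminal_algs": list(terminal_algs)}
    trace.append(("terminal->second", eap1))
    d1 = {"msg": "DIAMETER 1", "eap": eap1}
    trace.append(("second->first", d1))
    d2 = {"msg": "DIAMETER 2", "terminal_algs": d1["eap"]["terminal_algs"]}
    trace.append(("first->second", d2))
    chosen = select_first_algorithm(second_algs, d2["terminal_algs"])
    d3 = {"msg": "DIAMETER 3", "first_algorithm": chosen}
    trace.append(("second->first", d3))
    eap2 = {"msg": "EAP-REQ / EAP-AKA'-Notification", "first_algorithm": d3["first_algorithm"]}
    d4 = {"msg": "DIAMETER 4", "eap": eap2}
    trace.append(("first->second", d4))
    trace.append(("second->terminal", d4["eap"]))
    return trace, chosen if accepted(chosen, terminal_algs) else None


def terminal_selects(terminal_algs, second_algs):
    """Fifth and sixth aspects: the second device's list travels via the first
    device into the EAP payload; the terminal chooses and reports back."""
    trace = []
    d1 = {"msg": "DIAMETER 1", "second_algs": list(second_algs)}
    trace.append(("second->first", d1))
    eap1 = {"msg": "EAP-REQ / EAP-AKA'-Notification", "second_algs": d1["second_algs"]}
    d2 = {"msg": "DIAMETER 2", "eap": eap1}
    trace.append(("first->second", d2))
    trace.append(("second->terminal", d2["eap"]))
    chosen = select_first_algorithm(terminal_algs, eap1["second_algs"])
    eap2 = {"msg": "EAP-RSP / EAP-AKA'-Notification", "first_algorithm": chosen}
    trace.append(("terminal->second", eap2))
    d3 = {"msg": "DIAMETER 3", "eap": eap2}
    trace.append(("second->first", d3))
    d4 = {"msg": "DIAMETER 4", "first_algorithm": d3["eap"]["first_algorithm"]}
    trace.append(("first->second", d4))
    return trace, chosen if accepted(chosen, second_algs) else None


if __name__ == "__main__":
    # Constructed capabilities: terminal prefers 1,2,3; second device prefers 3,2.
    for flow in (first_device_selects, second_device_selects, terminal_selects):
        trace, chosen = flow([1, 2, 3], [3, 2])
        print(flow.__name__, "->", chosen, "after", len(trace), "messages")
```

With the same two capability lists, the outcome differs by who selects: the network-side flows pick the second device's preferred common algorithm, while the terminal-selects flow picks the terminal's. The message counts (four, six and six) match the DIAMETER and EAP exchanges listed in the respective aspects.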
In a seventh aspect, a data processing apparatus is provided, including:
a receiving unit, configured to receive an algorithm identifier of an algorithm supported by the terminal and an algorithm identifier of an algorithm supported by the second device in an extensible authentication protocol-authentication and key agreement prime (EAP-AKA') procedure,
or, to receive the algorithm identifier of the algorithm supported by the terminal in the EAP-AKA' procedure,
or, to receive the algorithm identifier of the algorithm supported by the second device in the EAP-AKA' procedure;
a processing unit, configured to select a first algorithm according to the algorithm identifier of the algorithm supported by the terminal and the algorithm identifier of the algorithm supported by the second device, where the first algorithm is an algorithm supported by the second device and also supported by the terminal;
and a sending unit, configured to send the algorithm identifier corresponding to the first algorithm.
With reference to the seventh aspect, in a first implementable manner, the data processing apparatus is a first device, the first device is an authentication, authorization and accounting server (AAA) or a home subscriber server (HSS),
the receiving unit is specifically configured to:
receive a first DIAMETER message sent by a second device in the EAP-AKA' procedure, wherein the first DIAMETER message comprises a first extensible authentication protocol payload message and an algorithm identifier of an algorithm supported by the second device, and the first extensible authentication protocol payload message comprises the algorithm identifier of the algorithm supported by the terminal;
and the sending unit is specifically configured to:
send a second DIAMETER message to the second device, wherein the second DIAMETER message comprises a second extensible authentication protocol payload message and the algorithm identifier corresponding to the first algorithm, and the second extensible authentication protocol payload message comprises the algorithm identifier corresponding to the first algorithm.
With reference to the first implementable manner, in a second implementable manner, the first extensible authentication protocol payload message is an extensible authentication protocol response message (EAP-RSP) or an EAP-AKA'-Challenge message, and the second extensible authentication protocol payload message is an extensible authentication protocol request message (EAP-REQ) or an EAP-AKA'-Notification message.
With reference to the seventh aspect, in a third implementable manner, the data processing apparatus is a second device, the second device is a trusted wireless local area network node, and the trusted wireless local area network node includes a trusted wireless local area network access gateway (TWAG), or includes a TWAG and a trusted wireless local area network authentication, authorization and accounting proxy (TWAP), or includes a TWAP,
the receiving unit is further configured to:
receive a first extensible authentication protocol payload message sent by a terminal in the EAP-AKA' procedure, wherein the first extensible authentication protocol payload message comprises an algorithm identifier of an algorithm supported by the terminal;
the sending unit is further configured to:
send a first DIAMETER message to a first device, the first DIAMETER message comprising the first extensible authentication protocol payload message;
the receiving unit is specifically configured to:
receive a second DIAMETER message sent by the first device, wherein the second DIAMETER message comprises the algorithm identifier of the algorithm supported by the terminal;
and the sending unit is specifically configured to:
send a second extensible authentication protocol payload message to the terminal, wherein the second extensible authentication protocol payload message comprises the algorithm identifier corresponding to the first algorithm.
In combination with the third implementable manner, in a fourth implementable manner,
the sending unit is further configured to:
send a third DIAMETER message to the first device, wherein the third DIAMETER message comprises the algorithm identifier corresponding to the first algorithm;
and the receiving unit is further configured to:
receive a fourth DIAMETER message sent by the first device, where the fourth DIAMETER message includes the second extensible authentication protocol payload message, and the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
With reference to the seventh aspect, in a fifth implementable manner, the data processing apparatus is a terminal,
the receiving unit is specifically configured to:
receive a first extensible authentication protocol payload message sent by a second device in the EAP-AKA' procedure, wherein the first extensible authentication protocol payload message comprises an algorithm identifier of an algorithm supported by the second device;
and the sending unit is specifically configured to:
send a second extensible authentication protocol payload message to the second device, wherein the second extensible authentication protocol payload message comprises the algorithm identifier corresponding to the first algorithm.
With reference to the fifth implementable manner, in a sixth implementable manner, the first extensible authentication protocol payload message is an extensible authentication protocol request message (EAP-REQ) or an EAP-AKA'-Notification message, and the second extensible authentication protocol payload message is an extensible authentication protocol response message (EAP-RSP) or an EAP-AKA'-Notification message.
In an eighth aspect, a second device is provided, where the second device is a trusted wireless local area network node, and the trusted wireless local area network node includes a trusted wireless local area network access gateway (TWAG), or includes a TWAG and a trusted wireless local area network authentication, authorization and accounting proxy (TWAP), or includes a TWAP, and the second device includes:
a receiving unit, configured to receive a first extensible authentication protocol payload message sent by a terminal, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the terminal, and the algorithm identifier of the algorithm supported by the terminal is used by a first device to select a first algorithm, where the first algorithm is an algorithm supported by the second device and also supported by the terminal;
a sending unit, configured to send a first DIAMETER message to the first device, where the first DIAMETER message includes the first extensible authentication protocol payload message and an algorithm identifier of an algorithm supported by the second device, and the algorithm identifier of the algorithm supported by the second device is used by the first device to select the first algorithm;
the receiving unit is further configured to:
receive a second DIAMETER message sent by the first device, wherein the second DIAMETER message comprises a second extensible authentication protocol payload message and the algorithm identifier corresponding to the first algorithm, and the second extensible authentication protocol payload message comprises the algorithm identifier corresponding to the first algorithm;
a processing unit, configured to parse the second DIAMETER message to obtain the second extensible authentication protocol payload message and the algorithm identifier corresponding to the first algorithm;
and the sending unit is further configured to:
send the second extensible authentication protocol payload message to the terminal.
In a ninth aspect, a first device is provided, where the first device is an authentication, authorization and accounting server (AAA) or a home subscriber server (HSS), and the first device includes:
a receiving unit, configured to receive a first DIAMETER message sent by a second device, where the first DIAMETER message includes a first extensible authentication protocol payload message, the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by a terminal, and the algorithm identifier of the algorithm supported by the terminal is used by the second device to select a first algorithm, where the first algorithm is an algorithm supported by the second device and also supported by the terminal;
a processing unit, configured to parse the first DIAMETER message to obtain the first extensible authentication protocol payload message and then parse the first extensible authentication protocol payload message to obtain the algorithm identifier of the algorithm supported by the terminal;
and a sending unit, configured to send a second DIAMETER message to the second device, where the second DIAMETER message includes the algorithm identifier of the algorithm supported by the terminal.
With reference to the ninth aspect, in a first implementable manner,
the receiving unit is further configured to:
receive a third DIAMETER message sent by the second device, wherein the third DIAMETER message comprises the algorithm identifier corresponding to the first algorithm;
and the sending unit is further configured to:
send a fourth DIAMETER message to the second device, wherein the fourth DIAMETER message comprises a second extensible authentication protocol payload message, and the second extensible authentication protocol payload message comprises the algorithm identifier corresponding to the first algorithm.
In a tenth aspect, a terminal is provided, including:
a sending unit, configured to send a first extensible authentication protocol payload message to a second device, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the terminal, and the algorithm identifier of the algorithm supported by the terminal is used by a first device or the second device to select a first algorithm, where the first algorithm is an algorithm supported by the second device and also supported by the terminal;
and a receiving unit, configured to receive a second extensible authentication protocol payload message sent by the second device, where the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
With reference to the tenth aspect, in a first implementable manner, the terminal further includes:
a processing unit, configured to determine whether the terminal supports a multi-connection mode (MCM);
and the sending unit is specifically configured to:
if the terminal supports the MCM, carry the algorithm identifier of the algorithm supported by the terminal in the first extensible authentication protocol payload message sent by the terminal to the second device.
In an eleventh aspect, a second device is provided, where the second device is a trusted wireless local area network node, and the trusted wireless local area network node includes a trusted wireless local area network access gateway (TWAG), or includes a TWAG and a trusted wireless local area network authentication, authorization and accounting proxy (TWAP), or includes a TWAP, and the second device includes:
a sending unit, configured to send a first extensible authentication protocol payload message to a terminal, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the second device, and the algorithm identifier of the algorithm supported by the second device is used by the terminal to select a first algorithm, where the first algorithm is an algorithm supported by the second device and also supported by the terminal;
a receiving unit, configured to receive a second extensible authentication protocol payload message sent by the terminal, where the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm;
the sending unit is further configured to:
send a third DIAMETER message to a first device, the third DIAMETER message comprising the second extensible authentication protocol payload message;
and the receiving unit is further configured to:
receive a fourth DIAMETER message sent by the first device, wherein the fourth DIAMETER message comprises the algorithm identifier corresponding to the first algorithm.
With reference to the eleventh aspect, in a first implementable manner,
the sending unit is further configured to:
send a first DIAMETER message to the first device, the first DIAMETER message including the algorithm identifier of the algorithm supported by the second device;
and the receiving unit is further configured to:
receive a second DIAMETER message sent by the first device, wherein the second DIAMETER message comprises the first extensible authentication protocol payload message, and the first extensible authentication protocol payload message comprises the algorithm identifier of the algorithm supported by the second device.
In a twelfth aspect, a first device is provided, where the first device is an authentication, authorization, accounting server AAA or a home subscriber server HSS, and the first device includes:
a receiving unit, configured to receive a third DIAMETER message sent by a second device, where the third DIAMETER message includes a second extensible authentication protocol payload message, and the second extensible authentication protocol payload message includes an algorithm identifier corresponding to a first algorithm;
a sending unit, configured to send a fourth DIAMETER message to the second device, where the fourth DIAMETER message includes the algorithm identifier corresponding to the first algorithm.
With reference to the twelfth aspect, in a first implementable manner,
the receiving unit is further configured to:
receive a first DIAMETER message sent by the second device, where the first DIAMETER message includes an algorithm identifier of an algorithm supported by the second device, the algorithm identifier of the algorithm supported by the second device is used by a terminal to select the first algorithm, and the first algorithm is an algorithm supported by both the second device and the terminal;
the first device further includes:
a processing unit, configured to parse the first DIAMETER message to obtain the algorithm identifier of the algorithm supported by the second device;
the sending unit is further configured to:
send a second DIAMETER message to the second device, the second DIAMETER message including a first extensible authentication protocol payload message, and the first extensible authentication protocol payload message including the algorithm identifier of the algorithm supported by the second device.
In a thirteenth aspect, a data processing apparatus is provided, including:
a receiver, configured to receive an algorithm identifier of an algorithm supported by a terminal and an algorithm identifier of an algorithm supported by a second device in an extensible authentication protocol-authentication and key agreement EAP-AKA' procedure,
or to receive the algorithm identifier of the algorithm supported by the terminal in the extensible authentication protocol-authentication and key agreement EAP-AKA' procedure,
or to receive the algorithm identifier of the algorithm supported by the second device in the extensible authentication protocol-authentication and key agreement EAP-AKA' procedure;
a memory, configured to store program code;
a processor, configured to call the program code stored in the memory to execute the following method:
selecting a first algorithm according to the algorithm identifier of the algorithm supported by the terminal and the algorithm identifier of the algorithm supported by the second device, where the first algorithm is an algorithm supported by both the terminal and the second device;
and a transmitter, configured to send the algorithm identifier corresponding to the first algorithm.
With reference to the thirteenth aspect, in a first implementable manner, the data processing apparatus is a first device, the first device is an authentication, authorization, accounting server AAA or a home subscriber server HSS,
the receiver is specifically configured to:
receive a first DIAMETER message sent by the second device in the extensible authentication protocol-authentication and key agreement EAP-AKA' procedure, where the first DIAMETER message includes a first extensible authentication protocol payload message and the algorithm identifier of the algorithm supported by the second device, and the first extensible authentication protocol payload message includes the algorithm identifier of the algorithm supported by the terminal;
the transmitter is specifically configured to:
send a second DIAMETER message to the second device, where the second DIAMETER message includes a second extensible authentication protocol payload message and the algorithm identifier corresponding to the first algorithm, and the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
With reference to the first implementable manner, in a second implementable manner, the first extensible authentication protocol payload message is an extensible authentication protocol-response message EAP-RSP or an extensible authentication protocol-authentication and key agreement-challenge message EAP-AKA'-Challenge, and the second extensible authentication protocol payload message is an extensible authentication protocol-request message EAP-REQ or an extensible authentication protocol-authentication and key agreement-notification message EAP-AKA'-Notification.
With reference to the thirteenth aspect, in a third implementable manner, the data processing apparatus is a second device, the second device is a trusted wireless local area network node, and the trusted wireless local area network node includes a trusted wireless local area network access gateway TWAG, or includes a trusted wireless local area network access gateway TWAG and a trusted wireless local area network authentication authorization accounting proxy TWAP, or includes a TWAP,
the receiver is further configured to:
receive a first extensible authentication protocol payload message sent by the terminal in the extensible authentication protocol-authentication and key agreement EAP-AKA' procedure, where the first extensible authentication protocol payload message includes the algorithm identifier of the algorithm supported by the terminal;
the transmitter is further configured to:
send a first DIAMETER message to a first device, the first DIAMETER message including the first extensible authentication protocol payload message;
the receiver is specifically configured to:
receive a second DIAMETER message sent by the first device, where the second DIAMETER message includes the algorithm identifier of the algorithm supported by the terminal;
the transmitter is specifically configured to:
send a second extensible authentication protocol payload message to the terminal, where the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
With reference to the third implementable manner, in a fourth implementable manner,
the transmitter is further configured to:
send a third DIAMETER message to the first device, where the third DIAMETER message includes the algorithm identifier corresponding to the first algorithm;
the receiver is further configured to:
receive a fourth DIAMETER message sent by the first device, where the fourth DIAMETER message includes the second extensible authentication protocol payload message, and the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
With reference to the thirteenth aspect, in a fifth implementable manner, the data processing apparatus is a terminal,
the receiver is specifically configured to:
receive a first extensible authentication protocol payload message sent by the second device in the extensible authentication protocol-authentication and key agreement EAP-AKA' procedure, where the first extensible authentication protocol payload message includes the algorithm identifier of the algorithm supported by the second device;
the transmitter is specifically configured to:
send a second extensible authentication protocol payload message to the second device, where the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
With reference to the fifth implementable manner, in a sixth implementable manner, the first extensible authentication protocol payload message is an extensible authentication protocol-request message EAP-REQ or an extensible authentication protocol-authentication and key agreement-notification message EAP-AKA'-Notification, and the second extensible authentication protocol payload message is an extensible authentication protocol-response message EAP-RSP or an extensible authentication protocol-authentication and key agreement-notification message EAP-AKA'-Notification.
In a fourteenth aspect, a second device is provided, where the second device is a trusted wireless local area network node, and the trusted wireless local area network node includes a trusted wireless local area network access gateway TWAG, or includes a trusted wireless local area network access gateway TWAG and a trusted wireless local area network authentication authorization accounting proxy TWAP, or includes a TWAP, and the second device includes:
a receiver, configured to receive a first extensible authentication protocol payload message sent by a terminal, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the terminal, the algorithm identifier of the algorithm supported by the terminal is used by a first device to select a first algorithm, and the first algorithm is an algorithm supported by both the second device and the terminal;
a transmitter, configured to send a first DIAMETER message to the first device, where the first DIAMETER message includes the first extensible authentication protocol payload message and an algorithm identifier of an algorithm supported by the second device, and the algorithm identifier of the algorithm supported by the second device is used by the first device to select the first algorithm;
the receiver is further configured to:
receive a second DIAMETER message sent by the first device, where the second DIAMETER message includes a second extensible authentication protocol payload message and the algorithm identifier corresponding to the first algorithm, and the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm;
a memory, configured to store program code;
a processor, configured to call the program code stored in the memory to execute the following method:
parsing the second DIAMETER message to obtain the second extensible authentication protocol payload message and the algorithm identifier corresponding to the first algorithm;
the transmitter is further configured to:
send the second extensible authentication protocol payload message to the terminal.
In a fifteenth aspect, a first device is provided, where the first device is an authentication, authorization, accounting server AAA or a home subscriber server HSS, and the first device includes:
a receiver, configured to receive a first DIAMETER message sent by a second device, where the first DIAMETER message includes a first extensible authentication protocol payload message, the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by a terminal, the algorithm identifier of the algorithm supported by the terminal is used by the second device to select a first algorithm, and the first algorithm is an algorithm supported by both the second device and the terminal;
a memory, configured to store program code;
a processor, configured to call the program code stored in the memory to execute the following method:
parsing the first DIAMETER message to obtain the first extensible authentication protocol payload message, and then parsing the first extensible authentication protocol payload message to obtain the algorithm identifier of the algorithm supported by the terminal;
a transmitter, configured to send a second DIAMETER message to the second device, the second DIAMETER message including the algorithm identifier of the algorithm supported by the terminal.
With reference to the fifteenth aspect, in a first implementable manner,
the receiver is further configured to:
receive a third DIAMETER message sent by the second device, where the third DIAMETER message includes the algorithm identifier corresponding to the first algorithm;
the transmitter is further configured to:
send a fourth DIAMETER message to the second device, where the fourth DIAMETER message includes a second extensible authentication protocol payload message, and the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
In a sixteenth aspect, a terminal is provided, including:
a transmitter, configured to send a first extensible authentication protocol payload message to a second device, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the terminal, the algorithm identifier of the algorithm supported by the terminal is used by a first device or the second device to select a first algorithm, and the first algorithm is an algorithm supported by both the second device and the terminal;
and a receiver, configured to receive a second extensible authentication protocol payload message sent by the second device, where the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
With reference to the sixteenth aspect, in a first implementable manner, the terminal further includes:
a memory, configured to store program code;
a processor, configured to call the program code stored in the memory to execute the following method:
determining whether the terminal supports a multi-connection mode MCM;
the transmitter is specifically configured to:
if the terminal supports the MCM, carry the algorithm identifier of the algorithm supported by the terminal in the first extensible authentication protocol payload message sent by the terminal to the second device.
In a seventeenth aspect, a second device is provided, where the second device is a trusted wireless local area network node, and the trusted wireless local area network node includes a trusted wireless local area network access gateway TWAG, or includes a trusted wireless local area network access gateway TWAG and a trusted wireless local area network authentication authorization accounting proxy TWAP, or includes a TWAP, and the second device includes:
a transmitter, configured to send a first extensible authentication protocol payload message to a terminal, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the second device, the algorithm identifier of the algorithm supported by the second device is used by the terminal to select a first algorithm, and the first algorithm is an algorithm supported by both the second device and the terminal;
a receiver, configured to receive a second extensible authentication protocol payload message sent by the terminal, where the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm;
the transmitter is further configured to:
send a third DIAMETER message to a first device, the third DIAMETER message including the second extensible authentication protocol payload message;
the receiver is further configured to:
receive a fourth DIAMETER message sent by the first device, where the fourth DIAMETER message includes the algorithm identifier corresponding to the first algorithm.
With reference to the seventeenth aspect, in a first implementable manner,
the transmitter is further configured to:
send a first DIAMETER message to the first device, the first DIAMETER message including the algorithm identifier of the algorithm supported by the second device;
the receiver is further configured to:
receive a second DIAMETER message sent by the first device, where the second DIAMETER message includes the first extensible authentication protocol payload message, and the first extensible authentication protocol payload message includes the algorithm identifier of the algorithm supported by the second device.
In an eighteenth aspect, a first device is provided, where the first device is an authentication, authorization, accounting server AAA or a home subscriber server HSS, and the first device includes:
a receiver, configured to receive a third DIAMETER message sent by a second device, where the third DIAMETER message includes a second extensible authentication protocol payload message, and the second extensible authentication protocol payload message includes an algorithm identifier corresponding to a first algorithm;
a transmitter, configured to send a fourth DIAMETER message to the second device, where the fourth DIAMETER message includes the algorithm identifier corresponding to the first algorithm.
With reference to the eighteenth aspect, in a first implementable manner,
the receiver is further configured to:
receive a first DIAMETER message sent by the second device, where the first DIAMETER message includes an algorithm identifier of an algorithm supported by the second device, the algorithm identifier of the algorithm supported by the second device is used by a terminal to select the first algorithm, and the first algorithm is an algorithm supported by both the second device and the terminal;
the first device further includes:
a memory, configured to store program code;
a processor, configured to call the program code stored in the memory to execute the following method:
parsing the first DIAMETER message to obtain the algorithm identifier of the algorithm supported by the second device;
the transmitter is further configured to:
send a second DIAMETER message to the second device, the second DIAMETER message including a first extensible authentication protocol payload message, and the first extensible authentication protocol payload message including the algorithm identifier of the algorithm supported by the second device.
In a nineteenth aspect, there is provided a data processing system comprising:
the first device as described in any of the above, the second device as described in any of the above, and the terminal as described in any of the above.
The embodiments of the invention provide a data processing method, apparatus and system. In the data processing method, during the EAP-AKA' procedure the first device, the second device or the terminal obtains the algorithm identifier of the algorithm supported by the terminal and the algorithm identifier of the algorithm supported by the second device and selects a first algorithm, the first algorithm being an algorithm supported by both the second device and the terminal; the second device and the terminal then obtain the algorithm identifier corresponding to the first algorithm within the same EAP-AKA' procedure. The second device and the terminal can therefore use the first algorithm to encrypt and integrity-protect WLCP messages, which effectively solves the problem of negotiating, at the WLCP layer, an algorithm supported by both the terminal and the second device.
Drawings
In order to describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention, and a person skilled in the art may derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a prior art enhancement to a control plane protocol stack;
FIG. 2 is a first flowchart of a data processing method according to an embodiment of the present invention;
FIG. 3 is a second flowchart of a data processing method according to an embodiment of the present invention;
FIG. 4 is a third flowchart of a data processing method according to an embodiment of the present invention;
FIG. 5 is a fourth flowchart of a data processing method according to an embodiment of the present invention;
FIG. 6 is a fifth flowchart of a data processing method according to an embodiment of the present invention;
FIG. 7 is a sixth flowchart of a data processing method according to an embodiment of the present invention;
FIG. 8 is a seventh flowchart of a data processing method according to an embodiment of the present invention;
FIG. 9 is an eighth flowchart of a data processing method according to an embodiment of the present invention;
FIG. 10 is a ninth flowchart of a data processing method according to an embodiment of the present invention;
FIG. 11 is a first schematic structural diagram of a data processing apparatus according to an embodiment of the present invention;
FIG. 12 is a first schematic structural diagram of a second device according to an embodiment of the present invention;
FIG. 13 is a first schematic structural diagram of a first device according to an embodiment of the present invention;
FIG. 14 is a first schematic structural diagram of a terminal according to an embodiment of the present invention;
FIG. 15 is a schematic structural diagram of a terminal according to an embodiment of the present invention;
FIG. 16 is a second schematic structural diagram of a second device according to an embodiment of the present invention;
FIG. 17 is a second schematic structural diagram of a first device according to an embodiment of the present invention;
FIG. 18 is a third schematic structural diagram of a first device according to an embodiment of the present invention;
FIG. 19 is a second schematic structural diagram of a data processing apparatus according to an embodiment of the present invention;
FIG. 20 is a third schematic structural diagram of a second device according to an embodiment of the present invention;
FIG. 21 is a fourth schematic structural diagram of a first device according to an embodiment of the present invention;
FIG. 22 is a third schematic structural diagram of a terminal according to an embodiment of the present invention;
FIG. 23 is a fourth schematic structural diagram of a terminal according to an embodiment of the present invention;
FIG. 24 is a fourth schematic structural diagram of a second device according to an embodiment of the present invention;
FIG. 25 is a fifth schematic structural diagram of a first device according to an embodiment of the present invention;
FIG. 26 is a sixth schematic structural diagram of a first device according to an embodiment of the present invention;
FIG. 27 is a schematic structural diagram of a data processing system according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first extensible authentication protocol payload message, first DIAMETER message, and so on may be used in the embodiments of the present invention to describe parts of the WLCP control protocol, these messages should not be limited by these terms. The terms are used only to distinguish between different authentication messages, for example EAP-RSP, EAP-AKA'-Challenge, EAP-REQ, or EAP-AKA'-Notification.
The word "if" as used herein may be interpreted as "when", "upon", "in response to determining", or "in response to detecting", depending on the context. Similarly, the phrase "if determined" or "if detected (a stated condition or event)" may be interpreted as "when determined", "in response to determining", "when detected (a stated condition or event)", or "in response to detecting (a stated condition or event)", depending on the context.
In the prior art, the protocol stacks of the UE and the TWAG shown in FIG. 1 may be used between the UE and the TWAG to implement the control plane flow. WLCP (WLAN Control Protocol) implements the management function of the control plane; UDP is a transport layer protocol providing an information transfer service, and IETF (Internet Engineering Task Force) RFC 768 is the formal specification of UDP; IPv6/IPv4 is a transport layer protocol that specifies the transport of packets; IEEE (Institute of Electrical and Electronics Engineers) 802.11 is the WLAN standard protocol that a terminal can use to transmit messages in a WLAN.
An embodiment of the present invention provides a data processing method, as shown in FIG. 2, the method including:
step 101, receiving an algorithm identifier of an algorithm supported by a terminal and an algorithm identifier of an algorithm supported by a second device in an extensible authentication protocol-authentication and key agreement EAP-AKA' procedure,
or receiving the algorithm identifier of the algorithm supported by the terminal in the extensible authentication protocol-authentication and key agreement EAP-AKA' procedure,
or receiving the algorithm identifier of the algorithm supported by the second device in the extensible authentication protocol-authentication and key agreement EAP-AKA' procedure.
Step 102, selecting a first algorithm according to the algorithm identifier of the algorithm supported by the terminal and the algorithm identifier of the algorithm supported by the second device, where the first algorithm is an algorithm supported by both the second device and the terminal.
Step 103, sending the algorithm identifier corresponding to the first algorithm.
Thus, before any WLCP request message is sent, the first device, the second device, or the terminal receives the algorithm identifier of the algorithm supported by the terminal and the algorithm identifier of the algorithm supported by the second device within the extensible authentication protocol-authentication and key agreement EAP-AKA' procedure and performs the algorithm negotiation, that is, selects as the first algorithm an algorithm supported by both the second device and the terminal. The second device and the terminal then receive the algorithm identifier corresponding to the first algorithm within the same EAP-AKA' procedure, so that both hold the first algorithm and can use it to encrypt and integrity-protect WLCP messages. This effectively solves the problem of negotiating, at the WLCP layer, an algorithm supported by both the terminal and the second device.
An embodiment of the present invention provides a data processing method applied to a second device, where the second device is a trusted wireless local area network node, and the trusted wireless local area network node includes a trusted wireless local area network access gateway TWAG, or includes a trusted wireless local area network access gateway TWAG and a trusted wireless local area network authentication authorization accounting proxy TWAP, or includes a TWAP. As shown in FIG. 3, the method includes:
step 201, receiving a first extensible authentication protocol payload message sent by a terminal, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the terminal, the algorithm identifier of the algorithm supported by the terminal is used by a first device to select a first algorithm, and the first algorithm is an algorithm supported by both the second device and the terminal.
Step 202, sending a first DIAMETER message to the first device, where the first DIAMETER message includes the first extensible authentication protocol payload message and an algorithm identifier of an algorithm supported by the second device, and the algorithm identifier of the algorithm supported by the second device is used by the first device to select the first algorithm.
Step 203, receiving a second DIAMETER message sent by the first device, where the second DIAMETER message includes a second extensible authentication protocol payload message and the algorithm identifier corresponding to the first algorithm, and the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
Step 204, parsing the second DIAMETER message to obtain the second extensible authentication protocol payload message and the algorithm identifier corresponding to the first algorithm.
Step 205, sending the second extensible authentication protocol payload message to the terminal.
Thus, before any WLCP request message is sent, the second device receives, within the extensible authentication protocol-authentication and key agreement EAP-AKA' procedure, the first extensible authentication protocol payload message sent by the terminal, and forwards it together with the algorithm identifier of the algorithm supported by the second device to the first device in the first DIAMETER message. The first device performs the algorithm negotiation according to the algorithm identifier of the algorithm supported by the second device and the algorithm identifier of the algorithm supported by the terminal, that is, selects as the first algorithm an algorithm supported by both the second device and the terminal, and returns the negotiation result, the algorithm identifier corresponding to the first algorithm, in the second DIAMETER message. The second device keeps the identifier carried in the second DIAMETER message and forwards the second extensible authentication protocol payload message to the terminal, so that both the second device and the terminal hold the first algorithm and can use it to encrypt and integrity-protect WLCP messages. This effectively solves the problem of negotiating, at the WLCP layer, an algorithm supported by both the terminal and the second device.
An embodiment of the present invention provides a data processing method, which is applied to a first device, where the first device is an authentication, authorization and accounting server AAA or a home subscriber server HSS, and as shown in fig. 4, the method includes:
step 301, receiving a first DIAMETER message sent by a second device, where the first DIAMETER message includes a first extensible authentication protocol payload message, the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by a terminal, and the algorithm identifier of the algorithm supported by the terminal is used by the second device to select a first algorithm, where the first algorithm is an algorithm supported by the second device that is also supported by the terminal.
Step 302, parsing the first DIAMETER message to obtain the first extensible authentication protocol payload message, and then parsing the first extensible authentication protocol payload message to obtain the algorithm identifier of the algorithm supported by the terminal.
Step 303, sending a second DIAMETER message to the second device, where the second DIAMETER message includes the algorithm identifier of the algorithm supported by the terminal.
Thus, before the WLCP request message, in the extensible authentication protocol-authentication and key agreement prime (EAP-AKA') procedure, the first device receives the first DIAMETER message sent by the second device, parses it to obtain the first extensible authentication protocol payload message, parses that message to obtain the algorithm identifier of the algorithm supported by the terminal, and then sends the second DIAMETER message carrying that algorithm identifier to the second device. The second device performs algorithm negotiation according to the algorithm identifier of the algorithm supported by the second device and the algorithm identifier of the algorithm supported by the terminal, that is, it selects an algorithm supported by the second device that is also supported by the terminal as the first algorithm. The second device and the terminal then receive the algorithm identifier corresponding to the first algorithm in the EAP-AKA' procedure, obtain the first algorithm, and use it to encrypt and integrity-protect WLCP messages, which effectively solves the problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device.
An embodiment of the present invention provides a data processing method applied to a terminal, and as shown in fig. 5, the method includes:
step 401, sending a first extensible authentication protocol payload message to a second device, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the terminal, and the algorithm identifier of the algorithm supported by the terminal is used by the first device or the second device to select a first algorithm, where the first algorithm is an algorithm supported by the second device that is also supported by the terminal.
Step 402, receiving a second extensible authentication protocol payload message sent by the second device, where the second extensible authentication protocol payload message includes an algorithm identifier corresponding to the first algorithm.
Thus, before the WLCP request message, the terminal sends the first extensible authentication protocol payload message to the second device in the extensible authentication protocol-authentication and key agreement prime (EAP-AKA') procedure, so that the first device or the second device performs algorithm negotiation according to the algorithm identifier of the algorithm supported by the second device and the algorithm identifier of the algorithm supported by the terminal, that is, selects an algorithm supported by the second device that is also supported by the terminal as the first algorithm. The second device and the terminal then receive the algorithm identifier corresponding to the first algorithm in the EAP-AKA' procedure, obtain the first algorithm, and use it to encrypt and integrity-protect WLCP messages, which effectively solves the problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device.
An embodiment of the present invention provides a data processing method, which is applied to a second device, where the second device is a trusted wireless local area network node, and the trusted wireless local area network node includes a trusted wireless local area network access gateway TWAG, or includes a trusted wireless local area network access gateway TWAG and a trusted wireless local area network authentication authorization accounting proxy TWAP, or includes a TWAP; as shown in fig. 6, the method includes:
step 501, sending a first extensible authentication protocol payload message to a terminal, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the second device, and the algorithm identifier of the algorithm supported by the second device is used by the terminal to select a first algorithm, where the first algorithm is an algorithm supported by the second device that is also supported by the terminal.
Step 502, receiving a second extensible authentication protocol payload message sent by the terminal, where the second extensible authentication protocol payload message includes an algorithm identifier corresponding to the first algorithm.
Step 503, sending a third DIAMETER message to the first device, where the third DIAMETER message includes the second extensible authentication protocol payload message.
Step 504, receiving a fourth DIAMETER message sent by the first device, where the fourth DIAMETER message includes the algorithm identifier corresponding to the first algorithm.
In this way, before the WLCP request message, the second device sends the first extensible authentication protocol payload message to the terminal in the extensible authentication protocol-authentication and key agreement prime (EAP-AKA') procedure, so that the terminal performs algorithm negotiation according to the algorithm identifier of the algorithm supported by the second device and the algorithm identifier of the algorithm supported by the terminal, that is, selects an algorithm supported by the second device that is also supported by the terminal as the first algorithm. The second device then receives the second extensible authentication protocol payload message sent by the terminal, sends the third DIAMETER message to the first device, receives the fourth DIAMETER message sent by the first device, and obtains from it the algorithm identifier corresponding to the first algorithm. Having received that identifier in the EAP-AKA' procedure, the second device and the terminal obtain the first algorithm and use it to encrypt and integrity-protect WLCP messages, which effectively solves the problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device.
An embodiment of the present invention provides a data processing method, which is applied to a first device, where the first device is an authentication, authorization and accounting server AAA or a home subscriber server HSS, and as shown in fig. 7, the method includes:
step 601, receiving a third DIAMETER message sent by the second device, where the third DIAMETER message includes a second extensible authentication protocol payload message, and the second extensible authentication protocol payload message includes an algorithm identifier corresponding to the first algorithm.
Step 602, sending a fourth DIAMETER message to the second device, where the fourth DIAMETER message includes the algorithm identifier corresponding to the first algorithm.
In this way, before the WLCP request message, in the extensible authentication protocol-authentication and key agreement prime (EAP-AKA') procedure, the first device receives the third DIAMETER message sent by the second device and sends the fourth DIAMETER message to the second device, so that the second device receives the algorithm identifier corresponding to the first algorithm within the EAP-AKA' procedure. The second device and the terminal thereby obtain the first algorithm and use it to encrypt and integrity-protect WLCP messages, which effectively solves the problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device.
An embodiment of the present invention provides a data processing method, which is applied to a terminal, a first device, and a second device, and as shown in fig. 8, the method includes:
step 701, the terminal sends a first extensible authentication protocol payload message to the second device, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the terminal.
The terminal generates the first extensible authentication protocol payload message and integrity-protects it. The first extensible authentication protocol payload message may be an extensible authentication protocol response message (EAP-RSP) or an EAP-AKA'-Challenge message, and includes the algorithm identifier of the algorithm supported by the terminal.
It should be noted that the terminal may determine whether it supports a multi-connection mode (MCM). If the terminal supports MCM, the first extensible authentication protocol payload message it sends to the second device carries the algorithm identifier of the algorithm supported by the terminal; if the terminal does not support MCM, the first extensible authentication protocol payload message it sends to the second device carries no algorithm identifier of any algorithm supported by the terminal.
The present invention assumes that the terminal supports MCM, so the first extensible authentication protocol payload message sent to the second device carries the algorithm identifier of the algorithm supported by the terminal.
Step 702, the second device sends a first DIAMETER message to the first device, where the first DIAMETER message includes the first extensible authentication protocol payload message and an algorithm identifier of an algorithm supported by the second device, and the first extensible authentication protocol payload message includes the algorithm identifier of the algorithm supported by the terminal.
The second device receives the first extensible authentication protocol payload message sent by the terminal and generates the first DIAMETER message, where the first DIAMETER message includes the first extensible authentication protocol payload message and the algorithm identifier of the algorithm supported by the second device.
Step 703, the first device selects a first algorithm.
The first device receives the first DIAMETER message sent by the second device, where the first DIAMETER message includes the first extensible authentication protocol payload message and the algorithm identifier of the algorithm supported by the second device. The first device parses the first DIAMETER message to obtain the first extensible authentication protocol payload message and the algorithm identifier of the algorithm supported by the second device, parses the first extensible authentication protocol payload message to obtain the algorithm identifier of the algorithm supported by the terminal, and compares each algorithm identifier of the second device with each algorithm identifier of the terminal to obtain an algorithm that is supported by the second device and is the same as an algorithm supported by the terminal, namely the first algorithm. If two or more algorithms supported by the second device are the same as algorithms supported by the terminal, the first algorithm is selected according to the priority of each algorithm and according to an operator or service provider policy. The first algorithm is used for encryption and integrity protection of WLCP messages.
Step 704, the first device sends a second DIAMETER message to the second device, where the second DIAMETER message includes a second extensible authentication protocol payload message and the algorithm identifier corresponding to the first algorithm, and the second extensible authentication protocol payload message also includes the algorithm identifier corresponding to the first algorithm.
The first device integrity-protects the second extensible authentication protocol payload message. The second extensible authentication protocol payload message may be an extensible authentication protocol request message (EAP-REQ) or an EAP-AKA'-Notification message, and includes the algorithm identifier corresponding to the first algorithm.
Step 705, the second device parses the second DIAMETER message.
The second device receives the second DIAMETER message sent by the first device and parses it to obtain the algorithm identifier corresponding to the first algorithm and the second extensible authentication protocol payload message.
Step 706, the second device sends the second extensible authentication protocol payload message to the terminal, where the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
The terminal receives the second extensible authentication protocol payload message sent by the second device and parses it to obtain the algorithm identifier corresponding to the first algorithm.
Before the WLCP request message, the terminal reports the algorithm identifier of the algorithm it supports to the second device in the EAP-AKA' procedure; the second device reports the algorithm identifier of the algorithm supported by the terminal and the algorithm identifier of the algorithm supported by the second device to the first device; the first device compares each algorithm identifier of the terminal with each algorithm identifier of the second device to obtain an algorithm supported by both, that is, the first algorithm; and the first device then sends the algorithm identifier corresponding to the first algorithm to the second device and the terminal, so that the second device and the terminal use the first algorithm to encrypt and protect WLCP messages. Negotiating the algorithm of the UE and the algorithm of the TWAG within the EAP-AKA' procedure in this way effectively solves the problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device.
An embodiment of the present invention provides a data processing method, which is applied to a terminal, a first device, and a second device, and as shown in fig. 9, the method includes:
step 801, the terminal sends a first extensible authentication protocol payload message to the second device, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the terminal.
The terminal generates the first extensible authentication protocol payload message and integrity-protects it. The first extensible authentication protocol payload message may be an extensible authentication protocol response message (EAP-RSP) or an EAP-AKA'-Challenge message, and includes the algorithm identifier of the algorithm supported by the terminal.
It should be noted that the terminal may determine whether it supports a multi-connection mode (MCM). If the terminal supports MCM, the first extensible authentication protocol payload message it sends to the second device carries the algorithm identifier of the algorithm supported by the terminal; if the terminal does not support MCM, the first extensible authentication protocol payload message it sends to the second device carries no algorithm identifier of any algorithm supported by the terminal.
The present invention assumes that the terminal supports MCM, so the first extensible authentication protocol payload message sent to the second device carries the algorithm identifier of the algorithm supported by the terminal.
Step 802, the second device sends a first DIAMETER message to the first device, where the first DIAMETER message includes the first extensible authentication protocol payload message, and the first extensible authentication protocol payload message includes the algorithm identifier of the algorithm supported by the terminal.
The second device receives the first extensible authentication protocol payload message sent by the terminal and generates the first DIAMETER message, where the first DIAMETER message includes the first extensible authentication protocol payload message.
Step 803, the first device parses the first DIAMETER message.
The first device receives the first DIAMETER message sent by the second device, parses it to obtain the first extensible authentication protocol payload message, parses the first extensible authentication protocol payload message to obtain the algorithm identifier of the algorithm supported by the terminal, and generates a second DIAMETER message, where the second DIAMETER message includes the algorithm identifier of the algorithm supported by the terminal.
Step 804, the first device sends the second DIAMETER message to the second device, where the second DIAMETER message includes the algorithm identifier of the algorithm supported by the terminal.
Step 805, the second device selects a first algorithm.
The second device receives the second DIAMETER message sent by the first device, where the second DIAMETER message includes the algorithm identifier of the algorithm supported by the terminal. The second device parses the second DIAMETER message to obtain the algorithm identifier of the algorithm supported by the terminal, obtains the algorithm identifier of the algorithm supported by the second device locally, and then compares each algorithm identifier of the second device with each algorithm identifier of the terminal to obtain an algorithm that is supported by the second device and is the same as an algorithm supported by the terminal, namely the first algorithm. If two or more algorithms supported by the second device are the same as algorithms supported by the terminal, the first algorithm is selected according to the priority of each algorithm and according to an operator or service provider policy. The first algorithm is used for encryption and integrity protection of WLCP messages.
Step 806, the second device sends a third DIAMETER message to the first device, where the third DIAMETER message includes an algorithm identifier corresponding to the first algorithm.
The second device generates the third DIAMETER message, which includes the algorithm identifier corresponding to the first algorithm.
Step 807, the first device sends a fourth DIAMETER message to the second device, where the fourth DIAMETER message includes a second extensible authentication protocol payload message, and the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
The first device receives the third DIAMETER message sent by the second device, parses it to obtain the algorithm identifier corresponding to the first algorithm, and generates the fourth DIAMETER message, which includes the second extensible authentication protocol payload message. The first device integrity-protects the second extensible authentication protocol payload message. The second extensible authentication protocol payload message may be an extensible authentication protocol request message (EAP-REQ) or an EAP-AKA'-Notification message, and includes the algorithm identifier corresponding to the first algorithm.
Step 808, the second device sends the second extensible authentication protocol payload message to the terminal, where the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
The second device receives the fourth DIAMETER message sent by the first device and parses it to obtain the second extensible authentication protocol payload message. The terminal receives the second extensible authentication protocol payload message sent by the second device and parses it to obtain the algorithm identifier corresponding to the first algorithm.
In the data processing method described in this embodiment, in the extensible authentication protocol-authentication and key agreement prime (EAP-AKA') procedure, the second device obtains the algorithm identifier of the algorithm supported by the terminal and the algorithm identifier of the algorithm supported by the second device, compares each algorithm identifier of the terminal with each algorithm identifier of the second device to obtain an algorithm supported by both, that is, the first algorithm, and sends the algorithm identifier corresponding to the first algorithm to the first device; the first device sends the algorithm identifier corresponding to the first algorithm to the terminal, so that the second device and the terminal use the first algorithm to encrypt and protect WLCP messages. Negotiating the algorithm of the UE and the algorithm of the TWAG within the EAP-AKA' procedure in this way effectively solves the problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device.
An embodiment of the present invention provides a data processing method, which is applied to a terminal, a first device, and a second device, and as shown in fig. 10, the method includes:
step 901, the second device sends a first DIAMETER message to the first device, where the first DIAMETER message includes an algorithm identifier of an algorithm supported by the second device.
Step 902, the first device parses the first DIAMETER message.
The first device receives the first DIAMETER message sent by the second device, parses it to obtain the algorithm identifier of the algorithm supported by the second device, and generates a second DIAMETER message, which includes a first extensible authentication protocol payload message. The first device integrity-protects the first extensible authentication protocol payload message. The first extensible authentication protocol payload message may be an extensible authentication protocol request message (EAP-REQ) or an EAP-AKA'-Notification message, and includes the algorithm identifier of the algorithm supported by the second device.
Step 903, the first device sends the second DIAMETER message to the second device, where the second DIAMETER message includes the first extensible authentication protocol payload message, and the first extensible authentication protocol payload message includes the algorithm identifier of the algorithm supported by the second device.
Step 904, the second device sends the first extensible authentication protocol payload message to the terminal, where the first extensible authentication protocol payload message includes the algorithm identifier of the algorithm supported by the second device.
The second device receives the second DIAMETER message sent by the first device and parses it to obtain the first extensible authentication protocol payload message.
Step 905, the terminal selects a first algorithm.
The terminal receives the first extensible authentication protocol payload message sent by the second device, where the first extensible authentication protocol payload message includes the algorithm identifier of the algorithm supported by the second device. The terminal parses the first extensible authentication protocol payload message to obtain the algorithm identifier of the algorithm supported by the second device, obtains the algorithm identifier of the algorithm supported by the terminal locally, and then compares each algorithm identifier of the second device with each algorithm identifier of the terminal to obtain an algorithm that is supported by the second device and is the same as an algorithm supported by the terminal, namely the first algorithm. If two or more algorithms supported by the second device are the same as algorithms supported by the terminal, the first algorithm is selected according to the priority of each algorithm and according to an operator or service provider policy. The first algorithm is used for encryption and integrity protection of WLCP messages.
Step 906, the terminal sends a second extensible authentication protocol payload message to the second device, where the second extensible authentication protocol payload message includes an algorithm identifier corresponding to the first algorithm.
The terminal generates the second extensible authentication protocol payload message and integrity-protects it. The second extensible authentication protocol payload message may be an extensible authentication protocol response message (EAP-RSP) or an EAP-AKA'-Notification message, and includes the algorithm identifier corresponding to the first algorithm.
Step 907, the second device sends a third DIAMETER message to the first device, where the third DIAMETER message includes the second extensible authentication protocol payload message, and the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
The second device receives the second extensible authentication protocol payload message sent by the terminal and generates the third DIAMETER message, where the third DIAMETER message includes the second extensible authentication protocol payload message, and the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
Step 908, the first device sends a fourth DIAMETER message to the second device, where the fourth DIAMETER message includes the algorithm identifier corresponding to the first algorithm.
The first device receives the third DIAMETER message sent by the second device, where the third DIAMETER message includes the second extensible authentication protocol payload message, and the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm. The first device parses the third DIAMETER message to obtain the second extensible authentication protocol payload message, then parses that message to obtain the algorithm identifier corresponding to the first algorithm, and generates the fourth DIAMETER message, where the fourth DIAMETER message includes the algorithm identifier corresponding to the first algorithm. The first device sends the fourth DIAMETER message to the second device so that the second device can obtain the algorithm identifier corresponding to the first algorithm.
It should be noted that, after the terminal selects the first algorithm, the algorithm identifier corresponding to the first algorithm is sent to the first device, and when the first device sends the algorithm identifier corresponding to the first algorithm to the second device, the algorithm identifier may be included in the Diameter message together with the EAP-success message, or may be sent in any Diameter message generated by the first device after it has obtained the algorithm identifier of the first algorithm.
In the data processing method described in this embodiment, in the extensible authentication protocol-authentication and key agreement prime (EAP-AKA') procedure, the terminal obtains the algorithm identifier of the algorithm supported by the terminal and the algorithm identifier of the algorithm supported by the second device, compares each algorithm identifier of the terminal with each algorithm identifier of the TWAG to obtain an algorithm supported by both, that is, the first algorithm, and sends the algorithm identifier corresponding to the first algorithm to the first device; the first device sends the algorithm identifier corresponding to the first algorithm to the second device, so that the second device and the terminal use the first algorithm to encrypt and integrity-protect WLCP messages. Negotiating the algorithm of the UE and the algorithm of the TWAG within the EAP-AKA' procedure in this way effectively solves the problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device.
Specifically, in the present invention, the information interaction between the second device and the first device may be the receiving and sending of information between the TWAP device and the AAA device, and selection of the first algorithm by the second device may be performed by the TWAP, by the TWAG, or by a second device that includes both TWAP and TWAG functions.
It should be noted that the algorithm supported by the second device according to the present invention may include the following cases: when the second device includes a trusted wireless local area network access gateway TWAG, the algorithm supported by the second device is the algorithm supported by the TWAG; when the second device includes a trusted wireless local area network authentication authorization accounting proxy TWAP, the algorithm supported by the second device is the algorithm supported by the TWAP; when the second device includes both a TWAG and a TWAP, the algorithms supported by the second device are the algorithms supported by the TWAG and the TWAP.
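As an added illustration that is not part of the patent text, the following Python models the shared selection rule of steps 703, 805 and 905 and the three message flows in which it runs (first device selects in fig. 8, second device selects in fig. 9, terminal selects in fig. 10), checking at the end that both WLCP endpoints hold the same identifier. The message layouts, the integrity key, the algorithm identifiers and the representation of operator policy as a set of excluded identifiers are constructed placeholders, not 3GPP encodings.

```python
"""Added example, not from the patent: the selection rule of steps 703/805/905
and the three message flows in which it runs (fig. 8, fig. 9, fig. 10).
Message layouts, key, algorithm identifiers and policy are constructed."""
import hashlib
import hmac

# Constructed algorithm identifiers (placeholders); lower value = higher priority.
PRIORITY = {"ALG-A": 1, "ALG-B": 2, "ALG-C": 3}
# Placeholder for the EAP-AKA' integrity key shared by terminal and first device.
KEY = b"constructed-eap-aka-prime-integrity-key"


def _tag(fields):
    body = "|".join(f"{k}={v}" for k, v in sorted(fields.items()))
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()


def protect(fields):
    """Integrity-protect an EAP payload (HMAC stands in for the EAP-AKA' MAC)."""
    return {**fields, "mac": _tag(fields)}


def verify(payload):
    """Return the payload fields if the tag matches; raise if it was altered."""
    fields = {k: v for k, v in payload.items() if k != "mac"}
    if not hmac.compare_digest(_tag(fields), payload.get("mac", "")):
        raise ValueError("EAP payload integrity check failed")
    return fields


def select_first_algorithm(ue_algs, twan_algs, policy=()):
    """Steps 703/805/905: the first algorithm is one the second device supports
    that the terminal also supports. With several matches, apply the operator
    policy (modelled as excluded identifiers) and then the priority order."""
    common = [a for a in twan_algs if a in set(ue_algs) and a not in policy]
    if not common:
        raise ValueError("no algorithm supported by both terminal and second device")
    return min(common, key=lambda a: PRIORITY.get(a, 99))


def negotiate(selector, ue_algs, twan_algs, policy=()):
    """Run one of the three flows; return (terminal's view, second device's view)
    of the selected identifier so the caller can confirm both sides agree."""
    if selector == "first_device":  # fig. 8: AAA/HSS selects
        eap1 = protect({"ue_algs": ",".join(ue_algs)})    # step 701
        d1 = {"EAP": eap1, "twan_algs": list(twan_algs)}  # step 702
        chosen = select_first_algorithm(                  # step 703
            verify(d1["EAP"])["ue_algs"].split(","), d1["twan_algs"], policy)
        d2 = {"EAP": protect({"selected": chosen}), "selected": chosen}  # 704
        twag_view = d2["selected"]                        # step 705
        return verify(d2["EAP"])["selected"], twag_view   # step 706
    if selector == "second_device":  # fig. 9: TWAG/TWAP selects
        d1 = {"EAP": protect({"ue_algs": ",".join(ue_algs)})}          # 801-802
        d2 = {"ue_algs": verify(d1["EAP"])["ue_algs"].split(",")}     # 803-804
        chosen = select_first_algorithm(d2["ue_algs"], twan_algs, policy)  # 805
        d3 = {"selected": chosen}                                      # 806
        d4 = {"EAP": protect({"selected": d3["selected"]})}            # 807
        return verify(d4["EAP"])["selected"], chosen                   # 808
    if selector == "terminal":  # fig. 10: UE selects
        d1 = {"twan_algs": list(twan_algs)}                            # 901
        d2 = {"EAP": protect({"twan_algs": ",".join(d1["twan_algs"])})}  # 902-903
        offered = verify(d2["EAP"])["twan_algs"].split(",")            # 904
        chosen = select_first_algorithm(ue_algs, offered, policy)      # 905
        d3 = {"EAP": protect({"selected": chosen})}                    # 906-907
        d4 = {"selected": verify(d3["EAP"])["selected"]}               # 908
        return chosen, d4["selected"]
    raise ValueError(f"unknown selector {selector!r}")


if __name__ == "__main__":
    for role in ("first_device", "second_device", "terminal"):
        print(role, negotiate(role, ["ALG-C", "ALG-A", "ALG-B"], ["ALG-B", "ALG-A"]))
```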
An embodiment of the present invention provides a data processing apparatus 11, as shown in fig. 11, including:
a receiving unit 111, configured to receive, in an EAP-AKA' procedure, the algorithm identifier of the algorithm supported by the terminal and the algorithm identifier of the algorithm supported by the second device,
or to receive, in the EAP-AKA' procedure, the algorithm identifier of the algorithm supported by the terminal,
or to receive, in the EAP-AKA' procedure, the algorithm identifier of the algorithm supported by the second device;
a processing unit 112, configured to select a first algorithm according to the algorithm identifier of the algorithm supported by the terminal and the algorithm identifier of the algorithm supported by the second device, where the first algorithm is an algorithm supported by both the terminal and the second device;
a sending unit 113, configured to send the algorithm identifier corresponding to the first algorithm.
Thus, before the WLCP request message is sent, the first device, the second device, or the terminal receives, in the EAP-AKA' procedure, the algorithm identifier of the algorithm supported by the terminal and the algorithm identifier of the algorithm supported by the second device and performs the algorithm negotiation, that is, selects as the first algorithm an algorithm supported by the second device that is the same as an algorithm supported by the terminal. The second device and the terminal then receive the algorithm identifier corresponding to the first algorithm in the EAP-AKA' procedure, so that both acquire the first algorithm and use it to encrypt and integrity protect WLCP messages, which effectively solves the problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device.
When the data processing apparatus 11 is a first device, the first device is an authentication, authorization, accounting server AAA or a home subscriber server HSS,
the receiving unit 111 is specifically configured to:
receive a first DIAMETER message sent by the second device in the EAP-AKA' procedure, where the first DIAMETER message comprises a first EAP payload message and the algorithm identifier of the algorithm supported by the second device, and the first EAP payload message comprises the algorithm identifier of the algorithm supported by the terminal;
the sending unit 113 is specifically configured to:
send a second DIAMETER message to the second device, where the second DIAMETER message comprises a second EAP payload message and the algorithm identifier corresponding to the first algorithm, and the second EAP payload message comprises the algorithm identifier corresponding to the first algorithm.
It should be noted that the first EAP payload message is an EAP response message (EAP-RSP) or an EAP-AKA'-Challenge message, and the second EAP payload message is an EAP request message (EAP-REQ) or an EAP-AKA'-Notification message.
An embodiment of the present invention provides a second device 12, where the second device is a trusted WLAN node, and the trusted WLAN node includes a trusted WLAN access gateway TWAG, or includes a TWAG and a trusted WLAN AAA proxy TWAP, or includes a TWAP; as shown in fig. 12, the second device includes:
a receiving unit 121, configured to receive a first EAP payload message sent by a terminal, where the first EAP payload message includes the algorithm identifier of the algorithm supported by the terminal, and the algorithm identifier of the algorithm supported by the terminal is used by a first device to select a first algorithm, where the first algorithm is an algorithm supported by the second device that is the same as an algorithm supported by the terminal;
a sending unit 122, configured to send a first DIAMETER message to the first device, where the first DIAMETER message includes the first EAP payload message and the algorithm identifier of the algorithm supported by the second device, and the algorithm identifier of the algorithm supported by the second device is used by the first device to select the first algorithm;
the receiving unit 121 is further configured to:
receive a second DIAMETER message sent by the first device, where the second DIAMETER message comprises a second EAP payload message and the algorithm identifier corresponding to the first algorithm, and the second EAP payload message comprises the algorithm identifier corresponding to the first algorithm;
a processing unit 123, configured to parse the second DIAMETER message to obtain the second EAP payload message and the algorithm identifier corresponding to the first algorithm;
the sending unit 122 is further configured to:
send the second EAP payload message to the terminal.
Thus, before the WLCP request message is sent, the second device receives, in the EAP-AKA' procedure, the first EAP payload message sent by the terminal and forwards it, together with the algorithm identifier of the algorithm supported by the second device, to the first device in the first DIAMETER message. The first device then performs the algorithm negotiation according to the algorithm identifier of the algorithm supported by the second device and the algorithm identifier of the algorithm supported by the terminal, that is, selects as the first algorithm an algorithm supported by the second device that is the same as an algorithm supported by the terminal, and sends the negotiation result, namely the algorithm identifier corresponding to the first algorithm, to the second device and the terminal in the second DIAMETER message. The second device and the terminal thereby acquire the first algorithm and use it to encrypt and integrity protect WLCP messages, which effectively solves the problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device.
When the data processing apparatus 11 is a second device, the second device is a trusted WLAN node, and the trusted WLAN node includes a trusted WLAN access gateway TWAG, or includes a TWAG and a trusted WLAN AAA proxy TWAP, or includes a TWAP,
the receiving unit 111 is further configured to:
receive a first EAP payload message sent by a terminal in the EAP-AKA' procedure, where the first EAP payload message comprises the algorithm identifier of the algorithm supported by the terminal;
the sending unit 113 is further configured to:
send a first DIAMETER message to a first device, where the first DIAMETER message comprises the first EAP payload message;
the receiving unit 111 is specifically configured to:
receive a second DIAMETER message sent by the first device, where the second DIAMETER message comprises the algorithm identifier of the algorithm supported by the terminal;
the sending unit 113 is specifically configured to:
send a second EAP payload message to the terminal, where the second EAP payload message comprises the algorithm identifier corresponding to the first algorithm.
The sending unit 113 is further configured to:
send a third DIAMETER message to the first device, where the third DIAMETER message comprises the algorithm identifier corresponding to the first algorithm;
the receiving unit 111 is further configured to:
receive a fourth DIAMETER message sent by the first device, where the fourth DIAMETER message includes the second EAP payload message, and the second EAP payload message includes the algorithm identifier corresponding to the first algorithm.
An embodiment of the present invention provides a first device 13, where the first device is an authentication, authorization, accounting server AAA or a home subscriber server HSS; as shown in fig. 13, the first device includes:
a receiving unit 131, configured to receive a first DIAMETER message sent by a second device, where the first DIAMETER message includes a first EAP payload message, the first EAP payload message includes the algorithm identifier of the algorithm supported by a terminal, and the algorithm identifier of the algorithm supported by the terminal is used by the second device to select a first algorithm, where the first algorithm is an algorithm supported by the second device that is the same as an algorithm supported by the terminal;
a processing unit 132, configured to parse the first DIAMETER message to obtain the first EAP payload message, and then parse the first EAP payload message to obtain the algorithm identifier of the algorithm supported by the terminal;
a sending unit 133, configured to send a second DIAMETER message to the second device, where the second DIAMETER message includes the algorithm identifier of the algorithm supported by the terminal.
Thus, before the WLCP request message is sent, in the EAP-AKA' procedure the first device receives the first DIAMETER message sent by the second device, parses it to obtain the first EAP payload message, parses the first EAP payload message to obtain the algorithm identifier of the algorithm supported by the terminal, and then sends the second DIAMETER message carrying that algorithm identifier to the second device. The second device performs the algorithm negotiation according to the algorithm identifier of the algorithm supported by the second device and the algorithm identifier of the algorithm supported by the terminal, that is, selects as the first algorithm an algorithm supported by the second device that is the same as an algorithm supported by the terminal. The second device and the terminal then receive the algorithm identifier corresponding to the first algorithm in the EAP-AKA' procedure, acquire the first algorithm, and use it to encrypt and integrity protect WLCP messages, which effectively solves the problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device.
The receiving unit 131 is further configured to:
receive a third DIAMETER message sent by the second device, where the third DIAMETER message comprises the algorithm identifier corresponding to the first algorithm;
the sending unit 133 is further configured to:
send a fourth DIAMETER message to the second device, where the fourth DIAMETER message comprises a second EAP payload message, and the second EAP payload message comprises the algorithm identifier corresponding to the first algorithm.
An embodiment of the present invention provides a terminal 14, as shown in fig. 14, including:
a sending unit 141, configured to send a first EAP payload message to a second device, where the first EAP payload message includes the algorithm identifier of the algorithm supported by the terminal, and the algorithm identifier of the algorithm supported by the terminal is used by the first device or the second device to select a first algorithm, where the first algorithm is an algorithm supported by the second device that is the same as an algorithm supported by the terminal;
a receiving unit 142, configured to receive a second EAP payload message sent by the second device, where the second EAP payload message includes the algorithm identifier corresponding to the first algorithm.
Thus, before the WLCP request message is sent, the terminal sends a first EAP payload message to the second device in the EAP-AKA' procedure, so that the first device or the second device performs the algorithm negotiation according to the algorithm identifier of the algorithm supported by the second device and the algorithm identifier of the algorithm supported by the terminal, that is, selects as the first algorithm an algorithm supported by the second device that is the same as an algorithm supported by the terminal. The second device and the terminal then receive the algorithm identifier corresponding to the first algorithm in the EAP-AKA' procedure, acquire the first algorithm, and use it to encrypt and integrity protect WLCP messages, which effectively solves the problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device.
As shown in fig. 15, the terminal 14 further includes:
a processing unit 143, configured to determine whether the terminal supports a multi-connection mode (MCM);
the sending unit 141 is specifically configured to:
if the terminal supports the MCM, carry the algorithm identifier of the algorithm supported by the terminal in the first EAP payload message sent by the terminal to the second device.
When the data processing apparatus 11 is a terminal,
the receiving unit 111 is specifically configured to:
receive a first EAP payload message sent by a second device in the EAP-AKA' procedure, where the first EAP payload message comprises the algorithm identifier of the algorithm supported by the second device;
the sending unit 113 is specifically configured to:
send a second EAP payload message to the second device, where the second EAP payload message comprises the algorithm identifier corresponding to the first algorithm.
It should be noted that the first EAP payload message is an EAP request message (EAP-REQ) or an EAP-AKA'-Notification message, and the second EAP payload message is an EAP response message (EAP-RSP) or an EAP-AKA'-Notification message.
An embodiment of the present invention provides a second device 15, where the second device is a trusted WLAN node, and the trusted WLAN node includes a trusted WLAN access gateway TWAG, or includes a TWAG and a trusted WLAN AAA proxy TWAP, or includes a TWAP; as shown in fig. 16, the second device includes:
a sending unit 151, configured to send a first EAP payload message to a terminal, where the first EAP payload message includes the algorithm identifier of the algorithm supported by the second device, and the algorithm identifier of the algorithm supported by the second device is used by the terminal to select a first algorithm, where the first algorithm is an algorithm supported by the second device that is the same as an algorithm supported by the terminal;
a receiving unit 152, configured to receive a second EAP payload message sent by the terminal, where the second EAP payload message includes the algorithm identifier corresponding to the first algorithm;
the sending unit 151 is further configured to:
send a third DIAMETER message to the first device, where the third DIAMETER message comprises the second EAP payload message;
the receiving unit 152 is further configured to:
receive a fourth DIAMETER message sent by the first device, where the fourth DIAMETER message comprises the algorithm identifier corresponding to the first algorithm.
In this way, before the WLCP request message is sent, the second device sends a first EAP payload message to the terminal in the EAP-AKA' procedure, so that the terminal performs the algorithm negotiation according to the algorithm identifier of the algorithm supported by the second device and the algorithm identifier of the algorithm supported by the terminal, that is, selects as the first algorithm an algorithm supported by the second device that is the same as an algorithm supported by the terminal. The second device then receives the second EAP payload message sent by the terminal, sends the third DIAMETER message to the first device, receives the fourth DIAMETER message sent by the first device, and thereby obtains the algorithm identifier corresponding to the first algorithm within the EAP-AKA' procedure. The second device and the terminal thus acquire the first algorithm and use it to encrypt and integrity protect WLCP messages, which effectively solves the problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device.
The sending unit 151 is further configured to:
send a first DIAMETER message to the first device, where the first DIAMETER message includes the algorithm identifier of the algorithm supported by the second device;
the receiving unit 152 is further configured to:
receive a second DIAMETER message sent by the first device, where the second DIAMETER message comprises the first EAP payload message, and the first EAP payload message comprises the algorithm identifier of the algorithm supported by the second device.
An embodiment of the present invention provides a first device 16, where the first device is an authentication, authorization, accounting server AAA or a home subscriber server HSS; as shown in fig. 17, the first device includes:
a receiving unit 161, configured to receive a third DIAMETER message sent by a second device, where the third DIAMETER message includes a second EAP payload message, and the second EAP payload message includes the algorithm identifier corresponding to a first algorithm;
a sending unit 162, configured to send a fourth DIAMETER message to the second device, where the fourth DIAMETER message includes the algorithm identifier corresponding to the first algorithm.
In this way, before the WLCP request message is sent, in the EAP-AKA' procedure the first device receives the third DIAMETER message sent by the second device and sends the fourth DIAMETER message to the second device, so that the second device receives the algorithm identifier corresponding to the first algorithm within the EAP-AKA' procedure. The second device and the terminal thereby acquire the first algorithm and use it to encrypt and integrity protect WLCP messages, which effectively solves the problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device.
The receiving unit 161 is further configured to:
receive a first DIAMETER message sent by the second device, where the first DIAMETER message comprises the algorithm identifier of the algorithm supported by the second device, the algorithm identifier of the algorithm supported by the second device is used by a terminal to select a first algorithm, and the first algorithm is an algorithm supported by the second device that is the same as an algorithm supported by the terminal;
as shown in fig. 18, the first device 16 further includes:
a processing unit 163, configured to parse the first DIAMETER message to obtain the algorithm identifier of the algorithm supported by the second device;
the sending unit 162 is further configured to:
send a second DIAMETER message to the second device, where the second DIAMETER message comprises a first EAP payload message, and the first EAP payload message comprises the algorithm identifier of the algorithm supported by the second device.
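The three negotiation variants described in this section, modelled as one added Python example: the first device selects (apparatus 11 acting as the first device, second device 12), the second device selects (apparatus 11 acting as the second device, first device 13), and the terminal selects (terminal 14, second device 15, first device 16). This is not code from the patent or from 3GPP; the message classes, field names, algorithm identifier values and the preference order used to choose among several common algorithms are assumptions. Each function plays through one variant's message sequence, naming the first to fourth DIAMETER messages and the first and second EAP payload messages as the text does, and returns the algorithm each end believes was agreed:

```python
"""Model of the WLCP algorithm negotiation carried inside the EAP-AKA' procedure.

Illustrative code written for this page, not the patent's or 3GPP's: the message
field names, the algorithm identifier values and the preference order are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed algorithm identifiers (assumption, not 3GPP-assigned values).
ALG_NULL, ALG_A, ALG_B = 0, 1, 2


@dataclass
class EapPayload:
    """First or second EAP payload message (EAP-RSP, EAP-REQ, EAP-AKA'-Challenge, EAP-AKA'-Notification)."""
    kind: str
    algorithms: List[int] = field(default_factory=list)  # identifiers offered by the sender
    selected: Optional[int] = None                        # identifier corresponding to the first algorithm


@dataclass
class DiameterMessage:
    """DIAMETER message exchanged between the second device (TWAG/TWAP) and the first device (AAA/HSS)."""
    eap_payload: Optional[EapPayload] = None
    algorithms: List[int] = field(default_factory=list)  # identifiers carried outside the EAP payload
    selected: Optional[int] = None


class NegotiationError(Exception):
    pass


def select_first_algorithm(ue_algs: List[int], twan_algs: List[int], preference: List[int]) -> int:
    """Return an identifier supported by both the terminal and the second device, taking the
    first match in the selector's preference order (assumption: the page fixes no tie-break)."""
    common = set(ue_algs) & set(twan_algs)
    for alg in preference:
        if alg in common:
            return alg
    raise NegotiationError("no algorithm is supported by both the terminal and the second device")


def check_selected(selected: Optional[int], own_algs: List[int]) -> int:
    """A party accepts only an identifier it offered itself, so a modified message cannot
    move it onto an algorithm it never advertised (added defensive check, not from the page)."""
    if selected not in own_algs:
        raise NegotiationError("selected algorithm %r was not offered" % (selected,))
    return selected


def first_device_selects(ue_algs, twan_algs, preference) -> Tuple[int, int]:
    """Apparatus 11 as first device / second device 12: the first device (AAA/HSS) selects."""
    m1 = EapPayload("EAP-RSP", algorithms=ue_algs)               # first EAP payload: terminal's identifiers
    d1 = DiameterMessage(eap_payload=m1, algorithms=twan_algs)   # first DIAMETER: m1 + second device's identifiers
    chosen = select_first_algorithm(d1.eap_payload.algorithms, d1.algorithms, preference)
    d2 = DiameterMessage(eap_payload=EapPayload("EAP-REQ", selected=chosen), selected=chosen)  # second DIAMETER
    twan_alg = check_selected(d2.selected, twan_algs)            # second device parses d2 ...
    ue_alg = check_selected(d2.eap_payload.selected, ue_algs)    # ... and forwards the second EAP payload
    return ue_alg, twan_alg


def second_device_selects(ue_algs, twan_algs, preference) -> Tuple[int, int]:
    """Apparatus 11 as second device / first device 13: the second device (TWAG/TWAP) selects."""
    d1 = DiameterMessage(eap_payload=EapPayload("EAP-RSP", algorithms=ue_algs))  # first DIAMETER
    d2 = DiameterMessage(algorithms=d1.eap_payload.algorithms)   # second DIAMETER: first device extracts the list
    chosen = select_first_algorithm(d2.algorithms, twan_algs, preference)
    d3 = DiameterMessage(selected=chosen)                        # third DIAMETER: selection reported upward
    d4 = DiameterMessage(eap_payload=EapPayload("EAP-REQ", selected=d3.selected))  # fourth DIAMETER
    ue_alg = check_selected(d4.eap_payload.selected, ue_algs)    # second EAP payload forwarded to the terminal
    return ue_alg, chosen


def terminal_selects(ue_algs, twan_algs, preference) -> Tuple[int, int]:
    """Terminal 14 / second device 15 / first device 16: the terminal selects."""
    d1 = DiameterMessage(algorithms=twan_algs)                   # first DIAMETER: second device's identifiers
    d2 = DiameterMessage(eap_payload=EapPayload("EAP-REQ", algorithms=d1.algorithms))  # second DIAMETER
    m1 = d2.eap_payload                                          # first EAP payload forwarded to the terminal
    chosen = select_first_algorithm(ue_algs, m1.algorithms, preference)
    m2 = EapPayload("EAP-RSP", selected=chosen)                  # second EAP payload
    d3 = DiameterMessage(eap_payload=m2)                         # third DIAMETER carries m2 upward
    d4 = DiameterMessage(selected=d3.eap_payload.selected)       # fourth DIAMETER returns the identifier
    twan_alg = check_selected(d4.selected, twan_algs)
    return chosen, twan_alg


if __name__ == "__main__":
    ue, twan, pref = [ALG_NULL, ALG_A, ALG_B], [ALG_B, ALG_NULL], [ALG_B, ALG_A, ALG_NULL]
    print(first_device_selects(ue, twan, pref), second_device_selects(ue, twan, pref), terminal_selects(ue, twan, pref))
```

With the constructed lists, every variant ends with both ends holding ALG_B, the highest-preference identifier common to the terminal and the second device; when the lists share nothing, `select_first_algorithm` raises instead of silently falling back. `check_selected` is the check a practitioner adds on top of the text: each end verifies the returned identifier against the list it offered before using that algorithm to protect WLCP messages, so a message altered in transit cannot push it onto an algorithm it never advertised.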
An embodiment of the present invention provides a data processing apparatus 17, as shown in fig. 19, including:
a receiver 171, configured to receive, in an EAP-AKA' procedure, the algorithm identifier of the algorithm supported by the terminal and the algorithm identifier of the algorithm supported by the second device,
or to receive, in the EAP-AKA' procedure, the algorithm identifier of the algorithm supported by the terminal,
or to receive, in the EAP-AKA' procedure, the algorithm identifier of the algorithm supported by the second device;
a memory 172, configured to store program code;
a processor 173, configured to call the program code stored in the memory to execute the following method:
selecting a first algorithm according to the algorithm identifier of the algorithm supported by the terminal and the algorithm identifier of the algorithm supported by the second device, where the first algorithm is an algorithm supported by both the terminal and the second device;
and a transmitter 174, configured to transmit the algorithm identifier corresponding to the first algorithm.
Thus, before the WLCP request message is sent, the first device, the second device, or the terminal receives, in the EAP-AKA' procedure, the algorithm identifier of the algorithm supported by the terminal and the algorithm identifier of the algorithm supported by the second device and performs the algorithm negotiation, that is, selects as the first algorithm an algorithm supported by the second device that is the same as an algorithm supported by the terminal. The second device and the terminal then receive the algorithm identifier corresponding to the first algorithm in the EAP-AKA' procedure, so that both acquire the first algorithm and use it to encrypt and integrity protect WLCP messages, which effectively solves the problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device.
When the data processing apparatus 17 is a first device, the first device is an authentication, authorization, accounting server AAA or a home subscriber server HSS,
the receiver 171 is specifically configured to:
receive a first DIAMETER message sent by the second device in the EAP-AKA' procedure, where the first DIAMETER message comprises a first EAP payload message and the algorithm identifier of the algorithm supported by the second device, and the first EAP payload message comprises the algorithm identifier of the algorithm supported by the terminal;
the transmitter 174 is specifically configured to:
send a second DIAMETER message to the second device, where the second DIAMETER message comprises a second EAP payload message and the algorithm identifier corresponding to the first algorithm, and the second EAP payload message comprises the algorithm identifier corresponding to the first algorithm.
The first EAP payload message is an EAP response message (EAP-RSP) or an EAP-AKA'-Challenge message, and the second EAP payload message is an EAP request message (EAP-REQ) or an EAP-AKA'-Notification message.
An embodiment of the present invention provides a second device 18, where the second device is a trusted WLAN node, and the trusted WLAN node includes a trusted WLAN access gateway TWAG, or includes a TWAG and a trusted WLAN AAA proxy TWAP, or includes a TWAP; as shown in fig. 20, the second device includes:
a receiver 181, configured to receive a first EAP payload message sent by a terminal, where the first EAP payload message includes the algorithm identifier of the algorithm supported by the terminal, and the algorithm identifier of the algorithm supported by the terminal is used by a first device to select a first algorithm, where the first algorithm is an algorithm supported by the second device that is the same as an algorithm supported by the terminal;
a transmitter 182, configured to transmit a first DIAMETER message to the first device, where the first DIAMETER message includes the first EAP payload message and the algorithm identifier of the algorithm supported by the second device, and the algorithm identifier of the algorithm supported by the second device is used by the first device to select the first algorithm;
the receiver 181 is further configured to:
receive a second DIAMETER message sent by the first device, where the second DIAMETER message comprises a second EAP payload message and the algorithm identifier corresponding to the first algorithm, and the second EAP payload message comprises the algorithm identifier corresponding to the first algorithm;
a memory 183, configured to store program code;
a processor 184, configured to call the program code stored in the memory to execute the following method:
parsing the second DIAMETER message to obtain the second EAP payload message and the algorithm identifier corresponding to the first algorithm;
the transmitter 182 is further configured to:
send the second EAP payload message to the terminal.
Thus, before the WLCP request message is sent, the second device receives, in the EAP-AKA' procedure, the first EAP payload message sent by the terminal and forwards it, together with the algorithm identifier of the algorithm supported by the second device, to the first device in the first DIAMETER message. The first device then performs the algorithm negotiation according to the algorithm identifier of the algorithm supported by the second device and the algorithm identifier of the algorithm supported by the terminal, that is, selects as the first algorithm an algorithm supported by the second device that is the same as an algorithm supported by the terminal, and sends the negotiation result, namely the algorithm identifier corresponding to the first algorithm, to the second device and the terminal in the second DIAMETER message. The second device and the terminal thereby acquire the first algorithm and use it to encrypt and integrity protect WLCP messages, which effectively solves the problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device.
When the data processing apparatus 17 is a second device, the second device is a trusted WLAN node, and the trusted WLAN node includes a trusted WLAN access gateway TWAG, or includes a TWAG and a trusted WLAN AAA proxy TWAP, or includes a TWAP,
the receiver 171 is further configured to:
receive a first EAP payload message sent by a terminal in the EAP-AKA' procedure, where the first EAP payload message comprises the algorithm identifier of the algorithm supported by the terminal;
the transmitter 174 is further configured to:
send a first DIAMETER message to a first device, where the first DIAMETER message comprises the first EAP payload message;
the receiver 171 is specifically configured to:
receive a second DIAMETER message sent by the first device, where the second DIAMETER message comprises the algorithm identifier of the algorithm supported by the terminal;
the transmitter 174 is specifically configured to:
send a second EAP payload message to the terminal, where the second EAP payload message comprises the algorithm identifier corresponding to the first algorithm.
The transmitter 174 is further configured to:
send a third DIAMETER message to the first device, where the third DIAMETER message comprises the algorithm identifier corresponding to the first algorithm;
the receiver 171 is further configured to:
receive a fourth DIAMETER message sent by the first device, where the fourth DIAMETER message includes the second EAP payload message, and the second EAP payload message includes the algorithm identifier corresponding to the first algorithm.
An embodiment of the present invention provides a first device 19, where the first device is an authentication, authorization, accounting server AAA or a home subscriber server HSS, and as shown in fig. 21, the first device includes:
a receiver 191, configured to receive a first DIAMETER message sent by a second device, where the first DIAMETER message includes a first extensible authentication protocol payload message, the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by a terminal, and the algorithm identifier of the algorithm supported by the terminal is used by the second device to select a first algorithm, the first algorithm being an algorithm supported by the second device that is the same as the algorithm supported by the terminal;
a memory 192 for storing program code;
a processor 193 for calling the program code stored in the memory to execute the following method:
parsing the first DIAMETER message to obtain the first extensible authentication protocol payload message, and then parsing the first extensible authentication protocol payload message to obtain the algorithm identifier of the algorithm supported by the terminal;
a transmitter 194, configured to send a second DIAMETER message to the second device, the second DIAMETER message including the algorithm identifier of the algorithm supported by the terminal.
Thus, before the WLCP request message, in the EAP-AKA' procedure, the first device receives the first DIAMETER message sent by the second device, parses the first DIAMETER message to obtain the first extensible authentication protocol payload message, parses the first extensible authentication protocol payload message to obtain the algorithm identifier of the algorithm supported by the terminal, and then sends the second DIAMETER message carrying the algorithm identifier of the algorithm supported by the terminal to the second device, so that the second device performs algorithm negotiation according to the algorithm identifier of the algorithm supported by the second device and the algorithm identifier of the algorithm supported by the terminal, that is, selects, as the first algorithm, an algorithm supported by the second device that is the same as the algorithm supported by the terminal. The second device and the terminal then receive the algorithm identifier corresponding to the first algorithm in the EAP-AKA' procedure, so that the second device and the terminal acquire the first algorithm, and the WLCP message is encrypted and integrity-protected using the first algorithm. The problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device is thus effectively solved.
The receiver 191 is further configured to:
receive a third DIAMETER message sent by the second device, where the third DIAMETER message includes an algorithm identifier corresponding to the first algorithm;
the transmitter 194 is further configured to:
send a fourth DIAMETER message to the second device, where the fourth DIAMETER message includes a second extensible authentication protocol payload message, and the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
An embodiment of the present invention provides a terminal 21, as shown in fig. 22, including:
a transmitter 211, configured to send a first extensible authentication protocol payload message to a second device, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the terminal, and the algorithm identifier of the algorithm supported by the terminal is used by the first device or the second device to select a first algorithm, the first algorithm being an algorithm supported by the second device that is the same as the algorithm supported by the terminal;
a receiver 212, configured to receive a second extensible authentication protocol payload message sent by the second device, where the second extensible authentication protocol payload message includes an algorithm identifier corresponding to the first algorithm.
Thus, before the WLCP request message, the terminal sends the first extensible authentication protocol payload message to the second device in an EAP-AKA' procedure, so that the first device or the second device performs algorithm negotiation according to the algorithm identifier of the algorithm supported by the second device and the algorithm identifier of the algorithm supported by the terminal, that is, selects, as the first algorithm, an algorithm supported by the second device that is the same as the algorithm supported by the terminal. The second device and the terminal then receive the algorithm identifier corresponding to the first algorithm in the EAP-AKA' procedure, so that the second device and the terminal acquire the first algorithm, and the WLCP message is encrypted and integrity-protected using the first algorithm. The problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device is thus effectively solved.
As shown in fig. 23, the terminal 21 further includes:
a memory 213 for storing program code;
a processor 214 for calling the program code stored in the memory to execute the following method:
determining whether the terminal supports a multi-connection mode MCM;
the transmitter 211 is specifically configured to:
if the terminal supports the MCM, carry the algorithm identifier of the algorithm supported by the terminal in the first extensible authentication protocol payload message sent by the terminal to the second device.
When the data processing apparatus 17 is a terminal,
the receiver 171 is specifically configured to:
receive a first extensible authentication protocol payload message sent by a second device in an EAP-AKA' procedure, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the second device;
the transmitter 174 is specifically configured to:
send a second extensible authentication protocol payload message to the second device, where the second extensible authentication protocol payload message includes an algorithm identifier corresponding to the first algorithm.
It should be noted that the first extensible authentication protocol payload message is an extensible authentication protocol request message EAP-REQ or an EAP-AKA' notification message EAP-AKA'-Notification, and the second extensible authentication protocol payload message is an extensible authentication protocol response message EAP-RSP or an EAP-AKA' notification message EAP-AKA'-Notification.
An embodiment of the present invention provides a second device 22, where the second device is a trusted wireless local area network node, where the trusted wireless local area network node includes a trusted wireless local area network access gateway TWAG, or includes a TWAG and a trusted wireless local area network authentication authorization accounting proxy TWAP, or includes a TWAP, and as shown in fig. 24, the second device includes:
a transmitter 221, configured to send a first extensible authentication protocol payload message to a terminal, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the second device, and the algorithm identifier of the algorithm supported by the second device is used by the terminal to select a first algorithm, the first algorithm being an algorithm supported by the second device that is the same as the algorithm supported by the terminal;
a receiver 222, configured to receive a second extensible authentication protocol payload message sent by the terminal, where the second extensible authentication protocol payload message includes an algorithm identifier corresponding to the first algorithm;
the transmitter 221 is further configured to:
send a third DIAMETER message to the first device, the third DIAMETER message including the second extensible authentication protocol payload message;
the receiver 222 is further configured to:
receive a fourth DIAMETER message sent by the first device, where the fourth DIAMETER message includes the algorithm identifier corresponding to the first algorithm.
In this way, before the WLCP request message, the second device sends the first extensible authentication protocol payload message to the terminal in an EAP-AKA' procedure, so that the terminal performs algorithm negotiation according to the algorithm identifier of the algorithm supported by the second device and the algorithm identifier of the algorithm supported by the terminal, that is, selects, as the first algorithm, an algorithm supported by the second device that is the same as the algorithm supported by the terminal. The second device then receives the second extensible authentication protocol payload message sent by the terminal, sends the third DIAMETER message to the first device, receives the fourth DIAMETER message sent by the first device, and obtains the algorithm identifier corresponding to the first algorithm. Since the second device receives the algorithm identifier corresponding to the first algorithm in the EAP-AKA' procedure, the second device and the terminal acquire the first algorithm, and the WLCP message is encrypted and integrity-protected using the first algorithm. The problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device is thus effectively solved.
The transmitter 221 is further configured to:
send a first DIAMETER message to the first device, the first DIAMETER message including the algorithm identifier of the algorithm supported by the second device;
the receiver 222 is further configured to:
receive a second DIAMETER message sent by the first device, where the second DIAMETER message includes the first extensible authentication protocol payload message, and the first extensible authentication protocol payload message includes the algorithm identifier of the algorithm supported by the second device.
An embodiment of the present invention provides a first device 23, where the first device is an authentication, authorization, accounting server AAA or a home subscriber server HSS, and as shown in fig. 25, the first device includes:
a receiver 231, configured to receive a third DIAMETER message sent by a second device, where the third DIAMETER message includes a second extensible authentication protocol payload message, and the second extensible authentication protocol payload message includes an algorithm identifier corresponding to a first algorithm;
a transmitter 232, configured to send a fourth DIAMETER message to the second device, where the fourth DIAMETER message includes the algorithm identifier corresponding to the first algorithm.
In this way, before the WLCP request message, in the EAP-AKA' procedure, the first device receives the third DIAMETER message sent by the second device and sends the fourth DIAMETER message to the second device, so that the second device receives the algorithm identifier corresponding to the first algorithm in the EAP-AKA' procedure. The second device and the terminal thereby acquire the first algorithm and encrypt and integrity-protect the WLCP message using the first algorithm, which effectively solves the problem of negotiating, at the WLCP layer, the algorithm supported by the terminal and the algorithm supported by the second device.
The receiver 231 is further configured to:
receive a first DIAMETER message sent by the second device, where the first DIAMETER message includes an algorithm identifier of an algorithm supported by the second device, the algorithm identifier of the algorithm supported by the second device is used by a terminal to select the first algorithm, and the first algorithm is an algorithm supported by the second device that is the same as the algorithm supported by the terminal;
as shown in fig. 26, the first device 23 further includes:
a memory 233 for storing program code;
a processor 234 for calling the program code stored in the memory to execute the following method:
parsing the first DIAMETER message to obtain the algorithm identifier of the algorithm supported by the second device;
the transmitter 232 is further configured to:
send a second DIAMETER message to the second device, the second DIAMETER message including a first extensible authentication protocol payload message, and the first extensible authentication protocol payload message including the algorithm identifier of the algorithm supported by the second device.
An embodiment of the present invention provides a data processing system 24, as shown in fig. 27, including:
a first device 241, a second device 242, and a terminal 243, where
the first device 241 is configured to: receive a first DIAMETER message sent by the second device in an EAP-AKA' procedure, where the first DIAMETER message includes a first extensible authentication protocol payload message and an algorithm identifier of an algorithm supported by the second device, and the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the terminal;
where the sending of the algorithm identifier corresponding to the first algorithm includes:
sending a second DIAMETER message to the second device, where the second DIAMETER message includes a second extensible authentication protocol payload message and the algorithm identifier corresponding to the first algorithm, and the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
The second device 242 is configured to: receive a first extensible authentication protocol payload message sent by the terminal, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the terminal, the algorithm identifier of the algorithm supported by the terminal is used by the first device to select a first algorithm, and the first algorithm is an algorithm supported by the second device that is the same as the algorithm supported by the terminal;
send a first DIAMETER message to the first device, the first DIAMETER message including the first extensible authentication protocol payload message and an algorithm identifier of an algorithm supported by the second device, the algorithm identifier of the algorithm supported by the second device being used by the first device to select the first algorithm;
receive a second DIAMETER message sent by the first device, where the second DIAMETER message includes a second extensible authentication protocol payload message and an algorithm identifier corresponding to the first algorithm, and the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm;
parse the second DIAMETER message to obtain the second extensible authentication protocol payload message and the algorithm identifier corresponding to the first algorithm;
and send the second extensible authentication protocol payload message to the terminal.
The terminal 243 is configured to: send a first extensible authentication protocol payload message to the second device, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the terminal, the algorithm identifier of the algorithm supported by the terminal is used by the first device or the second device to select a first algorithm, and the first algorithm is an algorithm supported by the second device that is the same as the algorithm supported by the terminal;
and receive a second extensible authentication protocol payload message sent by the second device, where the second extensible authentication protocol payload message includes an algorithm identifier corresponding to the first algorithm.
The first device 241 is configured to: receive a first DIAMETER message sent by the second device, where the first DIAMETER message includes a first extensible authentication protocol payload message, the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the terminal, the algorithm identifier of the algorithm supported by the terminal is used by the second device to select a first algorithm, and the first algorithm is an algorithm supported by the second device that is the same as the algorithm supported by the terminal;
parse the first DIAMETER message to obtain the first extensible authentication protocol payload message, and then parse the first extensible authentication protocol payload message to obtain the algorithm identifier of the algorithm supported by the terminal;
send a second DIAMETER message to the second device, the second DIAMETER message including the algorithm identifier of the algorithm supported by the terminal;
receive a third DIAMETER message sent by the second device, where the third DIAMETER message includes an algorithm identifier corresponding to the first algorithm;
and send a fourth DIAMETER message to the second device, where the fourth DIAMETER message includes a second extensible authentication protocol payload message, and the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
The second device 242 is further configured to: receive a first extensible authentication protocol payload message sent by the terminal in an EAP-AKA' procedure, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the terminal;
send a first DIAMETER message to the first device, the first DIAMETER message including the first extensible authentication protocol payload message;
receive a second DIAMETER message sent by the first device, where the second DIAMETER message includes the algorithm identifier of the algorithm supported by the terminal;
where the sending of the algorithm identifier corresponding to the first algorithm includes:
sending a third DIAMETER message to the first device, where the third DIAMETER message includes the algorithm identifier corresponding to the first algorithm;
receiving a fourth DIAMETER message sent by the first device, where the fourth DIAMETER message includes the second extensible authentication protocol payload message, and the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm;
and sending the second extensible authentication protocol payload message to the terminal, where the second extensible authentication protocol payload message includes the algorithm identifier corresponding to the first algorithm.
The first device 241 is configured to: receive a first DIAMETER message sent by the second device, where the first DIAMETER message includes an algorithm identifier of an algorithm supported by the second device, the algorithm identifier of the algorithm supported by the second device is used by the terminal to select a first algorithm, and the first algorithm is an algorithm supported by the second device that is the same as the algorithm supported by the terminal;
parse the first DIAMETER message to obtain the algorithm identifier of the algorithm supported by the second device;
send a second DIAMETER message to the second device, the second DIAMETER message including a first extensible authentication protocol payload message, and the first extensible authentication protocol payload message including the algorithm identifier of the algorithm supported by the second device;
receive a third DIAMETER message sent by the second device, where the third DIAMETER message includes a second extensible authentication protocol payload message, and the second extensible authentication protocol payload message includes an algorithm identifier corresponding to the first algorithm;
and send a fourth DIAMETER message to the second device, where the fourth DIAMETER message includes the algorithm identifier corresponding to the first algorithm.
The second device 242 is further configured to: send a first DIAMETER message to the first device, the first DIAMETER message including an algorithm identifier of an algorithm supported by the second device;
receive a second DIAMETER message sent by the first device, where the second DIAMETER message includes a first extensible authentication protocol payload message, and the first extensible authentication protocol payload message includes the algorithm identifier of the algorithm supported by the second device;
send the first extensible authentication protocol payload message to the terminal, where the first extensible authentication protocol payload message includes the algorithm identifier of the algorithm supported by the second device, the algorithm identifier of the algorithm supported by the second device is used by the terminal to select a first algorithm, and the first algorithm is an algorithm supported by the second device that is the same as the algorithm supported by the terminal;
receive a second extensible authentication protocol payload message sent by the terminal, where the second extensible authentication protocol payload message includes an algorithm identifier corresponding to the first algorithm;
send a third DIAMETER message to the first device, the third DIAMETER message including the second extensible authentication protocol payload message;
and receive a fourth DIAMETER message sent by the first device, where the fourth DIAMETER message includes the algorithm identifier corresponding to the first algorithm.
The terminal 243 is further configured to: receive a first extensible authentication protocol payload message sent by the second device in an EAP-AKA' procedure, where the first extensible authentication protocol payload message includes an algorithm identifier of an algorithm supported by the second device;
where the sending of the algorithm identifier corresponding to the first algorithm includes:
sending a second extensible authentication protocol payload message to the second device, where the second extensible authentication protocol payload message includes an algorithm identifier corresponding to the first algorithm.
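The three system variants above (the first device, the second device, or the terminal selecting the first algorithm) can be exercised end to end with the following added example, which is not code from the patent: the TLV attribute types, the DIAMETER AVP names and the algorithm identifiers 0x01 to 0x03 are assumptions, and EAP header fields are omitted. It also shows the receiving-side check each end should apply: an identifier it never advertised is refused rather than taken as the first algorithm.

```python
"""Constructed model of the pre-WLCP algorithm negotiation carried in EAP-AKA' payloads
and DIAMETER messages. Attribute types, AVP names and algorithm identifiers are hypothetical."""
from typing import Dict, List, Optional

AT_ALG_LIST, AT_ALG_SELECTED = 0xF0, 0xF1  # hypothetical attribute types (not real EAP-AKA' numbering)


def encode_eap_payload(attrs: Dict[int, bytes]) -> bytes:
    """Simplified EAP payload body: a sequence of type/length/value attributes."""
    out = b""
    for atype, value in attrs.items():
        if len(value) > 255:
            raise ValueError("attribute too long")
        out += bytes([atype, len(value)]) + value
    return out


def decode_eap_payload(data: bytes) -> Dict[int, bytes]:
    """Parse the TLV body strictly: a truncated attribute is an error, not a silently shorter list."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        value = data[i + 2:i + 2 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute value")
        attrs[atype] = value
        i += 2 + alen
    return attrs


def select_first_algorithm(second_device_algs: List[int], terminal_algs: List[int]) -> Optional[int]:
    """The first algorithm, in the second device's preference order, that the terminal also supports."""
    for alg in second_device_algs:
        if alg in terminal_algs:
            return alg
    return None


def accept_selected(own_algs: List[int], selected: int) -> bool:
    """An end accepts only a result it actually advertised; anything else is rejected."""
    return selected in own_algs


def negotiate(selector: str, terminal_algs: List[int], second_device_algs: List[int]) -> Optional[int]:
    """Run the exchange with the selecting party given by `selector` ('first_device',
    'second_device' or 'terminal'). DIAMETER messages are modeled as dicts of AVP name -> value.
    Returns the identifier both ends hold after the exchange, or None if negotiation fails."""
    if selector == "terminal":
        # Second device advertises its list in the first payload; the terminal selects.
        first_eap = encode_eap_payload({AT_ALG_LIST: bytes(second_device_algs)})
        offered = list(decode_eap_payload(first_eap)[AT_ALG_LIST])
        chosen = select_first_algorithm(offered, terminal_algs)
        if chosen is None:
            return None
        second_eap = encode_eap_payload({AT_ALG_SELECTED: bytes([chosen])})
        third_diameter = {"EAP-Payload": second_eap}  # second device -> first device
        selected = decode_eap_payload(third_diameter["EAP-Payload"])[AT_ALG_SELECTED][0]
        fourth_diameter = {"Selected-Algorithm": selected}  # first device -> second device
        at_second, at_terminal = fourth_diameter["Selected-Algorithm"], chosen
    else:
        # Terminal advertises its list in the first payload, relayed by the second device.
        first_eap = encode_eap_payload({AT_ALG_LIST: bytes(terminal_algs)})
        first_diameter = {"EAP-Payload": first_eap}  # second device -> first device
        advertised = list(decode_eap_payload(first_diameter["EAP-Payload"])[AT_ALG_LIST])
        if selector == "first_device":
            first_diameter["Supported-Algorithms"] = bytes(second_device_algs)
            chosen = select_first_algorithm(list(first_diameter["Supported-Algorithms"]), advertised)
            if chosen is None:
                return None
            second_eap = encode_eap_payload({AT_ALG_SELECTED: bytes([chosen])})
            second_diameter = {"EAP-Payload": second_eap, "Selected-Algorithm": chosen}
            at_second = second_diameter["Selected-Algorithm"]
        elif selector == "second_device":
            second_diameter = {"Terminal-Algorithms": bytes(advertised)}  # first device -> second device
            chosen = select_first_algorithm(second_device_algs, list(second_diameter["Terminal-Algorithms"]))
            if chosen is None:
                return None
            third_diameter = {"Selected-Algorithm": chosen}
            fourth_diameter = {"EAP-Payload": encode_eap_payload({AT_ALG_SELECTED: bytes([chosen])})}
            second_eap, at_second = fourth_diameter["EAP-Payload"], third_diameter["Selected-Algorithm"]
        else:
            raise ValueError("unknown selector")
        at_terminal = decode_eap_payload(second_eap)[AT_ALG_SELECTED][0]
    # Both ends verify the result against what they themselves support before using it for WLCP.
    if not (accept_selected(terminal_algs, at_terminal) and accept_selected(second_device_algs, at_second)):
        return None
    return at_terminal if at_terminal == at_second else None
```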
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be physically included alone, or two or more units may be integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.