CN107466038A - Method for authenticating and device - Google Patents

Method for authenticating and device

Info

Publication number
CN107466038A
Authority
CN
China
Prior art keywords
authentication
authorization
parameter
vector group
network element
Legal status
Granted
Application number
CN201710481726.5A
Other languages
Chinese (zh)
Other versions
CN107466038B (en)
Inventor
钟焰涛
陈光安
邓伟
邓一伟
郑倩
Current Assignee
Yulong Computer Telecommunication Scientific Shenzhen Co Ltd
Original Assignee
Yulong Computer Telecommunication Scientific Shenzhen Co Ltd
Timeline
Application CN201710481726.5A filed by Yulong Computer Telecommunication Scientific Shenzhen Co Ltd
Publication of CN107466038A
Application granted; publication of CN107466038B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication

Abstract

The embodiments of the invention disclose an authentication method and device. The method includes: receiving a first authentication vector group, a second authentication vector group and a reference authorization value sent by a core network element; when mutual authentication with the core network element is determined to be successful according to the second authentication vector group, generating an authorization vector from the reference authorization value and a second authorization parameter that is generated with a message authentication function from the second authentication vector group; sending the first authentication vector group, the reference authorization value and the authorization vector to a terminal; and, when the terminal determines according to the first authentication vector group that mutual authentication with the core network element is successful, performing mutual authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value. With the invention, access authorization can be achieved when a terminal accesses the core network element through a terminal small cell, ensuring communication security.

Description

Method for authenticating and device
Technical field
The present invention relates to the field of communication technology, and in particular to an authentication method and device.
Background technology
In the research, development and innovation of terminals for fifth-generation mobile communication technology (5-Generation, 5G), a 5G terminal is turned into a base station by means of a terminal small cell (Terminal Small Cell, T-SC). Besides transmitting at higher speed and communicating more flexibly and more securely, a 5G terminal will aggregate Internet of Things services and provide an aggregation function for other terminals, that is, it will support terminal-based cell access.
In a communication system based on a terminal small cell, as shown in Fig. 1, access between a remote terminal and the core network is realized through the terminal small cell. The authentication involved therefore includes: 1. authorization of the terminal small cell by the core network element; 2. mutual authentication between the terminal and the terminal small cell; 3. mutual authentication between the terminal and the core network element; 4. mutual authentication between the terminal and the terminal small cell.
However, the existing Long Term Evolution (LTE) authentication mechanism is only used for authentication between a terminal and a core network element. Those skilled in the art therefore still need to study the technical problem of complex authentication in the terminal small cell scenario.
The content of the invention
The embodiments of the invention provide an authentication method and device, to solve the technical problem that the LTE authentication mechanism of the prior art is only used for authentication between a terminal and a core network element and cannot realize the complex authentication required in the terminal small cell scenario.
In a first aspect, the invention provides an authentication method, including:
receiving a first authentication vector group, a second authentication vector group and a reference authorization value sent by the core network element, where the reference authorization value is generated by the core network element using a message authentication function from the first authentication vector group and the second authentication vector group;
when mutual authentication with the core network element is determined to be successful according to the second authentication vector group, generating an authorization vector from the reference authorization value and a second authorization parameter that is generated with the message authentication function from the second authentication vector group;
sending the first authentication vector group, the reference authorization value and the authorization vector to the terminal;
when the terminal determines according to the first authentication vector group that mutual authentication with the core network element is successful, performing mutual authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value.
With reference to the first aspect, in a first possible implementation of the first aspect, the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key; the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the reference authorization value is generated by the core network element using the message authentication function from a first authorization parameter and the second authorization parameter, where the first authorization parameter is generated by the core network element using the message authentication function from the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element using the message authentication function from the second encryption key and the second random number in the second authentication vector group.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, performing mutual authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value further includes: generating a third authorization parameter using the message authentication function from the first encryption key and the first random number; obtaining the second authorization parameter of the authorization vector and the reference authorization value; generating a target authorization value using the message authentication function from the third authorization parameter and the second authorization parameter; and, when the target authorization value equals the reference authorization value, the mutual authentication with the terminal succeeds.
In a second aspect, the invention also provides an authentication method, including:
receiving a first authentication vector group, a reference authorization value and an authorization vector sent by the terminal small cell, where the first authentication vector group is sent by the core network element through the terminal small cell, the reference authorization value is generated by the core network element using a message authentication function from the first authentication vector group and a second authentication vector group, and the authorization vector is generated from the reference authorization value and a second authorization parameter that the core network element generates with the message authentication function from the second authentication vector group;
performing mutual authentication with the core network element according to the first authentication vector group and, when mutual authentication with the core network element is successful, performing mutual authentication with the terminal small cell using the first authentication vector group, the authorization vector and the reference authorization value.
With reference to the second aspect, in a first possible implementation of the second aspect, the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key; the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the reference authorization value is generated by the core network element using the message authentication function from a first authorization parameter and the second authorization parameter, where the first authorization parameter is generated by the core network element using the message authentication function from the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element using the message authentication function from the second encryption key and the second random number in the second authentication vector group.
With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, performing mutual authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value further includes: generating a third authorization parameter using the message authentication function from the first encryption key and the first random number; obtaining the second authorization parameter of the authorization vector and the reference authorization value; generating a target authorization value using the message authentication function from the third authorization parameter and the second authorization parameter; and, when the target authorization value equals the reference authorization value, the mutual authentication with the terminal succeeds.
In a third aspect, the invention provides an authentication device, including:
a first transport module, for receiving a first authentication vector group, a second authentication vector group and a reference authorization value sent by the core network element, where the reference authorization value is generated by the core network element using a message authentication function from the first authentication vector group and the second authentication vector group;
a first authentication module, for generating, when mutual authentication with the core network element is determined to be successful according to the second authentication vector group, an authorization vector from the reference authorization value and a second authorization parameter that is generated with the message authentication function from the second authentication vector group;
a second transport module, for sending the first authentication vector group, the reference authorization value and the authorization vector to the terminal;
a second authentication module, for performing, when the terminal determines according to the first authentication vector group that mutual authentication with the core network element is successful, mutual authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value.
With reference to the third aspect, in a first possible implementation of the third aspect, the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key; the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
With reference to the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the reference authorization value is generated by the core network element using the message authentication function from a first authorization parameter and the second authorization parameter, where the first authorization parameter is generated by the core network element using the message authentication function from the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element using the message authentication function from the second encryption key and the second random number in the second authentication vector group.
With reference to the second possible implementation of the third aspect, in a third possible implementation of the third aspect, the second authentication module is further used for generating a third authorization parameter using the message authentication function from the first encryption key and the first random number; obtaining the second authorization parameter of the authorization vector and the reference authorization value; generating a target authorization value using the message authentication function from the third authorization parameter and the second authorization parameter; and, when the target authorization value equals the reference authorization value, determining that the mutual authentication with the terminal succeeds.
In a fourth aspect, the invention also provides an authentication device, including:
a third transport module, for receiving a first authentication vector group, a reference authorization value and an authorization vector sent by the terminal small cell, where the first authentication vector group is sent by the core network element through the terminal small cell, the reference authorization value is generated by the core network element using a message authentication function from the first authentication vector group and a second authentication vector group, and the authorization vector is generated from the reference authorization value and a second authorization parameter that the core network element generates with the message authentication function from the second authentication vector group;
a third authentication module, for performing mutual authentication with the core network element according to the first authentication vector group and, when mutual authentication with the core network element is successful, performing mutual authentication with the terminal small cell using the first authentication vector group, the authorization vector and the reference authorization value.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key; the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
With reference to the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the reference authorization value is generated by the core network element using the message authentication function from a first authorization parameter and the second authorization parameter, where the first authorization parameter is generated by the core network element using the message authentication function from the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element using the message authentication function from the second encryption key and the second random number in the second authentication vector group.
With reference to the second possible implementation of the fourth aspect, in a third possible implementation of the fourth aspect, the third authentication module is further used for generating a third authorization parameter using the message authentication function from the first encryption key and the first random number; obtaining the second authorization parameter of the authorization vector and the reference authorization value; generating a target authorization value using the message authentication function from the third authorization parameter and the second authorization parameter; and, when the target authorization value equals the reference authorization value, determining that the mutual authentication with the terminal succeeds.
Implementing the embodiments of the invention has the following beneficial effects:
With the above authentication method and device, when a terminal requests access to the core network element through the terminal small cell, the core network element generates a first authentication vector group and a second authentication vector group and uses a message authentication function to generate a reference authorization value from them. The terminal small cell receives the first authentication vector group, the second authentication vector group and the reference authorization value sent by the core network element, determines according to the second authentication vector group whether mutual authentication between the terminal small cell and the core network element succeeds and, if so, generates an authorization vector from the reference authorization value. The terminal receives the first authentication vector group, the reference authorization value and the authorization vector sent by the terminal small cell, determines according to the first authentication vector group whether mutual authentication with the core network element succeeds and, if so, performs mutual authentication with the terminal small cell using the first authentication vector group, the authorization vector and the reference authorization value. Authentication is thus performed when the terminal small cell provides access service to a remote terminal, ensuring pairwise authentication among the terminal, the terminal small cell and the core network element, and ensuring communication security.
Brief description of the drawings
To describe the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings required for the description of the embodiments or the prior art are briefly introduced below. Evidently, the drawings in the following description are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Wherein:
Fig. 1 is a schematic diagram of a communication system based on a terminal small cell according to an embodiment of the invention;
Fig. 2 is a flow chart of LTE generation of an authentication vector group according to an embodiment of the invention;
Fig. 3 is a flow chart of an LTE authentication mechanism according to an embodiment of the invention;
Fig. 4 is a schematic structural diagram of generating an authorization vector according to an embodiment of the invention;
Fig. 5 is a flow chart of an authentication method according to an embodiment of the invention;
Fig. 6 is a flow chart of a mutual authentication method between a terminal small cell and a terminal according to an embodiment of the invention;
Fig. 7 is a flow chart of another authentication method according to an embodiment of the invention;
Fig. 8 is a structural diagram of an authentication device according to an embodiment of the invention;
Fig. 9 is a structural diagram of another authentication device according to an embodiment of the invention;
Fig. 10 is a timing diagram of an authentication system according to an embodiment of the invention;
Fig. 11 is a schematic structural diagram of a computer device implementing the authentication method in one embodiment.
Embodiment
The technical solutions of the embodiments of the invention are described clearly and completely below with reference to the drawings of the embodiments. Evidently, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
In the existing LTE authentication mechanism, the authentication vector group generated by the core network element contains five parameter values: a random number (Random Challenge, RAND), an expected response (Expected Response, XRES), an encryption key (Ciphering Key, CK), an integrity protection key (Integrity Key, IK) and an authentication token (Authentication Token, AUTN). RAND is an unpredictable random number that the core network element supplies to the terminal, of length 16 octets; XRES is compared with the RES (or RES+RES_EXT) produced by the terminal to decide whether authentication succeeds, and is 4-16 octets long; CK is 16 octets long; IK is 16 octets long; AUTN is used for authentication between the terminal and the core network element and is 17 octets long.
In the flow for generating an LTE authentication vector group shown in Fig. 2, the message authentication code (Message Authentication Code, MAC), XRES, CK, IK and the anonymity key (AK) are generated from the sequence number (Sequence, SQN), RAND, the key K and the authentication and key management field (Authentication and Key Management Field, AMF). The calculation is as follows:
Message authentication code MAC = f1_K(SQN || RAND || AMF), where f1 is a message authentication function;
Expected response XRES = f2_K(RAND), where f2 is a (possibly truncated) message authentication function;
Encryption key CK = f3_K(RAND), where f3 is a key generating function;
Integrity protection key IK = f4_K(RAND), where f4 is a key generating function;
Anonymity key AK = f5_K(RAND), where f5 is a key generating function or f5 ≡ 0.
Then the authentication token AUTN and the authentication vector (Authentication Vector, AV) are constructed as follows:
Authentication token AUTN (its construction is not reproduced in this text);
Authentication vector AV := RAND || XRES || CK || IK || AUTN.
From the above calculation the five parameter values contained in the authentication vector group are obtained: the random number RAND, the expected response XRES, the encryption key CK, the integrity protection key IK and the authentication token AUTN.
In the LTE authentication procedure shown in Fig. 3, the authentication token AUTN is verified first. To verify AUTN, the anonymity key AK = f5_K(RAND) is computed and the sequence number SQN is recovered with it; the expected message authentication code XMAC = f1_K(SQN || RAND || AMF) is then computed and compared with the message authentication code MAC contained in AUTN. If they differ, the authentication procedure is abandoned. At the same time the received sequence number SQN is checked to be within the valid range; if it is not, authentication fails. If both the XMAC check and the SQN check pass, authentication of the core network element by the remote UE is complete. Finally, the encryption key CK and the integrity protection key IK are computed.
The message authentication function f2 is an existing algorithm of the LTE standard; its generation process is shown in Fig. 4. The algorithm has two inputs and one output.
It should be noted that the embodiments of the invention take the prior art only as an example, so as to be compatible with the existing authentication procedure and improve the compatibility of the authentication method. Other ways of defining the authentication vector group and the message authentication function are not excluded; that is, other definitions may be included, and the invention does not limit this.
In this embodiment, the terminal may specifically be a personal computer, a server computer, a hand-held or laptop device, a consumer electronic device, a mobile device (such as a smartphone, tablet computer or media player), a multiprocessor system and the like, and may of course also be a base station. The specific embodiments of the invention do not limit the form of the terminal.
To solve the technical problem that the LTE authentication mechanism of the prior art is only used for authentication between a terminal and a core network element and cannot realize the complex authentication required in the terminal small cell scenario, the first aspect of the invention provides an authentication method based on a terminal small cell. In the communication system based on a terminal small cell shown in Fig. 1, access between a remote terminal and the core network element is realized through the terminal small cell. When a terminal accesses the terminal small cell, the terminal small cell forwards the terminal's access request to the core network element, and pairwise authentication is performed among the terminal small cell, the terminal and the core network element. The core network element may include a terminal small cell gateway (T-SC Gateway, T-SC GW), a core network element provided by the equipment vendor (Evolved Packet Core network, EPC) and a core network element provided by the operator (Operator Evolved Packet Core network, Operator EPC), where the operator's core network element includes a mobility management entity (Mobility Management Entity, MME), a home subscriber server (Home Subscriber Server, HSS), a serving gateway (Serving Gateway, S-GW), a public data network gateway (Public Data Network Gateway, P-GW) and so on.
Specifically, as shown in figure 5, a kind of method for authenticating, including:
Step S102:The first authentication vector group, the second authentication vector group and reference that core network element is sent is received to authorize Value.
In the present embodiment, the first authentication vector group is used for core network element and terminal and carries out bi-directional authentification, second authenticate to Amount group carries out bi-directional authentification for core network element and the small base station of terminated.
Optionally, the first authentication vector group includes the first random number, the first authentication parameter, first it is expected authentication parameter, the One encryption key and the first Integrity Key;Second authentication vector group includes the second random number, the second authentication parameter, the second expectation Authentication parameter, the second encryption key and the second Integrity Key.
Wherein, the first random number that can obtain the first authentication vector group respectively according to existing LTE authentication mechanism includes is RAND1, the first authentication parameter are the authentication parameter AUTN1 of terminal-pair core network element, and first it is expected that authentication parameter is core net Network element is to the authentication parameter XRES1 of terminal, and the first encryption key is CK1, and the first Integrity Key is IK1;Second authentication vector The second random number that group includes is RAND2, the second authentication parameter for terminal-pair core network element authentication parameter AUTN2, second It is expected authentication parameter for core network element to the authentication parameter XRES2 of terminal, the second encryption key is CK2, and the second integrality is close Key is IK2.The authentication mechanism for the authentication vector group that core network element generates in the existing LTE used, authenticated so that compatibility is existing Journey, improve the compatibility of authentication.
In the present embodiment, with reference to authorization value be core network element using message authentication function according to the first authentication vector group and The generation of second authentication vector group.
According to the message authentication function f2 algorithms of existing LTE standard, specific generating process is as shown in figure 4, the first mirror The first encryption key CK1 and the first random parameter RAND 1 in weight vector group generate the first authorization parameter W1, similarly, the second authentication The second encryption key CK2 and the second random parameter RAND 2 in Vector Groups generate the second authorization parameter W2, then first authorize ginseng Number and the generation of the second authorization parameter refer to authorization value WARR.
Step S104: when it is determined from the second authentication vector group that the bi-directional authentication with the core network element has succeeded, generate an authorization vector from the reference authorization value and the second authorization parameter, the latter being generated with the message authentication function from the second authentication vector group.
In this embodiment, whether the bi-directional authentication between the terminalized small base station and the core network element has succeeded can be determined from the second authentication vector group according to the existing LTE authentication mechanism; if so, an authorization vector is generated from the reference authorization value that the core network element sent to the terminalized small base station. The authorization vector consists of the second authorization parameter and the reference authorization value.
Specifically, the bi-directional authentication between the terminalized small base station and the core network element succeeds when the expected message authentication code XMAC2 generated from the second authentication vector group equals the received message authentication code MAC2 and the received sequence number SQN2 is verified to lie within the valid range.
Step S106: send the first authentication vector group, the reference authorization value and the authorization vector to the terminal.
In this embodiment, the terminal receives the first authentication vector group, the reference authorization value and the authorization vector sent by the terminalized small base station. The first authentication vector group is used for bi-directional authentication between the terminal and the core network element; the reference authorization value and the authorization vector are used for bi-directional authentication between the terminal and the terminalized small base station and for confirming the reference authorization value that the core network element assigned to the terminalized small base station.
Step S108: when the terminal has determined from the first authentication vector group that the bi-directional authentication with the core network element has succeeded, perform bi-directional authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value.
In this embodiment, whether the bi-directional authentication between the terminal and the core network element has succeeded can be determined from the first authentication vector group according to the existing LTE authentication mechanism; if so, a target authorization value is generated with the message authentication function from the reference authorization value and the authorization vector that the terminalized small base station sent to the terminal. When the target authorization value equals the reference authorization value, the bi-directional authentication with the terminal succeeds.
The bi-directional authentication between the terminal and the core network element proceeds as follows: when the expected message authentication code XMAC1 generated from the first authentication vector group equals the message authentication code MAC1, and the received sequence number SQN1 is verified to lie within the valid range, the bi-directional authentication between the terminal and the core network element succeeds.
The flow of the bi-directional authentication between the terminalized small base station and the terminal is shown in Fig. 6. The terminal uses the message authentication function to generate a third authorization value W3 from the first authentication vector group, then obtains the reference authorization value and the second authorization parameter W2 from the authorization vector, generates a target authorization value from the third authorization value W3 and the second authorization parameter W2 using the message authentication function, and finally determines whether the target authorization value equals the reference authorization value; if so, the bi-directional authentication between the terminalized small base station and the terminal succeeds.
A second aspect of the present invention provides another authentication method, as shown in Fig. 7, comprising:
Step S202: receive the first authentication vector group, the reference authorization value and the authorization vector sent by the terminalized small base station.
In this embodiment, the first authentication vector group is sent by the core network element via the terminalized small base station and is used for bi-directional authentication between the core network element and the terminal; it includes the first random number, the first authentication parameter, the first expected authentication parameter, the first encryption key and the first integrity key.
Optionally, the core network element generates the message authentication code MAC, the expected response XRES, the encryption key CK, the integrity protection key IK and the anonymity key AK from the sequence number SQN, the random number RAND, the key K and the authentication and key management field AMF, and then constructs the authentication token AUTN and the authentication vector AV. Thus, in the first authentication vector group, the first random number is RAND1, the first authentication parameter is the authentication parameter AUTN1 with which the terminal authenticates the core network element, the first expected authentication parameter is the parameter XRES1 with which the core network element authenticates the terminal, the first encryption key is CK1, and the first integrity key is IK1. The core network element generates the authentication vector groups with the existing LTE authentication mechanism, so the existing authentication procedure remains compatible and the compatibility of the authentication is improved.
Similarly, the core network element generates the second authentication vector group for bi-directional authentication between the terminalized small base station and the core network element. After determining that this bi-directional authentication has succeeded, the core network element authorizes the terminalized small base station and assigns it a reference authorization value.
Using the existing LTE authentication mechanism, the bi-directional authentication between the terminalized small base station and the core network element succeeds when the expected message authentication code XMAC2 generated from the second authentication vector group equals the message authentication code MAC2 and the received sequence number SQN2 is verified to lie within the valid range.
In this embodiment, the reference authorization value is generated by the core network element using the message authentication function from the first and second authentication vector groups, and the authorization vector is generated from the reference authorization value and the second authorization parameter, which the core network element generates using the message authentication function from the second authentication vector group.
Using the existing message authentication function f2 algorithm, as shown in Fig. 4, the first encryption key CK1 and the first random number RAND1 in the first authentication vector group generate the first authorization parameter W1. Similarly, the second encryption key CK2 and the second random number RAND2 in the second authentication vector group generate the second authorization parameter W2; the reference authorization value WARR is then generated from the first authorization parameter and the second authorization parameter.
Step S204: perform bi-directional authentication with the core network element using the first authentication vector group, and when that authentication has succeeded, perform bi-directional authentication with the terminalized small base station using the first authentication vector group, the authorization vector and the reference authorization value.
According to the existing LTE authentication mechanism, the bi-directional authentication between the terminal and the core network element succeeds when the expected message authentication code XMAC1 generated from the first authentication vector group equals the message authentication code MAC1 and the received sequence number SQN1 is verified to lie within the valid range.
A target authorization value is generated with the message authentication function from the reference authorization value and the authorization vector that the terminalized small base station sent to the terminal; when the target authorization value equals the reference authorization value, the bi-directional authentication with the terminal succeeds.
The flow of the bi-directional authentication between the terminalized small base station and the terminal is shown in Fig. 6. The terminal uses the message authentication function to generate a third authorization value W3 from the first authentication vector group, then obtains the reference authorization value and the second authorization parameter W2 from the authorization vector, generates a target authorization value from the third authorization value W3 and the second authorization parameter W2 using the message authentication function, and finally determines whether the target authorization value equals the reference authorization value; if so, the bi-directional authentication between the terminalized small base station and the terminal succeeds.
A third aspect of the present invention provides an authentication device, as shown in Fig. 8. The authentication device includes a first transmission module 102, a first authentication module 104, a second transmission module 106 and a second authentication module 108, wherein:
the first transmission module 102 is configured to receive the first authentication vector group, the second authentication vector group and the reference authorization value sent by the core network element, the reference authorization value being generated by the core network element using the message authentication function from the first authentication vector group and the second authentication vector group;
the first authentication module 104 is configured, when it is determined from the second authentication vector group that the bi-directional authentication with the core network element has succeeded, to generate an authorization vector from the reference authorization value and the second authorization parameter generated using the message authentication function from the second authentication vector group;
the second transmission module 106 is configured to send the first authentication vector group, the reference authorization value and the authorization vector to the terminal;
the second authentication module 108 is configured, when the terminal has determined from the first authentication vector group that the bi-directional authentication with the core network element has succeeded, to perform bi-directional authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value.
With reference to the third aspect, in a first possible implementation of the third aspect, the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key; the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
With reference to the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the reference authorization value is generated by the core network element using the message authentication function from a first authorization parameter and a second authorization parameter, where the first authorization parameter is generated by the core network element using the message authentication function from the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element using the message authentication function from the second encryption key and the second random number in the second authentication vector group.
With reference to the second possible implementation of the third aspect, in a third possible implementation of the third aspect, the second authentication module 108 is further configured to generate a third authorization parameter from the first encryption key and the first random number using the message authentication function; obtain the second authorization parameter and the reference authorization value from the authorization vector; generate a target authorization value from the third authorization parameter and the second authorization parameter using the message authentication function; and, when the target authorization value equals the reference authorization value, conclude that the bi-directional authentication with the terminal has succeeded.
It will be appreciated that the functions of the functional modules of the authentication device of this embodiment can be implemented according to the method embodiment of Fig. 5 described above, and are not repeated here.
A fourth aspect of the present invention provides another authentication device, as shown in Fig. 9. The authentication device includes a third transmission module 202 and a third authentication module 204, wherein:
the third transmission module 202 is configured to receive the first authentication vector group, the reference authorization value and the authorization vector sent by the terminalized small base station; the first authentication vector group is sent by the core network element via the terminalized small base station, the reference authorization value is generated by the core network element using the message authentication function from the first authentication vector group and the second authentication vector group, and the authorization vector is generated from the reference authorization value and the second authorization parameter that the core network element generates using the message authentication function from the second authentication vector group;
the third authentication module 204 is configured to perform bi-directional authentication with the core network element using the first authentication vector group and, when that authentication has succeeded, to perform bi-directional authentication with the terminalized small base station using the first authentication vector group, the authorization vector and the reference authorization value.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key; the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
With reference to the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the reference authorization value is generated by the core network element using the message authentication function from a first authorization parameter and a second authorization parameter, where the first authorization parameter is generated by the core network element using the message authentication function from the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element using the message authentication function from the second encryption key and the second random number in the second authentication vector group.
With reference to the second possible implementation of the fourth aspect, in a third possible implementation of the fourth aspect, the third authentication module 204 is further configured to generate a third authorization parameter from the first encryption key and the first random number using the message authentication function; obtain the second authorization parameter and the reference authorization value from the authorization vector; generate a target authorization value from the third authorization parameter and the second authorization parameter using the message authentication function; and, when the target authorization value equals the reference authorization value, conclude that the bi-directional authentication with the terminal has succeeded.
It will be appreciated that the functions of the functional modules of the authentication device of this embodiment can be implemented according to the method embodiment of Fig. 7 described above, and are not repeated here.
In addition, a fifth aspect of the present invention proposes an authentication system. In the authentication system based on the terminalized small base station shown in Fig. 1, access between a remote terminal and the core network element is provided through the terminalized small base station. When a terminal accesses the terminalized small base station, the small base station forwards the terminal's access request to the core network element, and the small base station, the terminal and the core network element authenticate one another pairwise.
Specifically, the timing diagram of the authentication system is shown in Fig. 10. The system includes a core network element 302, a terminalized small base station 304 connected to the core network element 302, and a terminal 306 connected to the terminalized small base station 304, wherein:
Step S302: the core network element 302 generates the first authentication vector group and the second authentication vector group, and generates the reference authorization value from them using the message authentication function.
In this embodiment, the first authentication vector group is used for bi-directional authentication between the core network element 302 and the terminal 306, and the second authentication vector group for bi-directional authentication between the core network element 302 and the terminalized small base station 304. The first authentication vector group includes the first random number, the first authentication parameter, the first expected authentication parameter, the first encryption key and the first integrity key; the second authentication vector group includes the second random number, the second authentication parameter, the second expected authentication parameter, the second encryption key and the second integrity key.
Optionally, according to the existing LTE authentication mechanism, the elements of the first authentication vector group are: the first random number RAND1; the first authentication parameter AUTN1, with which the terminal 306 authenticates the core network element 302; the first expected authentication parameter XRES1, with which the core network element 302 authenticates the terminal 306; the first encryption key CK1; and the first integrity key IK1. The elements of the second authentication vector group are: the second random number RAND2; the second authentication parameter AUTN2, with which the terminalized small base station 304 authenticates the core network element 302; the second expected authentication parameter XRES2, with which the core network element 302 authenticates the terminalized small base station 304; the second encryption key CK2; and the second integrity key IK2. The core network element 302 generates the authentication vector groups with the existing LTE authentication mechanism, so the existing authentication procedure remains compatible and the compatibility of the authentication is improved.
In this embodiment, the reference authorization value is generated by the core network element 302 using the message authentication function from the first authentication vector group and the second authentication vector group.
Using the message authentication function f2 algorithm of the existing LTE standard, the generation process is as shown in Fig. 4: the first encryption key CK1 and the first random number RAND1 in the first authentication vector group generate the first authorization parameter W1; similarly, the second encryption key CK2 and the second random number RAND2 in the second authentication vector group generate the second authorization parameter W2; the reference authorization value WARR is then generated from the first authorization parameter W1 and the second authorization parameter W2.
Step S304: the core network element 302 sends the first authentication vector group, the second authentication vector group and the reference authorization value to the terminalized small base station 304.
In this embodiment, the first authentication vector group is used for bi-directional authentication between the terminal 306 and the core network element 302, the second authentication vector group for bi-directional authentication between the terminalized small base station 304 and the core network element 302, and the reference authorization value is the authorization value assigned by the core network element 302 to the terminalized small base station 304, usable for bi-directional authentication between the terminalized small base station 304 and the terminal 306.
Step S306: when the terminalized small base station 304 has determined from the second authentication vector group that the bi-directional authentication with the core network element 302 has succeeded, it generates the authorization vector from the reference authorization value, the message authentication function and the second authentication vector group.
In this implementation, the terminalized small base station 304 is further configured to generate the authorization vector from the reference authorization value, the message authentication function and the second authentication vector group once it has determined from the second authentication vector group that the bi-directional authentication with the core network element 302 has succeeded.
Whether the bi-directional authentication between the terminalized small base station and the core network element has succeeded can be determined from the second authentication vector group according to the existing LTE authentication mechanism; if so, the authorization vector is generated from the reference authorization value that the core network element sent to the terminalized small base station. The authorization vector consists of the second authorization parameter and the reference authorization value.
Specifically, the bi-directional authentication between the terminalized small base station and the core network element succeeds when the expected message authentication code XMAC2 generated from the second authentication vector group equals the message authentication code MAC2 and the received sequence number SQN2 is verified to lie within the valid range.
Step S308: the terminalized small base station 304 sends the first authentication vector group, the reference authorization value and the authorization vector to the terminal 306.
In this embodiment, the terminal 306 receives the first authentication vector group, the reference authorization value and the authorization vector sent by the terminalized small base station 304. The first authentication vector group is used for bi-directional authentication between the terminal 306 and the core network element 302; the reference authorization value and the authorization vector are used for bi-directional authentication between the terminal 306 and the terminalized small base station 304 and for confirming the authorization value that the core network element 302 assigned to the terminalized small base station 304.
Step S310: when the terminal 306 has determined from the first authentication vector group that the bi-directional authentication with the core network element 302 has succeeded, it performs bi-directional authentication with the terminalized small base station 304 using the first authentication vector group, the authorization vector and the reference authorization value.
In this embodiment, whether the bi-directional authentication between the terminal 306 and the core network element 302 has succeeded can be determined from the first authentication vector group according to the existing LTE authentication mechanism; if so, a target authorization value is generated with the message authentication function from the reference authorization value and the authorization vector that the terminalized small base station 304 sent to the terminal 306. When the target authorization value equals the reference authorization value, the bi-directional authentication with the terminal succeeds.
The bi-directional authentication between the terminal 306 and the core network element 302 proceeds as follows: when the expected message authentication code XMAC1 generated from the first authentication vector group equals the message authentication code MAC1, and the received sequence number SQN1 is verified to lie within the valid range, the bi-directional authentication between the terminal and the core network element succeeds.
The flow of the bi-directional authentication between the terminalized small base station 304 and the terminal 306 is shown in Fig. 6. The terminal uses the message authentication function to generate a third authorization value W3 from the first authentication vector group, then obtains the reference authorization value and the second authorization parameter W2 from the authorization vector, generates a target authorization value from the third authorization value W3 and the second authorization parameter W2 using the message authentication function, and finally determines whether the target authorization value equals the reference authorization value; if so, the bi-directional authentication between the terminalized small base station 304 and the terminal 306 succeeds.
In summary, after the terminal requests access to the core network element through the terminalized small base station, the core network element generates the first authentication vector group and the second authentication vector group and generates the reference authorization value from them using the message authentication function. The terminalized small base station receives the first authentication vector group, the second authentication vector group and the reference authorization value sent by the core network element, determines from the second authentication vector group whether its bi-directional authentication with the core network element has succeeded, and, if so, generates the authorization vector from the reference authorization value. The terminal receives the first authentication vector group, the reference authorization value and the authorization vector sent by the terminalized small base station, determines from the first authentication vector group whether its bi-directional authentication with the core network element has succeeded, and, if so, performs bi-directional authentication with the terminalized small base station using the first authentication vector group, the authorization vector and the reference authorization value. Authentication can therefore be performed when a terminalized small base station provides access service to a remote terminal, ensuring pairwise authentication among the terminal, the terminalized small base station and the core network element and securing the communication.
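The whole three-party flow summarized above (steps S302 to S310, together with the per-vector generation of MAC, XRES, CK, IK, AK and AUTN from SQN, RAND, K and AMF described earlier) as a simulation in Python. This is example code added here, not code from the patent or its assignee. It uses HMAC-SHA256 as a stand-in for the LTE f1 to f5 functions and for the patent's message authentication function (the real functions are those of 3GPP TS 35.206 and are not reproduced), and all keys, RAND values and sequence numbers are constructed test material. The function names (core_step, small_cell_step, terminal_step, verify_core, auth_param, reference_value), the SQN acceptance window of 32, the 8-byte MAC/XRES lengths and the choice to have the terminal derive CK1 from its own key K, as a USIM does, rather than read it from the received vector, are assumptions of this example.

```python
"""Simulation of the three-party flow of steps S302 to S310 above.

Added example, not the patent's own code.  The keyed functions are HMAC-SHA256
stand-ins for the LTE f1..f5 (MILENAGE) functions of 3GPP TS 35.206 and for the
patent's message authentication function.  Keys, RAND values and sequence
numbers are constructed test values.
"""
import hashlib
import hmac
from dataclasses import dataclass

SQN_LEN = 6
AMF = b"\x80\x00"
SQN_WINDOW = 32   # constructed bound for the "SQN within the valid range" check

def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed PRF standing in for f1..f5 and the authorization MAC (assumption)."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_keys(k: bytes, rand: bytes):
    """CK, IK, AK from the long-term key K and RAND (f3, f4, f5 stand-ins)."""
    return (prf(k, b"f3", rand)[:16], prf(k, b"f4", rand)[:16],
            prf(k, b"f5", rand)[:SQN_LEN])

@dataclass
class AuthVector:        # one "authentication vector group": RAND, AUTN, XRES, CK, IK
    rand: bytes
    autn: bytes          # (SQN xor AK) || AMF || MAC
    xres: bytes
    ck: bytes
    ik: bytes

def generate_av(k: bytes, sqn: int, rand: bytes) -> AuthVector:
    """Core-network side: MAC, XRES, CK, IK, AK from SQN, RAND, K, AMF, then AUTN."""
    sqn_b = sqn.to_bytes(SQN_LEN, "big")
    mac = prf(k, b"f1", sqn_b, rand, AMF)[:8]
    xres = prf(k, b"f2", rand)[:8]
    ck, ik, ak = derive_keys(k, rand)
    return AuthVector(rand, xor(sqn_b, ak) + AMF + mac, xres, ck, ik)

def verify_core(k: bytes, rand: bytes, autn: bytes, last_sqn: int) -> bool:
    """Peer side of LTE AKA: XMAC must equal MAC and SQN must be in the window."""
    conc, amf, mac = autn[:SQN_LEN], autn[SQN_LEN:SQN_LEN + 2], autn[SQN_LEN + 2:]
    _, _, ak = derive_keys(k, rand)
    sqn_b = xor(conc, ak)
    xmac = prf(k, b"f1", sqn_b, rand, amf)[:8]
    sqn = int.from_bytes(sqn_b, "big")
    return hmac.compare_digest(xmac, mac) and last_sqn < sqn <= last_sqn + SQN_WINDOW

def auth_param(ck: bytes, rand: bytes) -> bytes:
    """Authorization parameter W = MAC_CK(RAND): W1, W2 and the terminal's W3."""
    return prf(ck, b"W", rand)

def reference_value(wa: bytes, wb: bytes) -> bytes:
    """WARR, and the terminal's target value, from two authorization parameters."""
    return prf(wa, b"WARR", wb)

def core_step(k_t, k_s, sqn_t, sqn_s, rand1, rand2):
    """S302: AV1 for the terminal, AV2 for the small base station, and WARR."""
    av1, av2 = generate_av(k_t, sqn_t, rand1), generate_av(k_s, sqn_s, rand2)
    warr = reference_value(auth_param(av1.ck, av1.rand), auth_param(av2.ck, av2.rand))
    return av1, av2, warr

def small_cell_step(k_s, av2: AuthVector, warr: bytes, last_sqn: int):
    """S306: authenticate the core with AV2, then form the authorization vector."""
    if not verify_core(k_s, av2.rand, av2.autn, last_sqn):
        return None
    return (auth_param(av2.ck, av2.rand), warr)        # (W2, WARR)

def terminal_step(k_t, av1: AuthVector, warr: bytes, auth_vec, last_sqn: int) -> bool:
    """S310: authenticate the core with AV1, then the small base station via WARR."""
    if not verify_core(k_t, av1.rand, av1.autn, last_sqn):
        return False
    ck1, _, _ = derive_keys(k_t, av1.rand)   # CK1 derived locally, as a USIM does
    w2, _ = auth_vec
    target = reference_value(auth_param(ck1, av1.rand), w2)   # f(W3, W2)
    return hmac.compare_digest(target, warr)

# Constructed test material: long-term keys of terminal and small base station.
K_T, K_S = b"T" * 16, b"S" * 16
RAND1, RAND2 = bytes(range(16)), bytes(range(16, 32))

def run(sqn_t=10, sqn_s=20, last_t=9, last_s=19, bad_w2=False) -> bool:
    """Whole exchange; returns True only if all three pairwise checks pass."""
    av1, av2, warr = core_step(K_T, K_S, sqn_t, sqn_s, RAND1, RAND2)
    auth_vec = small_cell_step(K_S, av2, warr, last_s)
    if auth_vec is None:
        return False
    if bad_w2:   # a base station that never held a valid AV2 cannot produce W2
        auth_vec = (b"\x00" * 32, auth_vec[1])
    return terminal_step(K_T, av1, warr, auth_vec, last_t)

if __name__ == "__main__":
    print(run(), run(bad_w2=True), run(sqn_t=10, last_t=10))   # True False False
```

Running the file prints `True False False`: the honest exchange passes, a base station that presents a W2 not derived from a valid second authentication vector group fails the terminal's comparison of the target value against WARR, and a replayed sequence number fails the core-network check before any authorization step runs. The point worth noticing for a reviewer is that the terminal never sees CK2: it only checks that the W2 it was handed combines with its own W3 into the reference value that the core network element issued, which is what binds the small base station's authorization to the terminal's own authentication vector.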
Referring to Fig. 11, an embodiment of the present invention further provides a device 600, which includes but is not limited to a smartphone, a smart watch, a tablet computer, a personal computer, a notebook computer or a computer cluster. As shown in Fig. 11, the device 600 includes a processor 601, a memory 602, a transceiver 603 and a bus 604. The transceiver 603 is used to exchange data with external devices. The number of processors 601 in the device 600 may be one or more. In some embodiments of the present application, the processor 601, the memory 602 and the transceiver 603 may be connected by a bus system or by other means. The device 600 may be used to perform the methods shown in Fig. 5 and Fig. 7. For the meaning of the terms involved in this embodiment and the examples, refer to the description corresponding to Fig. 5 and Fig. 7, which is not repeated here.
The memory 602 stores program code. The processor 601 is used to invoke the program code stored in the memory 602 in order to perform the steps shown in Fig. 5 and Fig. 7.
It should be noted that the processor 601 here may be one processing element or a collective term for several processing elements. For example, the processing element may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of this application, such as one or more microprocessors (digital signal processors, DSP) or one or more field programmable gate arrays (FPGA).
The memory 602 may be one storage device or a collective term for several storage elements, and is used to store executable program code or the parameters, data and so on required for the operation of the application running device. The memory 603 may include random access memory (RAM) and may also include non-volatile memory, such as disk storage or flash memory.
The bus 604 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation it is drawn as a single thick line in Fig. 11, which does not mean that there is only one bus or only one type of bus.
The device may also include an input/output unit connected to the bus 604 so as to be connected through the bus to the processor 601 and other components. The input/output unit may provide an input interface for an operator, so that the operator can select configuration items through that interface; it may also be another interface through which other external devices can be connected.
In the above embodiments, implementation may be wholly or partly in software, hardware, firmware or any combination thereof. When implemented with a software program, it may be implemented wholly or partly in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the flows or functions described in the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (such as coaxial cable, optical fibre or digital subscriber line (DSL)) or wireless (such as infrared, radio or microwave) means. The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center integrating one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or tape), an optical medium (for example a DVD) or a semiconductor medium (for example a solid state disk (SSD)).
The above disclosure is only the preferred embodiment of the present invention and certainly cannot limit the scope of the present invention; equivalent variations made according to the claims of the present invention therefore still fall within the scope covered by the present invention.

Claims (16)

1. An authentication method, the method being based on a terminated small base station that connects a terminal and a core network element, characterised in that the method includes:
Receiving a first authentication vector group, a second authentication vector group and a reference authorization value sent by the core network element, the reference authorization value being generated by the core network element using a message authentication function from the first authentication vector group and the second authentication vector group;
In the case where bidirectional authentication with the core network element is determined to be successful according to the second authentication vector group, generating an authorization vector using the message authentication function from a second authorization parameter, which is generated from the second authentication vector group, and the reference authorization value;
Sending the first authentication vector group, the reference authorization value and the authorization vector to the terminal;
In the case where the terminal determines, according to the first authentication vector group, that bidirectional authentication with the core network element is successful, performing bidirectional authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value.
2. The method according to claim 1, characterised in that the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key;
The second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
3. The method according to claim 2, characterised in that the reference authorization value is generated by the core network element using the message authentication function from a first authorization parameter and the second authorization parameter, where the first authorization parameter is generated by the core network element using the message authentication function from the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element using the message authentication function from the second encryption key and the second random number in the second authentication vector group.
4. The method according to claim 3, characterised in that performing bidirectional authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value includes:
Generating a third authorization parameter using the message authentication function from the first encryption key and the first random number;
Obtaining the second authorization parameter and the reference authorization value from the authorization vector;
Generating a target authorization value using the message authentication function from the third authorization parameter and the second authorization parameter;
When the target authorization value equals the reference authorization value, bidirectional authentication with the terminal succeeds.
5. An authentication method, the method being based on a terminated small base station that connects a terminal and a core network element, characterised in that the method includes:
Receiving a first authentication vector group, a reference authorization value and an authorization vector sent by the terminated small base station, where the first authentication vector group is sent by the core network element through the terminated small base station, the reference authorization value is generated by the core network element using a message authentication function from the first authentication vector group and a second authentication vector group, and the authorization vector is generated from a second authorization parameter, which the core network element generates using the message authentication function from the second authentication vector group, and the reference authorization value;
Performing bidirectional authentication with the core network element according to the first authentication vector group, and, in the case where bidirectional authentication with the core network element is successful, performing bidirectional authentication with the terminated small base station using the first authentication vector group, the authorization vector and the reference authorization value.
6. The method according to claim 5, characterised in that the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key;
The second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
7. The method according to claim 6, characterised in that the reference authorization value is generated by the core network element using the message authentication function from a first authorization parameter and the second authorization parameter, where the first authorization parameter is generated by the core network element using the message authentication function from the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element using the message authentication function from the second encryption key and the second random number in the second authentication vector group.
8. The method according to claim 7, characterised in that performing bidirectional authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value also includes:
Generating a third authorization parameter using the message authentication function from the first encryption key and the first random number;
Obtaining the second authorization parameter and the reference authorization value from the authorization vector;
Generating a target authorization value using the message authentication function from the third authorization parameter and the second authorization parameter;
When the target authorization value equals the reference authorization value, bidirectional authentication with the terminal succeeds.
9. An authentication device, the device being based on a terminated small base station that connects a terminal and a core network element, characterised in that the device includes:
A first transport module, for receiving a first authentication vector group, a second authentication vector group and a reference authorization value sent by the core network element, the reference authorization value being generated by the core network element using a message authentication function from the first authentication vector group and the second authentication vector group;
A first authentication module, for generating, in the case where bidirectional authentication with the core network element is determined to be successful according to the second authentication vector group, an authorization vector using the message authentication function from a second authorization parameter, which is generated from the second authentication vector group, and the reference authorization value;
A second transport module, for sending the first authentication vector group, the reference authorization value and the authorization vector to the terminal;
A second authentication module, for performing, in the case where the terminal determines according to the first authentication vector group that bidirectional authentication with the core network element is successful, bidirectional authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value.
10. The device according to claim 9, characterised in that the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key;
The second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
11. The device according to claim 10, characterised in that the reference authorization value is generated by the core network element using the message authentication function from a first authorization parameter and the second authorization parameter, where the first authorization parameter is generated by the core network element using the message authentication function from the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element using the message authentication function from the second encryption key and the second random number in the second authentication vector group.
12. The device according to claim 11, characterised in that the second authentication module is also used for generating a third authorization parameter using the message authentication function from the first encryption key and the first random number; obtaining the second authorization parameter and the reference authorization value from the authorization vector; generating a target authorization value using the message authentication function from the third authorization parameter and the second authorization parameter; and, when the target authorization value equals the reference authorization value, determining that bidirectional authentication with the terminal succeeds.
13. An authentication device, the device being based on a terminated small base station that connects a terminal and a core network element, characterised in that the device includes:
A third transport module, for receiving a first authentication vector group, a reference authorization value and an authorization vector sent by the terminated small base station, where the first authentication vector group is sent by the core network element through the terminated small base station, the reference authorization value is generated by the core network element using a message authentication function from the first authentication vector group and a second authentication vector group, and the authorization vector is generated from a second authorization parameter, which the core network element generates using the message authentication function from the second authentication vector group, and the reference authorization value;
A third authentication module, for performing bidirectional authentication with the core network element according to the first authentication vector group and, in the case where bidirectional authentication with the core network element is successful, performing bidirectional authentication with the terminated small base station using the first authentication vector group, the authorization vector and the reference authorization value.
14. The device according to claim 13, characterised in that the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key;
The second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
15. The device according to claim 14, characterised in that the reference authorization value is generated by the core network element using the message authentication function from a first authorization parameter and the second authorization parameter, where the first authorization parameter is generated by the core network element using the message authentication function from the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element using the message authentication function from the second encryption key and the second random number in the second authentication vector group.
16. The device according to claim 15, characterised in that the third authentication module is also used for generating a third authorization parameter using the message authentication function from the first encryption key and the first random number; obtaining the second authorization parameter and the reference authorization value from the authorization vector; generating a target authorization value using the message authentication function from the third authorization parameter and the second authorization parameter; and, when the target authorization value equals the reference authorization value, determining that bidirectional authentication with the terminal succeeds.
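As an added worked example (not code from the patent or its applicant), the derivation and check of claims 3, 4, 7 and 8 carried through in Python: the core network element derives the first and second authorization parameters and the reference authorization value, the small base station packs the authorization vector, and the terminal recomputes the third authorization parameter and the target value. HMAC-SHA256 stands in for the unspecified "message authentication function", the two-field concatenated layout of the authorization vector is assumed, and the vector values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass


def mac(key: bytes, msg: bytes) -> bytes:
    # The claims only say "message authentication function"; HMAC-SHA256 is
    # an assumption made for this example.
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class AuthVector:
    """One authentication vector group as listed in claims 2 and 6."""
    rand: bytes  # random number
    autn: bytes  # authentication parameter
    xres: bytes  # expected authentication parameter
    ck: bytes    # encryption key
    ik: bytes    # integrity key


def sample_vector(label: bytes) -> AuthVector:
    # Constructed, deterministic sample values for the example; a real core
    # network element derives these from the subscriber key.
    def field(tag: bytes) -> bytes:
        return hashlib.sha256(label + tag).digest()[:16]
    return AuthVector(field(b"rand"), field(b"autn"), field(b"xres"),
                      field(b"ck"), field(b"ik"))


def core_reference_value(av1: AuthVector, av2: AuthVector) -> tuple:
    """Core network element (claim 3): p1 and p2 from (CK, RAND), then ref."""
    p1 = mac(av1.ck, av1.rand)
    p2 = mac(av2.ck, av2.rand)
    return mac(p1, p2), p2


def small_cell_authorization_vector(p2: bytes, ref: bytes) -> bytes:
    """Small base station (claim 1): authorization vector from p2 and ref.
    Two 32-byte fields concatenated; the layout is this example's assumption."""
    return p2 + ref


def terminal_verify(av1: AuthVector, auth_vec: bytes) -> bool:
    """Terminal (claims 4 and 8): recompute the third authorization parameter
    from CK1 and RAND1, take p2 and the reference value out of the
    authorization vector, derive the target value and compare."""
    if len(auth_vec) != 64:
        return False
    p2, ref = auth_vec[:32], auth_vec[32:]
    p3 = mac(av1.ck, av1.rand)
    target = mac(p3, p2)
    return hmac.compare_digest(target, ref)  # constant-time comparison


def run_exchange() -> tuple:
    """Honest run, then a run where p2 was altered in transit."""
    av1, av2 = sample_vector(b"av1"), sample_vector(b"av2")
    ref, p2 = core_reference_value(av1, av2)
    honest = terminal_verify(av1, small_cell_authorization_vector(p2, ref))
    tampered = small_cell_authorization_vector(bytes(32), ref)
    return honest, terminal_verify(av1, tampered)
```

Because the terminal's third parameter is bound to CK1 and RAND1, a terminal holding a different first vector group, or an authorization vector whose second parameter was altered, fails the comparison.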

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710481726.5A CN107466038B (en) 2017-06-22 2017-06-22 Authentication method and device

Publications (2)

Publication Number Publication Date
CN107466038A true CN107466038A (en) 2017-12-12
CN107466038B CN107466038B (en) 2020-08-04

Family

ID=60546395

Country Status (1)

Country Link
CN (1) CN107466038B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101511084A (en) * 2008-02-15 2009-08-19 中国移动通信集团公司 Authentication and cipher key negotiation method of mobile communication system
CN102143489A (en) * 2010-02-01 2011-08-03 华为技术有限公司 Method, device and system for authenticating relay node
CN104159223A (en) * 2014-07-15 2014-11-19 清华大学 Identification method for relay communication user
WO2017026465A1 (en) * 2015-08-07 2017-02-16 シャープ株式会社 Terminal device, base station device, method for controlling communication of terminal device, and method for controlling communication of base station device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112118549A (en) * 2020-10-14 2020-12-22 中国联合网络通信集团有限公司 Authentication method, SMF, CHF, computer device, and storage medium
CN112118549B (en) * 2020-10-14 2021-09-03 中国联合网络通信集团有限公司 Authentication method, SMF, CHF, computer device, and storage medium

Also Published As

Publication number Publication date
CN107466038B (en) 2020-08-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant