CN107466038A - Method for authenticating and device - Google Patents
- Publication number: CN107466038A (application CN201710481726.5A)
- Authority
- CN
- China
- Prior art keywords
- authentication
- authorization
- parameter
- vector group
- network element
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Abstract
An embodiment of the invention discloses an authentication method and device. The method includes: receiving a first authentication vector group, a second authentication vector group and a reference authorization value sent by a core network element; when mutual authentication with the core network element is determined to be successful on the basis of the second authentication vector group, generating an authorization vector from the reference authorization value and a second authorization parameter that is generated with a message authentication function from the second authentication vector group; sending the first authentication vector group, the reference authorization value and the authorization vector to the terminal; and, when the terminal determines on the basis of the first authentication vector group that mutual authentication with the core network element is successful, performing mutual authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value. With the invention, access authorization can be achieved when a terminal accesses the core network element through a terminal small cell, ensuring communication security.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to an authentication method and device.
Background technology
In the research and development of terminals for fifth-generation mobile communication technology (5G), a 5G terminal is turned into a base station by using a Terminal Small Cell (T-SC). Beyond transmitting at higher speed and communicating more flexibly and more securely, 5G terminals will aggregate Internet of Things services and provide an aggregation function for other terminals, that is, they will support terminal-based cell access.
In the communication system based on a terminal small cell shown in Figure 1, a remote terminal accesses the core network through the terminal small cell. The authentication involved therefore includes: 1. authorization of the terminal small cell by the core network element; 2. mutual authentication between the terminal and the terminal small cell; 3. mutual authentication between the terminal and the core network element; 4. mutual authentication between the terminal and the terminal small cell.
However, the existing Long Term Evolution (LTE) authentication mechanism is only used for authentication between a terminal and the core network element. Those skilled in the art therefore still need to study the technical problem of the complex authentication required in the terminal small cell scenario.
Summary of the invention
Embodiments of the invention provide an authentication method and device to solve the technical problem that the LTE authentication mechanism of the prior art is only used for authentication between a terminal and a core network element and cannot achieve the complex authentication required in the terminal small cell scenario.
In a first aspect, the invention provides an authentication method, including:
receiving a first authentication vector group, a second authentication vector group and a reference authorization value sent by the core network element, where the reference authorization value is generated by the core network element with a message authentication function from the first authentication vector group and the second authentication vector group;
when mutual authentication with the core network element is determined to be successful on the basis of the second authentication vector group, generating an authorization vector from the reference authorization value and a second authorization parameter that is generated with the message authentication function from the second authentication vector group;
sending the first authentication vector group, the reference authorization value and the authorization vector to the terminal;
when the terminal determines on the basis of the first authentication vector group that mutual authentication with the core network element is successful, performing mutual authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value.
With reference to the first aspect, in a first possible implementation of the first aspect, the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key; the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the reference authorization value is generated by the core network element with the message authentication function from a first authorization parameter and the second authorization parameter, where the first authorization parameter is generated by the core network element with the message authentication function from the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element with the message authentication function from the second encryption key and the second random number in the second authentication vector group.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, performing mutual authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value further includes: generating a third authorization parameter with the message authentication function from the first encryption key and the first random number; obtaining the second authorization parameter and the reference authorization value from the authorization vector; generating a target authorization value with the message authentication function from the third authorization parameter and the second authorization parameter; and, when the target authorization value equals the reference authorization value, mutual authentication with the terminal succeeds.
In a second aspect, the invention further provides an authentication method, including:
receiving a first authentication vector group, a reference authorization value and an authorization vector sent by the terminal small cell, where the first authentication vector group is sent by the core network element through the terminal small cell, the reference authorization value is generated by the core network element with a message authentication function from the first authentication vector group and a second authentication vector group, and the authorization vector is generated from the reference authorization value and a second authorization parameter that the core network element generates with the message authentication function from the second authentication vector group;
performing mutual authentication with the core network element on the basis of the first authentication vector group and, when mutual authentication with the core network element is successful, performing mutual authentication with the terminal small cell using the first authentication vector group, the authorization vector and the reference authorization value.
With reference to the second aspect, in a first possible implementation of the second aspect, the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key; the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the reference authorization value is generated by the core network element with the message authentication function from a first authorization parameter and the second authorization parameter, where the first authorization parameter is generated by the core network element with the message authentication function from the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element with the message authentication function from the second encryption key and the second random number in the second authentication vector group.
With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, performing mutual authentication using the first authentication vector group, the authorization vector and the reference authorization value further includes: generating a third authorization parameter with the message authentication function from the first encryption key and the first random number; obtaining the second authorization parameter and the reference authorization value from the authorization vector; generating a target authorization value with the message authentication function from the third authorization parameter and the second authorization parameter; and, when the target authorization value equals the reference authorization value, mutual authentication with the terminal succeeds.
In a third aspect, the invention provides an authentication device, including:
a first transmission module, configured to receive a first authentication vector group, a second authentication vector group and a reference authorization value sent by the core network element, where the reference authorization value is generated by the core network element with a message authentication function from the first authentication vector group and the second authentication vector group;
a first authentication module, configured to, when mutual authentication with the core network element is determined to be successful on the basis of the second authentication vector group, generate an authorization vector from the reference authorization value and a second authorization parameter that is generated with the message authentication function from the second authentication vector group;
a second transmission module, configured to send the first authentication vector group, the reference authorization value and the authorization vector to the terminal;
a second authentication module, configured to, when the terminal determines on the basis of the first authentication vector group that mutual authentication with the core network element is successful, perform mutual authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value.
With reference to the third aspect, in a first possible implementation of the third aspect, the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key; the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
With reference to the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the reference authorization value is generated by the core network element with the message authentication function from a first authorization parameter and the second authorization parameter, where the first authorization parameter is generated by the core network element with the message authentication function from the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element with the message authentication function from the second encryption key and the second random number in the second authentication vector group.
With reference to the second possible implementation of the third aspect, in a third possible implementation of the third aspect, the second authentication module is further configured to generate a third authorization parameter with the message authentication function from the first encryption key and the first random number; obtain the second authorization parameter and the reference authorization value from the authorization vector; generate a target authorization value with the message authentication function from the third authorization parameter and the second authorization parameter; and, when the target authorization value equals the reference authorization value, determine that mutual authentication with the terminal succeeds.
In a fourth aspect, the invention further provides an authentication device, including:
a third transmission module, configured to receive a first authentication vector group, a reference authorization value and an authorization vector sent by the terminal small cell, where the first authentication vector group is sent by the core network element through the terminal small cell, the reference authorization value is generated by the core network element with a message authentication function from the first authentication vector group and a second authentication vector group, and the authorization vector is generated from the reference authorization value and a second authorization parameter that the core network element generates with the message authentication function from the second authentication vector group;
a third authentication module, configured to perform mutual authentication with the core network element on the basis of the first authentication vector group and, when mutual authentication with the core network element is successful, perform mutual authentication with the terminal small cell using the first authentication vector group, the authorization vector and the reference authorization value.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key; the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
With reference to the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the reference authorization value is generated by the core network element with the message authentication function from a first authorization parameter and the second authorization parameter, where the first authorization parameter is generated by the core network element with the message authentication function from the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element with the message authentication function from the second encryption key and the second random number in the second authentication vector group.
With reference to the second possible implementation of the fourth aspect, in a third possible implementation of the fourth aspect, the third authentication module is further configured to generate a third authorization parameter with the message authentication function from the first encryption key and the first random number; obtain the second authorization parameter and the reference authorization value from the authorization vector; generate a target authorization value with the message authentication function from the third authorization parameter and the second authorization parameter; and, when the target authorization value equals the reference authorization value, determine that mutual authentication with the terminal succeeds.
Implementing the embodiments of the invention has the following beneficial effects:
With the above authentication method and device, when a terminal requests access to the core network element through the terminal small cell, the core network element generates a first authentication vector group and a second authentication vector group and generates a reference authorization value with a message authentication function from the two groups; the terminal small cell receives the first authentication vector group, the second authentication vector group and the reference authorization value sent by the core network element, determines on the basis of the second authentication vector group whether mutual authentication between the terminal small cell and the core network element succeeds and, if so, generates an authorization vector from the reference authorization value; the terminal receives the first authentication vector group, the reference authorization value and the authorization vector sent by the terminal small cell, determines on the basis of the first authentication vector group whether mutual authentication with the core network element succeeds and, if so, performs mutual authentication with the terminal small cell using the first authentication vector group, the authorization vector and the reference authorization value. Authentication is thus performed when the terminal small cell provides access service to a remote terminal, pairwise authentication among the terminal, the terminal small cell and the core network element is ensured, and communication security is guaranteed.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
In the drawings:
Fig. 1 is a schematic diagram of a communication system based on a terminal small cell according to an embodiment of the invention;
Fig. 2 is a flow chart of LTE authentication vector group generation according to an embodiment of the invention;
Fig. 3 is a flow chart of an LTE authentication mechanism according to an embodiment of the invention;
Fig. 4 is a schematic diagram of authorization vector generation according to an embodiment of the invention;
Fig. 5 is a flow chart of an authentication method according to an embodiment of the invention;
Fig. 6 is a flow chart of a mutual authentication method between a terminal small cell and a terminal according to an embodiment of the invention;
Fig. 7 is a flow chart of another authentication method according to an embodiment of the invention;
Fig. 8 is a structural diagram of an authentication device according to an embodiment of the invention;
Fig. 9 is a structural diagram of another authentication device according to an embodiment of the invention;
Fig. 10 is a timing diagram of an authentication system according to an embodiment of the invention;
Fig. 11 is a schematic structural diagram of a computer device for the authentication method in one embodiment.
Embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the protection scope of the invention.
In the existing LTE authentication mechanism, the authentication vector group generated by the core network element includes five parameter values: a random number (Random Challenge, RAND), an expected response (Expected Response, XRES), a ciphering key (CK), an integrity key (IK) and an authentication token (Authentication Token, AUTN). RAND is an unpredictable random number that the core network element supplies to the terminal, of length 16 octets; XRES is compared with the RES (or RES + RES_EXT) produced by the terminal to decide whether authentication succeeds, of length 4-16 octets; CK is 16 octets long; IK is 16 octets long; AUTN is used for authentication between the terminal and the core network element and is 17 octets long.
In the LTE authentication vector group generation flow shown in Figure 2, the message authentication code (MAC), XRES, CK, IK and the anonymity key (AK) are generated from the sequence number (SQN), RAND, the key K and the authentication and key management field (AMF). The specific calculation is as follows:
Message authentication code MAC = f1_K(SQN || RAND || AMF), where f1 is a message authentication function;
Expected response XRES = f2_K(RAND), where f2 is a (possibly truncated) message authentication function;
Ciphering key CK = f3_K(RAND), where f3 is a key generating function;
Integrity key IK = f4_K(RAND), where f4 is a key generating function;
Anonymity key AK = f5_K(RAND), where f5 is a key generating function or f5 ≡ 0.
Then the authentication token AUTN and the authentication vector (Authentication Vector, AV) are constructed as follows:
Authentication-tokens
Authentication vector AV := RAND || XRES || CK || IK || AUTN.
From the above calculation, the five parameter values contained in the authentication vector group are obtained: the random number RAND, the expected response XRES, the ciphering key CK, the integrity key IK and the authentication token AUTN.
In the LTE authentication flow shown in Figure 3, the authentication token AUTN is verified first. After AUTN passes verification, the anonymity key AK = f5_K(RAND) is calculated and the sequence number SQN is recovered; the expected message authentication code XMAC = f1_K(SQN || RAND || AMF) is then calculated and compared with the message authentication code MAC carried in AUTN. If they differ, the authentication procedure is abandoned. At the same time, it is verified whether the received sequence number SQN lies within the valid range; if not, authentication fails. If both the XMAC check and the SQN check pass, the remote UE has completed its authentication of the core network element. Finally, the ciphering key CK and the integrity key IK are calculated.
The message authentication function f2 is an existing algorithm of the LTE standard; its generation process is shown in Figure 4. The algorithm has two inputs and one output.
It should be noted that the embodiments of the invention take the prior art only as an example, so as to be compatible with the existing authentication process and improve the compatibility of the authentication method. They are not limited to it: other ways of defining the authentication vector group and the message authentication function may also be used, and the invention does not limit this.
In this embodiment, the terminal may specifically be a personal computer, a server computer, a handheld or laptop device, a consumer electronic device, a mobile device (such as a smartphone, tablet computer or media player) or a multiprocessor system, and may of course also be a base station. The specific embodiments of the invention do not limit the form of the terminal.
To solve the technical problem that the LTE authentication mechanism of the prior art is only used for authentication between the terminal and the core network element and cannot achieve the complex authentication required in the terminal small cell scenario, the first aspect of the invention provides an authentication method based on a terminal small cell. In the communication system based on a terminal small cell shown in Figure 1, the remote terminal accesses the core network element through the terminal small cell. When a terminal accesses the terminal small cell, the terminal small cell forwards the terminal's access request to the core network element, and pairwise authentication is performed among the terminal small cell, the terminal and the core network element. The core network element may include a terminal small cell gateway (T-SC Gateway, T-SC GW), a core network element provided by the equipment vendor (Evolved Packet Core network, EPC) and a core network element provided by the operator (Operator Evolved Packet Core network, Operator EPC), where the operator-provided core network element includes a mobility management entity (Mobility Management Entity, MME), a home subscriber server (Home Subscriber Server, HSS), a serving gateway (Serving Gateway, S-GW) and a public data network gateway (Public Data Network Gateway, P-GW), among others.
Specifically, as shown in Figure 5, an authentication method includes:
Step S102: receiving a first authentication vector group, a second authentication vector group and a reference authorization value sent by the core network element.
In this embodiment, the first authentication vector group is used for mutual authentication between the core network element and the terminal, and the second authentication vector group is used for mutual authentication between the core network element and the terminal small cell.
Optionally, the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key; the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
The contents of the two groups can be obtained according to the existing LTE authentication mechanism. In the first authentication vector group, the first random number is RAND1, the first authentication parameter is the parameter AUTN1 with which the terminal authenticates the core network element, the first expected authentication parameter is the parameter XRES1 with which the core network element authenticates the terminal, the first encryption key is CK1 and the first integrity key is IK1. In the second authentication vector group, the second random number is RAND2, the second authentication parameter is the parameter AUTN2 for authenticating the core network element, the second expected authentication parameter is the parameter XRES2 with which the core network element authenticates its peer, the second encryption key is CK2 and the second integrity key is IK2. The existing LTE mechanism for generating authentication vector groups at the core network element is reused so as to be compatible with the existing authentication process and improve the compatibility of the authentication.
In this embodiment, the reference authorization value is generated by the core network element with a message authentication function from the first authentication vector group and the second authentication vector group.
Using the message authentication function f2 of the existing LTE standard, the generation process is as shown in Figure 4: the first encryption key CK1 and the first random number RAND1 in the first authentication vector group generate the first authorization parameter W1; likewise, the second encryption key CK2 and the second random number RAND2 in the second authentication vector group generate the second authorization parameter W2; then the first authorization parameter and the second authorization parameter generate the reference authorization value WARR.
Step S104: when mutual authentication with the core network element is determined to be successful on the basis of the second authentication vector group, generating an authorization vector from the reference authorization value and the second authorization parameter that is generated with the message authentication function from the second authentication vector group.
In this embodiment, whether mutual authentication between the terminal small cell and the core network element succeeds can be determined from the second authentication vector group according to the existing LTE authentication mechanism; if so, the authorization vector is generated from the reference authorization value that the core network element sent to the terminal small cell. The authorization vector consists of the second authorization parameter and the reference authorization value.
Specifically, as the expectation message authentication code XMAC2 and message authentication code MAC2 that are generated according to the second authentication vector group
When equal, and the sequence number SQN2 received is verified in effective range, the two-way mirror of the small base station of terminated and core network element
Weigh successfully.
Step S106: Send the first authentication vector group, the reference authorization value and the authorization vector to the terminal.
In the present embodiment, the terminal receives the first authentication vector group, the reference authorization value and the authorization vector sent by the terminated small base station. The first authentication vector group is used for bi-directional authentication between the terminal and the core network element; the reference authorization value and the authorization vector are used for bi-directional authentication between the terminal and the terminated small base station and for confirming the reference authorization value that the core network element assigned to the terminated small base station.
Step S108: In the case where the terminal determines according to the first authentication vector group that the bi-directional authentication with the core network element is successful, carry out bi-directional authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value.
In the present embodiment, whether the bi-directional authentication between the terminal and the core network element succeeds can be determined according to the first authentication vector group following the existing LTE authentication mechanism; if so, a target authorization value is generated using the message authentication function from the reference authorization value and the authorization vector sent by the terminated small base station to the terminal, and when the target authorization value is equal to the reference authorization value, the bi-directional authentication with the terminal succeeds.
The detailed process of the bi-directional authentication between the terminal and the core network element: when the expected message authentication code XMAC1 generated according to the first authentication vector group is equal to the message authentication code MAC1, and the received sequence number SQN1 is verified to be within the effective range, the bi-directional authentication between the terminal and the core network element succeeds.
The method flow of the bi-directional authentication between the terminated small base station and the terminal is specifically as shown in Figure 6: the terminal generates a third authorization value W3 according to the first authentication vector group using the message authentication function, then obtains the reference authorization value and the second authorization parameter W2 from the authorization vector, generates the target authorization value from the third authorization value W3 and the second authorization parameter W2 using the message authentication function, and finally determines whether the target authorization value is equal to the reference authorization value; if so, the bi-directional authentication between the terminated small base station and the terminal succeeds.
The second aspect of the present invention provides another method for authenticating; as shown in Figure 7, the method includes:
Step S202: Receive the first authentication vector group, the reference authorization value and the authorization vector sent by the terminated small base station.
In the present embodiment, the first authentication vector group is sent by the core network element through the terminated small base station and is used for bi-directional authentication between the core network element and the terminal; it includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key.
Optionally, the core network element generates the message authentication code MAC, the expected response XRES, the encryption key CK, the integrity protection key IK and the anonymity key AK according to the sequence number SQN, the random parameter RAND, the key K and the authentication and key management field AMF, and then constructs the authentication token AUTN and the authentication vector AV, so that the first random number in the first authentication vector group is RAND1, the first authentication parameter is the authentication parameter AUTN1 with which the terminal authenticates the core network element, the first expected authentication parameter is the authentication parameter XRES1 with which the core network element authenticates the terminal, the first encryption key is CK1 and the first integrity key is IK1. The core network element generates the authentication vector group with the authentication mechanism of existing LTE, so that the existing authentication process remains compatible and the compatibility of authentication is improved.
Similarly, the core network element generates the second authentication vector group for bi-directional authentication between the terminated small base station and the core network element; after the bi-directional authentication between the terminated small base station and the core network element is determined to be successful, the core network element authorizes the terminated small base station and assigns it a reference authorization value.
Following the existing LTE authentication mechanism, when the expected message authentication code XMAC2 generated according to the second authentication vector group is equal to the message authentication code MAC2, and the received sequence number SQN2 is verified to be within the effective range, the bi-directional authentication between the terminated small base station and the core network element succeeds.
In the present embodiment, the reference authorization value is generated by the core network element using the message authentication function according to the first authentication vector group and the second authentication vector group, and the authorization vector is generated from the second authorization parameter, which the core network element generated using the message authentication function according to the second authentication vector group, and the reference authorization value.
Using the existing message authentication function f2 algorithm, as shown in Figure 4, the first encryption key CK1 and the first random parameter RAND1 in the first authentication vector group generate the first authorization parameter W1. Similarly, the second encryption key CK2 and the second random parameter RAND2 in the second authentication vector group generate the second authorization parameter W2, and then the reference authorization value WARR is generated according to the first authorization parameter and the second authorization parameter.
Step S204: Carry out bi-directional authentication with the core network element according to the first authentication vector group, and in the case where the bi-directional authentication with the core network element is successful, carry out bi-directional authentication with the terminated small base station using the first authentication vector group, the authorization vector and the reference authorization value.
According to the existing LTE authentication mechanism, when the expected message authentication code XMAC1 generated according to the first authentication vector group is equal to the message authentication code MAC1, and the received sequence number SQN1 is verified to be within the effective range, the bi-directional authentication between the terminal and the core network element succeeds.
A target authorization value is generated using the message authentication function from the reference authorization value and the authorization vector sent by the terminated small base station to the terminal; when the target authorization value is equal to the reference authorization value, the bi-directional authentication between the terminated small base station and the terminal succeeds.
The method flow of the bi-directional authentication between the terminated small base station and the terminal is specifically as shown in Figure 6: the terminal generates a third authorization value W3 according to the first authentication vector group using the message authentication function, then obtains the reference authorization value and the second authorization parameter W2 from the authorization vector, generates the target authorization value from the third authorization value W3 and the second authorization parameter W2 using the message authentication function, and finally determines whether the target authorization value is equal to the reference authorization value; if so, the bi-directional authentication between the terminated small base station and the terminal succeeds.
The third aspect of the present invention provides an authentication device; as shown in Figure 8, the authentication device includes a first transport module 102, a first authentication module 104, a second transport module 106 and a second authentication module 108, wherein:
the first transport module 102 is configured to receive the first authentication vector group, the second authentication vector group and the reference authorization value sent by the core network element, the reference authorization value being generated by the core network element using a message authentication function according to the first authentication vector group and the second authentication vector group;
the first authentication module 104 is configured to, in the case where the bi-directional authentication with the core network element is determined to be successful according to the second authentication vector group, generate an authorization vector using the message authentication function from the second authorization parameter generated according to the second authentication vector group and the reference authorization value;
the second transport module 106 is configured to send the first authentication vector group, the reference authorization value and the authorization vector to the terminal;
the second authentication module 108 is configured to, in the case where the terminal determines according to the first authentication vector group that the bi-directional authentication with the core network element is successful, carry out bi-directional authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value.
With reference to the third aspect, in a first possible implementation of the third aspect, the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key; the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
With reference to the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the reference authorization value is generated by the core network element using the message authentication function according to a first authorization parameter and a second authorization parameter, wherein the first authorization parameter is generated by the core network element using the message authentication function according to the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element using the message authentication function according to the second encryption key and the second random number in the second authentication vector group.
With reference to the second possible implementation of the third aspect, in a third possible implementation of the third aspect, the second authentication module 108 is further configured to generate a third authorization parameter using the message authentication function according to the first encryption key and the first random number; obtain the second authorization parameter and the reference authorization value of the authorization vector; generate a target authorization value using the message authentication function according to the third authorization parameter and the second authorization parameter; and, when the target authorization value is equal to the reference authorization value, determine that the bi-directional authentication with the terminal succeeds.
It will be appreciated that the functions of the functional modules of the authentication device of the present embodiment can be implemented according to the method of the method embodiment of Figure 5 described above, and are not repeated here.
The fourth aspect of the present invention provides another authentication device; as shown in Figure 9, the authentication device includes a third transport module 202 and a third authentication module 204, wherein:
the third transport module 202 is configured to receive the first authentication vector group, the reference authorization value and the authorization vector sent by the terminated small base station, the first authentication vector group being sent by the core network element through the terminated small base station, the reference authorization value being generated by the core network element using a message authentication function according to the first authentication vector group and the second authentication vector group, and the authorization vector being generated from the second authorization parameter, which the core network element generated using the message authentication function according to the second authentication vector group, and the reference authorization value;
the third authentication module 204 is configured to carry out bi-directional authentication with the core network element according to the first authentication vector group and, in the case where the bi-directional authentication with the core network element is successful, to carry out bi-directional authentication with the terminated small base station using the first authentication vector group, the authorization vector and the reference authorization value.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key; the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
With reference to the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the reference authorization value is generated by the core network element using the message authentication function according to a first authorization parameter and a second authorization parameter, wherein the first authorization parameter is generated by the core network element using the message authentication function according to the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element using the message authentication function according to the second encryption key and the second random number in the second authentication vector group.
With reference to the second possible implementation of the fourth aspect, in a third possible implementation of the fourth aspect, the third authentication module 204 is further configured to generate a third authorization parameter using the message authentication function according to the first encryption key and the first random number; obtain the second authorization parameter and the reference authorization value of the authorization vector; generate a target authorization value using the message authentication function according to the third authorization parameter and the second authorization parameter; and, when the target authorization value is equal to the reference authorization value, determine that the bi-directional authentication with the terminal succeeds.
It will be appreciated that the functions of the functional modules of the authentication device of the present embodiment can be implemented according to the method of the method embodiment of Figure 7 described above, and are not repeated here.
In addition, the fifth aspect of the present invention proposes an authentication system. In the authentication system based on the terminated small base station shown in Figure 1, access between a remote terminal and the core network element is realised through the terminated small base station. When a terminal accesses the terminated small base station, the terminated small base station forwards the access request of the terminal to the core network element, and the terminated small base station, the terminal and the core network element authenticate one another pairwise.
Specifically, the timing diagram of the authentication system is as shown in Figure 10. The system includes a core network element 302, a terminated small base station 304 connected to the core network element 302, and a terminal 306 connected to the terminated small base station 304, wherein:
Step S302: The core network element 302 generates a first authentication vector group and a second authentication vector group, and generates a reference authorization value using a message authentication function according to the first authentication vector group and the second authentication vector group.
In the present embodiment, the first authentication vector group is used for bi-directional authentication between the core network element 302 and the terminal 306, and the second authentication vector group is used for bi-directional authentication between the core network element 302 and the terminated small base station 304. The first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key; the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
Optionally, following the existing LTE authentication mechanism, the first random number included in the first authentication vector group is RAND1, the first authentication parameter is the authentication parameter AUTN1 with which the terminal 306 authenticates the core network element 302, the first expected authentication parameter is the authentication parameter XRES1 with which the core network element 302 authenticates the terminal 306, the first encryption key is CK1 and the first integrity key is IK1; the second random number included in the second authentication vector group is RAND2, the second authentication parameter is the authentication parameter AUTN2 with which the terminated small base station 304 authenticates the core network element 302, the second expected authentication parameter is the authentication parameter XRES2 with which the core network element 302 authenticates the terminated small base station 304, the second encryption key is CK2 and the second integrity key is IK2. The core network element 302 generates the authentication vector groups with the authentication mechanism of existing LTE, so that the existing authentication process remains compatible and the compatibility of authentication is improved.
In the present embodiment, the reference authorization value is generated by the core network element 302 using the message authentication function according to the first authentication vector group and the second authentication vector group.
According to the message authentication function f2 algorithm of the existing LTE standard, the specific generating process is as shown in Figure 4: the first encryption key CK1 and the first random parameter RAND1 in the first authentication vector group generate the first authorization parameter W1; similarly, the second encryption key CK2 and the second random parameter RAND2 in the second authentication vector group generate the second authorization parameter W2; then the first authorization parameter W1 and the second authorization parameter W2 generate the reference authorization value WARR.
Step S304: The core network element 302 sends the first authentication vector group, the second authentication vector group and the reference authorization value to the terminated small base station 304.
In the present embodiment, the first authentication vector group is used for bi-directional authentication between the terminal 306 and the core network element 302, the second authentication vector group is used for bi-directional authentication between the terminated small base station 304 and the core network element 302, and the reference authorization value is the authorization value assigned by the core network element 302 to the terminated small base station 304, which can be used for bi-directional authentication between the terminated small base station 304 and the terminal 306.
Step S306: In the case where the terminated small base station 304 determines according to the second authentication vector group that the bi-directional authentication with the core network element 302 is successful, it generates an authorization vector according to the reference authorization value, the message authentication function and the second authentication vector group.
In this implementation, the terminated small base station 304 is further used to generate the authorization vector according to the reference authorization value, the message authentication function and the second authentication vector group in the case where it determines according to the second authentication vector group that the bi-directional authentication with the core network element 302 is successful.
Whether the bi-directional authentication between the terminated small base station and the core network element succeeds can be determined according to the second authentication vector group following the existing LTE authentication mechanism; if so, the authorization vector is generated according to the reference authorization value sent by the core network element to the terminated small base station, the authorization vector consisting of the second authorization parameter and the reference authorization value.
Specifically, when the expected message authentication code XMAC2 generated according to the second authentication vector group is equal to the message authentication code MAC2, and the received sequence number SQN2 is verified to be within the effective range, the bi-directional authentication between the terminated small base station and the core network element succeeds.
Step S308: The terminated small base station 304 sends the first authentication vector group, the reference authorization value and the authorization vector to the terminal 306.
In the present embodiment, the terminal 306 receives the first authentication vector group, the reference authorization value and the authorization vector sent by the terminated small base station 304. The first authentication vector group is used for bi-directional authentication between the terminal 306 and the core network element 302; the reference authorization value and the authorization vector are used for bi-directional authentication between the terminal 306 and the terminated small base station 304 and for confirming the authorization value assigned by the core network element 302 to the terminated small base station 304.
Step S310: In the case where the terminal 306 determines according to the first authentication vector group that the bi-directional authentication with the core network element 302 is successful, it carries out bi-directional authentication with the terminated small base station 304 using the first authentication vector group, the authorization vector and the reference authorization value.
In the present embodiment, whether the bi-directional authentication between the terminal 306 and the core network element 302 succeeds can be determined according to the first authentication vector group following the existing LTE authentication mechanism; if so, a target authorization value is generated using the message authentication function from the reference authorization value and the authorization vector sent by the terminated small base station 304 to the terminal 306, and when the target authorization value is equal to the reference authorization value, the bi-directional authentication with the terminal succeeds.
The detailed process of the bi-directional authentication between the terminal 306 and the core network element 302: when the expected message authentication code XMAC1 generated according to the first authentication vector group is equal to the message authentication code MAC1, and the received sequence number SQN1 is verified to be within the effective range, the bi-directional authentication between the terminal and the core network element succeeds.
The method flow of the bi-directional authentication between the terminated small base station 304 and the terminal 306 is specifically as shown in Figure 6: the terminal generates a third authorization value W3 according to the first authentication vector group using the message authentication function, then obtains the reference authorization value and the second authorization parameter W2 from the authorization vector, generates the target authorization value from the third authorization value W3 and the second authorization parameter W2 using the message authentication function, and finally determines whether the target authorization value is equal to the reference authorization value; if so, the bi-directional authentication between the terminated small base station 304 and the terminal 306 succeeds.
To sum up, after the terminal requests access to the core network element through the terminated small base station, the core network element generates the first authentication vector group and the second authentication vector group, and generates the reference authorization value using the message authentication function according to the first authentication vector group and the second authentication vector group; the terminated small base station receives the first authentication vector group, the second authentication vector group and the reference authorization value sent by the core network element, determines according to the second authentication vector group whether the bi-directional authentication between the terminated small base station and the core network element succeeds and, if so, generates the authorization vector according to the reference authorization value; the terminal receives the first authentication vector group, the reference authorization value and the authorization vector sent by the terminated small base station, determines according to the first authentication vector group whether the bi-directional authentication with the core network element succeeds and, if so, carries out bi-directional authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value. In this way, authentication can be performed when the terminated small base station provides access service for a remote terminal, ensuring pairwise authentication among the terminal, the terminated small base station and the core network element and securing the communication.
Referring to Figure 11, an embodiment of the present invention further provides a device 600, which includes but is not limited to a smartphone, a smart watch, a tablet computer, a personal computer, a notebook computer or a computer cluster. As shown in Figure 11, the device 600 includes a processor 601, a memory 602, a transceiver 603 and a bus 604. The transceiver 603 is used to send and receive data to and from external devices. There may be one or more processors 601 in the device 600. In some embodiments of the present application, the processor 601, the memory 602 and the transceiver 603 may be connected by a bus system or by other means. The device 600 may be used to perform the methods shown in Figure 5 and Figure 7. For the meaning of the terms involved in the present embodiment and the examples, reference may be made to the explanations corresponding to Figure 5 and Figure 7, which are not repeated here.
Program code is stored in the memory 602. The processor 601 is used to call the program code stored in the memory 602 to perform the steps shown in Figure 5 and Figure 7.
It should be noted that the processor 601 here may be one processing element or a collective term for multiple processing elements. For example, the processing element may be a central processing unit (CPU) or an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application, such as one or more microprocessors (digital signal processors, DSP) or one or more field programmable gate arrays (FPGA).
The memory 602 may be one storage device or a collective term for multiple storage elements, and is used to store executable program code, or the parameters, data and the like required for the operation of the application program running device. The memory 602 may include random access memory (RAM) and may also include non-volatile memory, such as magnetic disk storage or flash memory.
The bus 604 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is shown in Figure 11, which does not mean that there is only one bus or one type of bus.
The device may further include an input/output unit connected to the bus 604, so as to connect with the processor 601 and other components through the bus. The input/output unit may provide an input interface for operating personnel, so that the operating personnel select deployment items through the input interface; it may also be another interface through which other external devices can be connected.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented using a software program, they may be realised in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the flows or functions described in the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data centre to another website, computer, server or data centre by wired means (such as coaxial cable, optical fibre or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data centre integrating one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a DVD) or a semiconductor medium (such as a solid state disk (SSD)).
The above disclosure is only a preferred embodiment of the present invention and certainly cannot limit the scope of the claims of the present invention; equivalent variations made according to the claims of the present invention therefore still fall within the scope covered by the present invention.
Claims (16)
1. An authentication method, applied to a terminated small base station that connects a terminal and a core network element, characterised in that the method comprises:
receiving a first authentication vector group, a second authentication vector group and a reference authorization value sent by the core network element, the reference authorization value being generated by the core network element using a message authentication function according to the first authentication vector group and the second authentication vector group;
in the case where mutual authentication with the core network element is determined to be successful according to the second authentication vector group, generating an authorization vector according to a second authorization parameter, generated using the message authentication function from the second authentication vector group, and the reference authorization value;
sending the first authentication vector group, the reference authorization value and the authorization vector to the terminal;
in the case where the terminal determines, according to the first authentication vector group, that mutual authentication with the core network element is successful, performing mutual authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value.
2. The method according to claim 1, characterised in that the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key;
the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
3. The method according to claim 2, characterised in that the reference authorization value is generated by the core network element using the message authentication function according to a first authorization parameter and the second authorization parameter, where the first authorization parameter is generated by the core network element using the message authentication function according to the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element using the message authentication function according to the second encryption key and the second random number in the second authentication vector group.
4. The method according to claim 3, characterised in that performing mutual authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value comprises:
generating a third authorization parameter using the message authentication function according to the first encryption key and the first random number;
obtaining the second authorization parameter of the authorization vector and the reference authorization value;
generating a target authorization value using the message authentication function according to the third authorization parameter and the second authorization parameter;
when the target authorization value is equal to the reference authorization value, mutual authentication with the terminal succeeds.
5. An authentication method, applied to a terminal connected to a terminated small base station and a core network element, characterised in that the method comprises:
receiving a first authentication vector group, a reference authorization value and an authorization vector sent by the terminated small base station, where the first authentication vector group is sent by the core network element via the terminated small base station, the reference authorization value is generated by the core network element using a message authentication function according to the first authentication vector group and a second authentication vector group, and the authorization vector is generated by the core network element according to a second authorization parameter, generated using the message authentication function from the second authentication vector group, and the reference authorization value;
performing mutual authentication with the core network element according to the first authentication vector group, and in the case where mutual authentication with the core network element is successful, performing mutual authentication with the terminated small base station using the first authentication vector group, the authorization vector and the reference authorization value.
6. The method according to claim 5, characterised in that the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key;
the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
7. The method according to claim 6, characterised in that the reference authorization value is generated by the core network element using the message authentication function according to a first authorization parameter and the second authorization parameter, where the first authorization parameter is generated by the core network element using the message authentication function according to the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element using the message authentication function according to the second encryption key and the second random number in the second authentication vector group.
8. The method according to claim 7, characterised in that performing mutual authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value further comprises:
generating a third authorization parameter using the message authentication function according to the first encryption key and the first random number;
obtaining the second authorization parameter of the authorization vector and the reference authorization value;
generating a target authorization value using the message authentication function according to the third authorization parameter and the second authorization parameter;
when the target authorization value is equal to the reference authorization value, mutual authentication with the terminal succeeds.
9. An authentication device, applied to a terminated small base station that connects a terminal and a core network element, characterised in that the device comprises:
a first transport module, configured to receive a first authentication vector group, a second authentication vector group and a reference authorization value sent by the core network element, the reference authorization value being generated by the core network element using a message authentication function according to the first authentication vector group and the second authentication vector group;
a first authentication module, configured to, in the case where mutual authentication with the core network element is determined to be successful according to the second authentication vector group, generate an authorization vector according to a second authorization parameter, generated using the message authentication function from the second authentication vector group, and the reference authorization value;
a second transport module, configured to send the first authentication vector group, the reference authorization value and the authorization vector to the terminal;
a second authentication module, configured to, in the case where the terminal determines, according to the first authentication vector group, that mutual authentication with the core network element is successful, perform mutual authentication with the terminal using the first authentication vector group, the authorization vector and the reference authorization value.
10. The device according to claim 9, characterised in that the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key;
the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
11. The device according to claim 10, characterised in that the reference authorization value is generated by the core network element using the message authentication function according to a first authorization parameter and the second authorization parameter, where the first authorization parameter is generated by the core network element using the message authentication function according to the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element using the message authentication function according to the second encryption key and the second random number in the second authentication vector group.
12. The device according to claim 11, characterised in that the second authentication module is further configured to: generate a third authorization parameter using the message authentication function according to the first encryption key and the first random number; obtain the second authorization parameter of the authorization vector and the reference authorization value; generate a target authorization value using the message authentication function according to the third authorization parameter and the second authorization parameter; and, when the target authorization value is equal to the reference authorization value, determine that mutual authentication with the terminal succeeds.
13. An authentication device, applied to a terminal connected to a terminated small base station and a core network element, characterised in that the device comprises:
a third transport module, configured to receive a first authentication vector group, a reference authorization value and an authorization vector sent by the terminated small base station, where the first authentication vector group is sent by the core network element via the terminated small base station, the reference authorization value is generated by the core network element using a message authentication function according to the first authentication vector group and a second authentication vector group, and the authorization vector is generated by the core network element according to a second authorization parameter, generated using the message authentication function from the second authentication vector group, and the reference authorization value;
a third authentication module, configured to perform mutual authentication with the core network element according to the first authentication vector group, and, in the case where mutual authentication with the core network element is successful, perform mutual authentication with the terminated small base station using the first authentication vector group, the authorization vector and the reference authorization value.
14. The device according to claim 13, characterised in that the first authentication vector group includes a first random number, a first authentication parameter, a first expected authentication parameter, a first encryption key and a first integrity key;
the second authentication vector group includes a second random number, a second authentication parameter, a second expected authentication parameter, a second encryption key and a second integrity key.
15. The device according to claim 14, characterised in that the reference authorization value is generated by the core network element using the message authentication function according to a first authorization parameter and the second authorization parameter, where the first authorization parameter is generated by the core network element using the message authentication function according to the first encryption key and the first random number in the first authentication vector group, and the second authorization parameter is generated by the core network element using the message authentication function according to the second encryption key and the second random number in the second authentication vector group.
16. The device according to claim 15, characterised in that the third authentication module is further configured to: generate a third authorization parameter using the message authentication function according to the first encryption key and the first random number; obtain the second authorization parameter of the authorization vector and the reference authorization value; generate a target authorization value using the message authentication function according to the third authorization parameter and the second authorization parameter; and, when the target authorization value is equal to the reference authorization value, determine that mutual authentication with the terminal succeeds.
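The three-party flow the claims describe (core network element, terminated small base station, terminal), as an added Python example that is not the patent's own code: HMAC-SHA256 stands in for the unspecified message authentication function, the AKA-style derivation of RAND/AUTN/XRES/CK/IK from a long-term shared key is an assumption, and every function name here is hypothetical. The terminal's check in claims 4 and 8 is what lets it reject a relay that never completed mutual authentication with the core and therefore cannot produce the second authorization parameter.

```python
import hashlib
import hmac
import os


def mac(key: bytes, *parts: bytes) -> bytes:
    """The patent's 'message authentication function'; HMAC-SHA256 is an assumption."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:                    # length-prefix each field so the input is unambiguous
        m.update(len(part).to_bytes(2, "big") + part)
    return m.digest()


def make_vector_group(shared_key: bytes, rand: bytes) -> dict:
    """Core side: AKA-style group (RAND, AUTN, XRES, CK, IK) derived from a long-term key (assumed)."""
    return {"rand": rand,
            "autn": mac(shared_key, b"autn", rand),
            "xres": mac(shared_key, b"res", rand),
            "ck": mac(shared_key, b"ck", rand),
            "ik": mac(shared_key, b"ik", rand)}


def core_prepare(k_terminal: bytes, k_bs: bytes) -> tuple:
    """Core network element (claims 1, 3): first group for the terminal, second for the small base
    station, P1 = f(CK1, RAND1), P2 = f(CK2, RAND2), reference authorization value REF = f(P1, P2)."""
    av1 = make_vector_group(k_terminal, os.urandom(16))
    av2 = make_vector_group(k_bs, os.urandom(16))
    p1 = mac(av1["ck"], av1["rand"])
    p2 = mac(av2["ck"], av2["rand"])
    return av1, av2, mac(p1, p2)


def authenticate_core(shared_key: bytes, av: dict):
    """Mutual authentication with the core: verify AUTN under the long-term key, then derive CK."""
    if not hmac.compare_digest(mac(shared_key, b"autn", av["rand"]), av["autn"]):
        return None
    return mac(shared_key, b"ck", av["rand"])


def small_base_station(k_bs: bytes, av1: dict, av2: dict, ref: bytes) -> tuple:
    """Claim 1: authenticate with the core on the second group, build the authorization vector
    (P2, REF) and forward the first group, REF and the vector to the terminal."""
    ck2 = authenticate_core(k_bs, av2)
    if ck2 is None:
        raise ValueError("small base station: mutual authentication with core failed")
    p2 = mac(ck2, av2["rand"])                 # second authorization parameter
    return av1, ref, {"p2": p2, "ref": ref}


def terminal(k_terminal: bytes, av1: dict, ref: bytes, auth_vector: dict) -> bool:
    """Claims 5 and 8: authenticate with the core on the first group, then check the base station."""
    ck1 = authenticate_core(k_terminal, av1)
    if ck1 is None:
        return False
    p3 = mac(ck1, av1["rand"])                 # third authorization parameter
    target = mac(p3, auth_vector["p2"])        # target authorization value
    return hmac.compare_digest(target, ref)    # constant-time comparison against REF


def run_legitimate(k_terminal: bytes, k_bs: bytes) -> bool:
    av1, av2, ref = core_prepare(k_terminal, k_bs)
    return terminal(k_terminal, *small_base_station(k_bs, av1, av2, ref))


def run_unauthenticated_relay(k_terminal: bytes, k_bs: bytes) -> bool:
    """A relay without CK2 cannot compute P2; a guessed value fails the terminal's check."""
    av1, _, ref = core_prepare(k_terminal, k_bs)
    return terminal(k_terminal, av1, ref, {"p2": os.urandom(32), "ref": ref})
```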
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710481726.5A CN107466038B (en) | 2017-06-22 | 2017-06-22 | Authentication method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107466038A true CN107466038A (en) | 2017-12-12 |
CN107466038B CN107466038B (en) | 2020-08-04 |
Family
ID=60546395
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710481726.5A Active CN107466038B (en) | 2017-06-22 | 2017-06-22 | Authentication method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107466038B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101511084A (en) * | 2008-02-15 | 2009-08-19 | 中国移动通信集团公司 | Authentication and cipher key negotiation method of mobile communication system |
CN102143489A (en) * | 2010-02-01 | 2011-08-03 | 华为技术有限公司 | Method, device and system for authenticating relay node |
CN104159223A (en) * | 2014-07-15 | 2014-11-19 | 清华大学 | Identification method for relay communication user |
WO2017026465A1 (en) * | 2015-08-07 | 2017-02-16 | シャープ株式会社 | Terminal device, base station device, method for controlling communication of terminal device, and method for controlling communication of base station device |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112118549A (en) * | 2020-10-14 | 2020-12-22 | 中国联合网络通信集团有限公司 | Authentication method, SMF, CHF, computer device, and storage medium |
CN112118549B (en) * | 2020-10-14 | 2021-09-03 | 中国联合网络通信集团有限公司 | Authentication method, SMF, CHF, computer device, and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||