CN107770770A - Access authentication method, UE and access device


Info

Publication number: CN107770770A
Authority: CN (China)
Prior art keywords: network function, user terminal, access, network, temporary identifier
Legal status: Pending
Application number: CN201610676117.0A
Other languages: Chinese (zh)
Inventor: 侯云静
Current assignee: China Academy of Telecommunications Technology (CATT)
Original assignee: China Academy of Telecommunications Technology (CATT)
Application filed by China Academy of Telecommunications Technology (CATT)
Related applications: CN201610676117.0A (published as CN107770770A); PCT/CN2017/095922 (published as WO2018032984A1); TW106126677A (published as TWI641271B)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/06 Authentication
    • H04W12/08 Access security

Abstract

The present invention provides an access authentication method, a UE and an access device. The method may include: a UE sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function judges from the temporary identifier whether the UE is authenticated. Embodiments of the present invention can reduce signaling waste.

Description

Access authentication method, UE and access device
Technical field
The present invention relates to the field of communication technology, and in particular to an access authentication method, a user terminal (User Equipment, UE) and an access device.
Background technology
In a communication system, a UE at different locations or in different scenarios frequently needs to connect to the core network through different access networks; for example, after the UE has connected to the core network through one access network, it connects to the core network again through another access network. In current communication systems, however, the UE must perform an authentication procedure every time it connects to the core network through an access network. Each authentication procedure involves an exchange of signaling, so signaling is wasted.
The content of the invention
The object of the present invention is to provide an access authentication method, a UE and an access device that solve the problem of wasted signaling.
To achieve the above object, an embodiment of the present invention provides an access authentication method, including:
a UE sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function judges from the temporary identifier whether the UE is authenticated.
Optionally, the temporary identifier is one that the network function allocated to the UE when the UE connected to the core network through another access network.
Optionally, the method further includes:
if the UE is not authenticated, the UE performs an authentication procedure initiated by the network function, where the UE being not authenticated means that the network function did not find a context of the UE from the temporary identifier.
Optionally, the UE also sends security verification information to the access network, and the access network also sends the security verification information to the network function, so that the network function judges from the security verification information whether the UE is legitimate.
Optionally, the security verification information includes one or more of the following:
an encrypted identifier, an encrypted request message, or a signature.
Optionally, the method further includes:
if the verification fails, the UE performs an authentication procedure initiated by the network function; or
if the verification fails, the UE receives a new identifier that the network function sends through an access network the UE has already connected to; or
if the verification fails, the UE receives a rejection message returned by the network function.
An embodiment of the present invention also provides an access authentication method, including:
an access device receives a temporary identifier sent by a UE;
the access device sends the temporary identifier to a network function, so that the network function judges from the temporary identifier whether the UE is authenticated.
Optionally, the temporary identifier is one that the network function allocated to the UE when the UE connected to the core network through another access network, where the other access network does not include the access device.
Optionally, the method further includes:
if the network function finds the context of the UE from the temporary identifier, this indicates that the UE is authenticated, and the access device receives an indication sent by the network function that the UE is authenticated.
Optionally, the access device also receives security verification information sent by the UE, and the access network also sends the security verification information to the network function, so that the network function verifies the UE from the security verification information.
Optionally, the security verification information includes one or more of the following:
an encrypted identifier, an encrypted request message, or a signature.
An embodiment of the present invention also provides a UE, including:
a sending module, configured to send a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function judges from the temporary identifier whether the UE is authenticated.
Optionally, the temporary identifier is one that the network function allocated to the UE when the UE connected to the core network through another access network.
Optionally, the UE further includes:
a first execution module, configured to perform an authentication procedure initiated by the network function if the UE is not authenticated, where the UE being not authenticated means that the network function did not find the context of the UE from the temporary identifier.
Optionally, the UE also sends security verification information to the access network, and the access network also sends the security verification information to the network function, so that the network function judges from the security verification information whether the UE is legitimate.
Optionally, the security verification information includes one or more of the following:
an encrypted identifier, an encrypted request message, or a signature.
Optionally, the UE further includes:
a second execution module, configured to perform an authentication procedure initiated by the network function if the verification fails; or
a first receiving module, configured to receive, if the verification fails, a new identifier that the network function sends through an access network the UE has already connected to; or
a second receiving module, configured to receive a rejection message returned by the network function if the verification fails.
An embodiment of the present invention also provides an access device, including:
a first receiving module, configured to receive a temporary identifier sent by a UE;
a sending module, configured to send the temporary identifier to a network function, so that the network function judges from the temporary identifier whether the UE is authenticated.
Optionally, the temporary identifier is one that the network function allocated to the UE when the UE connected to the core network through another access network, where the other access network does not include the access device.
Optionally, the access device further includes:
a second receiving module, configured to receive an indication, sent by the network function, that the UE is authenticated, when the network function finds the context of the UE from the temporary identifier, which indicates that the UE is authenticated.
Optionally, the access device also receives security verification information sent by the UE, and the access network also sends the security verification information to the network function, so that the network function verifies the UE from the security verification information.
Optionally, the security verification information includes one or more of the following:
an encrypted identifier, an encrypted request message, or a signature.
The technical solution of the present invention described above has at least the following advantages:
In embodiments of the present invention, a UE sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function judges from the temporary identifier whether the UE is authenticated. The UE therefore only needs to send a temporary identifier to the access network, and the network function can judge from that temporary identifier whether the UE is authenticated. This avoids the UE having to perform an authentication procedure every time it connects to the core network through an access network, and so reduces signaling waste.
Brief description of the drawings
Fig. 1 is a schematic diagram of a network structure to which embodiments of the present invention can be applied;
Fig. 2 is a schematic flowchart of an access authentication method provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of another access authentication method provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of another access authentication method provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of another access authentication method provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of another access authentication method provided by an embodiment of the present invention;
Fig. 7 is a schematic flowchart of another access authentication method provided by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a UE provided by an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of another UE provided by an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of another UE provided by an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of an access device provided by an embodiment of the present invention;
Fig. 12 is a schematic structural diagram of another access device provided by an embodiment of the present invention;
Fig. 13 is a schematic structural diagram of another UE provided by an embodiment of the present invention;
Fig. 14 is a schematic structural diagram of another access device provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the technical problem to be solved, the technical solution and the advantages of the present invention clearer, a detailed description is given below with reference to the drawings and specific embodiments.
Referring to Fig. 1, Fig. 1 is a schematic diagram of a network structure to which embodiments of the present invention can be applied. As shown in Fig. 1, it includes a UE, a non-3GPP access network entity, a non-3GPP access stratum function (Non-3GPP Access Stratum Function, N3ASF), a control plane function (CP function), a user plane function (UP function), an application function (Application Function, AF) and a data network (Data Network, DN). Here, Y1 denotes the interface between the UE and the non-3GPP access network entity (such as a WLAN); Y2 denotes the interface between the UE and the N3ASF entity; Y4 denotes the interface between the N3ASF entity and the non-3GPP access network entity; NG1 denotes the interface between the UE and the control plane function; NG2 denotes the interface between the N3ASF and the control plane function, which can also be understood as the interface between a radio access network (Radio Access Network, RAN) and the control plane function; NG3 denotes the interface between the N3ASF and the user plane function, which can also be understood as the interface between the RAN and the user plane function; NG4 denotes the interface between the control plane function and the user plane function; NG5 denotes the interface between the control plane function and the AF; and NG6 denotes the interface between the user plane function and the DN. In addition, the N3ASF is a logical part of the access network, and it terminates the NG2 or NG3 interface. The protocol used between the UE and the N3ASF is N3-AS, which can be used to transparently transmit NAS messages, user plane bearer information and security information between the UE and the core network. Of course, the above network structure may also include other access network entities, such as 3GPP access network entities; embodiments of the present invention impose no limitation on this.
It should be noted that embodiments of the present invention are not limited to being implemented in the above network structure; the above network structure is only an example.
In addition, the UE may be a terminal-side device such as a mobile phone, a tablet personal computer (Tablet Personal Computer), a laptop computer (Laptop Computer), a personal digital assistant (PDA), a mobile Internet device (Mobile Internet Device, MID) or a wearable device (Wearable Device). It should be noted that the specific type of the UE is not limited in embodiments of the present invention.
Referring to Fig. 2, an embodiment of the present invention provides an access authentication method which, as shown in Fig. 2, includes the following steps:
201. A UE sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function judges from the temporary identifier whether the UE is authenticated.
In this embodiment of the present invention, the above step lets the UE send the temporary identifier to the access network, and lets the network function judge from the temporary identifier whether the UE is authenticated. For example, if the network function can find the context of the UE by the temporary identifier, this indicates that the UE is authenticated, that is, the UE has already connected to the core network through another access network. Once the network function has determined that the UE is authenticated, it does not need to initiate an authentication procedure toward the UE. The above step thus avoids the UE performing multiple authentication procedures when it connects to the core network through different access networks, and so reduces signaling waste.
In embodiments of the present invention, the above network function may be the control plane function.
Optionally, the above temporary identifier is one that the network function allocated to the UE when the UE connected to the core network through another access network.
In this embodiment, when the UE connected to the core network through another access network, the network function allocated the above temporary identifier to it. The other access network may be an access network whose access technology differs from that of the access network in step 201; for example, the access network in step 201 is a 3GPP access network, and the other access network may be an access network other than a 3GPP access network, such as a non-3GPP access network.
Optionally, the above method further includes:
if the UE is not authenticated, the UE performs an authentication procedure initiated by the network function, where the UE being not authenticated means that the network function did not find the context of the UE from the temporary identifier.
In this embodiment, if the network function determines from the temporary identifier that the UE is not authenticated, for example because the UE had not connected to the core network through another access network before step 201 was performed, the network function can initiate an authentication procedure toward the UE, that is, the UE performs the authentication procedure initiated by the network function.
Optionally, the UE also sends security verification information to the access network, and the access network (the access network in step 201) also sends the security verification information to the network function, so that the network function judges from the security verification information whether the UE is legitimate.
The security verification information may be sent together with the temporary identifier; for example, the UE sends the access network a message carrying both the security verification information and the temporary identifier. After receiving the security verification information, the access network also sends it to the network function, so that the network function can judge from it whether the UE is legitimate. This avoids the situation in which a malicious node intercepts the UE's identifier and impersonates the UE to connect to the core network. The security verification information may be negotiated in advance between the UE and the network function, or may be preassigned by the network function, and so on.
Optionally, the security verification information includes one or more of the following:
an encrypted identifier, an encrypted request message, or a signature.
The request message may be an attach request or a core network connection request. If the security verification information includes the request message, the network function can check the integrity of the request message using the integrity key in the context of the UE, and decrypt the request message using the cipher key in that context; if decryption succeeds, the verification is determined to pass, that is, the UE is determined to be legitimate.
The identifier may be an international mobile subscriber identity (International Mobile Subscriber Identification Number, IMSI) or an international mobile equipment identity (International Mobile Equipment Identity, IMEI), among others. If the security verification information includes the identifier, the network function can decrypt the identifier using the security information in the context of the UE; if decryption succeeds, the verification is determined to pass, that is, the UE is determined to be legitimate.
The signature may be a digital signature. The network function can match the signature in the context of the UE against the signature in the security verification information; if the match succeeds, the verification is determined to pass, that is, the UE is determined to be legitimate.
Optionally, the above method further includes:
if the verification fails, the UE performs an authentication procedure initiated by the network function; or
if the verification fails, the UE receives a new identifier that the network function sends through an access network the UE has already connected to; or
if the verification fails, the UE receives a rejection message returned by the network function.
In this embodiment, if the verification fails, the UE performs the authentication procedure initiated by the network function. Alternatively, if the verification fails, the UE receives a new identifier sent by the network function through an access network the UE has already connected to, so that the UE can use the new identifier for authentication. Or, if the verification fails, the UE receives a rejection message returned by the network function, meaning that the network function refuses to let the UE connect to the core network through the above access network; this avoids the situation in which a malicious node intercepts the UE's identifier and impersonates the UE to connect to the core network.
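As an added illustration (not code from the patent), the following models the network function's decision on an NG2 message: the context lookup by temporary identifier, the integrity check and encrypted-identifier check described above, and the three outcomes (accept, run the authentication procedure, reject). It assumes HMAC-SHA256 for integrity and an HMAC-based keystream as a stand-in for the real NAS cipher; all keys, identifiers and message names are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def keystream_xor(cipher_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher (assumption, stands in for the NAS cipher):
    XOR data with HMAC-SHA256(cipher_key, nonce || counter) blocks."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream.extend(hmac.new(cipher_key, block, hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def integrity_mac(integrity_key: bytes, access_network: str, nonce: bytes,
                  request: bytes, enc_imsi: bytes) -> bytes:
    """Integrity protection over everything the UE sends, bound to the access network."""
    payload = access_network.encode() + nonce + request + enc_imsi
    return hmac.new(integrity_key, payload, hashlib.sha256).digest()


@dataclass
class UeContext:
    """What the network function keeps after a full authentication of the UE."""
    imsi: str
    integrity_key: bytes
    cipher_key: bytes
    access_networks: list = field(default_factory=list)


class NetworkFunction:
    """Control plane function: owns UE contexts keyed by temporary identifier."""

    def __init__(self):
        self._contexts = {}

    def allocate_temp_id(self, ctx: UeContext, access_network: str) -> str:
        """Allocated when the UE first connects to the core network (after authentication)."""
        temp_id = secrets.token_hex(8)
        ctx.access_networks.append(access_network)
        self._contexts[temp_id] = ctx
        return temp_id

    def handle_ng2(self, temp_id: str, access_network: str, request: bytes,
                   nonce: bytes, enc_imsi: bytes, mac: bytes) -> str:
        """Decide on an NG2 message carrying the temporary identifier and the
        security verification information (encrypted IMSI plus integrity MAC)."""
        ctx = self._contexts.get(temp_id)
        if ctx is None:
            # No context: the UE is not authenticated, run the authentication procedure.
            return "AUTHENTICATE"
        expected = integrity_mac(ctx.integrity_key, access_network, nonce, request, enc_imsi)
        if not hmac.compare_digest(expected, mac):
            # A bare temporary identifier can be captured and replayed; without the
            # UE's integrity key the sender cannot produce a valid MAC, so reject.
            return "REJECT"
        imsi = keystream_xor(ctx.cipher_key, nonce, enc_imsi)
        if not hmac.compare_digest(imsi, ctx.imsi.encode()):
            return "REJECT"
        # Verified: record the new access network in the context, no re-authentication.
        ctx.access_networks.append(access_network)
        return "ACCEPT"


class Ue:
    def __init__(self, imsi: str, integrity_key: bytes, cipher_key: bytes):
        self.imsi, self.integrity_key, self.cipher_key = imsi, integrity_key, cipher_key

    def build_request(self, temp_id: str, access_network: str, request: bytes) -> dict:
        """Temporary identifier plus security verification information for a new access."""
        nonce = secrets.token_bytes(12)
        enc_imsi = keystream_xor(self.cipher_key, nonce, self.imsi.encode())
        mac = integrity_mac(self.integrity_key, access_network, nonce, request, enc_imsi)
        return dict(temp_id=temp_id, access_network=access_network, request=request,
                    nonce=nonce, enc_imsi=enc_imsi, mac=mac)


def demo() -> dict:
    """Constructed scenario: first connection via non-3GPP access, then a 3GPP attach."""
    nf = NetworkFunction()
    ue = Ue("imsi-constructed-001", secrets.token_bytes(16), secrets.token_bytes(16))
    ctx = UeContext(ue.imsi, ue.integrity_key, ue.cipher_key)
    temp_id = nf.allocate_temp_id(ctx, "non-3GPP")  # after full authentication
    results = {}
    # Second access: only the temporary identifier is needed, no new authentication.
    results["reconnect"] = nf.handle_ng2(**ue.build_request(temp_id, "3GPP", b"ATTACH-REQUEST"))
    # Unknown temporary identifier: no context, so the full procedure must run.
    results["unknown"] = nf.handle_ng2(**ue.build_request("0000000000000000", "3GPP", b"ATTACH-REQUEST"))
    # A node that holds the temporary identifier but none of the UE's keys.
    other = Ue("imsi-constructed-002", secrets.token_bytes(16), secrets.token_bytes(16))
    results["no_keys"] = nf.handle_ng2(**other.build_request(temp_id, "3GPP", b"ATTACH-REQUEST"))
    results["access_networks"] = list(ctx.access_networks)
    return results
```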
Optionally, the UE can send the temporary identifier to the access network in an RRC message that also includes an attach request. For example, when the access network in step 201 is a 3GPP access network and the UE has connected to the core network through a non-3GPP access network, the procedure may be as shown in Fig. 3 and include the following steps:
Step 1: the UE sends an RRC message to the 3GPP access network; the RRC message includes an attach request and the temporary identifier, and the attach request may be encrypted;
Step 2: the 3GPP access network determines from the temporary identifier the network function that allocated it, and sends an NG2 interface message to the network function; the message includes the attach request and the temporary identifier;
Step 3: the network function finds the context of the UE from the temporary identifier and uses the security information in the context to judge the security of the attach request (for example, checking the integrity of the message with the integrity key and successfully decrypting the attach request with the cipher key). If the attach request is secure, the network function stores the information of the new access network (the 3GPP access network to which the 3GPP access network entity belongs) in the UE's context, and then returns an NG2 interface message to the 3GPP access network; the message includes an attach accept message;
Step 4: the 3GPP access network returns an RRC message to the UE; the message includes the attach accept message.
In addition, the UE can also send the temporary identifier to the access network in a connection setup message, for example by including the temporary identifier in the message parameters of the connection setup message. For example, when the access network in step 201 is a non-3GPP access network and the UE has connected to the core network through a 3GPP access network, the procedure may be as shown in Fig. 4 and include the following steps:
Step 1: the UE sends a connection setup message to the non-3GPP access network; the message parameters include the temporary identifier that the network function allocated to the UE when it connected to the core network through 3GPP access;
Step 2: the non-3GPP access network sends a connection request message to the N3ASF; the message parameters include the temporary identifier provided by the UE. It should be noted that if the N3ASF and the non-3GPP access network are co-located, this step is not performed;
Step 3: the N3ASF sends an NG2 interface message to the network function; the message parameters include the access technology and the temporary identifier provided by the UE;
Step 4: the network function finds the context of the UE from the UE's temporary identifier and finds that the UE has connected to the core network through a 3GPP access network; the network function sends an NG2 interface message to the N3ASF carrying an indication that the UE is authenticated;
Step 5: the N3ASF sends a connection response message to the non-3GPP access network carrying the indication that the UE is authenticated. It should be noted that if the N3ASF and the non-3GPP access network are co-located, this step is not performed;
Step 6: the non-3GPP access network sends a connection setup complete message to the UE.
In addition, in this embodiment, the connection setup message may also include an encrypted identifier or a signature. For example, the UE may also use its security context to encrypt its IMSI or IMEI and send the encrypted IMSI or IMEI to the non-3GPP access network entity in step 1. That is, in the above embodiment the messages of steps 1, 2 and 3 also carry the encrypted IMSI or IMEI, or a signature. In step 3, the network function finds the UE's context using the temporary identifier and then decrypts the IMSI or IMEI, or verifies the signature, using the security information in the context. If the UE's IMSI or IMEI can be decrypted, or the signature is correct, the UE is genuine. If the decrypted identifier differs from the IMSI or IMEI in the UE's context, or the signature is incorrect, the UE is being impersonated by a malicious node.
In addition, in this embodiment, because what is transmitted between the UE and the access network is the connection setup message and the connection complete message, the protocol between the UE and the non-3GPP access network is extended.
In addition, the UE can also send the temporary identifier to the access network in an Extensible Authentication Protocol (EAP) response message. For example, when the access network in step 201 is a non-3GPP access network and the UE has connected to the core network through a 3GPP access network, the procedure may be as shown in Fig. 5 and include the following steps:
Step 1: a connection is established between the UE and the non-3GPP access network;
Step 2: the non-3GPP access network sends an EAP-REQ/Identity message to the UE, initiating an EAP authentication procedure;
Step 3: the UE returns an EAP-RSP/Identity message to the non-3GPP access network carrying the UE's temporary identifier;
Step 4: the non-3GPP access network sends the EAP-RSP/Identity message to the N3ASF. It should be noted that if the N3ASF and the non-3GPP access network are co-located, this step is not performed;
Step 5: the N3ASF sends the EAP-RSP/Identity message to the network function;
Step 6: the network function finds that the UE has connected to the core network through 3GPP access; the network function does not perform an authentication procedure toward the UE again, and returns an EAP-Success message to the N3ASF;
Step 7: the N3ASF returns the EAP-Success message to the non-3GPP access network. It should be noted that if the N3ASF and the non-3GPP access network are co-located, this step is not performed;
Step 8: the non-3GPP access network returns the EAP-Success message to the UE.
To ensure that the UE is a legitimate UE, the UE may also carry an encrypted IMSI, an encrypted IMEI or a signature in the EAP-RSP/Identity message.
In addition, this embodiment does not require the protocol between the UE and the non-3GPP access network to be extended.
The UE can also send the temporary identifier to the access network in a protocol request message. For example, the access network in step 201 may be an access network that includes the N3ASF, and the UE has connected to the core network through a 3GPP access network; the procedure may then be as shown in Fig. 6 and include the following steps:
Step 1: the UE sends an N3-AS request message to the N3ASF; the message includes the temporary identifier that the network function allocated to the UE when it accessed the core network through 3GPP access;
Step 2: the N3ASF determines from the temporary identifier the network function that allocated it, and then sends an NG2 interface message to the network function; the message includes the access technology and the temporary identifier;
Step 3: the network function finds the context of the UE from the temporary identifier, which shows that the UE has already performed an authentication procedure through 3GPP access; it returns an NG2 interface message to the N3ASF, and the message includes an authorization indication;
Step 4: the N3ASF returns an N3-AS response message to the UE; the message includes the authorization indication.
In addition, to ensure that the UE is a legitimate UE, the messages of steps 1 and 2 may also include an encrypted IMSI, an encrypted IMEI or a signature.
It should be noted that the optional embodiments introduced in this embodiment of the present invention may be combined with one another or implemented separately; embodiments of the present invention impose no limitation on this.
In embodiments of the present invention, a UE sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function judges from the temporary identifier whether the UE is authenticated. The UE therefore only needs to send a temporary identifier to the access network, and the network function can judge from that temporary identifier whether the UE is authenticated. This avoids the UE having to perform an authentication procedure every time it connects to the core network through an access network, and so reduces signaling waste.
Referring to Fig. 7, Fig. 7 is another access authentication method provided in an embodiment of the present invention, as shown in fig. 7, Comprise the following steps:
701st, access device receives the temporary mark that UE is sent;
702nd, access device sends the temporary mark to network function, so that the network function is according to institute State temporary mark and judge the UE whether certifications.
It should be noted that above-mentioned access device can be connecing in step 201 in embodiment shown in Fig. 2 Access device in networking, wherein, any reality of the access network in the embodiment shown in Fig. 2 in step 201 The mode of applying can realize the access device entity, not repeat herein.
Optionally, when the temporary mark is that the UE connects core net by other access networks, the net Network function is the temporary mark of UE distribution, wherein, other described access networks do not include the access and set It is standby.
Optionally, methods described also includes:
If the network function finds the context of the UE according to the temporary mark, then it represents that described UE certifications, the access device receive the prompting letter for the UE certifications that the network function is sent Breath.
Optionally, the access device also receives the secure authentication information that the UE is sent, and described connects Network also to send to the network function and have the secure authentication information, so that the network function is according to safety Checking information is authenticated to the UE.
Optionally, the secure authentication information includes following one or more:
The mark of encryption, the request message or signature of encryption.
It should be noted that the present embodiment is as access network corresponding with the embodiment shown in Fig. 2-6 (step Access network in rapid 201) embodiment, its specific embodiment may refer to the reality shown in Fig. 2-6 The related description of example is applied, thinks and avoids repeat specification, the present embodiment repeats no more.In the present embodiment, equally It can realize that reducing signaling wastes.
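The decision the network function takes in this embodiment, modelled as an added example (not the patent's own code): the forwarded temporary identifier is looked up in the stored UE context, the optional security verification information is checked, and a failed verification is handled by one of the three alternatives the text lists. Assumed here, not stated in the patent: a per-UE key kept with the UE context, and an HMAC-SHA256 over the identifier and request message standing in for the "signature".

```python
# Added example of the network-function side of the temporary-identifier check.
# Assumptions (constructed for this illustration): the UE context stores a per-UE
# key established when the UE first attached, and the "signature" carried as
# security verification information is HMAC-SHA256(key, temp_id || request).
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Outcome(Enum):
    AUTHENTICATED = "authenticated"            # context found, no authentication procedure
    RUN_AUTHENTICATION = "run_authentication"  # network function initiates authentication
    NEW_IDENTIFIER = "new_identifier"          # new identifier via the connected access network
    REJECTED = "rejected"                      # connection request refused


class FailurePolicy(Enum):
    """The three alternatives the text lists when verification fails."""
    AUTHENTICATE = "authenticate"
    REISSUE = "reissue"
    REJECT = "reject"


@dataclass
class UEContext:
    key: bytes             # per-UE key (assumption, see header comment)
    connected_access: str  # access network the UE attached through earlier


def ue_sign(key: bytes, temp_id: bytes, request: bytes) -> bytes:
    """UE side: produce the 'signature' sent as security verification information."""
    return hmac.new(key, temp_id + request, hashlib.sha256).digest()


class NetworkFunction:
    def __init__(self, failure_policy: FailurePolicy = FailurePolicy.REJECT) -> None:
        self._contexts: Dict[bytes, UEContext] = {}
        self._failure_policy = failure_policy

    def allocate_temp_id(self, key: bytes, access_network: str) -> bytes:
        """Allocate a temporary identifier when the UE connects via an access network."""
        temp_id = secrets.token_bytes(8)
        self._contexts[temp_id] = UEContext(key, access_network)
        return temp_id

    def handle_access(self, temp_id: bytes, request: bytes,
                      signature: Optional[bytes] = None) -> Tuple[Outcome, Optional[bytes]]:
        """Decide on a forwarded temporary identifier (plus optional verification info).

        Returns (outcome, new_identifier); new_identifier is set only for NEW_IDENTIFIER.
        """
        ctx = self._contexts.get(temp_id)
        if ctx is None:
            # No context for this identifier: the UE is not authenticated, so the
            # authentication procedure is run instead of accepting the identifier.
            return Outcome.RUN_AUTHENTICATION, None
        if signature is None:
            # Context found and no verification information supplied: authenticated.
            return Outcome.AUTHENTICATED, None
        expected = ue_sign(ctx.key, temp_id, request)
        if hmac.compare_digest(expected, signature):
            return Outcome.AUTHENTICATED, None
        # Verification failed: apply the configured alternative.
        if self._failure_policy is FailurePolicy.AUTHENTICATE:
            return Outcome.RUN_AUTHENTICATION, None
        if self._failure_policy is FailurePolicy.REISSUE:
            # Deliver a new identifier over the access network the UE is already
            # connected to; the old identifier is retired (assumption).
            new_id = self.allocate_temp_id(ctx.key, ctx.connected_access)
            del self._contexts[temp_id]
            return Outcome.NEW_IDENTIFIER, new_id
        return Outcome.REJECTED, None
```

Binding the request message into the signature means a valid signature copied onto a different request also fails verification, which is the case the `REJECT` and `REISSUE` paths exist for.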
Referring to Fig. 8, a structure of a UE is shown in the figure. As shown in Fig. 8, UE 800 includes the following module:
a sending module 801, configured to send a temporary identifier to the access network, so that the access network sends the temporary identifier to the network function, and the network function determines, according to the temporary identifier, whether the UE has been authenticated.
Optionally, the temporary identifier is a temporary identifier allocated to the UE by the network function when the UE connected to the core network through another access network.
Optionally, as shown in Fig. 9, UE 800 further includes:
a first execution module 802, configured to perform the authentication procedure initiated by the network function if the UE is not authenticated, where the UE being not authenticated means that the network function did not find the context of the UE according to the temporary identifier.
Optionally, the UE also sends security verification information to the access network, and the access network also sends the security verification information to the network function, so that the network function determines the legitimacy of the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following:
an encrypted identifier, an encrypted request message, or a signature.
Optionally, as shown in Fig. 10, UE 800 further includes:
a second execution module 803, configured to perform the authentication procedure initiated by the network function if the verification fails; or
a first receiving module 804, configured to receive, if the verification fails, a new identifier sent by the network function through an access network to which the UE is already connected; or
a second receiving module 805, configured to receive a rejection message returned by the network function if the verification fails.
It should be noted that the above UE 800 in the present embodiment may be the UE of any of the method embodiments of the present invention, and any implementation of the UE in the method embodiments of the present invention can be realized by the above UE 800 in the present embodiment and achieve the same beneficial effect, which is not repeated here.
Referring to Fig. 11, an embodiment of the present invention provides an access device. As shown in Fig. 11, access device 1100 includes the following modules:
a first receiving module 1101, configured to receive a temporary identifier sent by the UE;
a sending module 1102, configured to send the temporary identifier to the network function, so that the network function determines, according to the temporary identifier, whether the UE has been authenticated.
Optionally, the temporary identifier is a temporary identifier allocated to the UE by the network function when the UE connected to the core network through another access network, where the other access network does not include the access device.
Optionally, as shown in Fig. 12, access device 1100 further includes:
a second receiving module 1103, configured to receive, if the network function finds the context of the UE according to the temporary identifier (which indicates that the UE has been authenticated), an indication message sent by the network function indicating that the UE has been authenticated.
Optionally, the access device also receives security verification information sent by the UE, and the access network also sends the security verification information to the network function, so that the network function authenticates the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following:
an encrypted identifier, an encrypted request message, or a signature.
It should be noted that the above access device 1100 in the present embodiment may be the access device of any of the method embodiments of the present invention, and any implementation of the access device in the method embodiments of the present invention can be realized by the above access device 1100 in the present embodiment and achieve the same beneficial effect, which is not repeated here.
Referring to Fig. 13, a structure of a UE is shown in the figure. The UE includes: a processor 1300, a transceiver 1310, a memory 1320, a user interface 1330 and a bus interface, where:
the processor 1300 is configured to read the program in the memory 1320 and perform the following process:
sending a temporary identifier to the access network through the transceiver 1310, so that the access network sends the temporary identifier to the network function, and the network function determines, according to the temporary identifier, whether the UE has been authenticated.
The transceiver 1310 is configured to receive and send data under the control of the processor 1300.
In Fig. 13, the bus architecture may include any number of interconnected buses and bridges, specifically linking together various circuits of one or more processors represented by the processor 1300 and the memory represented by the memory 1320. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits, all of which are well known in the art and are therefore not described further here. The bus interface provides an interface. The transceiver 1310 may be a plurality of elements, namely a transmitter and a receiver, providing a unit for communicating with various other devices over a transmission medium. For different user equipments, the user interface 1330 may also be an interface capable of connecting to required external equipment; the connected equipment includes but is not limited to a keypad, a display, a loudspeaker, a microphone, a joystick and the like.
The processor 1300 is responsible for managing the bus architecture and general processing, and the memory 1320 may store data used by the processor 1300 when performing operations.
Optionally, the temporary identifier is a temporary identifier allocated to the UE by the network function when the UE connected to the core network through another access network.
Optionally, the processor 1300 is further configured to:
perform the authentication procedure initiated by the network function if the UE is not authenticated, where the UE being not authenticated means that the network function did not find the context of the UE according to the temporary identifier.
Optionally, the processor 1300 also sends security verification information to the access network through the transceiver 1310, and the access network also sends the security verification information to the network function, so that the network function determines the legitimacy of the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following:
an encrypted identifier, an encrypted request message, or a signature.
Optionally, the processor 1300 is further configured to:
perform the authentication procedure initiated by the network function if the verification fails; or
receive, if the verification fails, a new identifier sent by the network function through an access network to which the UE is already connected; or
if the verification fails, the request of the UE to connect to the core network through the access network is refused by the network function.
It should be noted that the above UE in the present embodiment may be the UE of any of the method embodiments of the present invention, and any implementation of the UE in the method embodiments of the present invention can be realized by the above UE in the present embodiment and achieve the same beneficial effect, which is not repeated here.
Referring to Fig. 14, a structure of an access device is shown in the figure. The access device includes: a processor 1400, a transceiver 1410, a memory 1420, a user interface 1430 and a bus interface, where:
the processor 1400 is configured to read the program in the memory 1420 and perform the following process:
receiving, through the transceiver 1410, a temporary identifier sent by the UE;
sending the temporary identifier to the network function through the transceiver 1410, so that the network function determines, according to the temporary identifier, whether the UE has been authenticated.
The transceiver 1410 is configured to receive and send data under the control of the processor 1400.
In Fig. 14, the bus architecture may include any number of interconnected buses and bridges, specifically linking together various circuits of one or more processors represented by the processor 1400 and the memory represented by the memory 1420. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits, all of which are well known in the art and are therefore not described further here. The bus interface provides an interface. The transceiver 1410 may be a plurality of elements, namely a transmitter and a receiver, providing a unit for communicating with various other devices over a transmission medium. For different user equipments, the user interface 1430 may also be an interface capable of connecting to required external equipment; the connected equipment includes but is not limited to a keypad, a display, a loudspeaker, a microphone, a joystick and the like.
The processor 1400 is responsible for managing the bus architecture and general processing, and the memory 1420 may store data used by the processor 1400 when performing operations.
Optionally, the temporary identifier is a temporary identifier allocated to the UE by the network function when the UE connected to the core network through another access network, where the other access network does not include the access device.
Optionally, the processor 1400 is further configured to:
receive, if the network function finds the context of the UE according to the temporary identifier (which indicates that the UE has been authenticated), an indication message sent by the network function indicating that the UE has been authenticated.
Optionally, the processor 1400 also receives, through the transceiver 1410, security verification information sent by the UE, and also sends the security verification information to the network function through the transceiver 1410, so that the network function authenticates the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following:
an encrypted identifier, an encrypted request message, or a signature.
It should be noted that the above access device in the present embodiment may be the access device of any of the method embodiments of the present invention, and any implementation of the access device in the method embodiments of the present invention can be realized by the above access device in the present embodiment and achieve the same beneficial effect, which is not repeated here.
In the several embodiments provided in the present application, it should be understood that the disclosed method and apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely schematic; the division into units is only a division by logical function, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist physically on its own, or two or more units may be integrated in one unit. The above integrated unit may be realized in the form of hardware, or in the form of hardware plus a software functional unit.
The above integrated unit realized in the form of a software functional unit may be stored in a computer-readable storage medium. The above software functional unit is stored in a storage medium and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform part of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium capable of storing program code.
The above are preferred embodiments of the present invention. It should be noted that a person of ordinary skill in the art can make a number of improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (22)

  1. An access authentication method, characterized in that it includes:
    a user terminal sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines, according to the temporary identifier, whether the user terminal has been authenticated.
  2. The method as claimed in claim 1, characterized in that the temporary identifier is a temporary identifier allocated to the user terminal by the network function when the user terminal connected to the core network through another access network.
  3. The method as claimed in claim 1, characterized in that the method further includes:
    if the user terminal is not authenticated, the user terminal performs the authentication procedure initiated by the network function, where the user terminal being not authenticated means that the network function did not find the context of the user terminal according to the temporary identifier.
  4. The method as claimed in any one of claims 1-3, characterized in that the user terminal also sends security verification information to the access network, and the access network also sends the security verification information to the network function, so that the network function determines the legitimacy of the user terminal according to the security verification information.
  5. The method as claimed in claim 4, characterized in that the security verification information includes one or more of the following:
    an encrypted identifier, an encrypted request message, or a signature.
  6. The method as claimed in claim 4, characterized in that the method further includes:
    if the verification fails, the user terminal performs the authentication procedure initiated by the network function; or
    if the verification fails, the user terminal receives a new identifier sent by the network function through an access network to which the user terminal is already connected; or
    if the verification fails, the user terminal receives a rejection message returned by the network function.
  7. An access authentication method, characterized in that it includes:
    an access device receives a temporary identifier sent by a user terminal;
    the access device sends the temporary identifier to a network function, so that the network function determines, according to the temporary identifier, whether the user terminal has been authenticated.
  8. The method as claimed in claim 7, characterized in that the temporary identifier is a temporary identifier allocated to the user terminal by the network function when the user terminal connected to the core network through another access network, where the other access network does not include the access device.
  9. The method as claimed in claim 8, characterized in that the method further includes:
    if the network function finds the context of the user terminal according to the temporary identifier, this indicates that the user terminal has been authenticated, and the access device receives an indication message sent by the network function indicating that the user terminal has been authenticated.
  10. The method as claimed in any one of claims 7-9, characterized in that the access device also receives security verification information sent by the user terminal, and the access network also sends the security verification information to the network function, so that the network function authenticates the user terminal according to the security verification information.
  11. The method as claimed in claim 10, characterized in that the security verification information includes one or more of the following:
    an encrypted identifier, an encrypted request message, or a signature.
  12. A user terminal, characterized in that it includes:
    a sending module, configured to send a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines, according to the temporary identifier, whether the user terminal has been authenticated.
  13. The user terminal as claimed in claim 12, characterized in that the temporary identifier is a temporary identifier allocated to the user terminal by the network function when the user terminal connected to the core network through another access network.
  14. The user terminal as claimed in claim 12, characterized in that the user terminal further includes:
    a first execution module, configured to perform the authentication procedure initiated by the network function if the user terminal is not authenticated, where the user terminal being not authenticated means that the network function did not find the context of the user terminal according to the temporary identifier.
  15. The user terminal as claimed in any one of claims 12-14, characterized in that the user terminal also sends security verification information to the access network, and the access network also sends the security verification information to the network function, so that the network function determines the legitimacy of the user terminal according to the security verification information.
  16. The user terminal as claimed in claim 15, characterized in that the security verification information includes one or more of the following:
    an encrypted identifier, an encrypted request message, or a signature.
  17. The user terminal as claimed in claim 15, characterized in that the user terminal further includes:
    a second execution module, configured to perform the authentication procedure initiated by the network function if the verification fails; or
    a first receiving module, configured to receive, if the verification fails, a new identifier sent by the network function through an access network to which the user terminal is already connected; or
    a second receiving module, configured to receive a rejection message returned by the network function if the verification fails.
  18. An access device, characterized in that it includes:
    a first receiving module, configured to receive a temporary identifier sent by a user terminal;
    a sending module, configured to send the temporary identifier to a network function, so that the network function determines, according to the temporary identifier, whether the user terminal has been authenticated.
  19. The access device as claimed in claim 18, characterized in that the temporary identifier is a temporary identifier allocated to the user terminal by the network function when the user terminal connected to the core network through another access network, where the other access network does not include the access device.
  20. The access device as claimed in claim 19, characterized in that the access device further includes:
    a second receiving module, configured to receive, if the network function finds the context of the user terminal according to the temporary identifier (which indicates that the user terminal has been authenticated), an indication message sent by the network function indicating that the user terminal has been authenticated.
  21. The access device as claimed in any one of claims 18-20, characterized in that the access device also receives security verification information sent by the user terminal, and the access network also sends the security verification information to the network function, so that the network function authenticates the user terminal according to the security verification information.
  22. The access device as claimed in claim 21, characterized in that the security verification information includes one or more of the following:
    an encrypted identifier, an encrypted request message, or a signature.
CN201610676117.0A 2016-08-16 2016-08-16 A kind of access authentication method, UE and access device Pending CN107770770A (en)

Publications (1)

Publication Number Publication Date
CN107770770A true CN107770770A (en) 2018-03-06
Also Published As

Publication number Publication date
WO2018032984A1 (en) 2018-02-22
TWI641271B (en) 2018-11-11
TW201808028A (en) 2018-03-01
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20180306)