CN107770770A - A kind of access authentication method, UE and access device - Google Patents
- Publication number
- CN107770770A, CN201610676117.0A
- Authority
- CN
- China
- Prior art keywords
- network function
- user terminal
- access
- network
- temporary mark
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present invention provides an access authentication method, a UE and an access device. The method may include: a UE sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines from the temporary identifier whether the UE has been authenticated. Embodiments of the present invention can reduce signaling waste.
Description
Technical field
The present invention relates to the field of communication technologies, and in particular to an access authentication method, a user terminal (User Equipment, UE) and an access device.
Background
In a communication system, a UE often needs to connect to the core network through different access networks at different locations or in different scenarios. For example, after connecting to the core network through one access network, the UE connects to the core network again through another access network. In current communication systems, however, the UE has to perform an authentication procedure every time it connects to the core network through an access network. Every authentication procedure involves a signaling exchange, so signaling is wasted.
Summary of the invention
An object of the present invention is to provide an access authentication method, a UE and an access device that solve the problem of signaling waste.
To achieve the above object, an embodiment of the present invention provides an access authentication method, including:
A UE sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines from the temporary identifier whether the UE has been authenticated.
Optionally, the temporary identifier is the temporary identifier that the network function allocated to the UE when the UE connected to the core network through another access network.
Optionally, the method further includes:
If the UE has not been authenticated, the UE performs the authentication procedure initiated by the network function, where the UE not having been authenticated means that the network function did not find the UE's context according to the temporary identifier.
Optionally, the UE also sends security verification information to the access network, and the access network also sends the security verification information to the network function, so that the network function determines the legitimacy of the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following:
An encrypted identifier, an encrypted request message, or a signature.
Optionally, the method further includes:
If the verification fails, the UE performs the authentication procedure initiated by the network function; or
If the verification fails, the UE receives a new identifier sent by the network function through an access network to which the UE is already connected; or
If the verification fails, the user terminal receives a reject message returned by the network function.
An embodiment of the present invention also provides an access authentication method, including:
An access device receives a temporary identifier sent by a UE;
The access device sends the temporary identifier to a network function, so that the network function determines from the temporary identifier whether the UE has been authenticated.
Optionally, the temporary identifier is the temporary identifier that the network function allocated to the UE when the UE connected to the core network through another access network, where that other access network does not include the access device.
Optionally, the method further includes:
If the network function finds the UE's context according to the temporary identifier, the UE has been authenticated, and the access device receives from the network function an indication that the UE has been authenticated.
Optionally, the access device also receives security verification information sent by the UE, and the access network also sends the security verification information to the network function, so that the network function verifies the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following:
An encrypted identifier, an encrypted request message, or a signature.
An embodiment of the present invention also provides a UE, including:
A sending module, configured to send a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines from the temporary identifier whether the UE has been authenticated.
Optionally, the temporary identifier is the temporary identifier that the network function allocated to the UE when the UE connected to the core network through another access network.
Optionally, the UE further includes:
A first execution module, configured to perform the authentication procedure initiated by the network function if the UE has not been authenticated, where the UE not having been authenticated means that the network function did not find the UE's context according to the temporary identifier.
Optionally, the UE also sends security verification information to the access network, and the access network also sends the security verification information to the network function, so that the network function determines the legitimacy of the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following:
An encrypted identifier, an encrypted request message, or a signature.
Optionally, the UE further includes:
A second execution module, configured to perform the authentication procedure initiated by the network function if the verification fails; or
A first receiving module, configured to receive, if the verification fails, a new identifier sent by the network function through an access network to which the UE is already connected; or
A second receiving module, configured to receive, if the verification fails, a reject message returned by the network function.
An embodiment of the present invention also provides an access device, including:
A first receiving module, configured to receive a temporary identifier sent by a UE;
A sending module, configured to send the temporary identifier to a network function, so that the network function determines from the temporary identifier whether the UE has been authenticated.
Optionally, the temporary identifier is the temporary identifier that the network function allocated to the UE when the UE connected to the core network through another access network, where that other access network does not include the access device.
Optionally, the access device further includes:
A second receiving module, configured to receive from the network function an indication that the UE has been authenticated, if the network function finds the UE's context according to the temporary identifier, which means that the UE has been authenticated.
Optionally, the access device also receives security verification information sent by the UE, and the access network also sends the security verification information to the network function, so that the network function verifies the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following:
An encrypted identifier, an encrypted request message, or a signature.
The above technical solution of the present invention has at least the following beneficial effects:
In the embodiments of the present invention, a UE sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines from the temporary identifier whether the UE has been authenticated. The UE therefore only needs to send a temporary identifier to the access network for the network function to determine whether the UE has been authenticated. This avoids the UE having to perform an authentication procedure every time it connects to the core network through an access network, and so reduces signaling waste.
Brief description of the drawings
Fig. 1 is a schematic diagram of a network structure to which embodiments of the present invention are applicable;
Fig. 2 is a schematic flowchart of an access authentication method provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of another access authentication method provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of another access authentication method provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of another access authentication method provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of another access authentication method provided by an embodiment of the present invention;
Fig. 7 is a schematic flowchart of another access authentication method provided by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a UE provided by an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of another UE provided by an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of another UE provided by an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of an access device provided by an embodiment of the present invention;
Fig. 12 is a schematic structural diagram of another access device provided by an embodiment of the present invention;
Fig. 13 is a schematic structural diagram of another UE provided by an embodiment of the present invention;
Fig. 14 is a schematic structural diagram of another access device provided by an embodiment of the present invention.
Detailed description
To make the technical problem to be solved, the technical solutions and the advantages of the present invention clearer, they are described in detail below with reference to the drawings and specific embodiments.
Referring to Fig. 1, Fig. 1 is a schematic diagram of a network structure to which embodiments of the present invention are applicable. As shown in Fig. 1, it includes a UE, a non-3GPP access network entity, a non-3GPP access stratum function (Non-3GPP Access Stratum Function, N3ASF), a control plane function (CP functions), a user plane function (UP functions), an application function (Application Function, AF) and a data network (Data Network, DN). Y1 denotes the interface between the UE and the non-3GPP access network (for example, WLAN) entity; Y2 denotes the interface between the UE and the N3ASF entity; Y4 denotes the interface between the N3ASF entity and the non-3GPP access network entity; NG1 denotes the interface between the UE and the control plane function; NG2 denotes the interface between the N3ASF and the control plane function, which can also be understood as the interface between the radio access network (Radio Access Network, RAN) and the control plane function; NG3 denotes the interface between the N3ASF and the user plane function, which can also be understood as the interface between the RAN and the user plane function; NG4 denotes the interface between the control plane function and the user plane function; NG5 denotes the interface between the control plane function and the AF; and NG6 denotes the interface between the user plane function and the DN. In addition, the N3ASF is a logical part of the access network and terminates the NG2 or NG3 interface. The protocol used between the UE and the N3ASF is N3-AS, which can be used to transparently transmit NAS messages, user plane bearer information and security information between the UE and the core network. The above network structure may of course also include other access network entities, such as 3GPP access network entities, which the embodiments of the present invention do not limit.
It should be noted that the embodiments of the present invention are not limited to being implemented in the above network structure, which is only an example.
In addition, the UE may be a terminal-side device such as a mobile phone, a tablet personal computer (Tablet Personal Computer), a laptop computer (Laptop Computer), a personal digital assistant (PDA), a mobile Internet device (Mobile Internet Device, MID) or a wearable device (Wearable Device). It should be noted that the embodiments of the present invention do not limit the specific type of the UE.
Referring to Fig. 2, an embodiment of the present invention provides an access authentication method which, as shown in Fig. 2, includes the following step:
201. A UE sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines from the temporary identifier whether the UE has been authenticated.
In this embodiment, through the above step the UE sends the temporary identifier to the access network, and the network function can then determine from the temporary identifier whether the UE has been authenticated. For example, if the network function can find the UE's context using the temporary identifier, the UE has been authenticated, that is, the UE is connected to the core network through another access network. Once the network function determines that the UE has been authenticated, it does not need to initiate an authentication procedure towards the UE. The above step thus avoids performing the authentication procedure multiple times when the UE connects to the core network through different access networks, which reduces signaling waste.
In the embodiments of the present invention, the network function may be a control plane function.
Optionally, the temporary identifier is the temporary identifier that the network function allocated to the UE when the UE connected to the core network through another access network.
In this implementation, the temporary identifier is the one the network function allocated to the UE when the UE connected to the core network through another access network. That other access network may be an access network whose access technology differs from that of the access network in step 201. For example, if the access network in step 201 is a 3GPP access network, the other access network may be an access network other than a 3GPP access network, such as a non-3GPP access network.
Optionally, the above method further includes:
If the UE has not been authenticated, the UE performs the authentication procedure initiated by the network function, where the UE not having been authenticated means that the network function did not find the UE's context according to the temporary identifier.
In this implementation, if the network function determines from the temporary identifier that the UE has not been authenticated (for example, the UE had not connected to the core network through any other access network before performing step 201), the network function can initiate an authentication procedure towards the UE, and the UE performs the authentication procedure initiated by the network function.
Optionally, the UE also sends security verification information to the access network, and the access network (the access network in step 201) also sends the security verification information to the network function, so that the network function determines the legitimacy of the UE according to the security verification information.
The security verification information may be sent together with the temporary identifier, for example in a message to the access network that carries both the security verification information and the temporary identifier. After receiving the security verification information, the access network can forward it to the network function, so that the network function can determine the legitimacy of the UE according to the security verification information. This prevents a malicious peer from intercepting the UE's identifier and impersonating the UE to connect to the core network. In addition, the security verification information may be negotiated in advance between the UE and the network function, or may be specified in advance by the network function.
Optionally, the security verification information includes one or more of the following:
An encrypted identifier, an encrypted request message, or a signature.
The request message may be an attach request or a request to connect to the core network. If the security verification information includes the request message, the network function may check the integrity of the request message using the integrity key in the UE's context and decrypt the request message using the key in that context. If decryption succeeds, the verification passes, that is, the UE is determined to be legitimate.
The identifier may be an international mobile subscriber identity (International Mobile Subscriber Identification Number, IMSI), an international mobile equipment identity (International Mobile Equipment Identity, IMEI), or the like. If the security verification information includes the identifier, the network function may decrypt the identifier using the security information in the UE's context. If decryption succeeds, the verification passes, that is, the UE is determined to be legitimate.
The signature may be a digital signature. The network function may match the signature in the UE's context against the signature in the security verification information. If they match, the verification passes, that is, the UE is determined to be legitimate.
Optionally, the above method further includes:
If the verification fails, the UE performs the authentication procedure initiated by the network function; or
If the verification fails, the UE receives a new identifier sent by the network function through an access network to which the UE is already connected; or
If the verification fails, the UE receives a reject message returned by the network function.
In this implementation, if the verification fails, the UE may perform the authentication procedure initiated by the network function. Alternatively, if the verification fails, the UE receives a new identifier that the network function sends through an access network to which the UE is already connected, so that the UE can be authenticated using the new identifier. Alternatively, if the verification fails, the UE receives a reject message returned by the network function, meaning that the network function refuses to let the UE connect to the core network through the access network. This prevents a malicious peer from intercepting the UE's identifier and impersonating the UE to connect to the core network.
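The network function's decision described above (context lookup by temporary identifier, check of the security verification information, and the three failure outcomes), as an added Python sketch that is not part of the patent text. The class and function names are assumptions, and HMAC-SHA256 over the identifier and request stands in for the integrity check with the key held in the UE's context.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Outcome(Enum):
    ALREADY_AUTHENTICATED = 1  # context found and proof valid: no new authentication
    RUN_AUTHENTICATION = 2     # no context found, or failure policy asks for a full run
    NEW_IDENTIFIER = 3         # failure policy: re-issue the identifier
    REJECT = 4                 # failure policy: refuse the connection


@dataclass
class UEContext:
    integrity_key: bytes  # established by the earlier authentication
    access_networks: Set[str] = field(default_factory=set)


def make_proof(integrity_key: bytes, temp_id: str, request: bytes) -> bytes:
    """UE side: integrity tag over identifier and request (HMAC-SHA256 assumed)."""
    msg = temp_id.encode() + b"|" + request
    return hmac.new(integrity_key, msg, hashlib.sha256).digest()


class NetworkFunction:
    """Hypothetical control plane function holding UE contexts."""

    def __init__(self, require_proof: bool = True,
                 on_failure: Outcome = Outcome.REJECT) -> None:
        self.contexts: Dict[str, UEContext] = {}
        self.require_proof = require_proof
        self.on_failure = on_failure
        self.reissued: Dict[str, str] = {}  # old identifier -> new identifier

    def complete_authentication(self, access_network: str) -> Tuple[str, bytes]:
        """A full authentication finished: create context, allocate identifier."""
        temp_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.contexts[temp_id] = UEContext(key, {access_network})
        return temp_id, key

    def handle_access(self, temp_id: str, access_network: str,
                      request: bytes = b"",
                      proof: Optional[bytes] = None) -> Outcome:
        ctx = self.contexts.get(temp_id)
        if ctx is None:
            # No context for this identifier: the UE has not been authenticated.
            return Outcome.RUN_AUTHENTICATION
        if self.require_proof:
            expected = make_proof(ctx.integrity_key, temp_id, request)
            if proof is None or not hmac.compare_digest(expected, proof):
                return self._fail(temp_id)
        # Verified: record the new access network in the UE's context.
        ctx.access_networks.add(access_network)
        return Outcome.ALREADY_AUTHENTICATED

    def _fail(self, temp_id: str) -> Outcome:
        if self.on_failure is Outcome.NEW_IDENTIFIER:
            # Retire the presented identifier; the new one would be delivered
            # through the access network the UE is already connected to.
            new_id = secrets.token_hex(8)
            self.contexts[new_id] = self.contexts.pop(temp_id)
            self.reissued[temp_id] = new_id
        return self.on_failure


if __name__ == "__main__":
    nf = NetworkFunction()
    tid, key = nf.complete_authentication("3GPP")  # constructed sample run
    req = b"attach request"
    print(nf.handle_access(tid, "non-3GPP", req, make_proof(key, tid, req)))
    print(nf.handle_access(tid, "non-3GPP", req))  # identifier alone, no proof
```

With `require_proof=False` the sketch behaves like the base method, where possession of the temporary identifier alone is accepted; that is the case the security verification information is meant to close.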
Optionally, the UE may send the temporary identifier to the access network in an RRC message, and the RRC message also includes an attach request. For example, if the access network in step 201 is a 3GPP access network and the UE has connected to the core network through a non-3GPP access network, the procedure may, as shown in Fig. 3, include the following steps:
Step 1. The UE sends an RRC message to the 3GPP access network. The RRC message includes an attach request and the temporary identifier; the attach request may be an encrypted attach request;
Step 2. The 3GPP access network uses the temporary identifier to determine the network function that allocated it, and sends an NG2 interface message to the network function. The message includes the attach request and the temporary identifier;
Step 3. The network function finds the UE's context according to the temporary identifier and uses the security information in the context to judge the security of the attach request. If the attach request is secure (for example, the integrity of the message checks out with the integrity key and the attach request can be decrypted successfully with the key), the network function stores the information of the new access network (that is, the 3GPP access network to which the above 3GPP access network entity belongs) in the UE's context and then returns an NG2 interface message to the 3GPP access network. The message includes an attach accept message;
Step 4. The 3GPP access network returns an RRC message to the UE. The message includes the attach accept message.
In addition, the UE may also send the temporary identifier to the access network in a connection establishment message, for example as a message parameter of the connection establishment message. For example, if the access network in step 201 is a non-3GPP access network and the UE has connected to the core network through a 3GPP access network, the procedure may, as shown in Fig. 4, include the following steps:
Step 1. The UE sends a connection establishment message to the non-3GPP access network. The message parameters include the temporary identifier that the network function allocated to the UE when the UE connected to the core network through 3GPP access;
Step 2. The non-3GPP access network sends a connection request message to the N3ASF. The message parameter is the temporary identifier provided by the UE. It should be noted that this step is not performed if the N3ASF and the non-3GPP access network are co-located;
Step 3. The N3ASF sends an NG2 interface message to the network function. The message parameters include the access technology and the temporary identifier provided by the UE.
Step 4. The network function finds the UE's context according to the UE's temporary identifier and thereby finds that the UE is connected to the core network through a 3GPP access network. The network function sends an NG2 interface message to the N3ASF carrying an indication that the UE has been authenticated;
Step 5. The N3ASF sends a connection reply message to the non-3GPP access network carrying the indication that the UE has been authenticated. It should be noted that this step is not performed if the N3ASF and the non-3GPP access network are co-located;
Step 6. The non-3GPP access network sends a connection setup complete message to the UE.
In addition, in this implementation the connection establishment message may also include an encrypted identifier or a signature. For example, the UE may use the security context to encrypt its IMSI or IMEI and send the encrypted IMSI or IMEI to the non-3GPP access network entity in step 1. That is, the messages in steps 1, 2 and 3 also carry the encrypted IMSI or IMEI, or a signature. In step 3, the network function finds the UE's context using the temporary identifier and then uses the security information in the context to decrypt the IMSI or IMEI, or to verify the signature. If the UE's IMSI or IMEI can be decrypted, or the signature is correct, the UE is the correct UE. If the decrypted identifier is incorrect or differs from the IMSI or IMEI in the UE's context, or the signature is incorrect, the UE is being impersonated by a malicious peer.
In addition, in this implementation, because what is transmitted between the UE and the access network are the connection establishment message and the connection complete message, the protocol between the UE and the non-3GPP access network is extended.
In addition, the UE may also send the temporary identifier to the access network in an Extensible Authentication Protocol (Extensible Authentication Protocol, EAP) response message. For example, the access network in step 201 may be a non-3GPP access network and the UE has connected to the core network through a 3GPP access network; the procedure may then, as shown in Fig. 5, include the following steps:
Step 1. A connection is established between the UE and the non-3GPP access network;
Step 2. The non-3GPP access network sends an EAP-REQ/Identity message to the UE, initiating the EAP authentication procedure;
Step 3. The UE returns an EAP-RSP/Identity message to the non-3GPP access network. The message carries the UE's temporary identifier.
Step 4. The non-3GPP access network sends the EAP-RSP/Identity message to the N3ASF. It should be noted that this step is not performed if the N3ASF and the non-3GPP access network are co-located;
Step 5. The N3ASF sends the EAP-RSP/Identity message to the network function;
Step 6. The network function finds that the UE is connected to the core network through 3GPP access. The network function does not perform the authentication procedure on the UE again and returns an EAP-Success message to the N3ASF.
Step 7. The N3ASF returns the EAP-Success message to the non-3GPP access network. It should be noted that this step is not performed if the N3ASF and the non-3GPP access network are co-located;
Step 8. The non-3GPP access network returns the EAP-Success message to the UE.
To ensure that the UE is a legitimate UE, the UE may also carry the encrypted IMSI, the encrypted IMEI or a signature in the EAP-RSP/Identity message.
In addition, in this implementation the protocol between the UE and the non-3GPP access network does not need to be extended.
The UE may also send the temporary identifier to the access network in a protocol request message. For example, the access network in step 201 may be an access network that includes an N3ASF, and the UE has connected to the core network through a 3GPP access network; the procedure may then, as shown in Fig. 6, include the following steps:
Step 1. The UE sends an N3-AS request message to the N3ASF. The message includes the temporary identifier that the network function allocated to the UE when the UE accessed the core network through 3GPP;
Step 2. The N3ASF uses the temporary identifier to determine the network function that allocated it, and then sends an NG2 interface message to the network function. The message includes the access technology and the temporary identifier;
Step 3. The network function finds the UE's context according to the temporary identifier, which shows that the UE has already performed the authentication procedure through 3GPP access. It returns an NG2 interface message to the N3ASF. The message includes authorization indication information.
Step 4. The N3ASF returns an N3-AS reply message to the UE. The message includes the authorization indication information.
In addition, to ensure that the UE is a legitimate UE, the messages in steps 1 and 2 may also include the encrypted IMSI, the encrypted IMEI or a signature.
It should be noted that the optional implementations introduced in the embodiments of the present invention may be combined with one another or implemented separately, which the embodiments of the present invention do not limit.
In the embodiments of the present invention, a UE sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines from the temporary identifier whether the UE has been authenticated. The UE therefore only needs to send a temporary identifier to the access network for the network function to determine whether the UE has been authenticated. This avoids the UE having to perform an authentication procedure every time it connects to the core network through an access network, and so reduces signaling waste.
Referring to Fig. 7, Fig. 7 shows another access authentication method provided by an embodiment of the present invention which, as shown in Fig. 7, includes the following steps:
701. An access device receives a temporary identifier sent by a UE;
702. The access device sends the temporary identifier to a network function, so that the network function determines from the temporary identifier whether the UE has been authenticated.
It should be noted that the access device may be an access device in the access network of step 201 in the embodiment shown in Fig. 2. Any implementation of the access network of step 201 in the embodiment shown in Fig. 2 can be realized by this access device entity, and details are not repeated here.
Optionally, the temporary identifier is the temporary identifier that the network function allocated to the UE when the UE connected to the core network through another access network, where that other access network does not include the access device.
Optionally, the method further includes:
If the network function finds the UE's context according to the temporary identifier, the UE has been authenticated, and the access device receives from the network function an indication that the UE has been authenticated.
Optionally, the access device also receives security verification information sent by the UE, and the access network also sends the security verification information to the network function, so that the network function verifies the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following:
An encrypted identifier, an encrypted request message, or a signature.
It should be noted that this embodiment is the access network (the access network in step 201) implementation corresponding to the embodiments shown in Figs. 2-6. For its specific implementations, refer to the related descriptions of the embodiments shown in Figs. 2-6, which are not repeated here. This embodiment can likewise reduce signaling waste.
Referring to Fig. 8, a UE structure is shown. As shown in Fig. 8, UE 800 includes the following module:
Sending module 801, configured to send a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function judges, according to the temporary identifier, whether the UE has been authenticated.
Optionally, the temporary identifier is the one that the network function allocates to the UE when the UE connects to the core network through another access network.
Optionally, as shown in Fig. 9, UE 800 further includes:
First execution module 802, configured to perform, if the UE is not authenticated, the authentication procedure initiated by the network function, where the UE being unauthenticated means that the network function did not find the context of the UE according to the temporary identifier.
Optionally, the UE also sends security verification information to the access network, and the access network also sends the security verification information to the network function, so that the network function judges the legitimacy of the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following:
An encrypted identifier, an encrypted request message, or a signature.
Optionally, as shown in Fig. 10, UE 800 further includes:
Second execution module 803, configured to perform, if the verification fails, the authentication procedure initiated by the network function; or
First receiving module 804, configured to receive, if the verification fails, a new identifier sent by the network function through the access network to which the UE is already connected; or
Second receiving module 805, configured to receive, if the verification fails, a reject message returned by the network function.
It should be noted that UE 800 in this embodiment may be the UE of any implementation in the method embodiments of the present invention. Any implementation of the UE in the method embodiments can be realized by UE 800 in this embodiment with the same beneficial effect, which is not described again here.
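The decision the network function makes in the flow described above can be sketched as follows. This is an added example, not code from the patent: the class and function names, the use of HMAC-SHA256 as the "signature", the shared key in the UE context, and the retiring of the old temporary identifier (the page's "temporary mark") when a new one is issued are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    AUTHENTICATED = "context found and verification passed: no new authentication"
    FULL_AUTH = "no context for this identifier: network function initiates authentication"
    NEW_ID_VIA_OLD_ACCESS = "verification failed: new identifier sent via connected access network"
    REJECT = "verification failed: reject message returned"


@dataclass
class UEContext:
    key: bytes           # assumption: key shared with the UE since its first authentication
    access_network: str  # access network the UE is already connected through


def sign(key: bytes, temp_id: str, request: bytes) -> bytes:
    """Security verification information, modelled here as HMAC-SHA256 (assumption)."""
    # The page specifies no freshness value; a deployment would add a nonce or counter.
    return hmac.new(key, temp_id.encode() + b"|" + request, hashlib.sha256).digest()


class NetworkFunction:
    def __init__(self, on_verify_fail: Outcome = Outcome.REJECT):
        self.contexts = {}        # temporary identifier -> UEContext
        self.on_verify_fail = on_verify_fail
        self.sent_new_ids = []    # (access_network, new_id) messages, kept for inspection

    def first_attach(self, access_network: str):
        """Stand-in for the full authentication over the first access network."""
        temp_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.contexts[temp_id] = UEContext(key, access_network)
        return temp_id, key

    def handle_access(self, temp_id: str, request: bytes, signature: bytes) -> Outcome:
        ctx = self.contexts.get(temp_id)
        if ctx is None:
            return Outcome.FULL_AUTH
        # Constant-time comparison: the identifier alone, without a valid tag, is not enough.
        if hmac.compare_digest(sign(ctx.key, temp_id, request), signature):
            return Outcome.AUTHENTICATED
        if self.on_verify_fail is Outcome.NEW_ID_VIA_OLD_ACCESS:
            # Assumed interpretation: retire the identifier that was presented without
            # proof and deliver a fresh one over the access network already in use.
            new_id = secrets.token_hex(8)
            self.contexts[new_id] = self.contexts.pop(temp_id)
            self.sent_new_ids.append((ctx.access_network, new_id))
        return self.on_verify_fail


def demo():
    nf = NetworkFunction(on_verify_fail=Outcome.NEW_ID_VIA_OLD_ACCESS)
    temp_id, key = nf.first_attach("access-network-A")   # constructed names
    request = b"connect via access-network-B"
    return [
        nf.handle_access(temp_id, request, sign(key, temp_id, request)),
        nf.handle_access("0" * 16, request, b""),          # unknown identifier
        nf.handle_access(temp_id, request, b"\x00" * 32),  # identifier without the key
        nf.handle_access(temp_id, request, sign(key, temp_id, request)),  # old id retired
    ]


if __name__ == "__main__":
    for r in demo():
        print(r.name, "-", r.value)
```

The three failure outcomes correspond to the three alternatives listed for modules 803, 804 and 805; which one a network function applies is a policy choice that the page leaves open.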
Referring to Fig. 11, an embodiment of the present invention provides an access device. As shown in Fig. 11, access device 1100 includes the following modules:
First receiving module 1101, configured to receive a temporary identifier sent by a UE;
Sending module 1102, configured to send the temporary identifier to a network function, so that the network function judges, according to the temporary identifier, whether the UE has been authenticated.
Optionally, the temporary identifier is the one that the network function allocates to the UE when the UE connects to the core network through another access network, where the other access network does not include the access device.
Optionally, as shown in Fig. 12, access device 1100 further includes:
Second receiving module 1103, configured to receive, if the network function finds the context of the UE according to the temporary identifier, which indicates that the UE has been authenticated, a prompt message sent by the network function stating that the UE has been authenticated.
Optionally, the access device also receives security verification information sent by the UE, and the access network also sends the security verification information to the network function, so that the network function authenticates the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following:
An encrypted identifier, an encrypted request message, or a signature.
It should be noted that access device 1100 in this embodiment may be the access device of any implementation in the method embodiments of the present invention. Any implementation of the access device in the method embodiments can be realized by access device 1100 in this embodiment with the same beneficial effect, which is not described again here.
Referring to Fig. 13, a UE structure is shown. The UE includes: processor 1300, transceiver 1310, memory 1320, user interface 1330 and a bus interface, where:
Processor 1300 is configured to read the program in memory 1320 and perform the following process:
Sending a temporary identifier to an access network through transceiver 1310, so that the access network sends the temporary identifier to a network function, and the network function judges, according to the temporary identifier, whether the UE has been authenticated.
Transceiver 1310 is configured to receive and send data under the control of processor 1300.
In Fig. 13, the bus architecture may include any number of interconnected buses and bridges, which link together various circuits, specifically one or more processors represented by processor 1300 and memory represented by memory 1320. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits; these are well known in the art and are therefore not described further here. The bus interface provides an interface. Transceiver 1310 may be multiple elements, that is, it includes a transmitter and a receiver, and provides a unit for communicating with various other devices over a transmission medium. For different user equipment, user interface 1330 may also be an interface capable of connecting required devices externally or internally; the connected devices include but are not limited to a keypad, a display, a loudspeaker, a microphone, a joystick and the like.
Processor 1300 is responsible for managing the bus architecture and general processing, and memory 1320 can store the data used by processor 1300 when performing operations.
Optionally, the temporary identifier is the one that the network function allocates to the UE when the UE connects to the core network through another access network.
Optionally, processor 1300 is further configured to:
If the UE is not authenticated, perform the authentication procedure initiated by the network function, where the UE being unauthenticated means that the network function did not find the context of the UE according to the temporary identifier.
Optionally, processor 1300 also sends security verification information to the access network through transceiver 1310, and the access network also sends the security verification information to the network function, so that the network function judges the legitimacy of the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following:
An encrypted identifier, an encrypted request message, or a signature.
Optionally, processor 1300 is further configured to:
If the verification fails, perform the authentication procedure initiated by the network function; or
If the verification fails, receive a new identifier sent by the network function through the access network to which the UE is already connected; or
If the verification fails, the UE's request to connect to the core network through the access network is rejected by the network function.
It should be noted that the UE in this embodiment may be the UE of any implementation in the method embodiments of the present invention. Any implementation of the UE in the method embodiments can be realized by the UE in this embodiment with the same beneficial effect, which is not described again here.
Referring to Fig. 14, the structure of an access device is shown. The access device includes: processor 1400, transceiver 1410, memory 1420, user interface 1430 and a bus interface, where:
Processor 1400 is configured to read the program in memory 1420 and perform the following process:
Receiving, through transceiver 1410, a temporary identifier sent by a UE;
Sending the temporary identifier to a network function through transceiver 1410, so that the network function judges, according to the temporary identifier, whether the UE has been authenticated.
Transceiver 1410 is configured to receive and send data under the control of processor 1400.
In Fig. 14, the bus architecture may include any number of interconnected buses and bridges, which link together various circuits, specifically one or more processors represented by processor 1400 and memory represented by memory 1420. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits; these are well known in the art and are therefore not described further here. The bus interface provides an interface. Transceiver 1410 may be multiple elements, that is, it includes a transmitter and a receiver, and provides a unit for communicating with various other devices over a transmission medium. For different user equipment, user interface 1430 may also be an interface capable of connecting required devices externally or internally; the connected devices include but are not limited to a keypad, a display, a loudspeaker, a microphone, a joystick and the like.
Processor 1400 is responsible for managing the bus architecture and general processing, and memory 1420 can store the data used by processor 1400 when performing operations.
Optionally, the temporary identifier is the one that the network function allocates to the UE when the UE connects to the core network through another access network, where the other access network does not include the access device.
Optionally, processor 1400 is further configured to:
If the network function finds the context of the UE according to the temporary identifier, which indicates that the UE has been authenticated, receive a prompt message sent by the network function stating that the UE has been authenticated.
Optionally, processor 1400 also receives, through transceiver 1410, security verification information sent by the UE, and also sends the security verification information to the network function through transceiver 1410, so that the network function authenticates the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following:
An encrypted identifier, an encrypted request message, or a signature.
It should be noted that the access device in this embodiment may be the access device of any implementation in the method embodiments of the present invention. Any implementation of the access device in the method embodiments can be realized by the access device in this embodiment with the same beneficial effect, which is not described again here.
In the several embodiments provided in this application, it should be understood that the disclosed method and apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation. Multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform some of the steps of the sending and receiving methods described in the embodiments of the present invention. The storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (Read-Only Memory, ROM for short), random access memory (Random Access Memory, RAM for short), a magnetic disk or an optical disc.
The above are preferred embodiments of the present invention. It should be noted that a person of ordinary skill in the art may make several improvements and refinements without departing from the principles of the present invention, and these improvements and refinements shall also be regarded as falling within the protection scope of the present invention.
Claims (22)
- 1. An access authentication method, characterized by comprising: a user terminal sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function judges, according to the temporary identifier, whether the user terminal has been authenticated.
- 2. The method as claimed in claim 1, characterized in that the temporary identifier is the one that the network function allocates to the user terminal when the user terminal connects to the core network through another access network.
- 3. The method as claimed in claim 1, characterized in that the method further comprises: if the user terminal is not authenticated, the user terminal performs the authentication procedure initiated by the network function, where the user terminal being unauthenticated means that the network function did not find the context of the user terminal according to the temporary identifier.
- 4. The method as claimed in any one of claims 1-3, characterized in that the user terminal also sends security verification information to the access network, and the access network also sends the security verification information to the network function, so that the network function judges the legitimacy of the user terminal according to the security verification information.
- 5. The method as claimed in claim 4, characterized in that the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
- 6. The method as claimed in claim 4, characterized in that the method further comprises: if the verification fails, the user terminal performs the authentication procedure initiated by the network function; or if the verification fails, the user terminal receives a new identifier sent by the network function through the access network to which the user terminal is already connected; or if the verification fails, the user terminal receives a reject message returned by the network function.
- 7. An access authentication method, characterized by comprising: an access device receives a temporary identifier sent by a user terminal; the access device sends the temporary identifier to a network function, so that the network function judges, according to the temporary identifier, whether the user terminal has been authenticated.
- 8. The method as claimed in claim 7, characterized in that the temporary identifier is the one that the network function allocates to the user terminal when the user terminal connects to the core network through another access network, where the other access network does not include the access device.
- 9. The method as claimed in claim 8, characterized in that the method further comprises: if the network function finds the context of the user terminal according to the temporary identifier, which indicates that the user terminal has been authenticated, the access device receives a prompt message sent by the network function stating that the user terminal has been authenticated.
- 10. The method as claimed in any one of claims 7-9, characterized in that the access device also receives security verification information sent by the user terminal, and the access network also sends the security verification information to the network function, so that the network function authenticates the user terminal according to the security verification information.
- 11. The method as claimed in claim 10, characterized in that the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
- 12. A user terminal, characterized by comprising: a sending module, configured to send a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function judges, according to the temporary identifier, whether the user terminal has been authenticated.
- 13. The user terminal as claimed in claim 12, characterized in that the temporary identifier is the one that the network function allocates to the user terminal when the user terminal connects to the core network through another access network.
- 14. The user terminal as claimed in claim 12, characterized in that the user terminal further comprises: a first execution module, configured to perform, if the user terminal is not authenticated, the authentication procedure initiated by the network function, where the user terminal being unauthenticated means that the network function did not find the context of the user terminal according to the temporary identifier.
- 15. The user terminal as claimed in any one of claims 12-14, characterized in that the user terminal also sends security verification information to the access network, and the access network also sends the security verification information to the network function, so that the network function judges the legitimacy of the user terminal according to the security verification information.
- 16. The user terminal as claimed in claim 15, characterized in that the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
- 17. The user terminal as claimed in claim 15, characterized in that the user terminal further comprises: a second execution module, configured to perform, if the verification fails, the authentication procedure initiated by the network function; or a first receiving module, configured to receive, if the verification fails, a new identifier sent by the network function through the access network to which the user terminal is already connected; or a second receiving module, configured to receive, if the verification fails, a reject message returned by the network function.
- 18. An access device, characterized by comprising: a first receiving module, configured to receive a temporary identifier sent by a user terminal; a sending module, configured to send the temporary identifier to a network function, so that the network function judges, according to the temporary identifier, whether the user terminal has been authenticated.
- 19. The access device as claimed in claim 18, characterized in that the temporary identifier is the one that the network function allocates to the user terminal when the user terminal connects to the core network through another access network, where the other access network does not include the access device.
- 20. The access device as claimed in claim 19, characterized in that the access device further comprises: a second receiving module, configured to receive, if the network function finds the context of the user terminal according to the temporary identifier, which indicates that the user terminal has been authenticated, a prompt message sent by the network function stating that the user terminal has been authenticated.
- 21. The access device as claimed in any one of claims 18-20, characterized in that the access device also receives security verification information sent by the user terminal, and the access network also sends the security verification information to the network function, so that the network function authenticates the user terminal according to the security verification information.
- 22. The access device as claimed in claim 21, characterized in that the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610676117.0A CN107770770A (en) | 2016-08-16 | 2016-08-16 | A kind of access authentication method, UE and access device |
PCT/CN2017/095922 WO2018032984A1 (en) | 2016-08-16 | 2017-08-04 | Access authentication method, ue, and access device |
TW106126677A TWI641271B (en) | 2016-08-16 | 2017-08-08 | Access authentication method, UE and access equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610676117.0A CN107770770A (en) | 2016-08-16 | 2016-08-16 | A kind of access authentication method, UE and access device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107770770A (en) | 2018-03-06 |
Family
ID=61196332
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610676117.0A Pending CN107770770A (en) | 2016-08-16 | 2016-08-16 | A kind of access authentication method, UE and access device |
Country Status (3)
Country | Link |
---|---|
CN (1) | CN107770770A (en) |
TW (1) | TWI641271B (en) |
WO (1) | WO2018032984A1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110798833B (en) * | 2018-08-03 | 2023-10-24 | 华为技术有限公司 | Method and device for verifying user equipment identification in authentication process |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101808321A (en) * | 2009-02-16 | 2010-08-18 | 中兴通讯股份有限公司 | Security authentication method |
CN101835155A (en) * | 2010-03-31 | 2010-09-15 | 中兴通讯股份有限公司 | Method and system for accessing terminal to fusion network |
CN104506406A (en) * | 2011-11-03 | 2015-04-08 | 华为技术有限公司 | Processing method and equipment for secure data channel |
CN104871511A (en) * | 2012-12-19 | 2015-08-26 | 瑞典爱立信有限公司 | Device authentication by tagging |
CN104902473A (en) * | 2014-04-21 | 2015-09-09 | 孟俊 | Wireless network access authentication method and device based on CPK (Combined Public Key Cryptosystem) identity authentication |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103067337B (en) * | 2011-10-19 | 2017-02-15 | 中兴通讯股份有限公司 | Identity federation method, identity federation intrusion detection & prevention system (IdP), identity federation service provider (SP) and identity federation system |
CN105451284A (en) * | 2014-07-10 | 2016-03-30 | 华为技术有限公司 | Network switching method and device |
Also Published As
Publication number | Publication date |
---|---|
WO2018032984A1 (en) | 2018-02-22 |
TWI641271B (en) | 2018-11-11 |
TW201808028A (en) | 2018-03-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20180306 |