CN108112012A - Network authentication method and device for group terminals - Google Patents
- Publication number: CN108112012A (application number CN201611052482.0A)
- Authority: CN (China)
- Prior art keywords
- group
- terminal
- authentication
- key
- network
- Prior art date
- Legal status (as listed by Google Patents; an assumption, not a legal conclusion): Pending
Classifications
- H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04W—WIRELESS COMMUNICATION NETWORKS › H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity › H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
- H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04W—WIRELESS COMMUNICATION NETWORKS › H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity › H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a network authentication method and device for group terminals, which address the high equipment operation and maintenance cost, low authentication efficiency and weak authentication security of the existing procedure by which group terminals access a network. The method is as follows: a first terminal encrypts its identity information with a physical-layer shared key generated from the channel characteristic parameters between itself and a base station, and sends the encrypted identity information to a network server; it receives a group authentication vector that the network server generates from the identity information, completes network authentication using the group authentication vector, and triggers the network server to notify the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector. Because a terminal transmits its identity information only after encrypting it with a physical-layer shared key derived from the channel between itself and the base station, the probability that terminal identity information leaks is reduced.
Description
Technical field
The present invention relates to the field of communication security, and in particular to a network authentication method and device for group terminals.
Background technology
With the development of communication technology, Machine Type Communication (MTC) has become an important application scenario in Long Term Evolution (LTE) networks and in the forthcoming fifth-generation (5G) mobile networks. Under the existing 3rd Generation Partnership Project (3GPP) standards, when a large number of group devices access the network at the same time, the network must authenticate each group device separately, which can cause network congestion. At present, group authentication methods for 3GPP networks based on a main device (group leader) are generally used to solve this congestion problem.
During group establishment, the operator first assigns all group devices (User Equipment, UE) in the group the same group identity, key and so on, then pre-sets a device identity, device key and so on individually for each UE and stores them in the Home Subscriber Server (HSS); finally, one UE is selected as the main device of the group.
First method: the group devices support a radio transmission technology outside 3GPP, and the main device initiates the access request to the 3GPP network. The main device accesses the network as follows: the main device sends its International Mobile Subscriber Identity (IMSI) and electronic identity (eID) to the Mobility Management Entity (MME); the MME sends an authentication data request to the HSS and receives the Authentication Vector (AV) returned by the HSS; the main device completes network authentication with the authentication vector returned by the HSS. After the main device has successfully accessed the network it holds the authentication vector and forwards it to the other devices in the group over the non-3GPP radio access; the group then generates new device authentication vectors using techniques such as aggregate signatures, which are used for the 3GPP authentication of the other devices in the group.
However, this method requires the group devices to support a wireless technology outside 3GPP, which increases device cost and power consumption; the authentication procedure is also complicated and its efficiency is low.
Second method: the group devices do not support a radio transmission technology outside 3GPP, and the main device initiates the access request to the 3GPP network. The main device accesses the network as follows: the main device sends its IMSI and eID to the MME; the MME sends an authentication data request to the HSS, then receives and stores the authentication vector AV returned by the HSS; the main device completes network authentication with the authentication vector returned by the HSS. The MME now holds the authentication vector that the HSS generated when the main device accessed the network, and this vector can be used when the other devices in the group perform network authentication.
However, this method requires the device vendor to set a device key for each group device in advance, and the corresponding device key information must be stored in the HSS, which increases the manufacturing cost for the device vendor and the operating cost for the operator.
Moreover, both of the above group device authentication methods are based on the Authentication and Key Agreement procedure of LTE (EPS-AKA), and therefore cannot solve the security problems inherent in EPS-AKA authentication (for example, leakage of the International Mobile Subscriber Identity (IMSI) and of the key Ki), which leads to information leakage from the group devices.
In summary, a new network authentication method for group terminals needs to be designed to overcome the defects and shortcomings of the prior art.
Summary of the invention
Embodiments of the present invention provide a network authentication method and device for group terminals, to solve the problems of high equipment operation and maintenance cost, low authentication efficiency and weak authentication security in the existing procedure by which group terminals access a network.
The specific technical solutions provided by the embodiments of the present invention are as follows:
A network authentication method for group terminals, including:
a first terminal generates a physical-layer shared key from the channel characteristic parameters between itself and a base station;
the first terminal encrypts its identity information with the physical-layer shared key and sends the encrypted identity information to a network server;
the first terminal receives a group authentication vector that the network server generates from the identity information, completes network authentication using the group authentication vector, and triggers the network server to notify the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector.
Optionally, the first terminal generating the physical-layer shared key from the channel characteristic parameters between itself and the base station specifically includes:
each time the first terminal receives a probe signal sent by the base station, it calculates the signal feature corresponding to the received probe signal from the channel characteristic parameters between itself and the base station, and assembles the generated signal features into a signal feature sequence;
the first terminal performs quantization and correction processing on the signal feature sequence to obtain a processed signal feature sequence;
the first terminal converts the processed signal feature sequence into the physical-layer shared key.
Optionally, the first terminal encrypting its identity information with the physical-layer shared key and sending the encrypted identity information to the network server specifically includes:
the first terminal encrypts its International Mobile Subscriber Identity (IMSI) and/or electronic identity (eID) with the physical-layer shared key;
the first terminal sends the encrypted IMSI and/or eID to the network server.
Optionally, the first terminal receiving the group authentication vector generated by the network server from the identity information and completing network authentication using the group authentication vector specifically includes:
the first terminal receives an authentication request message sent by the network server, the authentication request message carrying the group authentication vector;
the first terminal verifies the legitimacy of the authentication request message using the authentication parameters contained in the group authentication vector and, when it determines that the authentication request message is legitimate, generates an authentication response message corresponding to the authentication request message;
the first terminal returns the authentication response message to the network server.
Optionally, the first terminal verifying the legitimacy of the authentication request message using the authentication parameters contained in the group authentication vector and, when the authentication request message is determined to be legitimate, generating the corresponding authentication response message specifically includes:
the first terminal generates corresponding authentication data from the authentication token AUTN contained in the group authentication vector and, when it judges that this authentication data matches the original data carried in the authentication token AUTN, determines that the authentication request message is legitimate;
the first terminal generates response data from the authentication request message and encrypts the response data with a group key to obtain the corresponding authentication response message, where the group key is a key preset for all terminals in the group to which the first terminal belongs.
Optionally, after the first terminal completes network authentication using the group authentication vector, the method further includes:
the first terminal generates a corresponding session key from the physical-layer shared key and the group key, and the session key is applied to the service data exchange between the first terminal and the network server.
A network authentication method for group terminals, including:
a network server receives identity information sent by a first terminal that has been encrypted with a physical-layer shared key, where the physical-layer shared key is generated by the first terminal from the channel characteristic parameters between itself and a base station;
the network server decrypts the encrypted identity information and generates a corresponding group authentication vector from the decrypted identity information;
the network server sends the group authentication vector to the first terminal and triggers the first terminal to complete network authentication using the group authentication vector;
the network server notifies the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector.
Optionally, the network server notifying the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector includes:
after determining that the first terminal has completed network authentication, sending an authentication-complete instruction to the other group terminals in the same group as the first terminal; the authentication-complete instruction is used to trigger those other group terminals to obtain the group authentication vector from the network server and perform network authentication using the group authentication vector.
A network authentication device for group terminals, including:
a generation unit, configured to generate a physical-layer shared key from the channel characteristic parameters between the device and a base station;
an encryption unit, configured to encrypt the identity information of the device with the physical-layer shared key and send the encrypted identity information to a network server;
a first receiving unit, configured to receive a group authentication vector that the network server generates from the identity information, complete network authentication using the group authentication vector, and trigger the network server to notify the other group terminals in the same group as the device to perform network authentication using the group authentication vector.
Optionally, when the device generates the physical-layer shared key from the channel characteristic parameters between itself and the base station, the generation unit is configured to:
each time a probe signal sent by the base station is received, calculate the signal feature corresponding to the received probe signal from the channel characteristic parameters between the device and the base station, and assemble the generated signal features into a signal feature sequence;
perform quantization and correction processing on the signal feature sequence to obtain a processed signal feature sequence;
convert the processed signal feature sequence into the physical-layer shared key.
Optionally, when the device encrypts its identity information with the physical-layer shared key and sends the encrypted identity information to the network server, the encryption unit is configured to:
encrypt the International Mobile Subscriber Identity (IMSI) and/or electronic identity (eID) of the device with the physical-layer shared key;
send the encrypted IMSI and/or eID to the network server.
Optionally, when the device receives the group authentication vector generated by the network server from the identity information and completes network authentication using the group authentication vector, the first receiving unit is configured to:
receive an authentication request message sent by the network server, the authentication request message carrying the group authentication vector;
verify the legitimacy of the authentication request message using the authentication parameters contained in the group authentication vector and, when the authentication request message is determined to be legitimate, generate an authentication response message corresponding to the authentication request message;
return the authentication response message to the network server.
Optionally, when the device verifies the legitimacy of the authentication request message using the authentication parameters contained in the group authentication vector and, when the authentication request message is determined to be legitimate, generates the corresponding authentication response message, the first receiving unit is configured to:
generate corresponding authentication data from the authentication token AUTN contained in the group authentication vector and, when this authentication data is judged to match the original data carried in the authentication token AUTN, determine that the authentication request message is legitimate;
generate response data from the authentication request message and encrypt the response data with a group key to obtain the corresponding authentication response message, where the group key is a key preset for all terminals in the group to which the device belongs.
Optionally, after the device completes network authentication using the group authentication vector, the first receiving unit is further configured to:
generate a corresponding session key from the physical-layer shared key and the group key, the session key being applied to the service data exchange between the device and the network server.
Optionally, when the device triggers the other group terminals in the same group as the device to perform network authentication using the group authentication vector, the first receiving unit is configured to:
after network authentication is complete, send an authentication-complete instruction to the other group terminals in the same group as the device; the authentication-complete instruction is used to trigger those other group terminals to obtain the group authentication vector from the network server and perform network authentication using the group authentication vector.
A network authentication device for group terminals, including:
a second receiving unit, configured to receive identity information sent by a first terminal that has been encrypted with a physical-layer shared key, where the physical-layer shared key is generated by the first terminal from the channel characteristic parameters between itself and a base station;
a decryption unit, configured to decrypt the encrypted identity information and generate a corresponding group authentication vector from the decrypted identity information;
a transmitting unit, configured to send the group authentication vector to the first terminal and trigger the first terminal to complete network authentication using the group authentication vector;
a notification unit, configured to notify the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector.
Optionally, when the device notifies the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector, the notification unit is configured to:
after determining that the first terminal has completed network authentication, send a paging message to the other group terminals in the same group as the first terminal; the paging message is used to notify those other group terminals to obtain the group authentication vector from the network server and perform network authentication using the group authentication vector.
The embodiments of the present invention have the following beneficial effects:
In summary, in the embodiments of the present invention, during network authentication the first terminal encrypts its identity information with a physical-layer shared key generated from the channel characteristic parameters between itself and the base station and sends the encrypted identity information to the network server; it receives the group authentication vector that the network server generates from the identity information, completes network authentication using the group authentication vector, and triggers the network server to notify the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector.
With the above method, the operator need only preset one identical IMSI and one identical group key for all terminals in a group, and one eID for each terminal, which reduces operation and maintenance cost. Each terminal transmits its identity information only after encrypting it with the physical-layer shared key generated from the channel characteristic parameters between itself and the base station, which reduces the probability of terminal identity information leakage. Further, the terminal encrypts the response data with the above physical-layer shared key to obtain the authentication response message, and the network server decrypts that authentication response message, which further strengthens the security of the terminal authentication procedure. Finally, the terminal and the network server generate a corresponding session key from the physical-layer shared key and a key K_ASME derived from the group key, which guarantees the uniqueness and privacy of the session key and thereby improves the security of service data exchange between the device and the network server.
Brief description of the drawings
Fig. 1 is a schematic diagram of the system architecture in the embodiment of the present invention;
Fig. 2 is a flowchart of the method by which the first terminal performs network authentication in the embodiment of the present invention;
Fig. 3 is a schematic diagram of the process by which the first terminal generates the physical-layer shared key Kp from the channel characteristic parameters between itself and the base station in the embodiment of the present invention;
Fig. 4 is a detailed flowchart of the embodiment of the present invention applied in a practical service scenario;
Fig. 5 is a structural diagram of the first terminal in the embodiment of the present invention;
Fig. 6 is a structural diagram of the network server in the embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
To solve the problems of high equipment operation and maintenance cost, low authentication efficiency and weak authentication security in the existing procedure by which group terminals access a network, the embodiments of the present invention design a new network authentication method and device for group terminals. The method is: a first terminal generates a physical-layer shared key from the channel characteristic parameters between itself and a base station, encrypts its identity information with it and sends the encrypted identity information to a network server; it receives a group authentication vector that the network server generates from the identity information, completes network authentication using the group authentication vector, and triggers the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector.
The solution of the present invention is described in detail below through specific embodiments; of course, the present invention is not limited to the following embodiments.
In a preprocessing stage, several Machine Type Communication (MTC) devices form a group according to a user-preset principle (for example, the physical location of the devices, or the devices belonging to one user).
For example, all smart electricity meters in a certain residential building form group 1; alternatively, all smart meters belonging to company A form group 2.
The operator provides each group terminal in the group with the same group identity (for example, an International Mobile Subscriber Identity (IMSI)) and the same group key, and provides each group terminal with a different, unique device identity (for example, an electronic identity (eID)).
For example, the operator provides all the smart meters in group 1 with one identical IMSI and one identical group key K1 that all the terminals can share, and provides eID1 for "smart meter 1", eID2 for "smart meter 2", ..., and eIDn for "smart meter n".
Based on user settings, one group terminal among all the group terminals is chosen as the master terminal.
For example, based on user settings, "smart meter 1" in group 1 is selected as the master smart meter; alternatively, based on user settings, the "company master meter" in group 2 is selected as the master smart meter.
As shown in Fig. 1, in the embodiment of the present invention the system contains several user equipments (UE), a network server and several base stations (evolved Node B, eNB); the UEs access the network server through the eNBs. In the embodiments of the present invention, user equipments are hereinafter referred to as group terminals.
As shown in Fig. 2, the specific flow of the network authentication method of the first terminal in the embodiment of the present invention is as follows:
Step 201: The first terminal initiates a network access request to the network server.
Specifically, when the first terminal detects that it needs to access the network, it initiates a network access request through the base station to the network server of the network in which it is located, where the first terminal is the master terminal selected, based on user settings, from all the group terminals belonging to the same group.
For example, suppose that 12:00 noon on the 15th of every month is the time at which all smart meters in a certain cell report service data to the network server. The first terminal can report service data to the network server only after passing network access authentication, so at that time it needs to initiate a network access request to the network server through the base station.
Step 202: The network server sends an identity request message to the first terminal.
In practice, after receiving the network access request initiated by the first terminal, the network server sends an "identity request message" to the first terminal through the base station in order to obtain the identity information of the first terminal.
For example, after receiving the "network access request message" initiated by "smart meter 1" in a group consisting of several smart meters, the network server generates a corresponding "identity request message" based on that "network access request message" and returns it to "smart meter 1".
Step 203: The first terminal generates a physical-layer shared key from the channel characteristic parameters between itself and the base station.
Specifically, in practice the first terminal sends a probe signal to the base station; after receiving the probe signal sent by the first terminal, the base station returns a corresponding probe signal to the first terminal. Each time the first terminal receives a probe signal sent by the base station, it calculates, from the channel characteristic parameters between itself and the base station, the signal feature corresponding to the received probe signal, assembles the generated signal features into a signal feature sequence, performs quantization and correction processing on this signal feature sequence to obtain a processed signal feature sequence, and converts the processed signal feature sequence into the physical-layer shared key.
Further, each time the base station receives a probe signal sent by the first terminal, it calculates, from the channel characteristic parameters between itself and the first terminal, the signal feature corresponding to the received probe signal, assembles the generated signal features into a signal feature sequence, performs quantization and correction processing on this signal feature sequence to obtain a processed signal feature sequence, and converts the processed signal feature sequence into the physical-layer shared key.
For example, the interaction between the terminal and the base station is carried out over a Time Division Duplexing (TDD) channel. As shown in Fig. 3, the terminal sends UE probe signal 1 to the base station; after receiving UE probe signal 1 the base station returns eNB probe signal 1 to the terminal. Each time the terminal or the base station receives a probe signal from the other side, it calculates the signal feature corresponding to the received probe signal. After N exchanges (N ≥ 1) the terminal and the base station have each generated a signal feature sequence. Because of factors such as noise and the time difference between the two sides' measurements, the terminal and the base station need to perform quantization and correction processing on their respective signal feature sequences, and they convert the processed signal feature sequences into the corresponding physical-layer shared key Kp.
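Step 203 above, as an added example (this is illustration code, not the patent's own method): two sides sample a reciprocal channel, quantize each sample against its own median with a guard band, exchange only the indices of the samples they discarded as the "correction" step, and hash the surviving bits into Kp. The channel samples, the noise level, the guard band and the SHA-256 privacy-amplification step are constructed assumptions; the patent fixes none of them. An eavesdropper on an independent channel is included to show why the resulting key is specific to the terminal-to-base-station link.

```python
"""Channel-reciprocity key agreement: quantize a reciprocal signal feature
sequence on both sides, reconcile ambiguous samples, and hash the agreed
bits into a physical-layer shared key Kp.  Added example; the patent does
not fix a quantizer, so the guard-band scheme here is an assumption."""
import hashlib
import hmac
import random
import statistics

N_PROBES = 128      # number of probe exchanges (constructed)
GUARD = 0.3         # guard band around the median, in feature units (assumed)


def constructed_channel(seed=7, noise=0.05):
    """Constructed sample: one reciprocal channel gain sequence observed by
    UE and eNB with independent measurement noise, plus an eavesdropper on
    an independent channel.  Real values would be RSSI/CSI measurements."""
    rng = random.Random(seed)
    h = [rng.gauss(0.0, 1.0) for _ in range(N_PROBES)]
    ue = [v + rng.gauss(0.0, noise) for v in h]
    bs = [v + rng.gauss(0.0, noise) for v in h]
    eve = [rng.gauss(0.0, 1.0) for _ in range(N_PROBES)]
    return ue, bs, eve


def quantize(features, guard=GUARD):
    """Map each feature to 1 (above median+guard), 0 (below median-guard)
    or None (inside the guard band, to be dropped during reconciliation)."""
    med = statistics.median(features)
    bits = []
    for v in features:
        if v > med + guard:
            bits.append(1)
        elif v < med - guard:
            bits.append(0)
        else:
            bits.append(None)
    return bits


def ambiguous_indices(bits):
    """Positions a side wants dropped; this is the only thing it publishes."""
    return {i for i, b in enumerate(bits) if b is None}


def reconcile(own_bits, peer_ambiguous):
    """Correction step: keep only positions that neither side found
    ambiguous.  Indices, not bit values, cross the channel."""
    return [b for i, b in enumerate(own_bits)
            if b is not None and i not in peer_ambiguous]


def derive_kp(bits):
    """Privacy amplification: hash the agreed bit string into a 256-bit Kp."""
    bitstring = "".join(str(b) for b in bits).encode()
    return hashlib.sha256(b"Kp|" + bitstring).digest()


def key_confirm(kp, label=b"kp-confirm"):
    """Short tag each side can send to check the keys match without revealing
    Kp (assumption; the patent describes no explicit confirmation step)."""
    return hmac.new(kp, label, hashlib.sha256).hexdigest()[:16]


def agree_keys(ue, bs):
    """Run quantization + reconciliation on both sides.
    Returns (Kp at UE, Kp at eNB, number of agreed bits)."""
    q_ue, q_bs = quantize(ue), quantize(bs)
    bits_ue = reconcile(q_ue, ambiguous_indices(q_bs))
    bits_bs = reconcile(q_bs, ambiguous_indices(q_ue))
    return derive_kp(bits_ue), derive_kp(bits_bs), len(bits_ue)


if __name__ == "__main__":
    ue, bs, eve = constructed_channel()
    kp_ue, kp_bs, n = agree_keys(ue, bs)
    print(f"agreed bits: {n}, keys match: {kp_ue == kp_bs}")
    print("confirm tags:", key_confirm(kp_ue), key_confirm(kp_bs))
    # Eve hears which indices were dropped but measures a different channel.
    kp_eve = derive_kp(reconcile(quantize(eve), ambiguous_indices(quantize(ue))))
    print("eavesdropper key matches:", kp_eve == kp_ue)
```

The guard band is what makes the "correction" cheap: a sample near the median is the one most likely to flip sign under the measurement noise and time offset the patent mentions, so both sides drop it rather than trying to correct the bit afterwards. Narrowing the guard yields more bits per probe round but raises the mismatch rate; the confirmation tag catches any residual mismatch before Kp is used.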
Step 204:First terminal is based on above-mentioned physical layer shared key, and the identity information of first terminal is encrypted,
And encrypted identity information is sent to network server.
Specifically, first terminal is based on above-mentioned physical layer shared key, the IMSI and/or eID of first terminal are added
Close processing, and encrypted IMSI and/or eID are sent to network server.
Wherein, the IMSI of above-mentioned first terminal is the default key of all terminals being directed in the first terminal group,
The eID of above-mentioned first terminal is to be directed to first terminal individually default terminal unique mark.
For example, it is assumed that the identity information of first terminal includes the IMSI1 and eID1 of first terminal, then, first terminal makes
The IMSI1 and eID1 of first terminal are encrypted with encryption function Enc (x1, y1) and physical layer shared key Kp,
In, the parameter x1 in encryption function Enc (x1, y1) is object to be encrypted, and parameter y1 is encryption key, and first terminal is encrypted
Identity information is GID=Enc ((IMSI, eID), Kp), after the encryption for first terminal identity information is completed, first terminal
Encrypted identity information GID is sent to base station, then, then by base station by the encrypted identity information GID of first terminal and
The physical layer shared key Kp that base station generates sends jointly to network server.
Step 205:Network server receives first terminal and sends encrypted identity information, and to above-mentioned encrypted body
Part information is decrypted.
Specifically, after the network server has received, via the base station, the encrypted identity information of the first terminal and the physical layer shared key generated by the base station, the network server decrypts the received identity information of the first terminal using the decryption function corresponding to the above encryption function together with the physical layer shared key.
For example, after the network server receives, via base station 1, the encrypted identity information GID = Enc((IMSI1, eID1), Kp) of the first terminal and the physical layer shared key Kp sent by the base station, the network server decrypts GID using the decryption function Dec(x2, y2) corresponding to the encryption function Enc(x1, y1) and the physical layer shared key Kp, where parameter x2 of Dec(x2, y2) is the object to be decrypted and parameter y2 is the decryption key, yielding the identity information of the first terminal (IMSI1, eID1) = Dec(GID, Kp).
Step 206: The network server generates the corresponding group authentication vector based on the decrypted identity information.
Specifically, the network server generates the corresponding group authentication vector based on the IMSI of the first terminal.
In practical application, the mobility management entity (Mobility Management Entity, MME) local to the network server sends the received IMSI of the first terminal and the local serving network identity (Serving Network identity, SN id) to the home subscriber server (Home Subscriber Server, HSS) local to the network server. The HSS verifies, according to the SN id, the serving network that the first terminal has applied to access; after that verification passes, the authentication service entity (Authentication Service Entity, ASE) in the HSS verifies the IMSI of the first terminal; after that verification passes, the HSS generates a corresponding sequence number SQN_HSS and a random parameter RAND, and at the same time generates a group of authentication vectors (Authentication Vector, AV), which it sends to the MME. Every AV in the group contains the following authentication parameters: the random number RAND, an authentication token (Authentication Token, AUTN), an expected user response (Expected Response, XRES) and a key K_ASME (the K_ASME key generated from the preset group key).
Step 207: The network server sends the group authentication vector to the first terminal.
Specifically, after the MME receives the group of AVs sent by the HSS, it sorts them according to a default rule, takes the lowest-ranked AV after sorting as the group authentication vector, and sends the authentication parameters RAND and AUTN of the group authentication vector together with the key K_ASME to the first terminal.
For example, suppose the MME receives AV1, AV2 and AV3 from the HSS. The MME sorts the three AVs by their vector sequence numbers, takes AV1, which has the smallest sequence number, as the group authentication vector of the first terminal's group, and sends the authentication parameters of AV1 to the first terminal.
Step 208: The first terminal receives the group authentication vector generated by the network server based on the identity information of the first terminal.
Specifically, first, the first terminal receives the authentication request message sent by the network server, which carries the group authentication vector; then the first terminal verifies the legitimacy of the authentication request message based on the authentication parameters contained in the group authentication vector and, on determining that the message is legitimate, generates the authentication response message corresponding to it; finally, the first terminal returns the authentication response message to the network server.
In practical application, the first terminal receives the authentication request message sent by the network server; this message contains at least the authentication parameters, such as RAND and AUTN, included in the group authentication vector. The first terminal generates corresponding authentication data based on the AUTN included in the group authentication vector, and determines that the authentication request message is legitimate when it judges that the generated authentication data matches the original data carried in the AUTN.
For example, after receiving AV1 from the network server, the first terminal verifies the authentication management field (Authentication Management Field, AMF) in the AUTN contained in AV1; if that verification passes, it generates the corresponding message authentication code (Message Authentication Code, MAC), and when it judges that the generated MAC is identical to the original message authentication code carried in the AUTN, the first terminal determines that the authentication request message is legitimate.
The first terminal generates corresponding response data based on the legitimate authentication request message, and encrypts the response data with the key K_ASME derived from the group key to obtain the corresponding authentication response message, where the group key is a key preset for all terminals in the first terminal's group.
For example, after determining that the authentication request message is legitimate, the first terminal computes the user response (Response, RES) and encrypts RES together with the eID of the first terminal using an encryption function Enc(x3, y3) and the key K_ASME, where parameter x3 of Enc(x3, y3) is the object to be encrypted and parameter y3 is the encryption key, obtaining the corresponding authentication response message RES' = Enc((RES, eID), K_ASME); here K_ASME is a key generated from the group key preset for all terminals in the first terminal's group.
Further, the first terminal returns the authentication response message to the network server; after receiving the authentication response message returned by the first terminal, the network server decrypts its content and verifies the legitimacy of the authentication response message.
For example, after receiving RES' = Enc((RES, eID), K_ASME) returned by the first terminal, the network server decrypts RES' using the decryption function Dec(x4, y4) corresponding to the encryption function Enc(x3, y3) and the key K_ASME, obtaining (RES, eID) = Dec(RES', K_ASME), where parameter x4 of Dec(x4, y4) is the object to be decrypted and parameter y4 is the decryption key. If the RES obtained after decryption is identical to the XRES contained in the group authentication vector, the authentication response message is determined to be legitimate.
Step 209: The first terminal generates the corresponding session key based on the physical layer shared key and the group key, completing network authentication.
Specifically, the first terminal generates the corresponding session key based on the physical layer shared key and the key K_ASME generated from the group key; this session key is used for the service data interaction flow between the first terminal and the network server.
For example, the first terminal uses "physical layer shared key + key K_ASME" as the session key for service data interaction with the network server; alternatively, the first terminal uses "key K_ASME + physical layer shared key" as the session key for service data interaction with the network server.
The manner in which the first terminal generates the session key from the physical layer shared key and the key K_ASME generated from the group key is not specifically limited here.
Step 210: The network server triggers the other group terminals in the same group as the first terminal to obtain the group authentication vector from the network server and to perform network authentication using that group authentication vector.
Specifically, after determining that the first terminal has completed network authentication, the network server sends a paging message to the other group terminals in the same group as the first terminal; the paging message is used to trigger those other group terminals to obtain the group authentication vector from the network server and to perform network authentication using it.
Here, the other group terminals in the same group as the first terminal are all the slave terminals that, according to the user's configuration, belong to the same group.
Further, after a slave terminal receives the paging message that the network server sends on determining that the first terminal has completed network authentication, the slave terminal initiates an access application to the network server; after receiving the identity request message sent by the network server, it generates the corresponding physical layer shared key based on the channel characteristic parameters between itself and the base station, encrypts its identity information with that physical layer shared key, and sends the result to the network server. At this point the network server need not generate a group authentication vector again from the slave terminal's identity information: it only needs to use the group authentication vector generated when the first terminal performed network authentication to complete the network authentication of the slave terminal.
As shown in Fig. 3, in the embodiment of the present invention, the specific flow in which the first terminal mentioned in Step 203 generates the physical layer shared key based on the channel characteristic parameters between itself and the base station is as follows. The first terminal sends UE probe signal 1 to the base station; after receiving UE probe signal 1, the base station computes UE signal feature 1 of UE probe signal 1 and returns eNB probe signal 1 to the first terminal; after receiving eNB probe signal 1 sent by the base station, the first terminal computes eNB signal feature 1 of eNB probe signal 1; ...; the first terminal sends UE probe signal n to the base station, the base station computes UE signal feature n of UE probe signal n after receiving it and returns eNB probe signal n to the first terminal, and after receiving eNB probe signal n sent by the base station the first terminal computes eNB signal feature n of eNB probe signal n, where n >= 1. After the n transmissions (n >= 1), the first terminal and the base station each generate a corresponding signal feature sequence from the probe signal features they have computed. Because factors such as noise and the time difference between probes exist between the first terminal and the base station, the first terminal and the base station each need to perform quantization correction processing on the signal feature sequence they generated, and convert the processed signal feature sequence into the corresponding physical layer shared key Kp.
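The probe-and-quantize flow of Fig. 3 as an added, runnable example; it is not the patent's own code, which leaves the quantization rule open. The probe exchange is simulated with constructed, bounded noise, and a sign threshold with a guard band, reconciliation of the flagged indices and a hash stand in for the "quantization correction" and the conversion to Kp.

```python
"""Physical layer shared key from channel probes, after the Fig. 3 flow.
Added example, not the patent's procedure: the probe exchange is simulated,
and the quantization rule (sign threshold, guard band, both sides discard the
indices either side flagged, then hash) is one reading of the "quantization
correction" the text leaves open."""
import hashlib
import random


def simulate_probe_rounds(n, seed=1, noise=0.03):
    """Stand-in for n rounds of UE probe / eNB probe. The reciprocal channel
    gives both sides the same underlying feature per round; each side adds
    its own bounded measurement error (constructed data, not real RSSI)."""
    rng = random.Random(seed)
    ue, enb = [], []
    for _ in range(n):
        reciprocal = rng.uniform(-1.0, 1.0)          # shared channel feature
        ue.append(reciprocal + rng.uniform(-noise, noise))
        enb.append(reciprocal + rng.uniform(-noise, noise))
    return ue, enb


def quantize(features, guard=0.1):
    """Map each feature to a bit by its sign. Samples inside the guard band
    around the threshold are too noisy to trust; their indices are returned
    so the peer can drop them too (indices reveal no bit values)."""
    bits, dropped = {}, set()
    for i, f in enumerate(features):
        if abs(f) < guard:
            dropped.add(i)
        else:
            bits[i] = 1 if f > 0 else 0
    return bits, dropped


def reconcile(bits_a, dropped_a, bits_b, dropped_b):
    """Correction step: both sides discard every index that either side
    flagged, which keeps the two bit sequences aligned."""
    drop = dropped_a | dropped_b
    keep = sorted(i for i in bits_a if i in bits_b and i not in drop)
    return [bits_a[i] for i in keep], [bits_b[i] for i in keep]


def bits_to_key(bits):
    """Hash the agreed bits into a 256-bit Kp. Kp is only as strong as the
    number of agreed bits, so n must be chosen with that in mind."""
    packed = "".join(str(b) for b in bits).encode()
    return hashlib.sha256(b"physical-layer-key|" + packed).digest()


def generate_physical_layer_key(n=64, seed=1, noise=0.03, guard=0.1):
    """Run the whole flow; returns (Kp_ue, Kp_enb, agreed_bits, mismatches).
    With noise bounded below the guard band the keys always agree; a real
    deployment confirms that with a key-confirmation MAC before using Kp."""
    ue, enb = simulate_probe_rounds(n, seed, noise)
    ue_bits, ue_drop = quantize(ue, guard)
    enb_bits, enb_drop = quantize(enb, guard)
    a, b = reconcile(ue_bits, ue_drop, enb_bits, enb_drop)
    mismatches = sum(x != y for x, y in zip(a, b))
    return bits_to_key(a), bits_to_key(b), len(a), mismatches


if __name__ == "__main__":
    kp_ue, kp_enb, agreed, bad = generate_physical_layer_key()
    print(f"agreed bits: {agreed}, mismatches: {bad}, keys match: {kp_ue == kp_enb}")
```

Raising the noise above the guard band makes the two sequences disagree, which is the case the key-confirmation step has to catch before Kp is used for Step 204.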
The application of the embodiment of the present invention in a practical service scenario is illustrated below.
For example, as shown in Fig. 4, in the embodiment of the present invention, the master device initiates an access application to the 3GPP network. After receiving the access application, the MME sends an identity request message to the master device through the base station. After receiving the identity request message, the master device generates the corresponding physical layer shared key Kp from the channel characteristic parameters between itself and the base station, encrypts the IMSI and eID using the encryption function and Kp to obtain the encrypted identity information GID, and sends GID to the base station. After receiving GID, the base station reports GID and Kp to the MME. After receiving the GID and Kp reported by the base station, the MME decrypts GID using the decryption function corresponding to the encryption function and Kp, obtains the IMSI and eID of the master terminal, and sends IMSI, SN id and eID to the HSS. The HSS generates a group of AVs based on IMSI, SN id and eID and sends the generated AV group to the MME. The MME selects the AV with the smallest sequence number as the group authentication vector and sends the authentication parameters RAND, AUTN and KSI_ASME contained in it to the master terminal. After receiving the authentication parameters contained in the group authentication vector, the master terminal verifies AUTN and, after that verification passes, computes RES, encrypts RES using the encryption function and K_ASME to obtain RES', returns RES' to the MME, and generates the session key Ks based on Kp and K_ASME. After receiving RES', the MME decrypts it using the decryption function corresponding to the encryption function and K_ASME, obtains RES, verifies whether RES and XRES are identical and, after that verification passes, generates the session key Ks based on Kp and K_ASME.
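The Step 204 to Step 210 flow and the Fig. 4 walkthrough as one added example, not the patent's or 3GPP's code: Enc/Dec are a constructed encrypt-then-MAC scheme, the AV fields (MAC, XRES, K_ASME) are simplified HMAC stand-ins, Kp is assumed to be shared already between terminal and network server, and the HSS, MME and Terminal classes are the example's own.

```python
"""Group network authentication of Steps 204-210 and the Fig. 4 walkthrough.
Added example, not the patent's code: Enc/Dec are a constructed encrypt-then-MAC
scheme over HMAC-SHA256, MAC/XRES/K_ASME are simplified stand-ins for the 3GPP
vector functions the text does not specify, and Kp is taken as an input the
terminal and the network server already share (the base station forwards it)."""
import hashlib
import hmac
import os

AMF = b"\x80\x00"   # authentication management field value (constructed)

def prf(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def pack(*fields):
    """Length-prefixed concatenation so (IMSI, eID) and (RES, eID) round-trip."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def unpack(blob):
    out, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 2], "big")
        out.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return out

def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(prf(key, b"ks", nonce, bytes([i])) for i in range(blocks))[:length]

def enc(key, plaintext):
    """Enc(x, y): fresh nonce, keystream XOR, then a tag over the ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + prf(key, b"tag", nonce, ct)

def dec(key, blob):
    """Dec(x, y): refuse to decrypt anything whose tag does not verify under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(key, b"tag", nonce, ct)):
        raise ValueError("blob failed authentication")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

class HSS:
    """One IMSI and one group key per group, one eID per terminal (Step 206)."""
    def __init__(self, imsi, group_key, eids):
        self.imsi, self.group_key, self.eids, self.sqn = imsi, group_key, set(eids), 0

    def generate_avs(self, imsi, sn_id, count=3):
        if imsi != self.imsi:
            raise ValueError("IMSI is not provisioned")
        avs = []
        for _ in range(count):
            self.sqn += 1
            sqn, rand = self.sqn.to_bytes(6, "big"), os.urandom(16)
            mac = prf(self.group_key, b"mac", sqn, AMF, rand)[:8]
            avs.append({"SQN": self.sqn, "RAND": rand, "AUTN": sqn + AMF + mac,
                        "XRES": prf(self.group_key, b"res", rand)[:8],
                        "K_ASME": prf(self.group_key, b"asme", rand, sn_id)})
        return avs

class Terminal:
    def __init__(self, imsi, eid, group_key):
        self.imsi, self.eid, self.group_key, self.kp, self.ks = imsi, eid, group_key, None, None

    def encrypted_identity(self, kp):
        """Step 204: GID = Enc((IMSI, eID), Kp)."""
        self.kp = kp
        return enc(kp, pack(self.imsi, self.eid))

    def respond(self, rand, autn, k_asme):
        """Steps 208-209: check AMF and MAC in AUTN, set Ks = Kp + K_ASME,
        return RES' = Enc((RES, eID), K_ASME)."""
        sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        expected = prf(self.group_key, b"mac", sqn, amf, rand)[:8]
        if amf != AMF or not hmac.compare_digest(mac, expected):
            raise ValueError("AUTN check failed")
        self.ks = self.kp + k_asme
        return enc(k_asme, pack(prf(self.group_key, b"res", rand)[:8], self.eid))

class MME:
    def __init__(self, hss, sn_id):
        self.hss, self.sn_id, self.group_av, self.sessions = hss, sn_id, None, {}

    def authenticate(self, terminal, kp):
        """Steps 205-208 for the first terminal; Step 210 reuse of the group AV
        for every later member of the same group, each with its own Kp."""
        imsi, eid = unpack(dec(kp, terminal.encrypted_identity(kp)))
        if eid not in self.hss.eids:
            raise ValueError("eID is not provisioned")
        if self.group_av is None:   # Steps 206-207: one AV batch per group
            avs = self.hss.generate_avs(imsi, self.sn_id)
            self.group_av = min(avs, key=lambda av: av["SQN"])
        av = self.group_av
        res_blob = terminal.respond(av["RAND"], av["AUTN"], av["K_ASME"])
        res, eid_back = unpack(dec(av["K_ASME"], res_blob))
        if eid_back != eid or not hmac.compare_digest(res, av["XRES"]):
            raise ValueError("RES does not match XRES")
        self.sessions[eid] = kp + av["K_ASME"]   # Ks on the network side
        return eid
```

Every failure path (tag mismatch on GID or RES', wrong group key giving a bad AUTN MAC, an eID the HSS never provisioned, RES differing from XRES) raises rather than falling through, and the group AV is created exactly once no matter how many members follow the first terminal.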
Based on the above embodiment, as shown in Fig. 5, in the embodiment of the present invention a network authentication device of a group terminal (e.g. a first terminal) comprises at least a generation unit 50, an encryption unit 51 and a first receiving unit 52, where:
the generation unit 50 is configured to generate a physical layer shared key based on the channel characteristic parameters between the device and the base station;
the encryption unit 51 is configured to encrypt the identity information of the device based on the physical layer shared key and to send the encrypted identity information to the network server;
the first receiving unit 52 is configured to receive the group authentication vector generated by the network server based on the identity information, to complete network authentication based on the group authentication vector, and to trigger the network server to notify the other group terminals in the same group as the device to perform network authentication using the group authentication vector.
Optionally, when the device generates the physical layer shared key based on the channel characteristic parameters between itself and the base station, the generation unit 50 is configured to:
each time a probe signal sent by the base station is received, compute the signal feature corresponding to the received probe signal based on the channel characteristic parameters between the device and the base station, and assemble the generated signal features into a signal feature sequence;
perform quantization correction processing on the signal feature sequence to obtain the processed signal feature sequence;
convert the processed signal feature sequence into the physical layer shared key.
Optionally, when the device encrypts its identity information based on the physical layer shared key and sends the encrypted identity information to the network server, the encryption unit 51 is configured to:
encrypt the international mobile subscriber identity IMSI and/or the electronic identity card eID of the device based on the physical layer shared key;
send the encrypted IMSI and/or eID to the network server.
Optionally, when the device receives the group authentication vector generated by the network server based on the identity information and completes network authentication based on that group authentication vector, the first receiving unit 52 is configured to:
receive the authentication request message sent by the network server, where the authentication request message carries the group authentication vector;
verify the legitimacy of the authentication request message based on the authentication parameters contained in the group authentication vector and, on determining that the authentication request message is legitimate, generate the authentication response message corresponding to the authentication request message;
return the authentication response message to the network server.
Optionally, when the device verifies the legitimacy of the authentication request message based on the authentication parameters contained in the group authentication vector and, on determining that the authentication request message is legitimate, generates the authentication response message corresponding to it, the first receiving unit 52 is configured to:
generate corresponding authentication data based on the authentication token AUTN contained in the group authentication vector, and determine that the authentication request message is legitimate when it judges that the authentication data matches the original data carried in the authentication token AUTN;
generate corresponding response data based on the authentication request message, and encrypt the response data based on the group key to obtain the corresponding authentication response message, where the group key is a key preset for all terminals in the group of the device.
Optionally, after the device has completed network authentication based on the group authentication vector, the first receiving unit 52 is further configured to:
generate the corresponding session key based on the physical layer shared key and the group key, the session key being used for the service data interaction flow between the device and the network server.
As shown in Fig. 6, in the embodiment of the present invention a network authentication device of a group terminal (e.g. a network server) comprises at least a second receiving unit 60, a decryption unit 61 and a transmitting unit 62, where:
the second receiving unit 60 is configured to receive the identity information sent by the first terminal after encryption based on the physical layer shared key, where the physical layer shared key is generated by the first terminal based on the channel characteristic parameters between itself and the base station;
the decryption unit 61 is configured to decrypt the encrypted identity information and to generate the corresponding group authentication vector based on the decrypted identity information;
the transmitting unit 62 is configured to send the group authentication vector to the first terminal and to trigger the first terminal to complete network authentication based on the group authentication vector;
the notification unit 63 is configured to notify the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector.
Optionally, when the device notifies the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector, the notification unit 63 is configured to:
after determining that the first terminal has completed network authentication, send a complete-authentication instruction to the other group terminals in the same group as the first terminal; the complete-authentication instruction is used to trigger the other group terminals in the same group as the first terminal to obtain the group authentication vector from the network server and to perform network authentication using the group authentication vector.
In summary, in the embodiment of the present invention, during the network authentication of group terminals, the first terminal encrypts its identity information based on the physical layer shared key generated from the channel characteristic parameters between itself and the base station, sends the encrypted identity information to the network server, receives the group authentication vector generated by the network server based on the identity information, completes network authentication based on the group authentication vector, and triggers the network server to notify the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector.
With the above method, the operator only needs to preset one identical IMSI and one identical group key for all terminals in a group, and one eID for each terminal individually, which reduces operation and maintenance cost. Each terminal encrypts its identity information with the physical layer shared key generated from the channel characteristic parameters between itself and the base station before transmitting it, which reduces the probability that terminal identity information leaks. Further, the terminal encrypts the response data based on the above physical layer shared key to obtain the authentication response message, and the network server decrypts that authentication response message, which further strengthens the security of the terminal authentication procedure. Finally, the terminal and the network server generate the corresponding session key based on the physical layer shared key and the key K_ASME generated from the group key, which guarantees the uniqueness and privacy of the session key and thus improves the security of service data interaction between the device and the network server.
It should be understood by those skilled in the art that the embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, and thus the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed to include the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various modifications and variations to the embodiments of the present invention without departing from the spirit and scope of the embodiments of the present invention. Thus, if these modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.
Claims (16)
1. A network authentication method for group terminals, characterized in that it comprises:
a first terminal generating a physical layer shared key based on channel characteristic parameters between itself and a base station;
the first terminal encrypting the identity information of the first terminal based on the physical layer shared key, and sending the encrypted identity information to a network server;
the first terminal receiving the group authentication vector generated by the network server based on the identity information, completing network authentication based on the group authentication vector, and triggering the network server to notify the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector.
2. The method according to claim 1, characterized in that the first terminal generating a physical layer shared key based on channel characteristic parameters between itself and a base station specifically comprises:
each time the first terminal receives a probe signal sent by the base station, computing the signal feature corresponding to the received probe signal based on the channel characteristic parameters between itself and the base station, and assembling the generated signal features into a signal feature sequence;
the first terminal performing quantization correction processing on the signal feature sequence to obtain a processed signal feature sequence;
the first terminal converting the processed signal feature sequence into the physical layer shared key.
3. The method according to claim 1, characterized in that the first terminal encrypting the identity information of the first terminal based on the physical layer shared key and sending the encrypted identity information to the network server specifically comprises:
the first terminal encrypting the international mobile subscriber identity IMSI and/or electronic identity card eID of the first terminal based on the physical layer shared key;
the first terminal sending the encrypted IMSI and/or eID to the network server.
4. The method according to claim 1, 2 or 3, characterized in that the first terminal receiving the group authentication vector generated by the network server based on the identity information and completing network authentication based on the group authentication vector specifically comprises:
the first terminal receiving an authentication request message sent by the network server, where the authentication request message carries the group authentication vector;
the first terminal verifying the legitimacy of the authentication request message based on the authentication parameters contained in the group authentication vector and, on determining that the authentication request message is legitimate, generating an authentication response message corresponding to the authentication request message;
the first terminal returning the authentication response message to the network server.
5. The method according to claim 4, characterized in that the first terminal verifying the legitimacy of the authentication request message based on the authentication parameters contained in the group authentication vector and, on determining that the authentication request message is legitimate, generating an authentication response message corresponding to the authentication request message specifically comprises:
the first terminal generating corresponding authentication data based on the authentication token AUTN contained in the group authentication vector, and determining that the authentication request message is legitimate when judging that the authentication data matches the original data carried in the authentication token AUTN;
the first terminal generating corresponding response data based on the authentication request message, and encrypting the response data based on a group key to obtain the corresponding authentication response message, where the group key is a key preset for all terminals in the group of the first terminal.
6. The method according to claim 5, characterized in that, after the first terminal completes network authentication based on the group authentication vector, the method further comprises:
the first terminal generating a corresponding session key based on the physical layer shared key and the group key, the session key being used for the service data interaction flow between the first terminal and the network server.
7. A network authentication method for group terminals, characterized in that it comprises:
a network server receiving identity information sent by a first terminal and encrypted based on a physical layer shared key, where the physical layer shared key is generated by the first terminal based on channel characteristic parameters between itself and a base station;
the network server decrypting the encrypted identity information and generating a corresponding group authentication vector based on the decrypted identity information;
the network server sending the group authentication vector to the first terminal and triggering the first terminal to complete network authentication based on the group authentication vector;
the network server notifying the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector.
8. The method according to claim 7, characterized in that the network server notifying the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector comprises:
the network server, after determining that the first terminal has completed network authentication, sending a paging message to the other group terminals in the same group as the first terminal; the paging message is used to notify the other group terminals in the same group as the first terminal to obtain the group authentication vector from the network server and to perform network authentication using the group authentication vector.
9. A network authentication device for a group terminal, characterized in that it comprises:
a generation unit, configured to generate a physical layer shared key based on channel characteristic parameters between the device and a base station;
an encryption unit, configured to encrypt the identity information of the device based on the physical layer shared key and to send the encrypted identity information to a network server;
a first receiving unit, configured to receive the group authentication vector generated by the network server based on the identity information, to complete network authentication based on the group authentication vector, and to trigger the network server to notify the other group terminals in the same group as the device to perform network authentication using the group authentication vector.
10. The device according to claim 9, characterized in that, when the device generates the physical layer shared key based on the channel characteristic parameters between itself and the base station, the generation unit is configured to:
each time a probe signal sent by the base station is received, compute the signal feature corresponding to the received probe signal based on the channel characteristic parameters between the device and the base station, and assemble the generated signal features into a signal feature sequence;
perform quantization correction processing on the signal feature sequence to obtain a processed signal feature sequence;
convert the processed signal feature sequence into the physical layer shared key.
11. The device as claimed in claim 9, characterized in that, when the device encrypts its identity information based on the physical layer shared key and sends the encrypted identity information to the network server, the encryption unit is configured to:
encrypt the international mobile subscriber identity (IMSI) and/or the electronic identity card (eID) of the device based on the physical layer shared key;
send the encrypted IMSI and/or eID to the network server.
12. The device as claimed in claim 9, 10 or 11, characterized in that, when the device receives the group authentication vector that the network server generates based on the identity information and completes network authentication based on the group authentication vector, the first receiving unit is configured to:
receive an authentication request message sent by the network server, wherein the authentication request message carries the group authentication vector;
perform legitimacy verification on the authentication request message based on the authentication parameters included in the group authentication vector, and, when the authentication request message is determined to be legitimate, generate an authentication response message corresponding to the authentication request message;
return the authentication response message to the network server.
13. The device as claimed in claim 12, characterized in that, when the device performs legitimacy verification on the authentication request message based on the authentication parameters included in the group authentication vector and, on determining that the authentication request message is legitimate, generates the authentication response message corresponding to the authentication request message, the first receiving unit is configured to:
generate corresponding authentication data based on the authentication token (AUTN) included in the group authentication vector, and determine that the authentication request message is legitimate when the authentication data matches the primary data carried in the authentication token AUTN;
generate corresponding response data based on the authentication request message, and encrypt the response data based on a group key to obtain the corresponding authentication response message, wherein the group key is a default key for all terminals in the group to which the device belongs.
14. The device as claimed in claim 13, characterized in that, after the device completes network authentication based on the group authentication vector, the first receiving unit is further configured to:
generate a corresponding session key based on the physical layer shared key and the group key, the session key being applied to the service data interaction flow between the device and the network server.
15. A network authentication device for group terminals, characterized in that it comprises:
a second receiving unit, for receiving identity information sent by a first terminal that has been encrypted based on a physical layer shared key, wherein the physical layer shared key is generated by the first terminal based on the channel characteristic parameters between the first terminal and the base station;
a decryption unit, for decrypting the encrypted identity information and generating a corresponding group authentication vector based on the decrypted identity information;
a transmitting unit, for sending the group authentication vector to the first terminal and triggering the first terminal to complete network authentication based on the group authentication vector;
a notification unit, for notifying the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector.
16. The device as claimed in claim 15, characterized in that, when the device notifies the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector, the notification unit is configured to:
after determining that the first terminal has completed network authentication, send a paging message to the other group terminals in the same group as the first terminal; the paging message is used to notify those other group terminals to obtain the group authentication vector from the network server and to perform network authentication using the group authentication vector.
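The flow the claims describe, end to end, as an added toy model (not the patent's code and not any operator's implementation): claim 10's quantization of channel samples into a physical layer shared key, claim 11's encrypted IMSI, the authentication vector check of claims 12 and 13, and the session key of claim 14. HMAC-SHA256 as MAC and key derivation, the XOR keystream cipher, the AUTN layout (SQN||MAC), the public kept-index exchange, the channel samples and the IMSI value are all assumptions of this example.

```python
import hashlib, hmac, secrets

def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with an HMAC-SHA256 keystream (a deployment would use an AEAD)."""
    ks = b"".join(hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def pl_key(features, guard=0.2, keep=None):
    """Claim 10: each zero-centred channel sample becomes one bit; samples inside the guard band
    are unreliable and are dropped (the correction step). The kept-index list is assumed public."""
    if keep is None:
        keep = [i for i, f in enumerate(features) if abs(f) >= guard]
    bits = "".join("1" if features[i] > 0 else "0" for i in keep)
    return hashlib.sha256(bits.encode()).digest(), keep

def make_group_av(group_key, sqn):
    """Server side (claim 12): group authentication vector = RAND, AUTN (SQN||MAC), XRES."""
    rand = secrets.token_bytes(16)
    mac = hmac.new(group_key, sqn + rand, hashlib.sha256).digest()[:8]
    xres = hmac.new(group_key, b"RES" + rand, hashlib.sha256).digest()[:8]
    return {"rand": rand, "autn": sqn + mac, "xres": xres}

def terminal_respond(group_key, rand, autn):
    """Terminal side (claim 13): recompute the MAC over AUTN's SQN and RAND; only on a match
    is the request legitimate, and the RES goes back encrypted under the group key."""
    sqn, mac = autn[:2], autn[2:]
    if not hmac.compare_digest(mac, hmac.new(group_key, sqn + rand, hashlib.sha256).digest()[:8]):
        return None  # the network did not prove knowledge of the group key: abort
    res = hmac.new(group_key, b"RES" + rand, hashlib.sha256).digest()[:8]
    return keystream_xor(group_key, b"resp", res)

def session_key(pl, group_key):
    """Claim 14: the group key is common to every member, so the per-terminal
    physical-layer key is mixed in to obtain a session key unique to this terminal."""
    return hmac.new(pl, b"session" + group_key, hashlib.sha256).digest()

def run_attach(term_feat, bs_feat, imsi, group_key, sqn=b"\x00\x01", tamper=False):
    """Attach of the first terminal end to end; returns what each side concluded."""
    k_term, keep = pl_key(term_feat)                       # terminal measures the channel
    k_net, _ = pl_key(bs_feat, keep=keep)                  # base station: reciprocal channel
    enc_imsi = keystream_xor(k_term, b"imsi", imsi)        # claim 11: IMSI never sent in clear
    imsi_seen = keystream_xor(k_net, b"imsi", enc_imsi)    # server recovers it with its copy
    av = make_group_av(group_key, sqn)
    autn = av["autn"][:2] + bytes(8) if tamper else av["autn"]   # tamper: forged MAC
    enc_res = terminal_respond(group_key, av["rand"], autn)
    ok = enc_res is not None and hmac.compare_digest(
        keystream_xor(group_key, b"resp", enc_res), av["xres"])
    return {"imsi_ok": imsi_seen == imsi, "auth_ok": ok,
            "keys_match": ok and session_key(k_term, group_key) == session_key(k_net, group_key)}

# Constructed channel samples: the base station sees the terminal's samples plus small noise.
TERM = [0.8, -0.6, 0.1, 0.5, -0.9, -0.05, 0.3, -0.4]
BS = [0.77, -0.63, 0.14, 0.52, -0.86, 0.02, 0.27, -0.44]
```

A forged AUTN makes `terminal_respond` return `None`, so the terminal never emits a response and no session key is derived.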
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611052482.0A CN108112012A (en) | 2016-11-24 | 2016-11-24 | The method for network authorization and device of a kind of group endpoints |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108112012A true CN108112012A (en) | 2018-06-01 |
Family
ID=62204056
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611052482.0A Pending CN108112012A (en) | 2016-11-24 | 2016-11-24 | The method for network authorization and device of a kind of group endpoints |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108112012A (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101699890A (en) * | 2009-10-30 | 2010-04-28 | 天津工业大学 | 3G-WLAN authentication method |
CN102088668A (en) * | 2011-03-10 | 2011-06-08 | 西安电子科技大学 | Group-based authentication method of machine type communication (MTC) devices |
CN102137397A (en) * | 2011-03-10 | 2011-07-27 | 西安电子科技大学 | Authentication method based on shared group key in machine type communication (MTC) |
CN102238484A (en) * | 2010-04-22 | 2011-11-09 | 中兴通讯股份有限公司 | Method and system for group-based authentication in machine to machine communication systems |
CN102469458A (en) * | 2010-11-19 | 2012-05-23 | 中兴通讯股份有限公司 | Group authentication method and group authentication system in M2M communication |
CN102905265A (en) * | 2012-10-11 | 2013-01-30 | 大唐移动通信设备有限公司 | Mobile equipment (ME) attaching method and device |
CN103039053A (en) * | 2010-06-10 | 2013-04-10 | 阿尔卡特朗讯公司 | Secure registration of group of clients using single registration procedure |
US20160262019A1 (en) * | 2013-11-04 | 2016-09-08 | Samsung Electronics Co., Ltd. | Security method and system for supporting discovery and communication between proximity based service terminals in mobile communication system environment |
Non-Patent Citations (2)
Title |
---|
CHINA MOBILE: "[MTCe] A new solution for group based authentication", 《3GPP TSG SA WG3 (SECURITY) MEETING #81 S3-152327》 * |
CHINA MOBILE: "[MTCe] group authentication mechanism", 《3GPP TSG SA WG3 (SECURITY) MEETING #78 S3-151076》 * |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110769420B (en) * | 2018-07-25 | 2022-05-13 | 中兴通讯股份有限公司 | Network access method, device, terminal, base station and readable storage medium |
CN110769420A (en) * | 2018-07-25 | 2020-02-07 | 中兴通讯股份有限公司 | Network access method, device, terminal, base station and readable storage medium |
CN108924838A (en) * | 2018-09-11 | 2018-11-30 | 中国联合网络通信集团有限公司 | Method for switching network, device, Provider Equipment and the terminal of cross operator |
CN108924838B (en) * | 2018-09-11 | 2021-09-14 | 中国联合网络通信集团有限公司 | Inter-operator network switching method and device, operator equipment and terminal |
CN113302895A (en) * | 2018-11-23 | 2021-08-24 | 泰雷兹数字安全法国股份有限公司 | Method and apparatus for authenticating a group of wireless communication devices |
CN113302895B (en) * | 2018-11-23 | 2023-04-18 | 泰雷兹数字安全法国简易股份公司 | Method and apparatus for authenticating a group of wireless communication devices |
CN109840407A (en) * | 2018-12-24 | 2019-06-04 | 航天信息股份有限公司 | Intelligent personnel's verification system and method |
CN109819444A (en) * | 2019-01-11 | 2019-05-28 | 杭州电子科技大学 | A kind of physical layer initial authentication method and system based on radio channel characteristic |
CN109819444B (en) * | 2019-01-11 | 2021-07-30 | 杭州电子科技大学 | Physical layer initial authentication method and system based on wireless channel characteristics |
CN110012467A (en) * | 2019-04-18 | 2019-07-12 | 苏州博联科技有限公司 | The packet authentication method of narrowband Internet of Things |
CN114339744A (en) * | 2020-10-10 | 2022-04-12 | 中移(成都)信息通信科技有限公司 | Communication method, device, equipment and storage medium |
CN112887981A (en) * | 2021-01-12 | 2021-06-01 | 国网电力科学研究院有限公司 | Authentication method and system for power wireless private network terminal access |
CN112887981B (en) * | 2021-01-12 | 2022-10-04 | 国网电力科学研究院有限公司 | Authentication method and system for power wireless private network terminal access |
CN113905379B (en) * | 2021-10-15 | 2024-05-03 | 绍兴建元电力集团有限公司 | Method for locally optimizing security communication authentication of 5G base station participation terminal |
CN113905379A (en) * | 2021-10-15 | 2022-01-07 | 绍兴建元电力集团有限公司 | Method for 5G base station to participate in local optimization of terminal security communication authentication |
CN114760626A (en) * | 2021-10-18 | 2022-07-15 | 西安电子科技大学 | Self-adaptive combined authentication method for 5G large-scale terminal |
CN114760626B (en) * | 2021-10-18 | 2024-04-02 | 西安电子科技大学 | Self-adaptive combined authentication method for 5G large-scale terminal |
CN114362967A (en) * | 2022-03-09 | 2022-04-15 | 南京易科腾信息技术有限公司 | Authentication method, device and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 2018-06-01