CN108112012A - Network authentication method and apparatus for group terminals - Google Patents


Info

Publication number: CN108112012A
Application number: CN201611052482.0A
Authority: CN (China)
Legal status: Pending
Original language: Chinese (zh)
Inventors: 李笑如, 左敏, 庄小君
Assignee (original and current): China Mobile Communications Group Co Ltd; China Mobile Communications Co Ltd
Prior art keywords: group, terminal, authentication, key, network

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 12/00: Security arrangements; authentication; protecting privacy or anonymity
    • H04W 12/02: Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/04: Key management, e.g. using generic bootstrapping architecture [GBA]


Abstract

The invention discloses a network authentication method and apparatus for group terminals, to address the high equipment O&M cost, low authentication efficiency and low authentication security of the process by which group terminals are authenticated when accessing the network. The method is: a first terminal encrypts its identity information with a physical layer shared key generated from the channel characteristic parameters between itself and the base station, sends the encrypted identity information to the network server, receives a group authentication vector that the network server generates from the identity information, completes network authentication with that group authentication vector, and triggers the network server to notify the other group terminals of the same group to perform network authentication with the same group authentication vector. Because each terminal encrypts its identity information with a physical layer shared key derived from the channel characteristic parameters between itself and the base station before transmitting it, the probability that terminal identity information leaks is reduced.

Description

Network authentication method and apparatus for group terminals
Technical field
The present invention relates to the field of communication security, and in particular to a network authentication method and apparatus for group terminals.
Background art
With the development of communication technology, Machine Type Communication (MTC) has become an important application scenario in Long Term Evolution (LTE) networks and in the coming fifth-generation mobile communication (5G) networks. Under the existing 3rd Generation Partnership Project (3GPP) standards, when a large number of group devices access the network at the same time, the network must authenticate each group device separately, which can cause network congestion. At present, group authentication methods based on a master device (Group Leader) are generally used in 3GPP networks to address this congestion.
During group establishment, the operator first assigns all group devices (User Equipment, UE) in the group the same group identity, key and so on, then sets a device identity, device key and so on for each UE individually and stores them in the Home Subscriber Server (HSS); finally, one UE is selected as the master device of the group.
The first method: the group devices support a radio transmission technology outside 3GPP, and the master device initiates the access request to the 3GPP network. The master device accesses the network as follows: the master device sends its International Mobile Subscriber Identity (IMSI) and electronic identity (eID) to the Mobility Management Entity (MME); the MME sends an authentication data request to the HSS and receives the Authentication Vector (AV) returned by the HSS; and the master device completes network authentication using the authentication vector returned by the HSS. After the master device has accessed successfully, it obtains the authentication vector and forwards it to the other devices in the group over the non-3GPP radio access; the group then generates new device authentication vectors using techniques such as aggregate signatures, which are used for the 3GPP authentication of the other devices in the group.
However, this method requires the group devices to support a wireless connection technology outside 3GPP, which increases device cost and power consumption; the authentication process is also complex and authentication efficiency is low.
The second method: the group devices do not support a radio transmission technology outside 3GPP, and the master device initiates the access request to the 3GPP network. The master device accesses the network as follows: the master device sends its IMSI and eID to the MME; the MME sends an authentication data request to the HSS, then receives and stores the authentication vector AV returned by the HSS; and the master device completes network authentication using the authentication vector returned by the HSS. At this point the MME holds the authentication vector that the HSS generated when the master device accessed the network, and that authentication vector can be used by the other devices in the group when they perform network authentication.
However, this authentication method requires the device vendor to set a device key for each group device in advance and requires the HSS to store the corresponding device key information, which increases the manufacturing cost for the device vendor and the operating cost for the operator.
Moreover, both group device authentication methods above are based on the Authentication and Key Agreement (EPS-AKA) procedure of the LTE system, and cannot solve the security problems inherent in EPS-AKA authentication (for example, leakage of the International Mobile Subscriber Identity (IMSI) and of Ki), which leads to information leakage from the group devices.
In summary, a new network authentication method for group terminals needs to be designed to overcome the defects and shortcomings of the prior art.
Summary of the invention
Embodiments of the present invention provide a network authentication method and apparatus for group terminals, to solve the problems of high equipment O&M cost, low authentication efficiency and low authentication security in the prior-art process by which group terminals are authenticated when accessing the network.
The specific technical solutions provided by the embodiments of the present invention are as follows:
A network authentication method for group terminals, comprising:
a first terminal generating a physical layer shared key based on the channel characteristic parameters between itself and the base station;
the first terminal encrypting its identity information with the physical layer shared key and sending the encrypted identity information to the network server;
the first terminal receiving a group authentication vector generated by the network server from the identity information, completing network authentication with the group authentication vector, and triggering the network server to notify the other group terminals of the same group as the first terminal to perform network authentication with the group authentication vector.
Optionally, the first terminal generating a physical layer shared key based on the channel characteristic parameters between itself and the base station specifically comprises:
each time the first terminal receives a probe signal sent by the base station, computing the signal characteristic corresponding to the received probe signal from the channel characteristic parameters between itself and the base station, and assembling the generated signal characteristics into a signal characteristic sequence;
the first terminal performing quantization and correction processing on the signal characteristic sequence to obtain a processed signal characteristic sequence;
the first terminal converting the processed signal characteristic sequence into the physical layer shared key.
Optionally, the first terminal encrypting its identity information with the physical layer shared key and sending the encrypted identity information to the network server specifically comprises:
the first terminal encrypting its International Mobile Subscriber Identity (IMSI) and/or electronic identity (eID) with the physical layer shared key;
the first terminal sending the encrypted IMSI and/or eID to the network server.
Optionally, the first terminal receiving the group authentication vector generated by the network server from the identity information and completing network authentication with the group authentication vector specifically comprises:
the first terminal receiving an authentication request message sent by the network server, the authentication request message carrying the group authentication vector;
the first terminal verifying the legitimacy of the authentication request message using the authentication parameters contained in the group authentication vector, and, when the authentication request message is determined to be legitimate, generating an authentication response message corresponding to it;
the first terminal returning the authentication response message to the network server.
Optionally, the first terminal verifying the legitimacy of the authentication request message using the authentication parameters contained in the group authentication vector and, when the message is determined to be legitimate, generating the corresponding authentication response message specifically comprises:
the first terminal generating corresponding authentication data from the authentication token AUTN contained in the group authentication vector, and determining that the authentication request message is legitimate when that authentication data matches the original data carried in the authentication token AUTN;
the first terminal generating response data corresponding to the authentication request message and encrypting the response data with the group key to obtain the authentication response message, where the group key is a key preset for all terminals in the group to which the first terminal belongs.
Optionally, after the first terminal completes network authentication with the group authentication vector, the method further comprises:
the first terminal generating a session key from the physical layer shared key and the group key, the session key being applied to the service data exchange between the first terminal and the network server.
A network authentication method for group terminals, comprising:
a network server receiving identity information sent by a first terminal and encrypted with a physical layer shared key, where the physical layer shared key is generated by the first terminal from the channel characteristic parameters between itself and the base station;
the network server decrypting the encrypted identity information and generating a corresponding group authentication vector from the decrypted identity information;
the network server sending the group authentication vector to the first terminal and triggering the first terminal to complete network authentication with the group authentication vector;
the network server notifying the other group terminals of the same group as the first terminal to perform network authentication with the group authentication vector.
Optionally, the network server notifying the other group terminals of the same group as the first terminal to perform network authentication with the group authentication vector comprises:
after determining that the first terminal has completed network authentication, sending an authentication-complete instruction to the other group terminals of the same group as the first terminal; the authentication-complete instruction is used to trigger those group terminals to obtain the group authentication vector from the network server and perform network authentication with it.
A network authentication apparatus for group terminals, comprising:
a generation unit for generating a physical layer shared key based on the channel characteristic parameters between the apparatus and the base station;
an encryption unit for encrypting the identity information of the apparatus with the physical layer shared key and sending the encrypted identity information to the network server;
a first receiving unit for receiving the group authentication vector generated by the network server from the identity information, completing network authentication with the group authentication vector, and triggering the network server to notify the other group terminals of the same group as the apparatus to perform network authentication with the group authentication vector.
Optionally, when the apparatus generates the physical layer shared key based on the channel characteristic parameters between itself and the base station, the generation unit is configured to:
each time a probe signal sent by the base station is received, compute the signal characteristic corresponding to the received probe signal from the channel characteristic parameters between the apparatus and the base station, and assemble the generated signal characteristics into a signal characteristic sequence;
perform quantization and correction processing on the signal characteristic sequence to obtain a processed signal characteristic sequence;
convert the processed signal characteristic sequence into the physical layer shared key.
Optionally, when the apparatus encrypts its identity information with the physical layer shared key and sends the encrypted identity information to the network server, the encryption unit is configured to:
encrypt the International Mobile Subscriber Identity (IMSI) and/or electronic identity (eID) of the apparatus with the physical layer shared key;
send the encrypted IMSI and/or eID to the network server.
Optionally, when the apparatus receives the group authentication vector generated by the network server from the identity information and completes network authentication with the group authentication vector, the first receiving unit is configured to:
receive the authentication request message sent by the network server, the authentication request message carrying the group authentication vector;
verify the legitimacy of the authentication request message using the authentication parameters contained in the group authentication vector, and, when the authentication request message is determined to be legitimate, generate an authentication response message corresponding to it;
return the authentication response message to the network server.
Optionally, when the apparatus verifies the legitimacy of the authentication request message using the authentication parameters contained in the group authentication vector and, when the message is determined to be legitimate, generates the corresponding authentication response message, the first receiving unit is configured to:
generate corresponding authentication data from the authentication token AUTN contained in the group authentication vector, and determine that the authentication request message is legitimate when that authentication data matches the original data carried in the authentication token AUTN;
generate response data corresponding to the authentication request message and encrypt the response data with the group key to obtain the authentication response message, where the group key is a key preset for all terminals in the group to which the apparatus belongs.
Optionally, after the apparatus completes network authentication with the group authentication vector, the first receiving unit is further configured to:
generate a session key from the physical layer shared key and the group key, the session key being applied to the service data exchange between the apparatus and the network server.
Optionally, when the apparatus triggers the other group terminals of the same group to perform network authentication with the group authentication vector, the first receiving unit is configured to:
after network authentication is completed, send an authentication-complete instruction to the other group terminals of the same group as the apparatus; the authentication-complete instruction is used to trigger those group terminals to obtain the group authentication vector from the network server and perform network authentication with it.
A network authentication apparatus for group terminals, comprising:
a second receiving unit for receiving identity information sent by a first terminal and encrypted with a physical layer shared key, where the physical layer shared key is generated by the first terminal from the channel characteristic parameters between itself and the base station;
a decryption unit for decrypting the encrypted identity information and generating a corresponding group authentication vector from the decrypted identity information;
a sending unit for sending the group authentication vector to the first terminal and triggering the first terminal to complete network authentication with the group authentication vector;
a notification unit for notifying the other group terminals of the same group as the first terminal to perform network authentication with the group authentication vector.
Optionally, when the apparatus notifies the other group terminals of the same group as the first terminal to perform network authentication with the group authentication vector, the notification unit is configured to:
after determining that the first terminal has completed network authentication, send a paging message to the other group terminals of the same group as the first terminal; the paging message is used to notify those group terminals to obtain the group authentication vector from the network server and perform network authentication with it.
The embodiments of the present invention have the following beneficial effects:
In summary, in the embodiments of the present invention, when group terminals perform network authentication, the first terminal encrypts its identity information with a physical layer shared key generated from the channel characteristic parameters between itself and the base station, sends the encrypted identity information to the network server, receives the group authentication vector that the network server generates from the identity information, completes network authentication with the group authentication vector, and triggers the network server to notify the other group terminals of the same group as the first terminal to perform network authentication with the group authentication vector.
With this method, the operator only needs to preset the same IMSI and the same group key for all terminals in the group and one eID for each terminal, which reduces O&M cost. Each terminal encrypts its identity information with the physical layer shared key generated from the channel characteristic parameters between itself and the base station before transmitting it, which reduces the probability that terminal identity information leaks. Further, the terminal encrypts its response data with the above physical layer shared key to obtain the authentication response message, and the network server decrypts that authentication response message, which further enhances the security of the terminal authentication procedure. Finally, the terminal and the network server generate the session key from the physical layer shared key and the key K_ASME generated from the group key, which guarantees the uniqueness and privacy of the session key and thereby improves the security of the service data exchange between the device and the network server.
Brief description of the drawings
Fig. 1 is a schematic diagram of the system architecture in an embodiment of the present invention;
Fig. 2 is a flowchart of the method by which the first terminal performs network authentication in an embodiment of the present invention;
Fig. 3 is a schematic diagram of the process by which the first terminal generates the physical layer shared key Kp from the channel characteristic parameters between itself and the base station in an embodiment of the present invention;
Fig. 4 is a detailed flowchart of an embodiment of the present invention applied to a practical service scenario;
Fig. 5 is a structural diagram of the first terminal in an embodiment of the present invention;
Fig. 6 is a structural diagram of the network server in an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
To solve the problems of high equipment O&M cost, low authentication efficiency and low authentication security in the prior-art process by which group terminals are authenticated when accessing the network, the embodiments of the present invention design a new network authentication method and apparatus for group terminals. The method is: a first terminal generates a physical layer shared key from the channel characteristic parameters between itself and the base station, encrypts its identity information with that key, sends the encrypted identity information to the network server, receives the group authentication vector that the network server generates from the identity information, completes network authentication with the group authentication vector, and triggers the network server to notify the other group terminals of the same group to perform network authentication with the group authentication vector.
The solution of the present invention is described in detail below through specific embodiments; of course, the present invention is not limited to the following embodiments.
In the preprocessing stage, several Machine Type Communication (MTC) devices form a group according to a rule preset by the user (for example, the physical location of the devices, or the devices belonging to one user).
For example, all smart electricity meters in a certain residential building form group 1; alternatively, all smart meters belonging to company A form group 2.
The operator provides every group terminal in a group with the same group identity (e.g., the International Mobile Subscriber Identity (IMSI)) and the same group key, and provides each group terminal with a different, unique device identity (e.g., an electronic identity (eID)).
For example, the operator provides all the smart meters in group 1 with the same IMSI and the same group key K1 that all terminals share, and provides smart meter 1 with eID1, smart meter 2 with eID2, ..., and smart meter n with eIDn.
Based on the user's setting, one group terminal is selected from all the group terminals as the master terminal.
For example, based on the user's setting, smart meter 1 in group 1 is selected as the master smart meter; alternatively, the company's main meter in group 2 is selected as the master smart meter.
As shown in Fig. 1, in an embodiment of the present invention the system contains several user equipments (UE), a network server and several base stations (evolved Node B, eNB); a UE accesses the network server through an eNB. In the embodiments of the present invention the user equipments are referred to below as group terminals.
As shown in Fig. 2, in an embodiment of the present invention the specific flow of the network authentication method at the first terminal is as follows:
Step 201: the first terminal initiates a network access request to the network server.
Specifically, when the first terminal detects that it needs to access the network, it initiates a network access request to the network server through the base station, where the first terminal is the master terminal selected, based on the user's setting, from all the group terminals belonging to the same group.
For example, suppose that 12 noon on the 15th of every month is the time at which all the smart meters in a certain residential district report service data to the network server. The first terminal can only report service data to the network server after passing network access authentication, so at that time it must initiate a network access request to the network server through the base station.
Step 202: the network server sends an identity request message to the first terminal.
In practice, after the network server receives the network access request initiated by the first terminal, it sends an identity request message to the first terminal through the base station in order to obtain the first terminal's identity information.
For example, after the network server receives the network access request message initiated by smart meter 1 in a group made up of several smart meters, it generates the corresponding identity request message from that network access request message and returns it to smart meter 1.
Step 203: the first terminal generates a physical layer shared key from the channel characteristic parameters between itself and the base station.
Specifically, in practice, the first terminal sends a probe signal to the base station; after receiving the probe signal sent by the first terminal, the base station returns a corresponding probe signal to the first terminal. Each time the first terminal receives a probe signal sent by the base station, it computes the signal characteristic corresponding to the received probe signal from the channel characteristic parameters between itself and the base station and assembles the generated signal characteristics into a signal characteristic sequence; it then performs quantization and correction processing on that signal characteristic sequence to obtain a processed signal characteristic sequence, and converts the processed signal characteristic sequence into the physical layer shared key.
Further, each time the base station receives a probe signal sent by the first terminal, it computes the signal characteristic corresponding to the received probe signal from the channel characteristic parameters between itself and the first terminal, assembles the generated signal characteristics into a signal characteristic sequence, performs quantization and correction processing on that sequence to obtain a processed signal characteristic sequence, and converts the processed signal characteristic sequence into the physical layer shared key.
For example, the interaction between the terminal and the base station takes place over a Time Division Duplexing (TDD) channel. As shown in Fig. 3, the terminal sends UE probe signal 1 to the base station, and the base station returns eNB probe signal 1 to the terminal after receiving UE probe signal 1. Each time the terminal or the base station receives a probe signal from the other side, it computes the signal characteristic corresponding to the received probe signal. After N exchanges (N >= 1), the terminal and the base station have each generated a signal characteristic sequence. Because of factors such as noise and the time difference between the two probes of an exchange, the terminal and the base station each need to perform quantization and correction processing on the signal characteristic sequence they generated, and then convert the processed signal characteristic sequence into the corresponding physical layer shared key Kp.
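As an added illustration (not code from the patent or from the applicant), the following Python models one way to carry out the quantization and correction step of the TDD probe exchange described above: each side quantizes its own channel-feature sequence against the sequence mean with a guard band, the two sides publicly exchange only the indices they discarded, and the agreed bits are hashed into Kp. The guard-band quantizer, the index-exchange correction and the constructed signal-strength values are assumptions; the patent does not specify these details.

```python
import hashlib
import statistics
from typing import List, Optional, Set, Tuple

# Constructed channel features (e.g. received signal strength in dBm) for N = 16 probe
# exchanges. TDD reciprocity makes both measurements similar, but noise and the time
# offset between the two probes of each exchange make them differ by a few tenths.
TERMINAL_FEATURES = [-72.6, -65.3, -80.4, -66.0, -67.1, -71.5, -79.2, -81.0,
                     -64.8, -78.6, -70.9, -82.3, -63.9, -66.4, -77.8, -72.0]
BASE_STATION_FEATURES = [-72.3, -65.6, -80.1, -66.3, -67.4, -71.2, -79.5, -80.7,
                         -65.0, -78.3, -71.3, -82.0, -64.2, -66.1, -78.1, -71.7]


def quantize(features: List[float], guard: float = 0.5) -> List[Optional[int]]:
    """Quantize each feature to one bit relative to the sequence mean.

    Samples within +/- guard standard deviations of the mean lie in a guard band and
    are marked None: a small measurement error there would flip the bit on one side
    only, so such samples must not contribute key material.
    """
    mean = statistics.fmean(features)
    band = guard * statistics.pstdev(features)
    bits: List[Optional[int]] = []
    for x in features:
        if x > mean + band:
            bits.append(1)
        elif x < mean - band:
            bits.append(0)
        else:
            bits.append(None)
    return bits


def discarded_indices(bits: List[Optional[int]]) -> Set[int]:
    """The only information a side announces over the air: which sample indices it
    dropped. Indices are public; the bit values themselves never leave the device."""
    return {i for i, b in enumerate(bits) if b is None}


def correct(bits: List[Optional[int]], own_discards: Set[int], peer_discards: Set[int]) -> str:
    """Correction step: keep only indices neither side discarded, as a bit string."""
    keep = sorted(set(range(len(bits))) - own_discards - peer_discards)
    return "".join(str(bits[i]) for i in keep)


def bits_to_key(bit_string: str) -> bytes:
    """Convert the processed sequence into Kp by hashing it, so the key has a fixed
    length regardless of how many samples survived the guard band."""
    return hashlib.sha256(bit_string.encode("ascii")).digest()


def derive_shared_key(terminal: List[float], base_station: List[float],
                      guard: float = 0.5) -> Tuple[bytes, bytes, List[int]]:
    """Run quantize / correct / convert on both sides independently and return
    (Kp at the terminal, Kp at the base station, indices that were kept)."""
    bits_t, bits_b = quantize(terminal, guard), quantize(base_station, guard)
    disc_t, disc_b = discarded_indices(bits_t), discarded_indices(bits_b)
    kp_t = bits_to_key(correct(bits_t, disc_t, disc_b))
    kp_b = bits_to_key(correct(bits_b, disc_b, disc_t))
    keep = sorted(set(range(len(terminal))) - disc_t - disc_b)
    return kp_t, kp_b, keep


def agreed_bit_string(terminal: List[float], base_station: List[float],
                      guard: float = 0.5) -> str:
    """The processed signal characteristic sequence as seen by the terminal."""
    bits_t = quantize(terminal, guard)
    return correct(bits_t, discarded_indices(bits_t),
                   discarded_indices(quantize(base_station, guard)))


if __name__ == "__main__":
    kp_t, kp_b, keep = derive_shared_key(TERMINAL_FEATURES, BASE_STATION_FEATURES)
    print("kept indices:", keep)
    print("keys match:", kp_t == kp_b, kp_t.hex())
```

With the constructed samples, sample 0 sits almost exactly on the mean: with a guard band both sides drop it and agree on Kp, while with no guard band (guard=0.0) the two sides quantize it to different bits and end up with different keys.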
Step 204:First terminal is based on above-mentioned physical layer shared key, and the identity information of first terminal is encrypted, And encrypted identity information is sent to network server.
Specifically, first terminal is based on above-mentioned physical layer shared key, the IMSI and/or eID of first terminal are added Close processing, and encrypted IMSI and/or eID are sent to network server.
Wherein, the IMSI of above-mentioned first terminal is the default key of all terminals being directed in the first terminal group, The eID of above-mentioned first terminal is to be directed to first terminal individually default terminal unique mark.
For example, it is assumed that the identity information of first terminal includes the IMSI1 and eID1 of first terminal, then, first terminal makes The IMSI1 and eID1 of first terminal are encrypted with encryption function Enc (x1, y1) and physical layer shared key Kp, In, the parameter x1 in encryption function Enc (x1, y1) is object to be encrypted, and parameter y1 is encryption key, and first terminal is encrypted Identity information is GID=Enc ((IMSI, eID), Kp), after the encryption for first terminal identity information is completed, first terminal Encrypted identity information GID is sent to base station, then, then by base station by the encrypted identity information GID of first terminal and The physical layer shared key Kp that base station generates sends jointly to network server.
Step 205: The network server receives the encrypted identity information sent by the first terminal and decrypts it.
Specifically, after receiving the encrypted identity information of the first terminal forwarded by the base station, together with the physical layer shared key generated by the base station, the network server decrypts the received identity information of the first terminal with the decryption function corresponding to the encryption function and the physical layer shared key.
For example, after the network server receives the encrypted identity information GID = Enc((IMSI1, eID1), Kp) of the first terminal via base station 1, together with the physical layer shared key Kp sent by the base station, it decrypts GID with the decryption function Dec(x2, y2) corresponding to the encryption function Enc(x1, y1) and the physical layer shared key Kp, where the parameter x2 is the object to be decrypted and the parameter y2 is the decryption key, and obtains the identity information of the first terminal: (IMSI1, eID1) = Dec(GID, Kp).
Step 206: The network server generates the corresponding group authentication vector from the decrypted identity information.
Specifically, the network server generates the corresponding group authentication vector from the IMSI of the first terminal.
In practice, the Mobility Management Entity (MME) local to the network server sends the received IMSI of the first terminal and the local Serving Network identity (SN id) to the Home Subscriber Server (HSS) local to the network server. The HSS verifies, from the SN id, the serving network that the first terminal is applying to access, and after that check passes the Authentication Service Entity (ASE) in the HSS verifies the IMSI of the first terminal. Once the IMSI is verified, the HSS generates the corresponding sequence number SQN_HSS and random parameter RAND, generates a group of authentication vectors (Authentication Vector, AV), and sends this group of AVs to the MME. Every AV in the group contains the following authentication parameters: the random number RAND, an authentication token (Authentication Token, AUTN), an expected user response (Expected Response, XRES) and a key K_ASME (a K_ASME key generated from the preset group key).
Step 207: The network server sends the group authentication vector to the first terminal.
Specifically, after the MME receives the group of AVs sent by the HSS, it sorts them according to a preset rule, takes the lowest-ranked AV after sorting as the group authentication vector, and sends the authentication parameters RAND and AUTN of the group authentication vector to the first terminal together with the key set identifier KSI_ASME (the key K_ASME itself is derived from the group key on both sides, as in steps 208 and 209, and is not transmitted).
For example, suppose the MME receives AV1, AV2 and AV3 from the HSS. The MME sorts the three AVs by vector sequence number, takes AV1, the AV with the lowest sequence number, as the group authentication vector of the first terminal group, and sends the authentication parameters of AV1 to the first terminal.
Step 208: The first terminal receives the group authentication vector that the network server generated from the identity information of the first terminal.
Specifically, the first terminal first receives an authentication request message sent by the network server, the authentication request message carrying the group authentication vector; it then checks the legitimacy of the authentication request message using the authentication parameters contained in the group authentication vector and, when the authentication request message is determined to be legitimate, generates the authentication response message corresponding to it; finally, the first terminal returns the authentication response message to the network server.
In practice, the authentication request message received by the first terminal contains at least the authentication parameters RAND and AUTN of the group authentication vector. The first terminal generates the corresponding authentication data from the AUTN contained in the group authentication vector and, when it finds that the generated authentication data matches the original data carried in the AUTN, determines that the authentication request message is legitimate.
For example, after receiving AV1 sent by the network server, the first terminal checks the Authentication Management Field (AMF) contained in the AUTN of AV1. If that check passes, it computes the corresponding message authentication code (Message Authentication Code, MAC) and, when the computed MAC is identical to the original message authentication code carried in the AUTN, the first terminal determines that the authentication request message is legitimate.
The first terminal generates the corresponding response data from the legitimate authentication request message and encrypts the response data with the key K_ASME derived from the group key to obtain the corresponding authentication response message, where the group key is a key preset for all terminals in the first terminal group.
For example, after determining that the authentication request message is legitimate, the first terminal computes the user response (Response, RES) and encrypts RES together with the eID of the first terminal using an encryption function Enc(x3, y3) and the key K_ASME, where the parameter x3 is the object to be encrypted and the parameter y3 is the encryption key, obtaining the authentication response message RES' = Enc((RES, eID), K_ASME). Here K_ASME is a key generated from the group key preset for all terminals in the first terminal group.
The first terminal then returns the authentication response message to the network server. After receiving the authentication response message returned by the first terminal, the network server decrypts its content and verifies the legitimacy of the authentication response message.
For example, after receiving RES' = Enc((RES, eID), K_ASME) returned by the first terminal, the network server decrypts it with the decryption function Dec(x4, y4) corresponding to the encryption function Enc(x3, y3) and the key K_ASME, (RES, eID) = Dec(RES', K_ASME), where the parameter x4 in Dec(x4, y4) is the object to be decrypted and the parameter y4 is the decryption key. If the RES obtained by decryption is identical to the XRES contained in the group authentication vector, the authentication response message is determined to be legitimate.
Step 209: The first terminal generates the corresponding session key from the physical layer shared key and the group key, completing network authentication.
Specifically, the first terminal generates the corresponding session key from the physical layer shared key and the key K_ASME derived from the group key. The session key is used for the service data exchange between the first terminal and the network server.
For example, the first terminal uses "physical layer shared key + key K_ASME" as the session key for exchanging service data with the network server; alternatively, the first terminal uses "key K_ASME + physical layer shared key" as the session key for exchanging service data with the network server.
The manner in which the first terminal generates the session key from the physical layer shared key and the key K_ASME derived from the group key is not specifically limited here.
Step 210: The network server triggers the other group terminals in the same group as the first terminal to obtain the group authentication vector from the network server and to perform network authentication with the group authentication vector.
Specifically, after the network server determines that the first terminal has completed network authentication, it sends a paging message to the other group terminals in the same group as the first terminal. The paging message triggers those terminals to obtain the group authentication vector from the network server and to perform network authentication with the group authentication vector.
Here, the other group terminals in the same group as the first terminal are all the slave terminals that the user has assigned to the same group.
Further, after a slave terminal receives the paging message that the network server sends on determining that the first terminal has completed network authentication, the slave terminal initiates an access application to the network server. On receiving the identity request message sent by the network server, it generates its own physical layer shared key from the channel feature parameters between itself and the base station, encrypts its identity information with that physical layer shared key and sends it to the network server. At this point the network server does not need to generate a group authentication vector again from the identity information of the slave terminal; the group authentication vector generated when the first terminal performed network authentication is reused to complete the network authentication of the slave terminal.
As shown in Fig. 3, in this embodiment of the invention the flow by which the first terminal in step 203 generates the physical layer shared key from the channel feature parameters between itself and the base station is as follows. The first terminal sends UE probe signal 1 to the base station; after receiving UE probe signal 1, the base station computes UE signal feature 1 of UE probe signal 1 and returns eNB probe signal 1 to the first terminal; after receiving eNB probe signal 1 sent by the base station, the first terminal computes eNB signal feature 1 of eNB probe signal 1; …; the first terminal sends UE probe signal n to the base station; after receiving UE probe signal n, the base station computes UE signal feature n of UE probe signal n and returns eNB probe signal n to the first terminal; after receiving eNB probe signal n sent by the base station, the first terminal computes eNB signal feature n of eNB probe signal n, where n ≥ 1. After n exchanges (n ≥ 1), the first terminal and the base station each form a signal feature sequence from the probe signal features they computed. Because of noise and the time offset between the measurements at the two ends, the first terminal and the base station each apply quantization and correction to their own signal feature sequence and convert the corrected sequence into the corresponding physical layer shared key Kp.
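The probing, quantization and correction flow above (step 203 here, and the TDD example earlier in the description) as an added worked example. This is illustrative code written for this page, not code from the patent or the applicant. It assumes a scalar received-power feature per probe round and a simple guard-band form of quantization correction: each side announces over the public channel the indices of its own samples that fall close to its own decision threshold, both sides drop the union of those indices, quantize the remaining samples to one bit each and hash the bit string into Kp. The sample values are constructed.

```python
import hashlib
import statistics

# Constructed sample data: the same twelve probe rounds as measured by the UE and by
# the eNB (e.g. received power in dBm). Channel reciprocity makes the two sequences
# similar; the sub-dB differences stand in for noise and the TDD probing time offset.
UE_FEATURES = [-69.8, -61.8, -82.8, -75.5, -58.7, -65.2, -80.5, -62.2, -71.8, -87.7, -64.8, -77.2]
ENB_FEATURES = [-70.7, -61.1, -83.6, -74.3, -59.5, -66.4, -79.3, -63.2, -70.4, -88.1, -63.6, -77.9]


def ambiguous_indices(features, guard_db):
    """Quantization correction, step 1: indices whose sample lies within guard_db of this
    side's own median. These are the samples most likely to quantize differently at the
    peer, so each side announces them (index only, never the value) and both drop them."""
    thr = statistics.median(features)
    return {i for i, s in enumerate(features) if abs(s - thr) < guard_db}


def quantize(features, dropped):
    """One bit per surviving sample: 1 above this side's median, 0 below."""
    thr = statistics.median(features)
    return "".join("1" if s > thr else "0" for i, s in enumerate(features) if i not in dropped)


def derive_kp(features, dropped):
    """Privacy amplification: hash the agreed bit string into a fixed-length Kp so that a
    small bias or a few leaked bits do not map directly onto key bytes."""
    return hashlib.sha256(quantize(features, dropped).encode()).digest()


def agree_key(ue_features, enb_features, guard_db):
    """Run correction and quantization on both sides. Returns (Kp at UE, Kp at eNB, dropped
    indices); the two keys agree only if every surviving sample quantized identically."""
    dropped = ambiguous_indices(ue_features, guard_db) | ambiguous_indices(enb_features, guard_db)
    return derive_kp(ue_features, dropped), derive_kp(enb_features, dropped), sorted(dropped)


if __name__ == "__main__":
    ue_kp, enb_kp, dropped = agree_key(UE_FEATURES, ENB_FEATURES, guard_db=2.0)
    print("dropped indices:", dropped, "keys agree:", ue_kp == enb_kp)
    ue_kp0, enb_kp0, _ = agree_key(UE_FEATURES, ENB_FEATURES, guard_db=0.0)
    print("without correction, keys agree:", ue_kp0 == enb_kp0)
```

With the 2 dB guard band both ends drop indices 0 and 8, arrive at the same ten-bit string and therefore the same Kp. With the guard band removed, the two samples that sit on opposite sides of the two (slightly different) thresholds quantize differently and the keys diverge, which is the failure mode the quantization correction in the description exists to prevent. Ten surviving bits only show the mechanism: a deployment needs many more probe rounds, or a richer per-probe feature, before the hashed output carries key-grade entropy.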
The application of this embodiment of the invention to a practical service scenario is illustrated below.
For example, as shown in Fig. 4, in this embodiment of the invention the master device initiates an access application to the 3GPP network. After receiving the access application, the MME sends an identity request message to the master device through the base station. After receiving the identity request message, the master device generates the corresponding physical layer shared key Kp from the channel feature parameters between itself and the base station, encrypts the IMSI and eID with the encryption function and Kp to obtain the encrypted identity information GID, and sends GID to the base station. After receiving GID, the base station reports GID and Kp to the MME. After receiving the reported GID and Kp, the MME decrypts GID with the decryption function corresponding to the encryption function and Kp, obtains the IMSI and eID of the master terminal, and sends the IMSI, SN id and eID to the HSS. The HSS generates an AV group from the IMSI, SN id and eID and sends the generated AV group to the MME. The MME selects the AV with the lowest sequence number as the group authentication vector and sends the authentication parameters RAND and AUTN contained in the group authentication vector, together with KSI_ASME, to the master terminal. After receiving the authentication parameters of the group authentication vector, the master terminal verifies AUTN; once that check passes, it computes RES, encrypts RES with the encryption function and K_ASME to obtain RES', returns RES' to the MME, and generates the session key Ks from Kp and K_ASME. After receiving RES', the MME decrypts it with the decryption function corresponding to the encryption function and K_ASME to obtain RES, checks whether RES is identical to XRES and, once that check passes, generates the session key Ks from Kp and K_ASME.
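Steps 204 to 210 and the Fig. 4 scenario written out as one runnable exchange, added here as a worked example; it is not the patent's or the applicant's code. The description does not fix Enc/Dec, the AV derivation or the Ks combiner, so the example substitutes labelled HMAC-SHA256 constructions for all three (in a real network the Milenage functions, AUTN's sequence-number concealment and a standard AEAD would take their place). GROUP_IMSI, GROUP_KEY, SN_ID, the eID values and the Kp values are constructed. Both sides are written so that each check the description calls for is visible (the AMF bit and MAC in AUTN, RES against XRES, and a tag on every encrypted message), and group_attach shows the paged terminals reusing the AV issued for the first one.

```python
import hashlib
import hmac
import os

# Constructed parameters (assumptions for this example, not values from the patent).
GROUP_IMSI = b"460001234567890"                            # one IMSI preset for the whole group
GROUP_KEY = hashlib.sha256(b"example group key").digest()  # group key preset in every terminal
GROUP_KEYS = {GROUP_IMSI: GROUP_KEY}                       # the HSS record, keyed by group IMSI
SN_ID = b"46000"                                           # serving network id checked by the HSS
RES_LEN = 8                                                # length of RES / XRES in bytes

def _subkey(key, label):
    """Labelled HMAC-SHA256 derivation, used wherever the description leaves a function open."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def enc(key, plaintext, nonce=None):
    """Stand-in for Enc(x, y): HMAC keystream plus a 16-byte tag (an assumption; a deployment
    would use a standard AEAD such as AES-GCM). Output is nonce || ciphertext || tag."""
    nonce = os.urandom(16) if nonce is None else nonce
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]

def dec(key, blob):
    """Stand-in for Dec(x, y): verify the tag before touching the ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("Dec: authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

def k_asme_from(group_key, sn_id, sqn, rand):
    """K_ASME from the group key, RAND, SQN and SN id; computed independently by HSS and terminal."""
    return _subkey(_subkey(group_key, b"ck_ik" + rand), sn_id + sqn)

def hss_generate_av(imsi, sn_id, sqn, rand):
    """Step 206: the HSS resolves the (shared) IMSI and builds one AV for the whole group."""
    group_key = GROUP_KEYS[imsi]                  # KeyError here = unknown IMSI, rejected by the ASE
    amf = b"\x80\x00"                             # AMF with the EPS separation bit set
    mac = _subkey(group_key, b"autn" + sqn + amf + rand)[:8]
    return {"rand": rand, "autn": sqn + amf + mac,
            "xres": _subkey(group_key, b"res" + rand)[:RES_LEN],
            "k_asme": k_asme_from(group_key, sn_id, sqn, rand)}

def ue_respond(group_key, sn_id, rand, autn, eid):
    """Step 208, terminal side: check the AMF and the AUTN MAC, compute RES and return
    RES' = Enc((RES, eID), K_ASME) together with the locally derived K_ASME."""
    sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
    if not amf[0] & 0x80:
        raise ValueError("AUTN: AMF separation bit not set")
    if not hmac.compare_digest(mac, _subkey(group_key, b"autn" + sqn + amf + rand)[:8]):
        raise ValueError("AUTN: MAC mismatch, authentication request rejected")
    k_asme = k_asme_from(group_key, sn_id, sqn, rand)
    return enc(k_asme, _subkey(group_key, b"res" + rand)[:RES_LEN] + eid), k_asme

def mme_check_response(av, res_prime):
    """Step 208, network side: Dec(RES', K_ASME), compare RES with XRES and recover the eID
    that tells apart the terminals sharing one IMSI."""
    plain = dec(av["k_asme"], res_prime)
    if not hmac.compare_digest(plain[:RES_LEN], av["xres"]):
        raise ValueError("RES does not match XRES")
    return plain[RES_LEN:]

def session_key(kp, k_asme):
    """Step 209: Ks from Kp and K_ASME. The description allows concatenation in either order;
    a KDF over both is used here so that Ks has a fixed length and mixes both inputs."""
    return hmac.new(kp, b"Ks" + k_asme, hashlib.sha256).digest()

def group_attach(kp_by_eid, sqn, rand):
    """Steps 204 to 210 for a whole group: the first terminal's identity triggers AV generation
    and the paged terminals re-use that AV. Returns {eid: (Ks at terminal, Ks at MME)}."""
    av, result = None, {}
    for eid, kp in kp_by_eid.items():
        gid = enc(kp, GROUP_IMSI + eid)               # step 204: GID = Enc((IMSI, eID), Kp)
        ident = dec(kp, gid)                          # step 205: the MME holds Kp only because
        imsi, seen_eid = ident[:15], ident[15:]       #           the eNB forwarded it
        if av is None:                                # steps 206-207: first terminal only
            av = hss_generate_av(imsi, SN_ID, sqn, rand)
        res_prime, k_asme_ue = ue_respond(GROUP_KEY, SN_ID, av["rand"], av["autn"], seen_eid)
        auth_eid = mme_check_response(av, res_prime)  # step 208
        result[auth_eid] = (session_key(kp, k_asme_ue), session_key(kp, av["k_asme"]))  # step 209
    return result

def rejects(fn, *args):
    """True when fn(*args) is refused with ValueError; shows tampered messages are detected."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

Calling group_attach with one Kp per eID returns, for every terminal, a Ks that agrees on both sides and is derived from the single AV the HSS issued for the group; flipping a bit in AUTN makes the terminal refuse the request, and flipping a bit in RES' makes the MME refuse the response. The two points a practitioner should take from the exchange are already in the description: every member holds the same group key, so the AV proves group membership and it is the eID inside the encrypted response, not the IMSI, that identifies the individual terminal; and the MME can decrypt GID only because the base station hands it Kp, so the base station and that link are trusted with the terminal's identity exactly as the MME is.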
Based on the above embodiments, as shown in Fig. 5, in this embodiment of the invention a network authentication device of a group terminal (e.g., the first terminal) comprises at least a generation unit 50, an encryption unit 51 and a first receiving unit 52, wherein:
the generation unit 50 is configured to generate a physical layer shared key from the channel feature parameters between the device and the base station;
the encryption unit 51 is configured to encrypt the identity information of the device with the physical layer shared key and to send the encrypted identity information to the network server;
the first receiving unit 52 is configured to receive the group authentication vector that the network server generates from the identity information, to complete network authentication with the group authentication vector, and to trigger the network server to notify the other group terminals in the same group as the device to perform network authentication with the group authentication vector.
Optionally, when the device generates the physical layer shared key from the channel feature parameters between the device and the base station, the generation unit 50 is configured to:
each time a probe signal sent by the base station is received, compute the signal feature of the received probe signal from the channel feature parameters between the device and the base station, and assemble the computed signal features into a signal feature sequence;
apply quantization and correction to the signal feature sequence to obtain a processed signal feature sequence;
convert the processed signal feature sequence into the physical layer shared key.
Optionally, when the device encrypts its identity information with the physical layer shared key and sends the encrypted identity information to the network server, the encryption unit 51 is configured to:
encrypt the International Mobile Subscriber Identity (IMSI) and/or the electronic identity card (eID) of the device with the physical layer shared key;
send the encrypted IMSI and/or eID to the network server.
Optionally, when the device receives the group authentication vector that the network server generates from the identity information and completes network authentication with the group authentication vector, the first receiving unit 52 is configured to:
receive the authentication request message sent by the network server, the authentication request message carrying the group authentication vector;
check the legitimacy of the authentication request message using the authentication parameters contained in the group authentication vector and, when the authentication request message is determined to be legitimate, generate the authentication response message corresponding to the authentication request message;
return the authentication response message to the network server.
Optionally, when the device checks the legitimacy of the authentication request message using the authentication parameters contained in the group authentication vector and, on determining that the authentication request message is legitimate, generates the authentication response message corresponding to it, the first receiving unit 52 is configured to:
generate the corresponding authentication data from the authentication token AUTN contained in the group authentication vector and, when the authentication data matches the original data carried in the authentication token AUTN, determine that the authentication request message is legitimate;
generate the corresponding response data from the authentication request message and encrypt the response data with the group key to obtain the corresponding authentication response message, where the group key is a key preset for all terminals in the group to which the device belongs.
Optionally, after the device completes network authentication with the group authentication vector, the first receiving unit 52 is further configured to:
generate the corresponding session key from the physical layer shared key and the group key, the session key being used for the service data exchange between the device and the network server.
As shown in Fig. 6, in this embodiment of the invention a network authentication device of a group terminal (e.g., the network server) comprises at least a second receiving unit 60, a decryption unit 61 and a sending unit 62, wherein:
the second receiving unit 60 is configured to receive the identity information sent by the first terminal and encrypted with a physical layer shared key, where the physical layer shared key is generated by the first terminal from the channel feature parameters between the first terminal and the base station;
the decryption unit 61 is configured to decrypt the encrypted identity information and to generate the corresponding group authentication vector from the decrypted identity information;
the sending unit 62 is configured to send the group authentication vector to the first terminal and to trigger the first terminal to complete network authentication with the group authentication vector;
the notification unit 63 is configured to notify the other group terminals in the same group as the first terminal to perform network authentication with the group authentication vector.
Optionally, when the device notifies the other group terminals in the same group as the first terminal to perform network authentication with the group authentication vector, the notification unit 63 is configured to:
after determining that the first terminal has completed network authentication, send an authentication completion instruction to the other group terminals in the same group as the first terminal; the authentication completion instruction triggers the other group terminals in the same group as the first terminal to obtain the group authentication vector from the network server and to perform network authentication with the group authentication vector.
In summary, in the embodiments of the invention, during the network authentication of group terminals the first terminal encrypts its identity information with a physical layer shared key generated from the channel feature parameters between itself and the base station, sends the encrypted identity information to the network server, receives the group authentication vector that the network server generates from the identity information, completes network authentication with the group authentication vector and triggers the network server to notify the other group terminals in the same group as the first terminal to perform network authentication with the same group authentication vector.
With the above method the operator need only preset one IMSI and one group key shared by all terminals in the group, plus one eID per terminal, which reduces operation and maintenance cost. Each terminal encrypts its identity information with the physical layer shared key generated from the channel feature parameters between itself and the base station before transmitting it, which reduces the probability of terminal identity information being leaked. Further, the terminal encrypts the response data to obtain the authentication response message and the network server decrypts that message, which further strengthens the security of the terminal authentication process. Finally, the terminal and the network server generate the corresponding session key from the physical layer shared key and the key K_ASME derived from the group key, which guarantees the uniqueness and secrecy of the session key and so improves the security of the service data exchange between the device and the network server.
Those skilled in the art will understand that the embodiments of the invention may be provided as a method, a system or a computer program product. Accordingly, the invention may take the form of a hardware-only embodiment, a software-only embodiment, or an embodiment combining software and hardware. Moreover, the invention may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM and optical storage) containing computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the invention have been described, those skilled in the art, once aware of the basic inventive concept, can make other changes and modifications to these embodiments. The appended claims are therefore intended to be construed as covering the preferred embodiments and all changes and modifications falling within the scope of the invention.
Obviously, those skilled in the art can make various modifications and variations to the embodiments of the invention without departing from the spirit and scope of the embodiments of the invention. Thus, if these modifications and variations of the embodiments of the invention fall within the scope of the claims of the invention and their equivalents, the invention is also intended to include them.

Claims (16)

1. A network authentication method for group terminals, characterized in that it comprises:
a first terminal generating a physical layer shared key from channel feature parameters between the first terminal and a base station;
the first terminal encrypting identity information of the first terminal with the physical layer shared key and sending the encrypted identity information to a network server;
the first terminal receiving a group authentication vector that the network server generates from the identity information, completing network authentication with the group authentication vector, and triggering the network server to notify other group terminals in the same group as the first terminal to perform network authentication with the group authentication vector.
2. The method according to claim 1, characterized in that the first terminal generating the physical layer shared key from the channel feature parameters between the first terminal and the base station specifically comprises:
each time the first terminal receives a probe signal sent by the base station, computing the signal feature of the received probe signal from the channel feature parameters between the first terminal and the base station, and assembling the computed signal features into a signal feature sequence;
the first terminal applying quantization and correction to the signal feature sequence to obtain a processed signal feature sequence;
the first terminal converting the processed signal feature sequence into the physical layer shared key.
3. The method according to claim 1, characterized in that the first terminal encrypting the identity information of the first terminal with the physical layer shared key and sending the encrypted identity information to the network server specifically comprises:
the first terminal encrypting an International Mobile Subscriber Identity (IMSI) and/or an electronic identity card (eID) of the first terminal with the physical layer shared key;
the first terminal sending the encrypted IMSI and/or eID to the network server.
4. The method according to claim 1, 2 or 3, characterized in that the first terminal receiving the group authentication vector that the network server generates from the identity information and completing network authentication with the group authentication vector specifically comprises:
the first terminal receiving an authentication request message sent by the network server, the authentication request message carrying the group authentication vector;
the first terminal checking the legitimacy of the authentication request message using authentication parameters contained in the group authentication vector and, when the authentication request message is determined to be legitimate, generating an authentication response message corresponding to the authentication request message;
the first terminal returning the authentication response message to the network server.
5. The method according to claim 4, characterized in that the first terminal checking the legitimacy of the authentication request message using the authentication parameters contained in the group authentication vector and, when the authentication request message is determined to be legitimate, generating the authentication response message corresponding to the authentication request message specifically comprises:
the first terminal generating corresponding authentication data from an authentication token AUTN contained in the group authentication vector and, when the authentication data matches original data carried in the authentication token AUTN, determining that the authentication request message is legitimate;
the first terminal generating corresponding response data from the authentication request message and encrypting the response data with a group key to obtain the corresponding authentication response message, wherein the group key is a key preset for all terminals in the first terminal group.
6. The method according to claim 5, characterized in that, after the first terminal completes network authentication with the group authentication vector, the method further comprises:
the first terminal generating a corresponding session key from the physical layer shared key and the group key, the session key being used for service data exchange between the first terminal and the network server.
7. A network authentication method for group terminals, characterized in that it comprises:
a network server receiving identity information sent by a first terminal and encrypted with a physical layer shared key, wherein the physical layer shared key is generated by the first terminal from channel feature parameters between the first terminal and a base station;
the network server decrypting the encrypted identity information and generating a corresponding group authentication vector from the decrypted identity information;
the network server sending the group authentication vector to the first terminal and triggering the first terminal to complete network authentication with the group authentication vector;
the network server notifying other group terminals in the same group as the first terminal to perform network authentication with the group authentication vector.
8. The method according to claim 7, characterized in that the network server notifying the other group terminals in the same group as the first terminal to perform network authentication with the group authentication vector comprises:
the network server, after determining that the first terminal has completed network authentication, sending a paging message to the other group terminals in the same group as the first terminal, the paging message notifying the other group terminals in the same group as the first terminal to obtain the group authentication vector from the network server and to perform network authentication with the group authentication vector.
9. A network authentication device of a group terminal, characterized in that it comprises:
a generation unit configured to generate a physical layer shared key from channel feature parameters between the device and a base station;
an encryption unit configured to encrypt identity information of the device with the physical layer shared key and to send the encrypted identity information to a network server;
a first receiving unit configured to receive a group authentication vector that the network server generates from the identity information, to complete network authentication with the group authentication vector, and to trigger the network server to notify other group terminals in the same group as the device to perform network authentication with the group authentication vector.
10. device as claimed in claim 9, which is characterized in that described device is based on the channel characteristics between local and base station Parameter, when generating physical layer shared key, the generation unit is used for:
The detectable signal that a base station is sent often is received, based on the channel characteristics parameter between local and base station, calculates reception The corresponding signal characteristic of detectable signal, and each signal characteristic of generation is formed into signal characteristic sequence;
Quantization correction process is carried out for the signal characteristic sequence, the signal characteristic sequence that obtains that treated;
Treated that signal characteristic sequence is converted to physical layer shared key by described.
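As an added example (not code from the patent), the following Python sketch shows the quantization and correction step of claim 10 on constructed channel samples. The threshold rule (median with a guard band), the exchange of unreliable sample indices between the two sides, and the hashing of the surviving bits into a 128-bit key are assumptions about how such a scheme could be realised; the patent does not specify them.

```python
"""Physical layer shared key from a channel feature sequence (claim 10).
Added example; the samples below are constructed, not measured."""
import hashlib
import statistics

# Constructed RSSI-like samples (dBm) of the same probe signals as seen by the
# terminal and by the base station: channel reciprocity makes them similar,
# receiver noise makes them differ slightly.
TERMINAL_SAMPLES = [-61.0, -70.2, -55.4, -66.9, -58.1, -72.5, -64.8, -53.0,
                    -69.1, -57.3, -63.9, -74.0, -60.2, -56.6, -68.4, -62.7]
BASE_SAMPLES = [-60.4, -71.0, -56.1, -66.2, -58.9, -71.8, -65.5, -53.8,
                -68.3, -57.9, -64.4, -73.3, -59.5, -57.2, -69.0, -63.4]


def quantize(samples, guard=1.0):
    """Quantize each sample to 1 (above the median) or 0 (below it).
    Samples inside the +/-guard band around the median are the ones most
    likely to be quantized differently by the peer, so they are flagged."""
    median = statistics.median(samples)
    bits, unreliable = [], []
    for i, value in enumerate(samples):
        if abs(value - median) < guard:
            unreliable.append(i)
            bits.append(None)
        else:
            bits.append(1 if value > median else 0)
    return bits, unreliable


def correct(bits, unreliable_here, unreliable_peer):
    """Correction step: both sides drop every index that either side flagged
    (the peer's index list is what would be exchanged over the air)."""
    drop = set(unreliable_here) | set(unreliable_peer)
    return [b for i, b in enumerate(bits) if i not in drop]


def to_key(bits):
    """Turn the corrected bit sequence into a 128-bit key (SHA-256 as KDF)."""
    return hashlib.sha256("".join(map(str, bits)).encode()).digest()[:16]


def derive_shared_key(mine, peer):
    """Run the procedure for one side, given its own samples and the peer's
    flagged indices (derived here from the peer's samples for the demo)."""
    my_bits, my_unreliable = quantize(mine)
    _, peer_unreliable = quantize(peer)
    return to_key(correct(my_bits, my_unreliable, peer_unreliable))
```

With these samples both sides flag the same two indices and end up with identical 14-bit sequences, hence the same key.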
11. The device of claim 9, wherein, when the device encrypts its identity information based on the physical layer shared key and sends the encrypted identity information to the network server, the encryption unit is configured to:
encrypt the international mobile subscriber identity (IMSI) and/or the electronic identity (eID) of the device based on the physical layer shared key;
send the encrypted IMSI and/or eID to the network server.
12. The device of claim 9, 10 or 11, wherein, when the device receives the group authentication vector generated by the network server based on the identity information and completes network authentication based on the group authentication vector, the first receiving unit is configured to:
receive an authentication request message sent by the network server, wherein the authentication request message carries the group authentication vector;
verify the legitimacy of the authentication request message based on the authentication parameters included in the group authentication vector, and, when the authentication request message is determined to be legitimate, generate an authentication response message corresponding to the authentication request message;
return the authentication response message to the network server.
13. The device of claim 12, wherein, when the device verifies the legitimacy of the authentication request message based on the authentication parameters included in the group authentication vector and, on determining the authentication request message to be legitimate, generates the authentication response message corresponding to the authentication request message, the first receiving unit is configured to:
generate corresponding authentication data information based on the authentication token (AUTN) included in the group authentication vector, and determine the authentication request message to be legitimate when the authentication data information matches the original data information carried in the AUTN;
generate corresponding response data based on the authentication request message, and encrypt the response data based on a group key to obtain the corresponding authentication response message, wherein the group key is a key preset for all terminals in the group to which the device belongs.
14. The device of claim 13, wherein, after the device completes network authentication based on the group authentication vector, the first receiving unit is further configured to:
generate a corresponding session key based on the physical layer shared key and the group key, the session key being applied to the service data interaction flow between the device and the network server.
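An added example (not the patent's own code) of the terminal-side processing in claims 12 to 14: checking the AUTN carried in the group authentication vector against locally generated authentication data, encrypting the response data under the group key, and deriving a session key from the physical layer shared key together with the group key. The AUTN layout (a sequence number followed by a MAC), HMAC-SHA256 as MAC and key derivation function, and the HMAC-based keystream standing in for a real cipher are all assumptions; the key and challenge values are constructed.

```python
"""Terminal-side handling of a group authentication request (claims 12-14).
Added example with assumed formats; not taken from the patent."""
import hashlib
import hmac

# Constructed values: the group key preset for every terminal in the group
# (claim 13) and the physical layer shared key of this terminal (claim 10).
GROUP_KEY = bytes.fromhex("0f" * 16)
PHY_KEY = bytes.fromhex("a1" * 16)
RAND = bytes(range(16))                  # constructed network challenge
SQN = bytes.fromhex("000000000007")      # constructed 48-bit sequence number


def mac(key, *parts):
    """Authentication data: HMAC-SHA256 over the fields, truncated to 64 bits."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()[:8]


def build_autn(group_key, rand, sqn):
    """Network side: AUTN = SQN || MAC(group_key, RAND || SQN)."""
    return sqn + mac(group_key, rand, sqn)


def verify_autn(group_key, rand, autn):
    """Claim 13: regenerate the authentication data from the carried SQN and
    accept only if it matches the original data inside AUTN (constant time)."""
    sqn, carried = autn[:6], autn[6:]
    return hmac.compare_digest(mac(group_key, rand, sqn), carried)


def keystream_xor(key, nonce, data):
    """Stand-in cipher: HMAC-SHA256 counter-mode keystream XORed over data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def handle_auth_request(group_key, rand, autn):
    """Claims 12-13: reject a request whose AUTN does not verify; otherwise
    return the response data RES encrypted under the group key."""
    if not verify_autn(group_key, rand, autn):
        return None
    return keystream_xor(group_key, rand, mac(group_key, b"RES", rand))


def session_key(phy_key, group_key):
    """Claim 14: session key bound to this terminal's physical layer key and
    to the group key, so the group key alone does not yield it."""
    return hmac.new(phy_key, b"session" + group_key, hashlib.sha256).digest()[:16]


AUTN = build_autn(GROUP_KEY, RAND, SQN)   # what the network would carry in the vector
```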
15. A network authentication device for a group terminal, comprising:
a second receiving unit, configured to receive identity information sent by a first terminal and encrypted based on a physical layer shared key, wherein the physical layer shared key is generated by the first terminal based on channel feature parameters between the first terminal and a base station;
a decryption unit, configured to decrypt the encrypted identity information and to generate a corresponding group authentication vector based on the decrypted identity information;
a transmitting unit, configured to send the group authentication vector to the first terminal and to trigger the first terminal to complete network authentication based on the group authentication vector;
a notification unit, configured to notify the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector.
16. The device of claim 15, wherein, when the device notifies the other group terminals in the same group as the first terminal to perform network authentication using the group authentication vector, the notification unit is configured to:
after determining that the first terminal has completed network authentication, send a paging message to the other group terminals in the same group as the first terminal; the paging message is used to notify those other group terminals to obtain the group authentication vector from the network server and to perform network authentication using the group authentication vector.
CN201611052482.0A 2016-11-24 2016-11-24 The method for network authorization and device of a kind of group endpoints Pending CN108112012A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611052482.0A CN108112012A (en) 2016-11-24 2016-11-24 The method for network authorization and device of a kind of group endpoints

Publications (1)

Publication Number Publication Date
CN108112012A true CN108112012A (en) 2018-06-01

Family

ID=62204056

Country Status (1)

Country Link
CN (1) CN108112012A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101699890A (en) * 2009-10-30 2010-04-28 天津工业大学 3G-WLAN authentication method
CN102088668A (en) * 2011-03-10 2011-06-08 西安电子科技大学 Group-based authentication method of machine type communication (MTC) devices
CN102137397A (en) * 2011-03-10 2011-07-27 西安电子科技大学 Authentication method based on shared group key in machine type communication (MTC)
CN102238484A (en) * 2010-04-22 2011-11-09 中兴通讯股份有限公司 Method and system for group-based authentication in machine to machine communication systems
CN102469458A (en) * 2010-11-19 2012-05-23 中兴通讯股份有限公司 Group authentication method and group authentication system in M2M communication
CN102905265A (en) * 2012-10-11 2013-01-30 大唐移动通信设备有限公司 Mobile equipment (ME) attaching method and device
CN103039053A (en) * 2010-06-10 2013-04-10 阿尔卡特朗讯公司 Secure registration of group of clients using single registration procedure
US20160262019A1 (en) * 2013-11-04 2016-09-08 Samsung Electronics Co., Ltd. Security method and system for supporting discovery and communication between proximity based service terminals in mobile communication system environment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
CHINA MOBILE: "[MTCe] A new solution for group based authentication", 《3GPP TSG SA WG3 (SECURITY) MEETING #81 S3-152327》 *
CHINA MOBILE: "[MTCe] group authentication mechanism", 《3GPP TSG SA WG3 (SECURITY) MEETING #78 S3-151076》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180601