CN108282775A - Dynamic Additional Verification method towards mobile ad hoc network and system - Google Patents


Info

Publication number: CN108282775A
Application number: CN201711401758.6A
Authority: CN (China)
Prior art keywords: sas, key, hss, access authentication, control plane
Legal status: Granted; current status Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN108282775B (en)
Inventor: 张顺亮
Current assignee: Institute of Information Engineering of CAS (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Institute of Information Engineering of CAS
Events: application filed by Institute of Information Engineering of CAS; priority to CN201711401758.6A; publication of CN108282775A; application granted; publication of CN108282775B; expired (fee related); anticipated expiration

Classifications

    • H: Electricity > H04: Electric communication technique > H04W: Wireless communication networks
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
        • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
        • H04W12/06 Authentication
        • H04W12/08 Access security
    • H04W64/00 Locating users or terminals or network equipment for network management purposes, e.g. mobility management
        • H04W64/003 Locating network equipment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention provides a dynamic additional authentication method and system for a dedicated mobile network (rendered "mobile ad hoc network" in the translated title; the text itself calls it the private or dedicated network). The method comprises: the UE judges whether access authentication needs to be started and, if so, sends an access authentication request to the SAS; alternatively, the S/P-GW, triggered by a service request sent by the UE, judges whether access authentication between the SAS and the UE needs to be started and, if so, sends an access authentication request to the SAS. On receiving the access authentication request, the SAS determines whether to start access authentication; if it does, it sends the user ID and the IMSI provided by the S/P-GW to the HSS. On receiving these, the HSS generates an initial key. The SAS derives keys from the initial key and uses them to protect its control-plane exchange with the UE. The UE generates the same initial key, derives keys from it, and uses them to protect its control-plane exchange with the SAS. After the UE receives the authentication command from the SAS, it authenticates the legitimacy of the dedicated core network and notifies the SAS. The SAS authenticates the legitimacy of the UE and notifies the UE.

Description

Dynamic Additional Verification method towards mobile ad hoc network and system
Technical field
The present invention relates to the field of network communication security, and in particular to a mutual authentication method and system between users or equipment and a dedicated network within a mobile communication network.
Background
Mobile communication network services have become part of daily life because of their mobility and convenience. With the large-scale deployment of 4G mobile communication networks, more and more people use 4G network services. While mobile applications benefit from this convenience, pseudo base stations and fake networks bring new security problems. At the same time, mobile communication networks face illegal access and attacks from an ever-growing and ever more diverse population of smart handheld terminals and from a huge number of Internet-of-Things terminals.
When a user of a dedicated mobile network uses network services, user mobility and the limited coverage of the private-network operator mean that in some cases, such as roaming scenarios, the user may have to reach the dedicated mobile core network by roaming through a public mobile network. The public mobile access network at the roaming location is not fully trusted by the private-network user or by the dedicated core network. In the roaming case the user must be authenticated when accessing the dedicated core network, but the default authentication procedure is executed, and its result decided, by the MME of the roaming-location core network; for the dedicated core network this carries the risk of a man-in-the-middle attack. When the private-network user is not roaming, on the other hand, the user reaches the dedicated core network directly over a trusted network and the not-fully-trusted MME does not act as an intermediary. How to apply flexible and efficient protective measures across these different scenarios is therefore a problem worth considering.
To prevent unauthorized users from accessing 3G and 4G networks, the AKA authentication mechanism was designed: using the security credential information shared between the network-side HSS and the terminal together with the AKA algorithms, the network authenticates the legitimacy of the user, and the user terminal in turn authenticates the legitimacy of the network. The mobile-network security authentication mechanisms currently designed by 3GPP assume that the access network and the core network are secure and reliable wherever they are located. Existing 3G and 4G networks assume that the roaming-location network and the home network trust each other, i.e. the home network always trusts the roaming-location network, and therefore do not consider the security risk of the roaming-location core network MME becoming a man in the middle. Current 4G authentication of roaming users is likewise based on the assumption that the roaming-location network is fully trusted and offers no way of solving the problem of roaming-location core network functions acting as a man in the middle. Existing roaming-user authentication measures therefore cannot address the new problems raised by the new usage scenarios of dedicated mobile networks.
Summary of the invention
The object of the invention is to propose a dynamic additional authentication method and system for a dedicated mobile network, that is, a mutual authentication method between a dedicated mobile communication network and its private-network users, which achieves secure and reliable mutual authentication between private-network users and the dedicated network under untrusted 3GPP access-network or roaming conditions, so that private-network users and equipment are prevented from attaching to a fake dedicated network and unauthorized users and equipment are prevented from accessing the dedicated network.
To achieve the above objective, the technical solution adopted by the invention is as follows:
A dynamic additional authentication method for a dedicated mobile network, comprising the steps of:
a user equipment UE that has already completed mutual authentication with the mobility management entity MME and the home subscriber server HSS located in the dedicated core network judges whether dynamic additional access authentication needs to be started and, if so, sends an access authentication request to the secure access server SAS located in the dedicated core network; alternatively, the gateway S/P-GW of the dedicated core network, triggered by a service request sent by the UE, judges whether dynamic additional access authentication between the SAS and the UE needs to be started and, if so, sends an access authentication request to the SAS;
after the SAS receives the access authentication request, it determines whether to start access authentication; if so, the SAS sends to the HSS the user ID and the user identity IMSI provided by the S/P-GW;
after the HSS receives the user ID and the IMSI, it generates the initial key required for control-plane security protection;
the SAS derives the keys required for control-plane security protection from the initial key and uses them to protect its control-plane exchange with the UE;
the UE generates the initial key required for control-plane security protection, derives the keys required for control-plane security protection from that initial key, and uses them to protect its control-plane exchange with the SAS;
after the UE receives the authentication command from the SAS, it authenticates the legitimacy of the dedicated core network and notifies the SAS;
the SAS authenticates the legitimacy of the UE and notifies the UE of the authentication result.
Further, whether to start dynamic additional access authentication is judged from the current location of the UE, whether it is roaming, the security trust level of the access network, the access network type, the access network ID, whether the service the UE is accessing is a private-network service, and a pre-configured security policy.
Further, the security policy is used to judge whether access authentication between the UE and the dedicated core network needs to be started; the policy defines the conditions under which additional authentication must be started. For example: if the UE reaches the dedicated core network through an untrusted 3GPP access network, or while roaming through a public LTE network (PLMN ID = A), access authentication must be started; if the UE is not roaming and reaches the dedicated core network through the dedicated LTE network (PLMN ID = B), access authentication need not be started.
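The policy decision above is the gate for everything that follows, so it is worth seeing as a rule table evaluated on a UE's access context. The following is an added example, not code from the patent: the rule representation, the field names and the PLMN identifiers standing in for "A" and "B" are assumptions made here. It evaluates the two conditions the text names (untrusted 3GPP access, roaming via the public PLMN) plus the non-roaming dedicated-LTE exemption, and fails closed for any context the rules do not cover.

```python
"""Pre-configured security policy for dynamic additional access authentication.

Added example; not the patent's own code. Rule layout, field names and the
sample PLMN IDs are assumptions. Start additional authentication when the UE
uses untrusted 3GPP access or roams through the public LTE network (PLMN A);
skip it when the UE is not roaming and attaches through the dedicated LTE
network (PLMN B); fail closed otherwise.
"""
from dataclasses import dataclass

# Constructed PLMN identifiers standing in for the "A" / "B" of the text.
PLMN_PUBLIC_A = "46000"   # assumed public operator PLMN (roaming host)
PLMN_PRIVATE_B = "46099"  # assumed dedicated-network PLMN


@dataclass(frozen=True)
class AccessContext:
    """Inputs the text lists for the policy decision (constructed fields)."""
    location: str          # current UE location, as reported to the SAS
    roaming: bool          # roaming state
    access_trusted: bool   # access-network security trust level (trusted or not)
    access_type: str       # e.g. "3GPP-LTE", "untrusted-3GPP"
    access_net_id: str     # access network ID
    plmn_id: str           # PLMN ID of the access network
    private_service: bool  # whether the requested service is a private-network service


# A rule is (predicate, decision). Rules are checked in order; the first match
# decides. The catch-all at the end makes an unknown situation fail closed.
POLICY = [
    (lambda c: c.access_type == "untrusted-3GPP", True),
    (lambda c: c.roaming and c.plmn_id == PLMN_PUBLIC_A, True),
    (lambda c: not c.roaming and c.plmn_id == PLMN_PRIVATE_B and c.access_trusted, False),
    (lambda c: True, True),  # default: start additional authentication
]


def needs_additional_auth(ctx: AccessContext, policy=POLICY) -> bool:
    """True when the UE, S/P-GW or SAS should start additional authentication."""
    for predicate, decision in policy:
        if predicate(ctx):
            return decision
    return True


def explain(ctx: AccessContext) -> str:
    """One-line rationale, the kind of record an SAS would keep in its audit log."""
    decision = needs_additional_auth(ctx)
    return (f"UE@{ctx.location} roaming={ctx.roaming} plmn={ctx.plmn_id} "
            f"type={ctx.access_type} trusted={ctx.access_trusted} -> "
            f"{'START' if decision else 'SKIP'} additional authentication")


# Constructed sample contexts covering the situations named in the text, plus one
# the text does not mention (trusted PLMN B but an untrusted access network).
SAMPLES = {
    "home_private_lte": AccessContext("site-1", False, True, "3GPP-LTE", "an-b1", PLMN_PRIVATE_B, True),
    "roaming_public_lte": AccessContext("city-x", True, False, "3GPP-LTE", "an-a7", PLMN_PUBLIC_A, True),
    "untrusted_access": AccessContext("site-1", False, False, "untrusted-3GPP", "an-u2", PLMN_PRIVATE_B, True),
    "home_plmn_untrusted_net": AccessContext("site-2", False, False, "3GPP-LTE", "an-b3", PLMN_PRIVATE_B, False),
}

if __name__ == "__main__":
    for name, ctx in SAMPLES.items():
        print(f"{name:28s} {explain(ctx)}")
```

The third rule requires the access network to be trusted as well as non-roaming on PLMN B; the text lists the access-network trust level among the policy inputs, and binding it into the exemption is what keeps the fourth sample (home PLMN, untrusted access network) on the fail-closed path.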
Further, the access authentication request includes the current location of the UE, its hardware ID, the access network type, the access network ID and PLMN ID, and the IP address.
Further, the UE and the HSS generate the initial key from the security credential information they share (including CK, IK and the shared knowledge Factor).
Further, the algorithm for generating the initial key is as shown in Fig. 2 (in the figure the USIM is located on the UE): taking as input CK, IK and the shared knowledge Factor from the security credential information shared by the UE and the HSS, the serving network identity SN ID, and the sequence number SQN XOR AK, the standard key derivation function KDF is applied to produce the initial key Ks_init.
Further, the UE and the SAS also generate keys from the security credential information they share (including the shared knowledge Factor and the shared timestamp Timestamp) together with the security credential information shared by the UE and the HSS; the shared information consists of pre-configured static information or information transmitted by a shared third-party device.
Further, the keys consist of a confidentiality protection key and an integrity protection key;
The confidentiality protection key is generated as shown in Fig. 3 (in the figure the USIM is located on the UE): taking as input the initial key Ks_init, the security credential information shared by the UE and the HSS, the security credential information shared by the UE and the SAS, the Alg-ID, the newly defined confidentiality algorithm type identifier SA-init-enc-alg and the newly defined algorithm identifier 256-EEA4 AES based algorithm (AES-CTR), the key derivation function KDF is applied to produce the confidentiality protection key Kinit_enc;
The integrity protection key is generated as shown in Fig. 3: taking as input the initial key Ks_init, the security credential information shared by the UE and the HSS, the security credential information shared by the UE and the SAS, the Alg-ID, the newly defined integrity algorithm type identifier SA-init-int-alg and the newly defined algorithm identifier 256-EIA4 AES based algorithm (AES-CMAC), the key derivation function KDF is applied to produce the integrity protection key Kinit_int;
The key derivation framework is specifically as follows:
Algorithm type distinguishers
Extended definition:
SA-init-enc-alg = 0x09,
SA-init-int-alg = 0x10;
Alg-ID
Extended definition:
"0100" = 256-EEA4 AES based algorithm (AES-CTR),
"0110" = 256-EIA4 AES based algorithm (AES-CMAC);
Confidentiality protection key:
Kinit_enc = KDF(Factor, TIME, SA-init-enc-alg, 256-EEA4 AES based algorithm (AES-CTR), Ks_init);
Integrity protection key:
Kinit_int = KDF(Factor, TIME, SA-init-int-alg, 256-EIA4 AES based algorithm (AES-CMAC), Ks_init).
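The two-level hierarchy above (Ks_init shared by UE and HSS, then Kinit_enc and Kinit_int shared by UE and SAS) is easier to reason about when written out. The following is an added example, not the patent's code: the text names a "standard KDF" without defining it, so this assumes the TS 33.220 construction, HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..., with function codes (FC) and all credential values constructed for the example. It derives the three keys on each side, checks that the UE and SAS arrive at identical keys, that the confidentiality and integrity keys are distinct, and that a disagreement on the shared Timestamp makes the keys diverge.

```python
"""Key hierarchy for the UE/SAS control plane (added example, not the patent's code).

Ks_init   = KDF(CK, IK, Factor, SN ID, SQN xor AK)                   UE and HSS
Kinit_enc = KDF(Factor, TIME, SA-init-enc-alg, Alg-ID 0100, Ks_init)  UE and SAS
Kinit_int = KDF(Factor, TIME, SA-init-int-alg, Alg-ID 0110, Ks_init)  UE and SAS

Assumed KDF: TS 33.220 style, HMAC-SHA-256(key, FC || P0 || L0 || ...).
FC values and all credentials below are constructed for this example.
"""
import hashlib
import hmac
from typing import Tuple

SA_INIT_ENC_ALG = 0x09    # algorithm type distinguishers defined in the text
SA_INIT_INT_ALG = 0x10
ALG_ID_256_EEA4 = 0b0100  # "0100" = 256-EEA4 AES based algorithm (AES-CTR)
ALG_ID_256_EIA4 = 0b0110  # "0110" = 256-EIA4 AES based algorithm (AES-CMAC)
FC_KS_INIT = 0x70         # assumed function codes; the text does not give them
FC_KINIT = 0x71


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256(key, FC || P0 || L0 || ...), each L_i a 2-byte big-endian length."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks_init(ck: bytes, ik: bytes, factor: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """Fig. 2: initial key, computed separately by the UE and by the HSS.
    CK || IK serves as the HMAC key, as in the LTE KASME derivation."""
    return kdf(ck + ik, FC_KS_INIT, factor, sn_id, sqn_xor_ak)


def derive_cp_keys(ks_init: bytes, factor: bytes, timestamp: bytes) -> Tuple[bytes, bytes]:
    """Fig. 3: Kinit_enc and Kinit_int, computed separately by the UE and by the SAS.
    The algorithm type distinguisher and Alg-ID are bound in, so the two keys differ."""
    k_enc = kdf(ks_init, FC_KINIT, factor, timestamp, bytes([SA_INIT_ENC_ALG]), bytes([ALG_ID_256_EEA4]))
    k_int = kdf(ks_init, FC_KINIT, factor, timestamp, bytes([SA_INIT_INT_ALG]), bytes([ALG_ID_256_EIA4]))
    return k_enc, k_int


# Constructed credentials: CK, IK, HSS_FACTOR shared by UE and HSS; SAS_FACTOR and
# TIMESTAMP shared by UE and SAS; SN_ID and SQN_XOR_AK as the UE would see them.
CK = bytes.fromhex("0f" * 16)
IK = bytes.fromhex("a5" * 16)
HSS_FACTOR = b"constructed-ue-hss-factor"
SAS_FACTOR = b"constructed-ue-sas-factor"
SN_ID = bytes.fromhex("64f099")
SQN_XOR_AK = bytes.fromhex("000000000a5b")
TIMESTAMP = (1700000000).to_bytes(4, "big")


def run_key_setup() -> dict:
    """Each side derives what the text assigns to it; the HSS hands Ks_init to the SAS."""
    ue_ks = derive_ks_init(CK, IK, HSS_FACTOR, SN_ID, SQN_XOR_AK)    # UE side
    hss_ks = derive_ks_init(CK, IK, HSS_FACTOR, SN_ID, SQN_XOR_AK)   # HSS side
    sas_ks = hss_ks                                                  # transferred HSS -> SAS
    ue_enc, ue_int = derive_cp_keys(ue_ks, SAS_FACTOR, TIMESTAMP)
    sas_enc, sas_int = derive_cp_keys(sas_ks, SAS_FACTOR, TIMESTAMP)
    return {"ue": (ue_enc, ue_int), "sas": (sas_enc, sas_int), "ks_init": ue_ks}


def keys_agree() -> bool:
    """UE and SAS must end up with the same Kinit_enc / Kinit_int pair."""
    r = run_key_setup()
    return r["ue"] == r["sas"]


def keys_separated() -> bool:
    """Confidentiality and integrity keys must be distinct 256-bit values."""
    enc, integ = run_key_setup()["ue"]
    return enc != integ and len(enc) == len(integ) == 32


def timestamp_mismatch_diverges() -> bool:
    """A SAS using a different Timestamp derives different keys, so every protected
    message then fails verification: the shared value must be agreed beforehand."""
    ks = run_key_setup()["ks_init"]
    return derive_cp_keys(ks, SAS_FACTOR, TIMESTAMP) != derive_cp_keys(ks, SAS_FACTOR, TIMESTAMP + b"\x01")


if __name__ == "__main__":
    r = run_key_setup()
    print("Ks_init  ", r["ks_init"].hex())
    print("Kinit_enc", r["ue"][0].hex(), "agree:", keys_agree())
    print("Kinit_int", r["ue"][1].hex(), "separated:", keys_separated())
```

Binding the algorithm type distinguisher and Alg-ID into the derivation is what gives key separation between the encryption and integrity paths; the Factor and Timestamp inputs are what a rogue SAS lacks even if it somehow obtained Ks_init, which is the reason the text has both the UE/HSS and the UE/SAS shared secrets feed the final keys.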
Further, the authentication command includes the random parameter RAND and the authentication token AUTN generated by the HSS.
Further, the UE authenticates the legitimacy of the dedicated core network from the initial key it generated, the security credential information shared by the UE and the SAS, and the AKA algorithms.
Further, the SAS authenticates the legitimacy of the UE from the initial key generated by the HSS, the security credential information shared by the UE and the SAS, and the AKA algorithms.
A dynamic additional authentication system for a dedicated mobile network, comprising:
a UE, which sends the access authentication request or the service request, generates the initial key and the keys required for control-plane security protection, protects its control-plane exchange with the SAS, and authenticates the legitimacy of the dedicated core network;
an SAS, located in the dedicated core network, which determines whether to start dynamic additional access authentication, generates the keys required for control-plane security protection, protects its control-plane exchange with the UE, and authenticates the legitimacy of the UE;
an HSS, located in the dedicated core network, which generates the initial key required for control-plane security protection;
an S/P-GW, located in the dedicated core network, which provides the user identity IMSI to the SAS.
Further, if the UE sends the access authentication request, it first judges, before sending, whether dynamic additional access authentication needs to be started; if the UE sends a service request, that request triggers the S/P-GW to judge whether dynamic additional access authentication between the SAS and the UE needs to be started.
The invention proposes a method of secure and reliable mutual authentication between a user of a dedicated mobile communication network and that network. To avoid the trust problem caused by the public core network's control-plane function MME under roaming conditions, an SAS is introduced into the dedicated core network. The method protects the interface messages between the UE and the SAS with keys produced by the key derivation algorithm from the security credential information shared by the UE and the dedicated core network. The SAS decides, from the current location of the UE, the security trust level of the access network, the user's roaming state and similar information, whether to subject the UE to dynamic additional access authentication. If authentication is needed, the SAS obtains from the HSS the authentication data the HSS generates from the security credential information shared by the UE and the HSS, and uses that data to perform access authentication with the UE. Based on the authentication result, it determines whether the UE may access the dedicated network.
The invention also enhances the terminal so that the UE derives keys, using the security credential information shared with the HSS and the SAS and the initial key generation algorithm, to protect the interface between the UE and the SAS. The core-network HSS must be enhanced as well: the HSS generates the initial key from the security credential information shared with the UE and the initial key generation algorithm, and transmits that key to the SAS. The UE or the S/P-GW decides, from the access network ID, the trust level of the access network, the roaming state and the pre-configured security policy, whether to trigger the SAS to start additional, independent authentication.
Fig. 1 shows the derivation hierarchy of the control-plane security protection keys built on top of the existing LTE key hierarchy. In the figure, the key derivation units for USIM/AuC, UE/HSS, UE/MME and UE/eNB belong to the existing mechanism. To address control-plane security between the UE and the newly added secure access server SAS, the existing LTE key hierarchy is extended with a UE/SAS key derivation mechanism. The UE and the HSS each derive the initial key Ks_init with the KDF from IK, CK and newly introduced parameters such as the shared knowledge Factor. The HSS passes the generated initial key to the SAS. The UE and the SAS then each use the initial key Ks_init and the other newly defined parameters, including the shared knowledge Factor and the timestamp Timestamp, to derive with the KDF the confidentiality protection key Kinit_enc and the integrity protection key Kinit_int, which protect the signalling exchange between the UE and the secure access server SAS.
Description of the drawings
Fig. 1 is the derivation hierarchy of the keys required for control-plane security protection.
Fig. 2 is a schematic of the initial key derivation required for control-plane security protection.
Fig. 3 is a schematic of the key derivation required for control-plane security protection.
Fig. 4 is the architecture of the dynamic additional authentication system for a dedicated mobile network of Embodiment 1.
Fig. 5 is the flow chart of the dynamic additional authentication method for a dedicated mobile network of Embodiment 1.
Fig. 6 is the architecture of the dynamic additional authentication system for a dedicated mobile network of Embodiment 2.
Fig. 7 is the flow chart of the dynamic additional authentication method for a dedicated mobile network of Embodiment 2.
Detailed description
To make the above features and advantages of the invention clearer and easier to understand, particular embodiments are described in detail below with reference to the accompanying drawings.
Within the same technical concept, and taking into account the different impacts on existing terminals and networks, the invention proposes two embodiments.
Embodiment 1
This embodiment enhances the existing UE functions; the system architecture is shown in Fig. 4. The UE judges, from its roaming state, access network type, access network trust level and so on, whether to trigger the SAS to start dynamic additional access authentication, and if so reports UE-related information and access-network-related information to the SAS. An SAS is introduced into the dedicated core network; the SAS decides, from the current location of the UE, the security trust level of the access network, the access network type, the access network ID, the PLMN ID of the access network and the pre-configured security policy, whether to start access authentication of the UE. If the SAS decides that authentication is necessary, the UE uses the security credential information shared with the network-side HSS and the initial key generation algorithm to generate the initial key required for control-plane security protection between the UE and the SAS, and starts security protection of the signalling messages between the UE and the SAS. The SAS interacts with the HSS and obtains the authentication data the HSS generates from the shared security credential information, together with the key required for control-plane security protection. The HSS generates the initial key required for control-plane security protection using the security credential information shared with the UE and the initial key generation algorithm, and passes the initial key and the authentication data to the SAS. The SAS derives keys from the initial key and protects the interface messages from the SAS to the UE according to those keys and the pre-configured security policy. The SAS then uses the authentication data provided by the HSS to perform access authentication with the UE over the protected interface according to the AKA algorithms, and decides from the result whether the UE may access the dedicated network. The UE likewise decides from the authentication result whether to access the network.
The method of this embodiment is shown in Fig. 5; the main steps are as follows:
(1) The UE sends an Attach Request message to the core-network MME. The MME interacts with the HSS to obtain the user authentication data and uses it, in an exchange with the UE, to complete mutual authentication between user and network.
(2) The UE judges whether to trigger dynamic additional access authentication from its current location, the security trust level of the access network, the access network type, the access network ID, its roaming state and the service to be accessed (whether it is a private-network service).
(3) If access authentication needs to be triggered, the UE sends an access authentication request message to the SAS containing the current location of the UE, its hardware ID, the access network type, the access network ID and PLMN ID, the IP address and similar information.
(4) The SAS determines whether to start access authentication from the current location of the UE, its roaming state, whether the access network is trusted, whether the current location is safe and similar information, according to the pre-configured security policy.
An example security policy: when the UE is not roaming and reaches the dedicated core network through the dedicated LTE network (PLMN ID = B), access authentication need not be started; when the UE is roaming and accesses through a public LTE network (PLMN ID = A), access authentication must be started.
(5) The SAS sends a message to the S/P-GW requesting the user identity IMSI.
(6) The S/P-GW looks up the corresponding IMSI and returns it to the SAS in a response message.
(7) If access authentication needs to be started, the SAS sends a message to the HSS requesting the user authentication data; the message contains the user ID and the IMSI.
(8) The HSS generates an authentication vector from the security credential information shared with the UE, and generates the initial key required for control-plane security protection according to the initial key generation algorithm.
(9) The HSS returns the generated authentication vector and initial key to the SAS in a response message.
(10) The SAS replies to the UE with a response message containing the access check result, i.e. whether access authentication needs to be started.
(11) If access authentication needs to be started, the UE generates the initial key required for control-plane security protection from the security credential information shared with the HSS using the initial key generation algorithm.
(12) The UE takes the initial key it generated, the security credential information shared with the HSS and the security credential information shared with the SAS as input to the key derivation algorithm to generate the keys required for control-plane security protection, and uses the pre-configured algorithms to protect the AKA authentication information exchanged on the control plane between the SAS and the UE.
(13) The SAS takes the initial key, the security credential information shared by the UE and the SAS and the security credential information shared by the UE and the HSS as input to the key derivation algorithm to generate the keys required for control-plane protection, and protects the AKA authentication information exchanged on the control plane between the SAS and the UE according to the pre-configured security policy.
(14) The SAS sends an additional authentication command message to the UE containing the random parameter RAND and the authentication token AUTN generated by the HSS.
(15) The UE authenticates the legitimacy of the dedicated core network using the security credential information shared with the HSS and the AKA algorithms.
(16) After the dedicated core network has been authenticated, the UE sends an authentication request message containing the authentication response result RES computed with the security credential information and the AKA algorithms.
(17) After receiving the UE's authentication response data, the SAS authenticates the legitimacy of the UE.
(18) The SAS replies to the UE with an additional authentication response message containing the authentication result.
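Steps (7) to (18) form one exchange, and the order matters: the UE must already hold the control-plane keys when the command of step (14) arrives, it authenticates the core via AUTN before it reveals anything, and the SAS only judges RES afterwards. The following simulation of that exchange is an added example, not the patent's code. Its stand-ins are all assumptions: HMAC-SHA-256 plays the AKA functions f1/f2/f5, the KDF and the 256-EIA4 integrity algorithm, Ks_init is derived from K and Factor only (the full Fig. 2 inputs are omitted), and every credential is a constructed test value. Two failure modes the text's design is meant to catch are exercised as well: a core network that lacks the shared credentials (the UE refuses to answer), and a replayed authentication command (rejected by the SQN freshness check).

```python
"""Simulated additional-authentication exchange, Embodiment 1 steps (7)-(18).
Added example, not the patent's code; see the assumptions in the comments."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed credentials: K and FACTOR shared by UE and HSS, SAS_FACTOR by UE and SAS.
K = bytes(range(16))
FACTOR = b"constructed-ue-hss-factor"
SAS_FACTOR = b"constructed-ue-sas-factor"


def prf(key: bytes, tag: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 standing in for AKA f1/f2/f5, the KDF and 256-EIA4 (assumption)."""
    return hmac.new(key, tag + b"".join(parts), hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(k_int: bytes, payload: dict) -> dict:
    """Integrity-protect a UE<->SAS control-plane message with Kinit_int (steps 12/13)."""
    blob = b"".join(k.encode() + payload[k] for k in sorted(payload))
    return {"payload": payload, "mac": prf(k_int, b"eia", blob)[:16]}


def verify(k_int: bytes, msg: dict) -> Optional[dict]:
    """Return the payload if its MAC is valid under Kinit_int, else None."""
    blob = b"".join(k.encode() + msg["payload"][k] for k in sorted(msg["payload"]))
    ok = hmac.compare_digest(prf(k_int, b"eia", blob)[:16], msg["mac"])
    return msg["payload"] if ok else None


class HSS:
    def __init__(self, k: bytes, factor: bytes):
        self.k, self.factor, self.sqn = k, factor, 1

    def auth_vector(self) -> Tuple[bytes, bytes, bytes, bytes]:
        """Step (8): authentication vector (RAND, AUTN, XRES) plus Ks_init.
        Ks_init here depends on K and Factor only (simplification of Fig. 2)."""
        rand = os.urandom(16)
        sqn = self.sqn.to_bytes(6, "big")
        self.sqn += 1
        ak = prf(self.k, b"f5", rand)[:6]
        autn = xor(sqn, ak) + prf(self.k, b"f1", sqn, rand)[:8]   # AUTN = SQN xor AK || MAC-A
        xres = prf(self.k, b"f2", rand)[:8]
        return rand, autn, xres, prf(self.k, b"ks", self.factor)


class UE:
    def __init__(self, k: bytes, factor: bytes, sas_factor: bytes):
        self.k, self.factor, self.sas_factor, self.last_sqn = k, factor, sas_factor, 0

    def on_auth_command(self, cmd: dict) -> Optional[dict]:
        """Steps (11)-(16): derive Ks_init and Kinit_int, check the protected command,
        authenticate the core network via AUTN, then answer with a protected RES."""
        ks_init = prf(self.k, b"ks", self.factor)                 # step (11)
        k_int = prf(ks_init, b"kint", self.sas_factor)            # step (12)
        payload = verify(k_int, cmd)                              # step (14) received
        if payload is None:
            return None                                           # channel key mismatch: not our SAS
        rand, autn = payload["rand"], payload["autn"]
        ak = prf(self.k, b"f5", rand)[:6]
        sqn = xor(autn[:6], ak)
        mac_ok = hmac.compare_digest(prf(self.k, b"f1", sqn, rand)[:8], autn[6:])
        fresh = int.from_bytes(sqn, "big") > self.last_sqn       # replay check
        if not (mac_ok and fresh):
            return None                                           # step (15) failed
        self.last_sqn = int.from_bytes(sqn, "big")
        return protect(k_int, {"res": prf(self.k, b"f2", rand)[:8]})   # step (16)


class SAS:
    def __init__(self, hss: HSS, sas_factor: bytes):
        self.hss, self.sas_factor = hss, sas_factor

    def authenticate(self, ue: UE) -> dict:
        """Steps (7)-(18) from the SAS side; the returned dict is the step (18) result."""
        rand, autn, xres, ks_init = self.hss.auth_vector()        # steps (7)-(9)
        k_int = prf(ks_init, b"kint", self.sas_factor)            # step (13)
        reply = ue.on_auth_command(protect(k_int, {"rand": rand, "autn": autn}))  # step (14)
        if reply is None:
            return {"network_ok": False, "ue_ok": False}
        payload = verify(k_int, reply)
        ue_ok = payload is not None and hmac.compare_digest(payload["res"], xres)  # step (17)
        return {"network_ok": True, "ue_ok": ue_ok}


def run_flow(ue_k: bytes = K, net_k: bytes = K) -> dict:
    """Whole exchange. Pass net_k != ue_k to model a core lacking the shared credentials."""
    return SAS(HSS(net_k, FACTOR), SAS_FACTOR).authenticate(UE(ue_k, FACTOR, SAS_FACTOR))


def replay_rejected() -> bool:
    """The same protected command delivered twice: the second copy must fail the SQN check."""
    hss, ue = HSS(K, FACTOR), UE(K, FACTOR, SAS_FACTOR)
    rand, autn, _, ks_init = hss.auth_vector()
    cmd = protect(prf(ks_init, b"kint", SAS_FACTOR), {"rand": rand, "autn": autn})
    return ue.on_auth_command(cmd) is not None and ue.on_auth_command(cmd) is None


if __name__ == "__main__":
    print("genuine core:", run_flow())
    print("core without shared credentials:", run_flow(net_k=bytes(16)))
    print("replay rejected:", replay_rejected())
```

Because the RES of step (16) is only computed after AUTN has been verified, a core that cannot produce a valid AUTN never obtains a response from the UE, which is the property the summary describes as preventing attachment to a fake dedicated network.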
Embodiment 2
This embodiment introduces a new network function, the secure access server SAS, located in the dedicated core network, so as to avoid affecting the existing MME network function; the system architecture is shown in Fig. 6. After the gateway S/P-GW of the dedicated core network receives a user's service request, it decides, from the access network ID, the access network type, the PLMN ID, the trust level of the access network, the roaming state (roaming or not), the pre-configured security policy and the type or name of the service the user is accessing, whether to trigger dynamic additional access authentication. If triggering is needed, the S/P-GW reports the current location of the UE, the access network type, the access network trust level, the roaming state and similar information to the SAS over a newly defined interface. The SAS decides, from the current location of the UE, the security trust level of the access network, the access network type, the access network ID, the PLMN ID of the access network and the pre-configured security policy, whether to start access authentication of the UE. If necessary, the authentication procedure between the UE and the dedicated core network is started.
The method flow of this embodiment is shown in Fig. 7; the main steps are as follows:
(1) The UE sends an Attach Request message to the core-network MME. The MME interacts with the HSS to obtain the user authentication data and uses it, in an exchange with the UE, to complete mutual authentication between user and network.
(2) The UE sends a service request, for example an HTTP request message, towards the application server AF; the request is first received by the S/P-GW.
(3) The S/P-GW decides whether to trigger dynamic additional access authentication from the access network ID, the access network type, the PLMN ID, the trust level of the access network, the roaming state, the pre-configured security policy and the type or name of the service the user is accessing.
(4) If access authentication needs to be triggered, the S/P-GW sends an access authentication request message to the SAS over the newly defined interface, containing the current location of the UE, the access network type, the PLMN name of the access network, the access network trust level, the roaming state, the user identity IMSI and similar information.
(5) The SAS determines whether to start access authentication, according to the pre-configured security policy, from the information reported by the S/P-GW: the current location of the UE, the roaming state, whether the access network is trusted, whether the current location of the UE is safe, and so on.
(6) If access authentication needs to be started, the SAS sends a message to the HSS requesting the user authentication data; the message contains the user ID and the IMSI.
(7) The HSS generates an authentication vector from the security credential information shared with the UE, and generates the initial key required for control-plane security protection according to the initial key generation algorithm.
(8) The HSS returns the generated authentication vector and initial key to the SAS in a response message.
(9) The SAS replies to the UE with a response message containing the access check result, i.e. whether access authentication needs to be started.
(10) If access authentication needs to be started, the UE generates the initial key required for control-plane security protection from the security credential information shared with the HSS using the initial key generation algorithm.
(11) The UE takes the initial key it generated, the security credential information shared with the HSS and the security credential information shared with the SAS as input to the key derivation algorithm to generate the keys required for control-plane security protection, and uses the pre-configured algorithms to protect the AKA authentication information exchanged on the control plane between the SAS and the UE.
(12) The SAS takes the initial key, the security credential information shared by the UE and the SAS and the security credential information shared by the UE and the HSS as input to the key derivation algorithm to generate the keys required for control-plane protection, and protects the AKA authentication information exchanged on the control plane between the SAS and the UE according to the pre-configured security policy.
(13) The SAS sends an additional authentication command message to the UE containing the random parameter RAND and the authentication token AUTN generated by the HSS.
(14) The UE authenticates the legitimacy of the dedicated network using the security credential information shared with the HSS and the AKA algorithms.
(15) After the dedicated core network has been authenticated, the UE sends an authentication request message containing the authentication response result RES computed with the security credential information and the AKA algorithms.
(16) After receiving the UE's authentication response data, the SAS authenticates the legitimacy of the UE.
(17) The SAS replies to the UE with an additional authentication response message containing the authentication result, and sends an authentication notification message to the S/P-GW containing the user authentication result.
(18) The S/P-GW replies to the SAS with a response message.
(19) Based on the authentication result, the S/P-GW decides whether to let the UE's service request through.
(20) If authentication passed, the S/P-GW routes the user's IP packets (the service request message) onward to the service server AF located in the private network.
(21) The UE and the AF carry out the service interaction.
The above embodiments are only intended to illustrate the technical solution of the invention, not to limit it. Persons of ordinary skill in the art may modify the technical solution of the invention or substitute equivalents without departing from its spirit and scope; the scope of protection of the invention is defined by the claims.

Claims (10)

1. A dynamic additional authentication method for a mobile private network, comprising the steps of:
a UE that has completed mutual authentication with the MME and HSS located in the special core network judges whether dynamic additional access authentication needs to be started and, if so, initiates an access authentication request to the SAS located in the special core network; alternatively, the S/P-GW of the special core network receives a service request sent by the UE, which triggers it to judge whether dynamic additional access authentication between the SAS and the UE needs to be started and, if so, the S/P-GW initiates an access authentication request to the SAS;
after the SAS receives the access authentication request, it determines whether to start access authentication; if started, the SAS sends to the HSS the User ID and the IMSI information provided by the S/P-GW;
after the HSS receives the User ID and the IMSI information, it generates the initial key needed for control plane security protection;
the SAS generates, from the initial key, the key needed for control plane security protection and uses it to protect the control plane interaction information between itself and the UE;
the UE generates the initial key needed for control plane security protection, generates from that initial key the key needed for control plane security protection, and uses it to protect the control plane interaction information between itself and the SAS;
after the UE receives the authentication command of the SAS, it authenticates the legitimacy of the special core network and notifies the SAS;
the SAS authenticates the legitimacy of the UE and notifies the UE.
2. The method according to claim 1, characterized in that whether to start the access authentication is judged according to the current location of the UE, whether it is roaming, whether the accessed service is a private network service, the security trust level of the access network, the access network type, the access network ID, and a pre-configured security policy.
3. The method according to claim 1, characterized in that the access authentication request includes the current location of the UE, the hardware ID, the access network type, the access network ID and PLMN ID, and IP address information.
4. The method according to claim 1, characterized in that the UE and the HSS generate the initial key according to the security credential information shared between them.
5. The method according to claim 4, characterized in that the generating algorithm of the initial key is: taking as input the CK and IK of the security credential information shared between the UE and the HSS, the shared learning factor, the service network identification SN ID, and the sequence number SQN XORed with AK, and generating the initial key through the standard key calculation function KDF operation.
6. The method according to claim 1, characterized in that the UE and the SAS further generate the key according to the security credential information shared between the UE and the SAS and the security credential information shared between the UE and the HSS.
7. The method according to claim 6, characterized in that the key includes a confidentiality protection key and an integrity protection key;
the generating algorithm of the confidentiality protection key is: taking as input the initial key, the security credential information shared between the UE and the HSS, the security credential information shared between the UE and the SAS, the Alg-ID, the newly defined confidentiality protection algorithm type identifier SA-init-enc-alg, and the newly defined algorithm identifier 256-EEA4 (AES based algorithm, AES-CTR), and generating the confidentiality protection key through the key calculation function KDF operation;
the generating algorithm of the integrity protection key is: taking as input the initial key, the security credential information shared between the UE and the HSS, the security credential information shared between the UE and the SAS, the Alg-ID, the newly defined integrity protection algorithm type identifier SA-init-int-alg, and the newly defined algorithm identifier 256-EIA4 (AES based algorithm, AES-CMAC), and generating the integrity protection key through the key calculation function KDF operation.
8. The method according to claim 1, characterized in that the UE authenticates the legitimacy of the special core network according to the initial key it generated, the security credential information shared between itself and the SAS, and the AKA algorithm; the SAS authenticates the legitimacy of the UE according to the initial key generated by the HSS, the security credential information shared between itself and the UE, and the AKA algorithm.
9. A dynamic additional authentication system for a mobile private network, comprising:
a UE, for sending an access authentication request or a service request, generating the initial key and the key needed for control plane security protection, protecting the control plane interaction information between itself and the SAS, and authenticating the legitimacy of the special core network;
a SAS, located in the special core network, for determining whether to start dynamic additional access authentication, generating the key needed for control plane security protection, protecting the control plane interaction information between itself and the UE, and authenticating the legitimacy of the UE;
an HSS, located in the special core network, for generating the initial key needed for control plane security protection;
an S/P-GW, located in the special core network, for providing IMSI information to the SAS.
10. The system according to claim 9, characterized in that if the UE sends an access authentication request, it first judges whether dynamic additional access authentication needs to be started before sending; if the UE sends a service request, that service request triggers the S/P-GW to judge whether dynamic additional access authentication between the SAS and the UE needs to be started.
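As an added illustration of the key hierarchy in claims 5 and 7 (example code, not the patent's), the UE and the network side (HSS for the initial key, SAS for the control plane keys) derive matching confidentiality and integrity keys from constructed CK/IK, SN ID, SQN xor AK and the two shared credentials, and a SAS without the UE-SAS shared credential ends up with different keys. The HMAC-SHA-256 KDF, its FC values, the byte encodings of SA-init-enc-alg, SA-init-int-alg, 256-EEA4 and 256-EIA4, and the SAS receiving the UE-HSS credential alongside the initial key are assumptions.

```python
import hmac
import hashlib

# Added example (not from the patent): a 3GPP TS 33.220-style KDF, HMAC-SHA-256 over
# FC || P0 || L0 || P1 || L1 ... . The patent names a "key calculation function KDF" but
# fixes neither the function nor its parameter encoding; the FC values are assumed here.
def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # each parameter followed by its 2-byte length
    return hmac.new(key, s, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def initial_key(ck: bytes, ik: bytes, shared_factor: bytes, sn_id: bytes, sqn: bytes, ak: bytes) -> bytes:
    """Claim 5: initial key from CK, IK, the shared factor, SN ID and SQN xor AK (KASME-like)."""
    return kdf(ck + ik, 0x10, shared_factor, sn_id, xor(sqn, ak))

def control_plane_keys(k_init: bytes, cred_ue_hss: bytes, cred_ue_sas: bytes, alg_id: int) -> dict:
    """Claim 7: confidentiality and integrity keys from the initial key, both shared credentials,
    Alg-ID, the type identifier and the algorithm identifier (ASCII encoding is an assumption)."""
    common = (cred_ue_hss, cred_ue_sas, bytes([alg_id]))
    return {
        "enc": kdf(k_init, 0x11, *common, b"SA-init-enc-alg", b"256-EEA4"),
        "int": kdf(k_init, 0x11, *common, b"SA-init-int-alg", b"256-EIA4"),
    }

# Constructed sample inputs (not real subscriber material).
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SHARED_FACTOR, SN_ID = b"\x5a" * 8, bytes.fromhex("64f000")
SQN, AK = bytes.fromhex("000000000123"), bytes.fromhex("a1b2c3d4e5f6")
CRED_UE_HSS, CRED_UE_SAS, ALG_ID = b"hss-shared-cred", b"sas-shared-cred", 0x04

def run_both_sides(cred_ue_sas_at_sas: bytes = CRED_UE_SAS):
    """UE derives everything locally; on the network side the HSS produces the initial key
    (claim 1) and the SAS derives the control plane keys from it (claims 6 and 7)."""
    k_ue = initial_key(CK, IK, SHARED_FACTOR, SN_ID, SQN, AK)
    ue_keys = control_plane_keys(k_ue, CRED_UE_HSS, CRED_UE_SAS, ALG_ID)
    k_hss = initial_key(CK, IK, SHARED_FACTOR, SN_ID, SQN, AK)  # HSS: CK/IK/AK come from K and RAND
    sas_keys = control_plane_keys(k_hss, CRED_UE_HSS, cred_ue_sas_at_sas, ALG_ID)
    return ue_keys, sas_keys

if __name__ == "__main__":
    ue, sas = run_both_sides()
    print("UE and SAS keys match:", ue == sas)
    _, wrong = run_both_sides(b"not-the-shared-cred")  # SAS lacking the UE-SAS credential
    print("keys match without the UE-SAS credential:", ue == wrong)
```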
CN201711401758.6A 2017-12-22 2017-12-22 Dynamic additional authentication method and system for mobile private network Expired - Fee Related CN108282775B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711401758.6A CN108282775B (en) 2017-12-22 2017-12-22 Dynamic additional authentication method and system for mobile private network

Publications (2)

Publication Number Publication Date
CN108282775A true CN108282775A (en) 2018-07-13
CN108282775B CN108282775B (en) 2021-01-01

Family

ID=62801979

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110753346A (en) * 2019-10-30 2020-02-04 北京微智信业科技有限公司 Private mobile communication network key generation method, private mobile communication network key generation device and controller

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210101